How to Get Active Directory Groups a User is Member Of

Active Directory security groups are used to control access to specific resources. Members within these groups can access network resources based on the permissions assigned to the group.

Identifying the AD group that grants access to a particular folder helps you to manage user access effectively by adding or removing them from the group.

Run the following PowerShell script to identify which AD group grants users access to a shared folder in Active Directory.

$userlist = Import-CSV -Path '<FileLocation>'
$folder = "<FolderPath>"
foreach ($user in $userlist) { 
    $username = $user.SamAccountName
    $groups = (Get-ADUser -Identity $username -Properties MemberOf).MemberOf |
              ForEach-Object { (Get-ADGroup $_).Name }
    $GroupsWithAccess = @()
    foreach ($group in $groups) {
        $acl = Get-ACL -Path $folder
        if ($acl.Access | Where-Object { $_.IdentityReference -match $group }) {
            $GroupsWithAccess += $group
        }
    }
    if ($GroupsWithAccess.Count -gt 0) {
        foreach ($GroupWithAccess in $GroupsWithAccess) {
            Write-Host "$user has access to the folder via Group '$GroupWithAccess'"
        }
    } else {
        Write-Host "$username does not have access to the folder via any group."
    }
}

Note: The CSV file should have a column named SamAccountName with the required names listed in each row.

In organizations with multiple domains, managing cross-domain access is essential, especially when users in Domain A need access to resources in Domain B. To provide access, users from Domain A are added to AD groups in Domain B, the resource domain. These groups manage permissions to resources (like shared folders or applications) specifically within Domain B.

Therefore, it is important to know your users' group memberships across other domains to ensure they have appropriate access to necessary resources.

Run the cmdlet below to get cross domain group membership of an AD user using PowerShell.

Get-ADPrincipalGroupMembership -Identity <DistinguishedName> -ResourceContextServer <ResourceDomainName> -ResourceContextPartition “DC=domainA,DC=com”

If you’re part of a large organization, manually checking each user’s group details in the ADUC console can take significant time. However, using a simple PowerShell script, you can retrieve group memberships for multiple users without the need to locate each one individually.

Run the cmdlet below to fetch users from a CSV file and view the groups they can access.

$userlist = Import-CSV -Path '<FileLocation>''
foreach($user in $userlist){
    $username = $user.SamAccountName
    Write-host “$username is a member of the groups below.”
    Get-ADPrincipalGroupMembership -Identity $username -ResourceContextServer <DomainName> |
        Select name | 
        ft -hidetableheaders
}

Note: The CSV file should have a column named SamAccountName with the required names listed in each row.

• A centralized report that enables you to easily locate all users' group membership details in Active Directory.
• Along with users' group membership details, this report displays their account status, OU name, department, job title, and more. This eliminates the need to navigate through multiple reports to gather each piece of information.
• Leverage AdminDroid’s Schedule Report functionality to receive this centralized report in your Teams channels or mailboxes to track user memberships regularly.

Imagine someone accidentally adds an unauthorized user to the Domain Admins group. This grants them the same privileges as domain administrators and puts sensitive data at risk. Identifying who added users to a “Domain Admins” group allows you to analyze whether that user should have the privilege to add users to group. If not, you can alter the group’s security permissions to prevent them from adding users to the group.

Before you can audit changes in your Active Directory, you need to turn on auditing using the GPMC console. Once you’ve enabled auditing, follow the steps below to audit group membership changes in Active Directory using Event Viewer.

Navigating through the event viewer can be time consuming as it requires you to remember and enter different event IDs for membership changes across various groups scope types.

• In this report, you can see detailed information on member additions that include Added Time, Group Name, Added Member, and Added By, etc.
• You can use the Added By chart to identify who adds users to groups in Active Directory and limit the permissions of unwanted users.