Getting List of Current Group Memberships

While you can query Active Directory to retrieve a list of group memberships for a user, it is much easier to read that information directly from the user’s access token, with no AD contact needed.

This one-liner dumps the SIDs for all groups the current user is a member of:

#requires -Version 3.0
[System.Security.Principal.WindowsIdentity]::GetCurrent().Groups.Value

And here is how you get a translated list of group names:

#requires -Version 3.0
[System.Security.Principal.WindowsIdentity]::GetCurrent().Groups.Translate( [System.Security.Principal.NTAccount])

If this list contains duplicates, then you know that you have multiple SIDs all pointing to the same name. This can occur when you have migrated your AD in the past (SID history). Just pipe the result to Sort-Object -Unique to remove duplicates.
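
The duplicate-name case described above, as an added example that is not part of the original tip: it keeps each SID next to its translated name, so names backed by more than one SID can be listed with the SIDs behind them, and it marks SIDs that cannot be translated instead of aborting. The `<unresolved>` label is a placeholder chosen for this example.

```powershell
#requires -Version 3.0
# Added example: pair every group SID in the current token with its
# translated name, then report names that are backed by several SIDs.

$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()

$groups = foreach ($sid in $identity.Groups) {
    try {
        $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
    }
    catch [System.Security.Principal.IdentityNotMappedException] {
        # The SID has no resolvable account name (for example a deleted group).
        # '<unresolved>' is a placeholder label used only in this example.
        $name = '<unresolved>'
    }

    [PSCustomObject]@{
        Name = $name
        SID  = $sid.Value
    }
}

# Full SID-to-name mapping taken from the token
$groups | Sort-Object -Property Name, SID | Format-Table -AutoSize

# Names that appear more than once, with every SID that maps to them
$groups |
    Where-Object { $_.Name -ne '<unresolved>' } |
    Group-Object -Property Name |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object {
        [PSCustomObject]@{
            Name = $_.Name
            SIDs = ($_.Group.SID -join ', ')
        }
    } |
    Format-Table -AutoSize -Wrap
```

An empty second table means every translated name in the token maps to exactly one SID.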


  • Or get both with

    whoami /groups

    GROUP INFORMATION
    -----------------

    Group Name                                 Type             SID          Attributes
    ========================================== ================ ============ ===============================================================
    Everyone                                   Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
    BUILTIN\Administrators                     Alias            S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
    BUILTIN\Users                              Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
    NT AUTHORITY\REMOTE INTERACTIVE LOGON      Well-known group S-1-5-14     Mandatory group, Enabled by default, Enabled group
    NT AUTHORITY\INTERACTIVE                   Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
    NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
    NT AUTHORITY\This Organization             Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
    LOCAL                                      Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
    Authentication authority asserted identity Well-known group S-1-18-1     Mandatory group, Enabled by default, Enabled group
    Mandatory Label\High Mandatory Level       Label            S-1-16-12288

  • Or for those wanting to run on Version 2.0

    [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups | Select-Object Value | ForEach-Object { ( [System.Security.Principal.SecurityIdentifier]$_.Value).Translate( [System.Security.Principal.NTAccount] ) }