There is no native Windows command that lists the security groups a user, or a set of users, belongs to. The AdFind.exe tool, developed by Joeware, can do this. Download it from http://www.joeware.net/downloads/files/AdFind.zip. The tool can also be scripted. I will give two examples of its use:
- Use this tool to get the security groups of a user.
To do this, run the following command:
ADFind.exe -b "CN=Peter, OU=Finance, DC=Contoso,DC=com" -s base tokenGroups -resolvesids -sddl+
The above command lists the security groups Peter belongs to. You need to know Peter's DN to run it. In the second example, you don't need to know the DN of the user to achieve the same goal.
- Use this tool to get the security groups of users from a text file.
Run the following command to get the DNs of all users of a Security Group.
DsQuery group -name "SecurityGroupName" | DsGet group -members -expand > AllUserNames.txt
The above command gets the user accounts in the security group "SecurityGroupName" and stores the DN of each user in the AllUserNames.txt file.
Now you have the DNs of all the users. Next, run the following command to get the security groups of each user account listed in AllUserNames.txt. The output for each user is stored in its own UserName text file.
For /F "Tokens=*" %a in (AllUserNames.txt) Do ADFind.exe -b %a -s base tokenGroups -resolvesids -sddl+ > UserName_%a.txt
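The second example can also be scripted in PowerShell, so that each output file gets a name that is valid on disk even when a DN contains escaped commas or other special characters. This is an added example, not part of the original post or of the AdFind distribution. It assumes AdFind.exe is on the PATH and that AllUserNames.txt holds one quoted DN per line, as DsGet writes it. The `TokenGroups` output folder and the `Get-SafeName` helper are hypothetical names.

```powershell
# Added example: run AdFind once per DN listed in AllUserNames.txt.
$dnFile = 'AllUserNames.txt'
$outDir = 'TokenGroups'    # hypothetical output folder
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Character class matching everything Windows forbids in a file name.
$invalidChars   = [IO.Path]::GetInvalidFileNameChars() -join ''
$invalidPattern = '[{0}]' -f [regex]::Escape($invalidChars)

function Get-SafeName {
    param([string]$DN)
    # Take the value of the first RDN (normally the CN), keeping escaped
    # commas such as "CN=Smith\, John" inside the value.
    if ($DN -match '^[^=]+=((?:\\.|[^,\\])+)') {
        $name = $Matches[1]
    } else {
        $name = $DN
    }
    $name = $name -replace '\\(.)', '$1'    # drop LDAP escape backslashes
    return ($name -replace $invalidPattern, '_').Trim()
}

Get-Content -Path $dnFile | ForEach-Object {
    # DsGet wraps each DN in double quotes; strip them before use.
    $dn = $_.Trim().Trim('"')
    if (-not $dn) { return }    # skip blank lines

    $outFile = Join-Path $outDir ('UserName_{0}.txt' -f (Get-SafeName $dn))

    # tokenGroups is a constructed attribute that is only returned by a
    # base-scope search on the user object, hence "-s base".
    & AdFind.exe -b $dn -s base tokenGroups -resolvesids '-sddl+' |
        Set-Content -Path $outFile
}
```

Two users with the same CN in different OUs map to the same file name here, so the later one overwrites the earlier. Add a counter or part of the OU to the name if the group spans several OUs.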