Find What Groups a User In AD is a Member OfFind What Groups a User In AD is a Member Of
Here is how for one person:
get-aduser foo.user -properties MemberOf |Select -ExpandProperty memberof
or use the newer command:
Get-ADPrincipalGroupMembership foo.user | select name
or use the older command-line:
net user foo.user /domain
Here is how for a group in an OU:
get-aduser -filter * -searchbase "ou=ou-name-here,dc=company-domain,dc=com" -properties MemberOf |Select -ExpandProperty memberof
or you need just the Name and MemberOf:
get-aduser -filter * -searchbase "ou=ou-name-here,dc=company-domain,dc=com" -properties MemberOf |Select samaccountname,memberof
And if you need to put the whole thing together:
get-aduser -filter * -searchbase "ou=ou-name-here,dc=company-name,dc=com" -properties Memberof |Select samaccountname,@{n="Groups";e={(Get-ADPrincipalGroupMembership $_).name}} |ft -wrap
Or if you need just the accounts that are more than the "Domain Users" group:
get-ADuser -Filter * -searchbase "ou=ou-name-here,dc=company-domain,dc=com" -properties Memberof |where memberof -ne "Domain Users" |Select samaccountname,@{n="Groups";e={(Get-ADPrincipalGroupMembership $_).name}}
But maybe miss off the Guest account:
get-ADuser -Filter * -searchbase "ou=Disabled Users,dc=foodomain,dc=tld" -properties Memberof |where {($_.memberof -ne "Domain Users") -and ($_.samaccountname -ne "Guest")} |Select samaccountname,@{n="Groups";e={(Get-ADPrincipalGroupMembership $_).name}}
And to take this one step further, if you need to remove the user from all the account's groups, then:
Get-ADUser -filter * -searchbase "ou=ou-name-here,dc=company-domain,dc=com" -Properties MemberOf |where {($_.memberof -ne "Domain Users") -and ($_.samaccountname -ne "Guest")} |ForEach-Object{$_.MemberOf |Remove-ADGroupMember -Members $_.DistinguishedName -Confirm:$false}