How Can I Find Out Which Active Directory Groups I’m a Member Of?

The ability to administer and maintain up-to-date user lists and groups is critical to the security of an organization.

Using the GUI

There are a number of different ways to determine which groups a user belongs to. First, you can take the GUI approach:

  1. Go to “Active Directory Users and Computers”.
  2. Click on “Users” or the folder that contains the user account.
  3. Right-click on the user account and click “Properties.”
  4. Click the “Member of” tab.

Using the Command Line

Not so fun clicking around, is it? How about some command line options?

  1. Open up a command prompt (cmd.exe or PowerShell).
  2. Run: gpresult /V

You’ll get output that looks like this (I’ve truncated it to only include the group info):

[Screenshot: gpresult /V output, truncated to the group information]

You could also run whoami /groups to get similar info. This command will also list distribution groups and nesting (i.e., if you’re in Group A which is itself a member of Group B, it’ll display Group B).

Not satisfied yet? Try net user [username] /domain as yet another option.
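For a programmatic review of the same data, the output of whoami /groups /fo csv can be parsed and checked for well-known privileged groups. The following is an added example, not part of the original article; the function name Get-TokenGroupReport is hypothetical, and the sample rows (CORP domain, SIDs) are constructed.

```powershell
# Added example: audit the groups in a logon token from `whoami /groups /fo csv`.
# $sample is constructed data; on a live host replace it with:
#   $rows = whoami /groups /fo csv | ConvertFrom-Csv
$sample = @'
"Group Name","Type","SID","Attributes"
"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"
"BUILTIN\Administrators","Alias","S-1-5-32-544","Group used for deny only"
"CORP\Domain Admins","Group","S-1-5-21-1111111111-2222222222-3333333333-512","Mandatory group, Enabled by default, Enabled group"
"CORP\Finance-RW","Group","S-1-5-21-1111111111-2222222222-3333333333-1604","Mandatory group, Enabled by default, Enabled group"
"Mandatory Label\Medium Mandatory Level","Label","S-1-16-8192",""
'@

# Well-known privileged SIDs and RIDs (documented Windows constants).
$privileged = @{
    '^S-1-5-32-544$'    = 'Local Administrators'
    '^S-1-5-21-.+-512$' = 'Domain Admins'
    '^S-1-5-21-.+-518$' = 'Schema Admins'
    '^S-1-5-21-.+-519$' = 'Enterprise Admins'
}

function Get-TokenGroupReport {
    param([Parameter(Mandatory)][object[]]$Rows)
    foreach ($r in $Rows) {
        # The integrity level is listed alongside groups but is not one.
        if ($r.Type -eq 'Label') { continue }
        $hit = $privileged.Keys | Where-Object { $r.SID -match $_ } | Select-Object -First 1
        [pscustomobject]@{
            Group      = $r.'Group Name'
            # S-1-5-21-* SIDs are issued by a domain or a machine's local account database.
            Scope      = if ($r.SID -like 'S-1-5-21-*') { 'Domain or local account' } else { 'Well-known or built-in' }
            Privileged = if ($hit) { $privileged[$hit] } else { $null }
            # Deny-only groups are present in the token but grant no access
            # (typical for Administrators in a UAC-filtered token).
            DenyOnly   = $r.Attributes -match 'deny only'
        }
    }
}

$rows = $sample | ConvertFrom-Csv
Get-TokenGroupReport -Rows $rows | Format-Table -AutoSize
```

The report reflects the groups in the current logon token, so a membership change made in Active Directory shows up only after the user logs on again.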

The Bigger Question

As you can see, there are plenty of ways to ascertain Active Directory group membership, manually and programmatically. But the question that almost always goes unanswered is: “What exactly does this group give access to?”

This is an especially tricky question to answer when you have poorly named groups, but even with pristine group names, mistakes are made and you’ll almost always find that groups give unwarranted access to data.

Practical Next Steps

So how do you connect the dots between Active Directory group memberships and the files, folders, SharePoint sites, and mailboxes they’re connected to? Using only the native tools and Windows management options, it’s a hugely daunting and time-consuming task.

Get a 1-on-1 demo of Varonis DatAdvantage to see a saner, easier and above all more secure way to manage your Active Directory users.

Cindy Ng

Cindy is the host of the Inside Out Security podcast.
