
Command Line Prompts for Checking Active Directory Membership

Posted on June 13, 2012 by devinknight

Using Active Directory groups is a great way to manage and maintain security for a solution. Think about having
to manually add users to your Analysis Services roles each time someone new wanted access to your cube. Ideally,
you would have an AD group in the SSAS role membership, and anytime someone wants access to the cube they
simply need to get added to the AD group; nothing would need to be changed in Analysis Services.
My goal in this post is not to convince you that AD groups are a good thing. Hopefully you already understand that.
What I really want to show you is a few “tricks” for checking permissions to AD groups.
The first example returns all AD groups that a user is a member of, along with lots of other good information about
the selected user. When troubleshooting access to your solution, this gives you a quick way to rule out membership in
the proper AD group as a possible issue.
Open a command prompt by clicking your Start Menu and then selecting Run. Type CMD and click OK, then
use the following code:
Template:
net user /domain "<AD Account>"
Example:
net user /domain "dknight"

The second example returns all users that are members of a specified AD group. Open a command prompt
again and use the following code:
Template:
net group /domain "<AD Group>"
Example:
net group /domain "Schema Admins"
While these seem like simple commands, you may find them very useful when troubleshooting permission errors.
Another great thing is that you don’t have to be a server admin to use these; just about anyone can run them.
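
When the membership list from the first command is long, net user wraps it onto continuation lines, so a line filter that looks for the word "Group" keeps only the first line of each list. The PowerShell sketch below is an added example, not part of the original post: it parses the full output, including wrapped lines, and checks for one required group. The function name Get-NetUserGroups, the sample output and the group name 'SSAS Cube Readers' are assumptions made for illustration.

```powershell
# Added example: turn `net user <name> /domain` text into a list of group names.
# $sample is constructed output for illustration. On a domain-joined machine,
# replace the two assignments below with:  $lines = net user dknight /domain
$sample = @'
User name                    dknight
Full Name                    Devin Knight
Account active               Yes

Local Group Memberships      *Administrators       *Remote Desktop Users
Global Group memberships     *Domain Users         *Report Writers
                             *SSAS Cube Readers
The command completed successfully.
'@
$lines = $sample -split "`r?`n"

function Get-NetUserGroups {
    param([string[]]$Lines)
    $scope = $null
    foreach ($line in $Lines) {
        if ($line -match '^(Local|Global) Group memberships\s+(.*)$') {
            # First line of a membership list (-match ignores case)
            $scope = $Matches[1]; $rest = $Matches[2]
        } elseif ($scope -and $line -match '^\s+(\*.*)$') {
            # Indented continuation line belonging to the current list
            $rest = $Matches[1]
        } else {
            # Any other field ends the current list
            $scope = $null; continue
        }
        # Each group name is prefixed with '*'
        foreach ($name in ($rest -split '\*')) {
            $name = $name.Trim()
            if ($name) { [pscustomobject]@{ Scope = $scope; Group = $name } }
        }
    }
}

$groups = Get-NetUserGroups -Lines $lines
$groups | Format-Table -AutoSize

$required = 'SSAS Cube Readers'   # hypothetical group granting cube access
if ($groups.Group -contains $required) { "member of $required" }
else { "NOT a member of $required" }
```

In the constructed sample the required group sits on a continuation line, which is exactly the line a filter on "Group" would drop.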

http://windowsitpro.com/active-directory/view-remove-ad-delegated-permissions

http://www.computerperformance.co.uk/Logon/DSquery_user.htm

https://technet.microsoft.com/en-us/library/cc732535.aspx

http://www.pearsonitcertification.com/articles/article.aspx?p=1718489

Open a command prompt.

Type: net user <userName> /domain

It will list both Local and Global groups that user belongs to.

If you want it to only list the groups, you can use Find to filter it:
net user <userName> /domain | find "Group"

This has worked in all (NT) versions of Windows since at least NT 4.

On Vista/2008+ you can also use WhoAmI /Groups to get a verbose list of group memberships
(including their UIDs, etc.) for the current user.


nice. didn't know about this. FWIW it also works on 2008 R2 (not just Win7 as question is
tagged with) – James Jun 25 '13 at 14:25
this worked, i also just found out that WHOAMI /GROUPS also shows more verbose information
about the groups you are a member of as well – Alexander Miles Jun 25 '13 at 14:27
I forgot about WHOAMI /groups, Old habits I guess, the Net User command has been around
since NT 4 days. :) I'll add that to my answer to round it out. – Ƭᴇcʜιᴇ007 Jun 25 '13 at 14:39

this post is also useful serverfault.com/questions/49405/… shows how to get all the users in a
group – Jonny Leeds Dec 2 '14 at 13:05

GPRESULT is the right command, but it cannot be run without parameters. /v or verbose option
is difficult to manage without also outputting to a text file. E.g. I recommend using
gpresult /user myAccount /v > C:\dev\me.txt
--Ensure C:\Dev\me.txt exists
Another option is to display summary information only which may be entirely visible in the
command window:
gpresult /user myAccount /r
The accounts are listed under the heading:

The user is a part of the following security groups
---------------------------------------------------

Or you could use dsquery and dsget:

dsquery user domainroot -name <userName> | dsget user -memberof

To retrieve group memberships something like this:

Tue 09/10/2013 13:17:41.65
C:\>dsquery user domainroot -name jqpublic | dsget user -memberof
"CN=Technical Support Staff,OU=Acme,OU=Applications,DC=YourCompany,DC=com"
"CN=Technical Support Staff,OU=Contosa,OU=Applications,DC=YourCompany,DC=com"
"CN=Regional Administrators,OU=Workstation,DC=YourCompany,DC=com"
