Get-ADPrincipalGroupMembership to Find AD User’s Membership

3 min read | Updated On - February 29, 2024

Accounts with privileged credentials give potential attackers the permissions they need to get inside critical systems. To reduce this risk, it is essential to remove unnecessary permissions by following the Principle of Least Privilege (PoLP).

The Principle of Least Privilege is the practice of limiting user profile privileges to the bare minimum of what is necessary for the user’s specific job requirements. When done correctly, following the PoLP can successfully reduce the risk of privilege abuse and insider threats by limiting the potential attack surface.

To implement this approach, you can either use Active Directory Users and Computers (ADUC) to manually review user object properties, or use PowerShell scripts to generate reports that list specific domain local group names (such as Enterprise Admins and Domain Admins) and then manually check which groups a particular user account belongs to.

However, both of these options are time consuming and can be complex, and if you want to filter your report or add more details, you will need more expertise in PowerShell scripting and cmdlet parameters.

In this article, we will look at two native methods, ADUC and PowerShell, for finding Active Directory User’s Group Membership. We will then look at a more straightforward solution using the Lepide Auditor.

1. Using Get-ADPrincipalGroupMembership Cmdlet

Please follow the steps below:

  • Open the PowerShell ISE

    If you don’t have the Active Directory module installed on your Windows machine, you will need to download the correct Remote Server Administration Tools (RSAT) package for your OS.

    To load the module, run the Import-Module ActiveDirectory command from an elevated PowerShell prompt.

  • Run the following PowerShell script, specifying the AD user account name (sAMAccountName) you’re querying and the path to export the report to.

    This report will output the user group list with group categories and scope:

    Import-Module ActiveDirectory
    $UserName = "T.Simpson"
    # Lists the groups the user is a direct member of, with each group's category and scope
    Get-ADPrincipalGroupMembership -Identity $UserName | Select-Object Name, GroupCategory, GroupScope

    Note that the similarly named Add-ADPrincipalGroupMembership cmdlet does not report membership; it adds the principal to a group, for example:

    Add-ADPrincipalGroupMembership -Identity Admin -MemberOf DC_Admin
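Get-ADPrincipalGroupMembership only returns the groups a user is a direct member of (plus the primary group), so a user who inherits Domain Admins through a nested group would not show up in the report above. The following script is an added example, not code from the original article or from Lepide; it combines the direct list with the effective (nested) membership resolved by an LDAP_MATCHING_RULE_IN_CHAIN filter, flags membership of well-known privileged groups, and exports the result. The account name, output path and privileged-group watch list are assumed placeholders.

```powershell
# Added example (not from the original article): direct vs. effective group membership
# for one AD user, with privileged groups flagged for least-privilege review.
# Assumes the RSAT ActiveDirectory module and a domain-joined, authenticated session.
Import-Module ActiveDirectory

# Assumed sample account and output path (placeholders, adjust to your environment)
$UserName   = 'T.Simpson'
$ReportPath = 'C:\Reports\T.Simpson-groups.csv'

# Constructed watch list of groups whose membership deserves review
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                      'Administrators', 'Account Operators', 'Backup Operators')

# Direct membership: exactly what Get-ADPrincipalGroupMembership returns
$direct    = Get-ADPrincipalGroupMembership -Identity $UserName |
             Select-Object Name, GroupCategory, GroupScope, DistinguishedName
$directDns = @($direct.DistinguishedName)

# Effective membership: every group containing the user through any depth of nesting.
# The OID 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) makes the DC walk the
# nesting; the DN is placed in the filter verbatim, so DNs containing '(' or ')' or '\'
# would need LDAP escaping first.
$userDn    = (Get-ADUser -Identity $UserName).DistinguishedName
$effective = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$userDn)" |
             Select-Object Name, GroupCategory, GroupScope, DistinguishedName

# Nested-only groups are those in the effective set that are not direct memberships.
# The primary group is not reachable via the chain filter, so the direct list is kept whole.
$nestedOnly = @($effective | Where-Object { $directDns -notcontains $_.DistinguishedName })

$report = foreach ($g in (@($direct) + $nestedOnly)) {
    [pscustomobject]@{
        User          = $UserName
        Group         = $g.Name
        GroupCategory = $g.GroupCategory
        GroupScope    = $g.GroupScope
        Membership    = if ($directDns -contains $g.DistinguishedName) { 'Direct' } else { 'Nested' }
        Privileged    = [bool]($PrivilegedGroups -contains $g.Name)
    }
}

# Privileged rows first so they are visible at a glance, then export for the audit trail
$report | Sort-Object Privileged, Group -Descending | Format-Table -AutoSize
$report | Export-Csv -Path $ReportPath -NoTypeInformation

# Call out anything that needs a least-privilege decision
foreach ($row in ($report | Where-Object Privileged)) {
    Write-Warning "$UserName is a $($row.Membership.ToLower()) member of privileged group '$($row.Group)'"
}
```

The Membership column is the part worth checking during a review: a "Nested" entry for Domain Admins means the account has the privilege without appearing in the group's member list in ADUC, which is exactly what a direct-only report misses.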

2. Using Active Directory Users and Computers (ADUC)

ADUC remains the most common way to investigate a user’s group memberships. Simply launch the console, open the user’s properties, and go to the Member Of tab, as shown below:

ADUC Console

How Lepide Helps

An alternative, more straightforward solution to these native methods, which requires no knowledge of PowerShell, is to use the User’s Group Membership Report included in the Lepide Active Directory Auditor. This report lists all users alongside the groups to which they belong, and can be exported to CSV, PDF or MHT format:

AD User’s Group Membership Report

Please follow the steps below to run the report:

  • Click the ‘User & Entity Behavior Analytics’ icon and select Active Directory Reports > Active Directory State Reports > User’s Group Membership
  • Click Generate Report
  • The report will run and can be sorted, filtered, grouped, saved, and exported