78

I am on Windows 8 connected to a domain.

I wish to view the users and groups of an AD Security group. I am not the owner of the group. The command:

net group /domain TheGroupName

shows the direct users of that group but does not show the groups within the group.

As an alternative to the Windows 8, I also have remote access to a Windows Server 2008 R2 and am an admin for that machine but not an admin for the domain. The program "dsget" does not appear to be installed.

This question is expanding on this one (511715)

crokusek
  • If you want a better answer to an already existing question, the proper procedure is to offer a bounty to that existing question. – Ramhound Aug 21 '14 at 18:13
  • 1
    That question has been answered as it was phrased. This is a new but very related question. – crokusek Aug 21 '14 at 18:15
  • What makes you think you should have access to obtain the lists of users and groups if you aren't a domain administrator (or have the appropriate specific permission, whatever that might be, on your domain account)? To me the opposite would seem intuitive. – user Aug 21 '14 at 18:15
  • That command works for me now, and as far as I know I am not a Domain Admin. Are you saying I must be? I don't think I am the owner of the group either. – crokusek Aug 21 '14 at 18:15
  • 1
    The 'Search Active Directory' function from My Computer->Network will grant you the access to view groups and basic user information without special permissions. – Abraxas Aug 21 '14 at 18:37
  • You might also be able to query AD using LDAP see http://stackoverflow.com/questions/22224465/querying-windows-active-directory-server-using-ldapsearch-from-command-line – nijave Aug 26 '16 at 00:09
  • You might not have the appropriate access in Active Directory to query groups. Local permissions != domain permissions – nijave Aug 26 '16 at 00:10
  • @MichaelKjörling If you're a local admin setting up a share on a local computer's drive and adding an active directory usergroup, you'd better be able to look up who exactly you are granting access to (at least at present...obviously, a domain admin can add and delete users to a usergroup after you check) – mpag Jan 30 '17 at 20:48

3 Answers

102

Go to 'Computer', click on 'Network' from the left menu, in the top bar select 'Search Active Directory'

You should be able to search for groups and view membership here, even if not an admin.

Access 'Search Active Directory'

Abraxas
  • 5
    "So easy a non-domain admin can do it." I didn't realize 'Computer' meant within explorer or Alt-Q 'Network'. Can even double click to drill down. Thanks. Don't know why this was not an answer to the linked question, because it's only for Windows 8? – crokusek Aug 21 '14 at 18:41
  • I hadn't seen the other question but no, this works on Win7 and, I think, Vista even. :) I recently found it like a month ago and have been telling everyone I know since lol – Abraxas Aug 21 '14 at 19:45
  • 1
    This dialog has been around forever. IIRC Windows 2000 contains it, too. – Daniel B Aug 22 '14 at 07:15
  • 17
    Command line (or Run) equivalent: `"C:\Windows\System32\rundll32.exe" dsquery.dll,OpenQueryWindow` – Trisped Aug 07 '15 at 17:43
  • 2
    Where is the equivalent in Windows 10? – flickerfly Jan 04 '17 at 17:11
  • 3
    @flickerfly in W10, just click on the top of the window on Network (File Network View) and you'll see the "Search Active Directory" thing. Seems that "ribbon" (is that what it's called?) is hidden by default. I've added another answer with a more straightforward way to call this program, and I have a handy shortcut to that command now. – Razvan Zoitanu Feb 02 '17 at 10:21
  • I don't see how you go from this to finding the members in the group once you search and locate the group. Am I missing something? – StatsStudent Feb 04 '20 at 15:42
  • 1
    @StatsStudent - double click on any found groups and you will see the subgroups/users within. – Forty3 Feb 26 '20 at 15:10
43

Run this from a command prompt to get the complete membership of an AD group (users AND groups). Tested on Windows 10.

Rundll32 dsquery.dll OpenQueryWindow

There's a handy Advanced Tab in there that supports partial string searches (starting with, ending with).

Razvan Zoitanu
13

Sysinternals offers AD Explorer, a utility for listing the complete LDAP structure of an AD forest. It’s slightly overkill for your intended use, though.

I don’t know which permissions exactly are necessary for querying this data, but I guess any logged-in user can do it. I never had any problems querying just about everything, but maybe the domain at work isn’t secured properly.

Usability note: You need not enter your credentials if you’re logged on as a domain user.

You do, however, need the IP address or host name of a Domain Controller. It’s likely this is the same as your DNS server, so just fire up nslookup and try the address displayed there.

Daniel B
  • 2
    You can open up a command prompt and do "echo %LOGONSERVER%" to see the AD server the computer used for authentication. In addition, you should be able to do "nslookup my.domain.name" to list all the AD servers. So if you login using "mydomain\myuser" try "nslookup mydomain" – nijave Aug 26 '16 at 00:15
  • 1
    leaving all fields (IP, User, Pw) blank worked for me – trykyn May 09 '21 at 12:32
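
The LDAP route mentioned in the comments and in the AD Explorer answer can also be scripted without dsget or RSAT. The following is an added example, not code from any poster in this thread: it lists the direct members of a group and everything reachable through nested groups, using the built-in ADSI searcher as the logged-on domain user. The function names are hypothetical, and `TheGroupName` is the placeholder from the question.

```powershell
# Added example, not from the thread. 'TheGroupName' is the question's placeholder.
# Assumes a domain-joined machine and a logged-on domain user; searches the current domain only.
param([string]$GroupName = 'TheGroupName')

function ConvertTo-LdapFilterValue([string]$Value) {
    # RFC 4515: escape \ * ( ) and NUL so a name or DN cannot change the filter's meaning
    [regex]::Replace($Value, '[\\*()\x00]', { param($m) '\{0:x2}' -f [int][char]$m.Value })
}

function Find-AdObject([string]$Filter) {
    $searcher = [adsisearcher]$Filter   # binds to the current domain as the current user
    $searcher.PageSize = 1000           # paged search, so large result sets are not truncated
    $searcher.PropertiesToLoad.AddRange([string[]]('distinguishedname', 'samaccountname', 'objectclass'))
    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            New-Object psobject -Property @{
                Name  = [string](@($r.Properties['samaccountname'])[0])
                Class = [string](@($r.Properties['objectclass'])[-1])   # most specific class is listed last
                DN    = [string](@($r.Properties['distinguishedname'])[0])
            }
        }
    } finally { $results.Dispose() }
}

# Resolve the group's distinguished name from the short name used with "net group"
$nameFilter = "(&(objectCategory=group)(sAMAccountName=$(ConvertTo-LdapFilterValue $GroupName)))"
$group = Find-AdObject $nameFilter | Select-Object -First 1
if (-not $group) { throw "Group '$GroupName' not found in the current domain." }
$dn = ConvertTo-LdapFilterValue $group.DN

# Direct members: objects whose memberOf attribute names the group
$direct = @(Find-AdObject "(memberOf=$dn)")
# Direct and nested members: 1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN,
# which makes the domain controller walk the membership chain server-side
$all = @(Find-AdObject "(memberOf:1.2.840.113556.1.4.1941:=$dn)")

$directDns = @($direct | ForEach-Object { $_.DN })
$all |
    Select-Object Name, Class,
        @{ n = 'Via'; e = { if ($directDns -contains $_.DN) { 'direct' } else { 'nested' } } }, DN |
    Sort-Object Via, Class, Name
```

Accounts that belong to the group only as their primary group are not listed, because primary-group membership is not stored in `memberOf`. Rows with class `group` marked `direct` are the nested groups that `net group` leaves out.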