Enumerating AD Security Group Members (Including Nested Groups) Without Domain Admin Rights
A domain user on Windows 8 or later needs to view both direct members and nested groups within an Active Directory Security Group but lacks domain admin privileges and access to standard AD management tools. The built-in 'net group /domain' command is insufficient as it omits nested groups, and dsget may not be installed. The primary resolution is to use the native 'Search Active Directory' feature accessible through Windows Explorer's Network view, which exposes full group membership including nested groups without elevated privileges.
Indicators
- 'net group /domain <GroupName>' returns only direct user members and omits nested groups
- dsget command is not found or unavailable on the system
- User is not a domain admin and cannot access Active Directory Users and Computers (ADUC)
- User has local admin rights on a Windows Server 2008 R2 machine but holds no elevated domain privileges
- Remote Server Administration Tools (RSAT) are not installed on the Windows 8 client
Likely causes
- User lacks domain admin or group owner privileges required by most standard AD query tools
- dsget (part of Windows Server Administration Tools) is not installed on the target machine
- 'net group' command has inherently limited output that excludes nested group membership
- RSAT is not installed on the Windows 8 client, so PowerShell AD cmdlets and ADUC are unavailable
Diagnostic steps
- Run 'net group /domain <TheGroupName>' from Command Prompt to confirm it lists direct members only and omits nested groups
- Verify whether dsget is available by running 'dsget /?' in Command Prompt; if not found, confirm it is not installed and move to the GUI workaround
- Open Windows Explorer on the Windows 8 client and click 'Network' in the left navigation pane
- In the top toolbar of the Network view, click 'Search Active Directory' to open the AD search dialog
- In the 'Search Active Directory' dialog, set the search type to 'Groups', enter the target group name, and execute the search
- Double-click the returned group result to open its Properties and navigate to the 'Members' tab, which displays both direct users and nested groups
Resolution path
- Open Windows Explorer and click 'Network' in the left navigation pane
- Click 'Search Active Directory' in the top toolbar of the Network view
- Set the search type to 'Groups' and enter the target AD Security Group name, then search
- Double-click the returned group in search results to open its Properties dialog
- Navigate to the 'Members' tab to view all direct users and nested groups without requiring elevated privileges
Prevention
- Install Remote Server Administration Tools (RSAT) on Windows 8/10/11 client machines used for administration to provide proper AD query tooling including ADUC and PowerShell AD cmdlets
- Ensure dsget and related Windows Server Administration Tools are available on any server used for AD administration tasks
- Request read-only delegation on specific AD groups from domain admins for users who require regular, repeatable access to group membership data
- Standardise on PowerShell with the ActiveDirectory module (via RSAT) for scriptable, auditable, and repeatable AD group membership queries including recursive nested group expansion
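The following script is an added example written for this page, not code from the original post or from any Microsoft tool. It shows the scriptable recursive-membership query recommended above in two forms: the RSAT path (Get-ADGroupMember -Recursive) when the ActiveDirectory module is present, and a fallback using the .NET System.DirectoryServices searcher that ships with Windows, which an ordinary domain user can run from a domain-joined Windows 8+ client with no RSAT and no elevated rights. The group name 'Finance-Share-RW' is a placeholder; the LDAP matching rule OID 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) is a real Active Directory feature that makes the domain controller expand nested membership server-side.

```powershell
# Added example, not from the original page. Assumes a domain-joined Windows client
# and a normal domain user account; the ADSI branch needs neither RSAT nor elevation.
param(
    [Parameter(Mandatory = $true)]
    [string]$GroupName   # sAMAccountName of the group, e.g. 'Finance-Share-RW' (placeholder)
)

function ConvertTo-LdapFilterValue([string]$Value) {
    # Escape RFC 4515 special characters so a name or DN containing ( ) * \ cannot
    # alter the meaning of the filter we build below.
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

# Path 1: RSAT ActiveDirectory module available. -Recursive expands nested groups.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    Get-ADGroupMember -Identity $GroupName -Recursive |
        Select-Object objectClass, SamAccountName, distinguishedName
    return
}

# Path 2: no RSAT. Bind to the domain naming context via ADSI, which is built into Windows.
$rootDse = [ADSI]"LDAP://RootDSE"
$domain  = [ADSI]("LDAP://" + $rootDse.defaultNamingContext)

# Resolve the group's distinguished name from its sAMAccountName.
$groupSearcher = New-Object System.DirectoryServices.DirectorySearcher($domain)
$groupSearcher.Filter = "(&(objectCategory=group)(sAMAccountName=$(ConvertTo-LdapFilterValue $GroupName)))"
$group = $groupSearcher.FindOne()
if (-not $group) { throw "Group '$GroupName' not found under $($rootDse.defaultNamingContext)" }
$groupDn = $group.Properties['distinguishedname'][0]

# memberOf with the IN_CHAIN matching rule returns every object whose membership
# chain leads to the group: direct users, nested groups, and members of those groups.
$memberSearcher = New-Object System.DirectoryServices.DirectorySearcher($domain)
$memberSearcher.Filter   = "(memberOf:1.2.840.113556.1.4.1941:=$(ConvertTo-LdapFilterValue $groupDn))"
$memberSearcher.PageSize = 1000   # paged results so large groups are not truncated
[void]$memberSearcher.PropertiesToLoad.AddRange(@('objectClass', 'sAMAccountName', 'distinguishedName'))

$memberSearcher.FindAll() | ForEach-Object {
    [PSCustomObject]@{
        # objectClass is a list (top, person, ..., user); the last entry is the concrete class
        ObjectClass       = ($_.Properties['objectclass'] | Select-Object -Last 1)
        SamAccountName    = $_.Properties['samaccountname'][0]
        DistinguishedName = $_.Properties['distinguishedname'][0]
    }
}
```

Run it as `.\Get-GroupMembersRecursive.ps1 -GroupName 'Finance-Share-RW'` (script name and group are placeholders). Rows with ObjectClass 'group' are the nested groups the 'net group /domain' output omits; because the server-side chain walk flattens membership, the output does not distinguish direct from inherited members, which is the same view the Explorer 'Members' tab gives once you open each nested group. Reading group membership this way is logged on the domain controller like any other LDAP search, so it remains auditable without granting the user any delegation.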
Tools
- Windows Explorer 'Search Active Directory' (built-in, no elevation required, Windows 8+)
- net group /domain <GroupName> (Command Prompt, built-in — limited to direct members only)
- dsget (Windows Server Administration Tools — if installed on the system)
- Active Directory Users and Computers / ADUC (requires RSAT installation)
- PowerShell Get-ADGroupMember cmdlet (requires RSAT ActiveDirectory module)