How do I resolve Listing AD group memberships for a user with 'net user /domain'?

Use the syntax 'net user /domain' instead of 'net user DOMAIN\username' • The query is sent to the current logged-on domain controller and returns the AD user object • Read the 'Global Group Memberships' and 'Local Group Memberships' fields in the output to obtain group membership

How do I prevent Listing AD group memberships for a user with 'net user /domain'?

Document that 'net user' targets the local SAM unless '/domain' is specified • Avoid 'DOMAIN\user' syntax with 'net user'; always pass the bare sAMAccountName with '/domain' • For cross-domain or nested-group enumeration, prefer 'dsget user -memberof -expand' or PowerShell 'Get-ADPrincipalGroupMembership' over 'net user'

P4 · Active Directory

Listing AD group memberships for a user with 'net user /domain'

The 'net user' command queries the local SAM by default and does not accept 'DOMAIN\user' syntax, so attempts to enumerate Active Directory group memberships fail. Appending the '/domain' switch with the bare sAMAccountName redirects the query to the current logged-on domain controller and returns the user's global and local group memberships.

Indicators

'net user londondom\john' returns a System error or 'user name could not be found'
'net user johnlocal' returns results for local accounts but the same syntax fails for AD accounts
Administrators cannot retrieve AD group memberships using the default 'net user' syntax

Likely causes

'net user' defaults to querying the local SAM database rather than Active Directory
'DOMAIN\user' syntax is not recognised by the 'net user' command
The '/domain' switch was omitted, so the query was not directed to a domain controller

Diagnostic steps

Open an elevated command prompt on a domain-joined workstation logged into the target AD domain.
Run 'net user <localaccount>' to confirm the command works against the local SAM.
Run 'net user <sAMAccountName> /domain' to query the AD account against the current logon domain controller.
Review the 'Local Group Memberships' and 'Global Group Memberships' fields in the output to enumerate group membership.
If the user resides in another domain or forest, log on from a workstation in that domain or use 'dsquery'/'dsget' / PowerShell 'Get-ADPrincipalGroupMembership' instead.

Resolution path

Use the syntax 'net user <sAMAccountName> /domain' instead of 'net user DOMAIN\username'
The query is sent to the current logged-on domain controller and returns the AD user object
Read the 'Global Group Memberships' and 'Local Group Memberships' fields in the output to obtain group membership

Prevention

Document that 'net user' targets the local SAM unless '/domain' is specified
Avoid 'DOMAIN\user' syntax with 'net user'; always pass the bare sAMAccountName with '/domain'
For cross-domain or nested-group enumeration, prefer 'dsget user -memberof -expand' or PowerShell 'Get-ADPrincipalGroupMembership' over 'net user'

Tools

net user
net user /domain
Windows command prompt
dsquery / dsget
PowerShell ActiveDirectory module (Get-ADPrincipalGroupMembership)

References

Using the 'net user' command in Windows XP to list all group memberships for a specific Active Directory user (Super User)

active-directorynet-usergroup-membershipcommand-linesysadminenumeration