Sometimes it is a challenge to know which groups a user is actually in. This includes not just direct membership, but also indirect membership through nested groups. You may have added a user to a group, but aren't sure if the user is actually getting the security token for that group when they log on. I have found many scripts over the years to show group membership for a logged-on user, but most of them query Active Directory.

In doing some troubleshooting this week, I discovered a gem of a tool to do this. It can be found in a collection of tools created by joe (this is lowercase joe of AD fame, not Joe also of AD fame – there is a very clear distinction 🙂 ). joe has a number of tools on his website (http://joeware.net) that he has developed for AD-related tasks. In this case, the tool I found is called sectok, and it will return everything that is in a logged-on user's security token. It is a simple command-line tool that lists all the groups in a logged-on user's token. Here is some sample output:

    SecTok V01.00.00cpp Joe Richards (joe@joeware.net) November 2001
    User: S-1-5-21-3556900197-2913673288-4150463142-1114 – ME\doug
    Group: S-1-1-0 – Everyone

This is a great way to get a quick and dirty look at everything contained in the security token of a user.
Another tool that is available and built in to Vista is whoami. This is also available in the XP SP2 Support Tools.
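
The same token-versus-directory check can be scripted. The following is an added example, not part of the original post and not joeware code: it reads group SIDs from the current process token through .NET's WindowsIdentity class instead of querying Active Directory. The function names and the group `ME\Nested-App-Admins` are placeholders made up for illustration.

```powershell
# Added example: list the groups in the current logon token (not an AD query).
function Get-TokenGroup {
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    # WindowsIdentity.Groups returns only enabled group SIDs; deny-only and
    # logon-session SIDs are left out, unlike the full list from "whoami /groups".
    foreach ($sid in $identity.Groups) {
        try {
            # Resolve the SID to DOMAIN\name; this can fail for deleted
            # groups or when the owning domain cannot be reached.
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $name = '<unresolved>'
        }
        [pscustomobject]@{ Sid = $sid.Value; Name = $name }
    }
}

# Returns $true if the token carries the group, given as DOMAIN\name or SID.
function Test-TokenGroup {
    param([Parameter(Mandatory)][string]$Group)
    $hit = Get-TokenGroup | Where-Object { $_.Sid -eq $Group -or $_.Name -eq $Group }
    [bool]$hit
}

# Print the token in a layout similar to the sectok sample output.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
'User: {0} - {1}' -f $me.User.Value, $me.Name
Get-TokenGroup | Sort-Object Name |
    ForEach-Object { 'Group: {0} - {1}' -f $_.Sid, $_.Name }

# Did a nested group actually make it into the token?
# 'ME\Nested-App-Admins' is a placeholder; substitute the group being checked.
Test-TokenGroup -Group 'ME\Nested-App-Admins'
Test-TokenGroup -Group 'S-1-1-0'    # Everyone, by well-known SID
```

The token is built at logon, so a group added afterwards returns `$false` here until the user logs off and back on, even though a directory query already shows the membership.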