How can I determine what groups a user belongs to from the command line in Windows Server 2003?

Learn to determine what groups a user belongs to from the command line in Windows Server 2003.

John Savill

November 9, 2003


A. To display groups that a user belongs to, use the Dsget command with the -memberof switch. For example, when I type

dsget user "CN=John K. Savill,CN=Users,DC=uk,DC=savilltech,DC=com" -memberof

my computer displays

"CN=sale2,OU=Sales,DC=uk,DC=savilltech,DC=com"
"CN=Domain Admins,CN=Users,DC=uk,DC=savilltech,DC=com"
"CN=Domain Users,CN=Users,DC=uk,DC=savilltech,DC=com"

These results show that the user is a member of three direct groups: sale2, Domain Admins, and Domain Users. Because the direct groups that the user belongs to might be members of other groups, which makes the user a member of those other groups as well, you can add the -expand switch to view implicit group memberships. For example, if I type

dsget user "CN=John K. Savill,CN=Users,DC=uk,DC=savilltech,DC=com" -memberof -expand

my computer displays

"CN=sale2,OU=Sales,DC=uk,DC=savilltech,DC=com"
"CN=Domain Admins,CN=Users,DC=uk,DC=savilltech,DC=com"
"CN=Domain Users,CN=Users,DC=uk,DC=savilltech,DC=com"
"CN=sale1,OU=Sales,DC=uk,DC=savilltech,DC=com"
"CN=Administrators,CN=Builtin,DC=uk,DC=savilltech,DC=com"
"CN=Users,CN=Builtin,DC=uk,DC=savilltech,DC=com"

Because I've expanded the list of groups, the groups sale1, Administrators, and Users now appear in the list. In this example, sale2 is a member of sale1, Domain Admins is a member of Administrators, and Domain Users is a member of Users.
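The expansion that -expand reports can be modelled as a walk over group nesting. The following Python sketch is an added example, not code from the article or from dsget itself; it uses the groups and nesting named above plus one constructed circular nesting (sale1 back into sale2, an assumption for illustration), and records the chain of groups that grants each implicit membership.

```python
from collections import deque

BASE = "DC=uk,DC=savilltech,DC=com"

# Direct memberships, as listed by the article's first dsget command.
DIRECT = [
    f"CN=sale2,OU=Sales,{BASE}",
    f"CN=Domain Admins,CN=Users,{BASE}",
    f"CN=Domain Users,CN=Users,{BASE}",
]

# group -> groups it is a member of. The first three entries are the nesting
# the article describes; the last is a constructed circular nesting
# (sale1 back into sale2) to show that the walk still terminates.
MEMBER_OF = {
    f"CN=sale2,OU=Sales,{BASE}": [f"CN=sale1,OU=Sales,{BASE}"],
    f"CN=Domain Admins,CN=Users,{BASE}": [f"CN=Administrators,CN=Builtin,{BASE}"],
    f"CN=Domain Users,CN=Users,{BASE}": [f"CN=Users,CN=Builtin,{BASE}"],
    f"CN=sale1,OU=Sales,{BASE}": [f"CN=sale2,OU=Sales,{BASE}"],
}


def expand(direct, member_of):
    """Return {group_dn: path} for every direct and implicit group.

    path is the chain of groups from a direct membership to group_dn,
    so a one-element path means the membership is direct.
    """
    paths = {dn: [dn] for dn in direct}
    queue = deque(direct)
    while queue:
        group = queue.popleft()
        for parent in member_of.get(group, []):
            if parent not in paths:  # already visited: skip, which breaks cycles
                paths[parent] = paths[group] + [parent]
                queue.append(parent)
    return paths


def implicit_only(direct, member_of):
    """Groups held only through nesting, with the path that grants each."""
    return {dn: p for dn, p in expand(direct, member_of).items() if len(p) > 1}


if __name__ == "__main__":
    for dn, path in implicit_only(DIRECT, MEMBER_OF).items():
        print(dn, "<-", " <- ".join(reversed(path[:-1])))
```

When reviewing privileged access, the path matters as much as the group: here Administrators is reached only through Domain Admins, so removing the direct membership also removes the implicit one.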
