Using PowerShell to Get AD Group Members
You can use the Get-ADGroupMember cmdlet in PowerShell with the -Identity parameter to retrieve the members of an AD group. Those members can be users, computers, or other groups (nested groups).
Of course, there is a little more to it than that, especially depending on your end goal and how much information from the users you need to dump out in the list.
In this article I’m going to step through the essentials of using PowerShell to get AD group members and their corresponding lists of users. I will also show you how to export AD group members to a CSV or other file format so you can manipulate the data or import it into other scripts or tools to use as part of your automation workflows.
Before we play around, make sure you have the PowerShell Active Directory Module within RSAT installed or that you are running these commands from a Windows Server Domain Controller (naughty naughty).
With that said, let’s look at the syntax for the Get-AdGroupMember cmdlet.
Get-AdGroupMember cmdlet Syntax
Get-ADGroupMember [-AuthType <ADAuthType>] [-Credential <PSCredential>] [-Identity] <ADGroup> [-Partition <String>] [-Recursive] [-Server <String>] [<CommonParameters>]
You can retrieve this syntax yourself by entering “Get-Help Get-AdGroupMember”
Here is a summary of the parameters:
- -AuthType: Specifies whether to use basic or negotiate authentication methods.
- -Credential: Specifies the user account credentials to use for running the commands, which defaults to the logged in user if not specified.
- -Identity: Specifies the AD group object, using values like distinguishedName, GUID, SID, or SAMAccountName.
- -Partition: Specifies the AD partition distinguished name to use if different from default
- -Recursive: Expands nested groups and returns only the leaf objects (users and computers) found anywhere in the hierarchy; the nested group objects themselves are not returned.
- -Server: Specifies the AD DS instance to connect to by entering a domain name or directory server.
Get Basic List of All Members of AD Group
To get a dump of all the members of specific group run the following command:
Get-ADGroupMember -Identity AP_ADMINS
This example uses the -Identity parameter to specify the AP_ADMINS group as the group we want to retrieve the list of members from. You’ll see that this prints PowerShell's default list view of every group member, showing distinguishedName, name, objectClass, objectGUID, SamAccountName, and SID. One caveat worth knowing before you point this at a very large group: Get-ADGroupMember goes through Active Directory Web Services, which by default refuses to return more than 5,000 members for a single group (the MaxGroupOrMemberEntries setting) and fails with a size-limit error instead of returning a partial list.
We can do better than this.
Get All Members of AD Group and Format as a Table
Run the following command:
Get-ADGroupMember -Identity AP_ADMINS | ft
This example pipes the previous command into the Format-Table cmdlet (alias ft) to format the list as a table.
Chances are this table contains a lot of information you’re not interested in. We can clean the table up using the select-object cmdlet:
Get-ADGroupMember -Identity AP_ADMINS | Select-Object Name | ft
We can take it another step further and pipe in the Get-ADUser cmdlet to display more relevant information about each returned object:
Get-ADGroupMember -Identity AP_ADMINS | Get-ADUser -Properties DisplayName,EmailAddress | Select Name,DisplayName,EmailAddress,SAMAccountName | ft
This example asks Get-ADUser for the DisplayName and EmailAddress attributes (neither is returned by default) and then uses Select-Object to add them to the selection list that will be printed to the PowerShell console. Note that Get-ADUser only accepts user objects: if AP_ADMINS also contains computer or group members, each of those will produce an error in the pipeline and be skipped. The filtering section below shows how to restrict the input to users first.
Get All AD Group Members and Sort Alphabetically
Run the following command:
Get-ADGroupMember -Identity AP_ADMINS | Select-Object Name | Sort-Object Name
This example uses the Select-Object cmdlet to select just the name of the object and the Sort-Object cmdlet to sort the objects by Name before listing all the group members.
Get All Nested AD Group Members
If you have any groups that have nested groups within them as members you’ll notice the above commands don’t list out the user or computer accounts contained within those groups. To also list out the nested group members we must use the -Recursive parameter.
Run the following command:
Get-ADGroupMember -Identity AP_ADMINS -Recursive | ft
This example uses the -Recursive parameter, which is a switch and takes no value, to expand the nested groups and list the users and computers inside them. Keep in mind that the output is flattened: the nested group objects themselves are dropped, and nothing in the output tells you which nested group a given user came through.
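When you are auditing a privileged group, the flattened view is often not enough; you usually want to know which nested group a member was reached through. The following is an added example, not code from the original article: it walks the membership tree itself (one Get-ADGroupMember call per group, without -Recursive), records the chain of groups for each leaf member, and guards against circular nesting. It assumes the RSAT ActiveDirectory module is available and uses AP_ADMINS as a placeholder group name; the function name Get-ADGroupMemberWithPath is my own.

```powershell
# Added example (not from the original article). Reports each leaf member of a
# group together with the chain of nested groups it was reached through, which
# Get-ADGroupMember -Recursive flattens away. Assumes the RSAT ActiveDirectory
# module; AP_ADMINS is a placeholder group name.
Import-Module ActiveDirectory

function Get-ADGroupMemberWithPath {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Identity,
        # Chain of group names leading to this group; empty at the top level.
        [string[]] $Path = @(),
        # Distinguished names of groups already expanded, shared across the recursion.
        [System.Collections.Generic.HashSet[string]] $Seen =
            [System.Collections.Generic.HashSet[string]]::new()
    )

    $group = Get-ADGroup -Identity $Identity

    # HashSet.Add returns $false if the DN is already present: this group was
    # expanded before, so stop here (protects against A -> B -> A loops).
    if (-not $Seen.Add($group.DistinguishedName)) { return }

    $currentPath = $Path + $group.SamAccountName

    foreach ($member in Get-ADGroupMember -Identity $group.DistinguishedName) {
        if ($member.objectClass -eq 'group') {
            # Nested group: recurse, carrying the path and the seen-set down.
            Get-ADGroupMemberWithPath -Identity $member.DistinguishedName `
                -Path $currentPath -Seen $Seen
        }
        else {
            # Leaf object (user, computer, foreign security principal, ...).
            [pscustomobject]@{
                SamAccountName = $member.SamAccountName
                ObjectClass    = $member.objectClass
                Depth          = $currentPath.Count - 1   # 0 = direct member
                MemberVia      = $currentPath -join ' > '
            }
        }
    }
}

Get-ADGroupMemberWithPath -Identity 'AP_ADMINS' |
    Sort-Object Depth, SamAccountName |
    Format-Table -AutoSize
```

A user who is a member through two different nested groups is listed once per path, which is deliberate: removing them from one nested group would not remove their access. Because each group is only expanded once, a group that is nested in two places is reported under the first path encountered.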
Get Filtered List of AD Group Members
The previous commands will list out all members of group whether they are a group, user, or computer account. To filter on a specific type of member run the following command:
Get-ADGroupMember -Identity AP_ADMINS | Where-Object {$_.objectClass -eq "user"} | ft
This example uses the Where-Object cmdlet to keep only members whose objectClass is “user” before printing the list to the console. You can replace user with computer or group to filter for those object types. Members from a trusted domain show up with the objectClass foreignSecurityPrincipal, so they will not match any of these three filters.
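Filtering down to one object type works when that is all you need, but a complete audit of a group usually wants every member, with the details that make sense for its type. The following is an added example, not code from the original article: it dispatches on objectClass and looks each member up with the cmdlet that understands it (Get-ADUser, Get-ADComputer, Get-ADGroup), so the pipeline no longer errors on mixed membership. It assumes the RSAT ActiveDirectory module; AP_ADMINS and the function name Get-ADGroupMemberDetail are placeholders of my own.

```powershell
# Added example (not from the original article). Group members are a mix of
# users, computers and groups, so piping them all into Get-ADUser errors on
# anything that is not a user. Dispatch on objectClass instead and query each
# type with the matching cmdlet. Assumes the RSAT ActiveDirectory module;
# AP_ADMINS is a placeholder group name.
Import-Module ActiveDirectory

function Get-ADGroupMemberDetail {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string] $Identity)

    Get-ADGroupMember -Identity $Identity | ForEach-Object {
        # Capture the pipeline object: inside 'switch', $_ is rebound to the
        # value being tested (the objectClass string), not the member.
        $member = $_

        switch ($member.objectClass) {
            'user' {
                $u = Get-ADUser -Identity $member.DistinguishedName -Properties DisplayName, EmailAddress
                [pscustomobject]@{
                    Type = 'user';     SamAccountName = $u.SamAccountName
                    Name = $u.DisplayName; Detail = $u.EmailAddress; Enabled = $u.Enabled
                }
            }
            'computer' {
                $c = Get-ADComputer -Identity $member.DistinguishedName -Properties OperatingSystem
                [pscustomobject]@{
                    Type = 'computer'; SamAccountName = $c.SamAccountName
                    Name = $c.DNSHostName; Detail = $c.OperatingSystem; Enabled = $c.Enabled
                }
            }
            'group' {
                $g = Get-ADGroup -Identity $member.DistinguishedName
                [pscustomobject]@{
                    Type = 'group';    SamAccountName = $g.SamAccountName
                    Name = $g.Name; Detail = "$($g.GroupScope) $($g.GroupCategory)"; Enabled = $null
                }
            }
            default {
                # e.g. foreignSecurityPrincipal from a trusted domain: report what
                # Get-ADGroupMember already returned rather than dropping it.
                [pscustomobject]@{
                    Type = $member.objectClass; SamAccountName = $member.SamAccountName
                    Name = $member.Name; Detail = $member.DistinguishedName; Enabled = $null
                }
            }
        }
    }
}

# Console view, then the same data to CSV for the audit trail.
Get-ADGroupMemberDetail -Identity 'AP_ADMINS' | Format-Table -AutoSize
Get-ADGroupMemberDetail -Identity 'AP_ADMINS' |
    Export-Csv -Path 'C:\temp\AP_ADMINS_members.csv' -NoTypeInformation
```

The Enabled column is $null for groups because a group has no enabled state; for users and computers it comes straight from the object, so a disabled account that is still a member of a privileged group stands out in the export.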
Export List of AD Group Members to CSV
Most likely your goal is to export your list of members to something like Excel so you can manipulate, audit, or import the data into another system. We can use the Export-CSV cmdlet to export the results to a CSV file:
Get-ADGroupMember -Identity AP_ADMINS | Get-ADUser -Properties DisplayName,EmailAddress | Select Name,DisplayName,EmailAddress,SAMAccountName | Export-CSV -Path "C:\temp\ADGroupMembers.csv" -NoTypeInformation
This will export the list of AD group members from the AP_ADMINS group to a CSV file named “ADGroupMembers.csv” in the C:\temp folder (the folder must already exist). The -NoTypeInformation parameter suppresses the “#TYPE …” comment line that Export-Csv otherwise writes above the column header; the header row itself is kept.
Export List of Enabled AD Group Members to CSV
To close out, lets tie a few of the above examples together to show how to write a script that filters your list of group member by enabled accounts and then exports them to a csv file:
$groupName = "Enter Group Name Here"
$csvFile   = "C:\temp\Enabled_AD_Group_Members.csv"

# Direct members of the group, user objects only (computers and groups are skipped).
$users = Get-ADGroupMember -Identity $groupName.Trim() |
    Where-Object { $_.objectClass -eq "user" }

# Look up each user, keep only enabled accounts, and pick the columns to export.
# DisplayName is not in Get-ADUser's default property set, so it must be requested.
$Report = foreach ($user in $users) {
    Get-ADUser -Identity $user -Properties DisplayName, Enabled |
        Where-Object { $_.Enabled } |
        Select-Object -Property DisplayName, SamAccountName, UserPrincipalName, Enabled
}

$Report | Export-Csv -Path $csvFile -NoTypeInformation
In this script, the group name is stored in the $groupName variable and the CSV file name and path are stored in the $csvFile variable. We then create a $users variable and store the results of the Get-ADGroupMember cmdlet, filtered to user accounts only. We loop through those users, look each one up with Get-ADUser (requesting DisplayName, which is not returned by default), keep only the accounts where Enabled is true, and store the DisplayName, SamAccountName, UserPrincipalName, and Enabled properties in the $Report variable, which is then written to the CSV file.
If you just need to retrieve a list of all users, regardless of group membership, from AD check out our tutorial PowerShell: Export Active Directory Users to CSV.