Viewing Active Directory Groups Using DSGet Group

The dsget utility can be used to view various information about Active Directory catalog objects. In this article we will show how to use the dsget group command to list info about different groups in the AD domain.

To use the dsget command, the Microsoft Windows Administration Tools Pack – Adminpak.msi (for Windows XP/Windows Server 2003 and below) or Active Directory Domain Services (AD DS) Tools from the Remote Server Administration Tools (RSAT) package (in modern versions of Windows) must be installed on your computer.

The dsget group command without parameters displays a list of all groups in the Active Directory domain (if there are a large number of groups in the domain, the command will run for a rather long time). To get the properties of a specific AD group, run the following command:

dsget group "CN=Domain Admins,CN=Users,DC=theitbros,DC=com"

The group name must be specified in the DistinguishedName (DN) format.

By default, the group DN and its description are displayed.

The full syntax of the dsget group command, with the available attributes, is:

dsget group <GroupDN ...> [-dn] [-samid] [-sid] [-desc] [-secgrp]  [-scope] [{-s <Server> | -d <Domain>}] [-u <UserName>]  [-p {<Password> | *}] [-c] [-q] [-l] [{-uc | -uco | -uci}]  [-part <PartitionDN> [-qlimit] [-qused]]

For example, to find out the group SID, run:

dsget group "CN=Domain Admins,CN=Users,DC=theitbros,DC=com" -sid

To check the group type: Security (yes) or Distribution (no), run:

dsget group "CN=Domain Admins,CN=Users,DC=theitbros,DC=com" -secgrp

Two more optional dsget group parameters, -members and -memberof, let you determine group membership. The -members parameter shows which users and groups are included in this group, and the -memberof parameter shows which groups this group belongs to. Suppose you want to list the current members of the Domain Admins group. Run the command:

dsget group "CN=Domain Admins,CN=Users,DC=theitbros,DC=com" -members

To display a complete list of users, including nested groups (recursively), run:

dsget group "CN=Domain Admins,CN=Users,DC=theitbros,DC=com" -members -expand

Similarly, you can get a list of the groups that this group is a member of:

dsget group "CN=Domain Admins,CN=Users,DC=theitbros,DC=com" -memberof


As you can see, the last two commands, when displaying the list of users/groups, return them in DN format, which is not very convenient. Therefore, to get usernames (or other fields) you need to use the command in conjunction with dsget user:

dsget group "CN=Domain Admins,CN=Users,DC=theitbros,DC=com" -members | dsget user -samid -upn -desc

As you remember, the group name for the dsget group command must be specified in the distinguishedName format. In order not to specify the DN of the group, you can use the dsget group command together with the dsquery command. For example, to get a list of users in the ‘Domain Admins’ group and export it to a text file, run the command:

dsquery group -samid "Domain Admins" | dsget group -members > c:\ps\exportgoupmembers.txt

As you can see, now you do not need to specify the group DN.

If you do not know the exact name of the group, you can specify only part of the name and use the wildcard character *. For example, to find all the groups whose names begin with NY:

dsquery group -name NY* | dsget group -dn -scope -secgrp

In a similar way, you can list, for example, the email addresses of all users who are members of a group and save the list to a CSV file:

dsquery group -samid "Domain Admins" | dsget group -members | dsget user -email >admin_emails.csv
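
The dsquery and dsget group -members -expand pipeline shown above can also drive a recurring check on a privileged group. The PowerShell script below is an added example, not part of the original article: it compares the expanded Domain Admins membership with an approved list and reports the differences. The baseline file path and its format (one approved member DN per line) are assumptions.

```powershell
# Added example (not from the article): flag drift in a privileged group's membership.
# Assumption: the baseline path and its format (one approved DN per line) are hypothetical.
param(
    [string]$GroupSamId   = 'Domain Admins',
    [string]$BaselinePath = 'C:\ps\domain_admins_baseline.txt'
)

function ConvertTo-NormalizedDn {
    param([string[]]$Lines)
    # dsquery/dsget wrap each DN in double quotes; DNs compare case-insensitively.
    $result = foreach ($line in $Lines) {
        if ($line -and $line.Trim()) { $line.Trim().Trim('"').ToLowerInvariant() }
    }
    $result | Sort-Object -Unique
}

function Compare-Membership {
    param([string[]]$Current, [string[]]$Approved)
    [pscustomobject]@{
        # Members present in AD but absent from the approved list
        Unexpected = @($Current  | Where-Object { $Approved -notcontains $_ })
        # Approved entries that are no longer members
        Missing    = @($Approved | Where-Object { $Current  -notcontains $_ })
    }
}

# Resolve the group DN by sAMAccountName; refuse to continue on zero or several matches.
$groupDn = @(dsquery group -samid $GroupSamId)
if ($LASTEXITCODE -ne 0 -or $groupDn.Count -ne 1) {
    throw "Expected exactly one group with sAMAccountName '$GroupSamId'."
}

# Recursively expanded member list, as DNs (same pipeline as in the article).
$raw = $groupDn | dsget group -members -expand
if ($LASTEXITCODE -ne 0) {
    throw 'dsget group failed; not comparing a partial member list.'
}

$current  = @(ConvertTo-NormalizedDn $raw)
$approved = @(ConvertTo-NormalizedDn (Get-Content -LiteralPath $BaselinePath))
$diff     = Compare-Membership -Current $current -Approved $approved

$diff.Unexpected | ForEach-Object { Write-Warning "Not in baseline: $_" }
$diff.Missing    | ForEach-Object { Write-Output "In baseline but no longer a member: $_" }

# A non-zero exit code lets a scheduled task or monitoring job alert on unexpected members.
if ($diff.Unexpected.Count -gt 0) { exit 1 }
```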
