extract group members from active directory

How to Extract Group Members from Active Directory and Export It to CSV file


In this article we’ll take a look at few examples of using PowerShell to extract group members from Active Directory different groups. This article should teach you how to build a list of accounts in a specific Active Directory group and export it to a CSV file, which is convenient to process in MS Excel and other Office programs.

Previously, to build a list of users in Active Directory group, you had to use VBS scripts, or DSQuery or CSVDE command-line utilities, which were not flexible enough and convenient.

To interact with Active Directory from PowerShell, Microsoft developed a special module Active Directory Module for Windows PowerShell. For the first time this module appeared in Windows Server 2008 R2 and in order to use it you must load it into your PowerShell session at first:

Import-Module ActiveDirectory

In Windows Server 2012/R2/Windows Server 2016 this module is automatically installed and loaded when the ADDS (Active Directory Domain Services) role is installed on the server when the server is promoted to a domain controller. In desktop operating systems (Windows 10/Windows 7), the Active Directory Module for Windows PowerShell is included in the Remote Server Administration Tools, which you need to download, install and enable separately.

extracting active directory group members

Please note that in order to use the ActiveDirectory module, you don’t need to be a member of the Domain Admins group, any authenticated domain user can obtain information about Active Directory users and groups using AD PowerShell module.

To get the information about the user accounts that are included in the Active Directory security group, use the Get-ADGroupMember cmdlet.

For example, to display the list of members of the Domain Admins group, run the following command:

Get-ADGroupMember ‘Domain Admins’

powershell get ad group members

If you do not know the exact name of the group, you can display the full list of groups in Active Directory using the command:

Get-ADGgroup -filter * | sort name | select Name

You can display only usernames:

Get-ADGroupMember -Identity ‘Domain Admins’| ft name

powershell get active directory group members

If the specified group contains other Active Directory groups, you must use the Recursive parameter to list members of Active Directory based on nested groups.

Get-ADGroupMember -Identity ‘Domain Admins’ -Recursive | ft name

The -recursive switch instructs the Get-ADGroupMember command to parse each nested group and display only objects that are not containers (user or computer). This command will display even those users who do not directly belong to the specified group.

You can display more detailed information about the accounts in this group in this way:

Get-ADGroupMember -Identity ‘Domain Admins’ | foreach { Get-ADUser $_ -Properties * }

You can use the more complex PowerShell command, which allows you to list all members of a certain domain security group with information about the company, department and job title, followed by sorting and grouping depending on the specific attribute (company):

Get-ADGroupMember -Recursive ‘Domain Admins’ | ForEach {

Get-ADUser -filter {samaccountname -eq $_.SamAccountName}  -Properties displayName, company, title, department

}  | Sort-Object company,displayName | Format-Table displayName,company,department,title -GroupBy company -AutoSize

list members of ad group

In order to extract group members from Active Directory into a text file, add the following command:

| Out-File -Width 5000 "C:\PS\ADGroupUsersByCompany.txt"

To export the list to the CSV csv, add the following pipe:

| Export-Csv -NoTypeInformation .\ADGroupUsersByCompany.csv -Encoding Unicode

You can calculate the total number of users in a group:

(Get-ADGroupMember -Identity Administrators).Count

Here is another useful example. Let’s try to find all AD groups containing the *Admin* keyword in the name, and display the users that are added in these groups. To display only unique objects, use the -uniq argument:

Get-ADGroup -filter 'SamAccountName -like "*Admin*"' | Get-ADGroupMember -recursive|Select-Object -uniq

In some cases, you can face error, which occurs during the execution of the Get-ADGroupMember command:

Get-ADGroupMember : The specified directory service attribute or value does not exist

This means that the group includes users from other forests (foreign security principals). The Get-ADGroupMember cmdlet doesn’t support working with users of different forests in Active Directory.

You may also like:

Add Calendar Permissions in Office 365 via Powersh... This is a tutorial on how to add calendar permissions in Office 365 for your users via Powershell. You can add permissions onto a specific mailbox, or...
Deploy LGPO with MDT 2013 Local Group Policy (LGPO) of computer is configured through gpedit.msc snap-in, which does not provide the possibility to export/import settings. That...
Configuring GPO Proxy Settings for Internet Explor... The article shows how to configure GPO proxy settings for Internet Explorer 11 browser using Active Directory Group Policies. In earlier versions of I...
Using PsExec to Run Commands Remotely The PsExec is an easy Windows utility to replace the telnet tool. It allows you to run programs and processes on remote systems, using all the feature...
Installing Active Directory Users and Computers MM... One of the main Active Directory domain management tools is the MMC snap-in Active Directory Users and Computers (ADUC). The ADUC snap-in is used to p...

Add Your Comment