In this article we’ll take a look at few examples of using PowerShell to extract group members from different Active Directory group. This article should teach you how to build a list of accounts in a specific Active Directory group and export it to a CSV file, which is convenient to process in MS Excel and other Office programs.
Previously, to build a list of users in Active Directory group, you had to use VBS scripts, or DSQuery or CSVDE command-line utilities, which were not flexible enough and convenient.
To interact with Active Directory from PowerShell, Microsoft developed a special module — PowerShell Active Directory module. For the first time this module appeared in Windows Server 2008 R2 and in order to use it you must load it into your PowerShell session at first:
Import-Module ActiveDirectory
In Windows Server 2012/R2/Windows Server 2016 this module is automatically installed and loaded when the ADDS (Active Directory Domain Services) role is installed on the server when the server is promoted to a domain controller. In desktop operating systems (Windows 10/Windows 7), the Active Directory Module for Windows PowerShell is included in the Remote Server Administration Tools, which you need to download, install and enable separately.
Please note that in order to use the ActiveDirectory module, you don’t need to be a member of the Domain Admins group, any authenticated domain user can obtain information about Active Directory users and groups using AD PowerShell module.
To get the information about the user accounts that are included in the Active Directory security group, use the Get-ADGroupMember cmdlet.
For example, to display the list of members of the Domain Admins group, run the following command:
Get-ADGroupMember ‘Domain Admins’
If you do not know the exact name of the group, you can display the full list of groups in Active Directory using the command:
Get-ADGgroup -filter * | sort name | select Name
You can display only usernames:
Get-ADGroupMember -Identity ‘Domain Admins’| ft name
If the specified group contains other Active Directory groups, you must use the Recursive parameter to list members of Active Directory based on nested groups.
Get-ADGroupMember -Identity ‘Domain Admins’ -Recursive | ft name
The -recursive switch instructs the Get-ADGroupMember command to parse each nested group and display only objects that are not containers (user or computer). This command will display even those users who do not directly belong to the specified group.
You can display more detailed information about the accounts in this group in this way:
Get-ADGroupMember -Identity ‘Domain Admins’ | foreach { Get-ADUser $_ -Properties * }
You can use the more complex PowerShell command, which allows you to list all members of a certain domain security group with information about the company, department and job title, followed by sorting and grouping depending on the specific attribute (company):
Get-ADGroupMember -Recursive ‘Domain Admins’ | ForEach {
Get-ADUser -filter {samaccountname -eq $_.SamAccountName} -Properties displayName, company, title, department
} | Sort-Object company,displayName | Format-Table displayName,company,department,title -GroupBy company -AutoSize
In order to extract group members from Active Directory into a text file, add the following command:
| Out-File -Width 5000 "C:\PS\ADGroupUsersByCompany.txt"
To export the list to the CSV csv, add the following pipe:
| Export-Csv -NoTypeInformation .ADGroupUsersByCompany.csv -Encoding Unicode
You can calculate the total number of users in a group:
(Get-ADGroupMember -Identity Administrators).Count
Here is another useful example. Let’s try to find all AD groups containing the *Admin* keyword in the name, and display the users that are added in these groups. To display only unique objects, use the -uniq argument:
Get-ADGroup -filter 'SamAccountName -like "*Admin*"' | Get-ADGroupMember -recursive|Select-Object -uniq
In some cases, you can face error, which occurs during the execution of the Get-ADGroupMember command:
Get-ADGroupMember : The specified directory service attribute or value does not exist
This means that the group includes users from other forests (foreign security principals). The Get-ADGroupMember cmdlet doesn’t support working with users of different forests in Active Directory.
1 comment
Can you export users in an AD group and then create a Excel spreadsheet, so that each group in the work book, has its own sheet? So that’s one workbook but with multiple sheets. Group A,B,C = Sheet A,B,C.