Using Active Directory security groups is a best practice for quickly and accurately assigning permissions to users, computers, and groups. But how can you get a list of all the members of a security group?
While you could use the PowerShell cmdlet Get-ADGroup, group members will be identified by their distinguished names, making the results difficult to read. A better option is to use the Get-ADGroupMember cmdlet. This article provides the syntax of this cmdlet and lots of useful examples.
Using Get-ADGroupMember
To get a list of all members of a security group, simply enter the Get-ADGroupMember cmdlet in a PowerShell window and you’ll be prompted to input the group name:
Get-ADGroupMember Parameters
The Get-ADGroupMember cmdlet accepts the following parameters:
- -AuthType <ADAuthType>
- -Credential <PSCredential>
- -Identity <ADGroup>
- -Partition <String>
- -Recursive
- -Server <String>
The Identity and Recursive parameters are the most commonly used, so let’s look at each of them.
Identity Parameter
Use the Identity parameter to specify the AD group whose members you want to list. You can specify the group by its distinguished name, GUID, SID or SAM account name.
To get the output in a more readable tabular format, we will use the following command:
Get-ADGroupMember -Identity Office365-E3 | ft
Recursive Parameter
A security group can have other groups among its members; this is called group nesting. To see the members of the nested groups using the Get-ADGroupMember cmdlet, we need to use the Recursive parameter.
For example, suppose the security group TestOrg8-Versacorp has five members, which are all groups: Engineering, Finance, Marketing, Operations and Sales. Running the Get-ADGroupMember cmdlet on TestOrg8-Versacorp without the Recursive parameter will return those five groups, but not their members, as shown here:
But if we add the Recursive parameter, the Get-ADGroupMember cmdlet will list the members of all the nested groups:
Get-ADGroupMember -Identity TestOrg8-Versacorp -Recursive | ft
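The Recursive parameter flattens the result, so a flattened list no longer tells you through which nested group a member arrived, which is exactly what an audit of a privileged group needs. The following added example (not from the original article) walks the nesting manually, records the chain of groups for each member and stops on circular nesting; it assumes the ActiveDirectory module, and 'Domain Admins' is used only as an illustrative group name.

```powershell
# Added example: walk nested group membership and report the path to each member.
# Assumes the ActiveDirectory module is available; 'Domain Admins' is illustrative.
Import-Module ActiveDirectory

function Get-NestedGroupMembership {
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        # Group names already traversed on this branch, used for the reported path
        [string[]] $Path = @(),
        # Groups visited in this walk, keyed by SID, so circular nesting terminates
        [hashtable] $Visited = @{}
    )

    $group = Get-ADGroup -Identity $GroupName
    $sid   = $group.SID.Value
    if ($Visited.ContainsKey($sid)) {
        # Circular nesting (AD allows A in B and B in A): report once, do not descend
        [pscustomobject]@{
            Member      = $group.Name
            ObjectClass = 'group (cycle)'
            Path        = ($Path + $group.Name) -join ' > '
        }
        return
    }
    $Visited[$sid] = $true
    $currentPath = $Path + $group.Name

    # Direct members only (no -Recursive); nested groups are descended explicitly
    foreach ($member in Get-ADGroupMember -Identity $group) {
        if ($member.objectClass -eq 'group') {
            Get-NestedGroupMembership -GroupName $member.distinguishedName `
                                      -Path $currentPath -Visited $Visited
        } else {
            [pscustomobject]@{
                Member      = $member.SamAccountName
                ObjectClass = $member.objectClass
                Path        = $currentPath -join ' > '
            }
        }
    }
}

Get-NestedGroupMembership -GroupName 'Domain Admins' | Format-Table -AutoSize
```

A user that appears with a long Path was granted privilege indirectly; those entries are the ones to review when tightening a privileged group.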
Additional Examples of Get-ADGroupMember
Let’s review some other common use cases for Get-ADGroupMember.
Specify which Member Properties to Display
If you want to specify exactly which properties to display about each group member, you can use the Select-Object cmdlet, as shown here:
Get-ADGroupMember -Identity Office365-E3 | Select-Object name, objectClass, distinguishedName
Limit the Output to Members with a Specific Object Type
As noted earlier, a security group can have users, computers, and nested groups as members. But you can easily limit the output of the Get-ADGroupMember cmdlet to just one of these object classes.
If you want to see only the members who are user objects, use this cmdlet:
Get-ADGroupMember -Identity VPN | Where-Object {$_.objectClass -eq "user"} | ft
Similarly, if you want to see only the nested groups, use this cmdlet:
Get-ADGroupMember -Identity VPN | Where-Object {$_.objectClass -eq "group"} | ft
And if you want to see only the computer objects that are members, use this cmdlet:
Get-ADGroupMember -Identity VPN | Where-Object {$_.objectClass -eq "computer"} | ft
Here is the output from all three commands:
Export Group Membership Information to a CSV File
Here’s how you can export the output of the Get-ADGroupMember cmdlet to a CSV file:
Get-ADGroupMember -Identity Office365-E3 | Get-ADUser -Properties * | Select Name,Mail,department,title,employeeid | Export-csv -Path C:\adgroupmemberslist.csv -NoTypeInformation
There are three cmdlets at work here:
- Get-ADGroupMember gets the members of the specified AD group and delivers the results to the second cmdlet (Get-ADUser).
- Get-ADUser retrieves the specified properties of those members (name, email address, department, title, and employee ID) and passes the results to the third cmdlet (Export-csv).
- Export-csv exports the results to a CSV file, as shown below:
Export the Members from a Specific OU to a CSV File
Users, computers, and group objects all reside in OUs within Active Directory.
Run the following PowerShell script to export group members from a specified OU to a CSV file:
$OrgUnit = 'OU=VPN,DC=milkyway,DC=local'
# Get Active Directory groups from a specific Organizational Unit
$AD_Groups = Get-ADGroup -Filter * -SearchBase $OrgUnit
# Search through AD_Groups variable and get AD group name and member user name
$AD_Group_Members = foreach ($Group in $AD_Groups) {
    Get-ADGroupMember -Identity $Group -Recursive |
        Select-Object @{Name='Group';Expression={$Group.Name}}, @{Name='Member';Expression={$_.Name}}
}
# Export groups and users to csv file from AD_Group_Members variable
$AD_Group_Members | Export-Csv -Path C:\AD_Group_Members.csv -NoTypeInformation
In this script:
- The first line defines the path to the desired OU.
- The second line uses the Get-ADGroup cmdlet to get all AD groups from that OU.
- Then the script cycles through those AD groups, getting each group’s name and members.
- The last line uses the Export-csv cmdlet to export the results to a CSV file.
And here is the resulting CSV file:
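A CSV export is most useful when it is kept as a baseline and later exports are compared against it, so that members added to or removed from a sensitive group stand out. The following added example (not from the original article) builds on the two export sections above; it assumes the ActiveDirectory module, and the group name and file path are placeholders.

```powershell
# Added example: baseline a group's membership to CSV, then report drift on later runs.
# Assumes the ActiveDirectory module; group name and path are placeholders.
Import-Module ActiveDirectory

$GroupName    = 'Domain Admins'
$BaselinePath = 'C:\Audit\DomainAdmins-baseline.csv'

function Get-MembershipSnapshot {
    param([Parameter(Mandatory)] [string] $Group)
    # -Recursive so a user granted membership through a nested group is still seen.
    # SID is the stable key: renaming an account must not look like a change.
    Get-ADGroupMember -Identity $Group -Recursive |
        Select-Object @{Name='SID'; Expression={$_.SID.Value}},
                      SamAccountName, objectClass, distinguishedName
}

$current = Get-MembershipSnapshot -Group $GroupName

if (-not (Test-Path $BaselinePath)) {
    # First run: record the approved membership and stop
    $current | Export-Csv -Path $BaselinePath -NoTypeInformation
    Write-Output "Baseline written to $BaselinePath."
    return
}

$baseline = Import-Csv -Path $BaselinePath

# Compare on SID: '=>' is present now but not in the baseline (added),
# '<=' is present in the baseline but missing now (removed).
$diff = Compare-Object -ReferenceObject $baseline -DifferenceObject $current `
                       -Property SID -PassThru

if (-not $diff) {
    Write-Output "No membership change for $GroupName."
} else {
    $diff | ForEach-Object {
        [pscustomobject]@{
            Change            = if ($_.SideIndicator -eq '=>') { 'Added' } else { 'Removed' }
            SamAccountName    = $_.SamAccountName
            ObjectClass       = $_.objectClass
            DistinguishedName = $_.distinguishedName
        }
    } | Format-Table -AutoSize
}
```

Once a reported change has been approved, overwrite the baseline with a fresh export so the next run compares against the new approved state.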
View the Output in an Interactive Table
To display the output in an interactive table, use the Out-GridView cmdlet:
Get-ADGroupMember -Identity VPN | Select-Object name, objectClass, distinguishedName | Out-GridView
In the resulting table, you can easily reorder the columns, sort the rows, filter the data, and more.
List the Members of Global (or Universal) Groups Only
To list the members of Global groups only, use Get-ADGroup with Get-ADGroupMember as shown here:
Get-ADGroup -Filter {GroupScope -eq "Global"} | Get-ADGroupMember | Select-Object name, objectClass, distinguishedName
Display Additional Information about Group Members
The Get-ADGroupMember cmdlet returns only the information held in the group’s ‘member’ attribute, which consists of each member’s distinguished name (its CN, OU and domain components), not the member’s other attributes.
If you need additional information, such as members’ email addresses and display names, then you can pipe the output of Get-ADGroupMember into the Get-ADUser cmdlet and specify the additional properties you want to see, as follows:
Get-ADGroupMember -Identity Office365-E3 | Get-ADUser -Properties DisplayName,EmailAddress | Select Name,DisplayName,EmailAddress,SAMAccountName
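Piping every member straight into Get-ADUser works only while the group contains nothing but users; as the object-class filtering section above shows, a group can also hold computers and nested groups, and Get-ADUser raises an error for those. The following added example (not from the original article) resolves each member with the cmdlet matching its objectClass and surfaces disabled and long-idle accounts; it assumes the ActiveDirectory module, and 'Office365-E3' is the group name used in the article.

```powershell
# Added example: resolve each member with the cmdlet that matches its objectClass.
# Assumes the ActiveDirectory module; 'Office365-E3' is the article's group name.
Import-Module ActiveDirectory

function Get-GroupMemberDetail {
    param([Parameter(Mandatory)] [string] $Group)

    foreach ($m in Get-ADGroupMember -Identity $Group) {
        switch ($m.objectClass) {
            'user' {
                $u = Get-ADUser -Identity $m.distinguishedName -Properties EmailAddress, LastLogonDate
                [pscustomobject]@{
                    ObjectClass = 'user'; Name = $u.SamAccountName; Detail = $u.EmailAddress
                    Enabled = $u.Enabled; LastLogonDate = $u.LastLogonDate
                }
            }
            'computer' {
                $c = Get-ADComputer -Identity $m.distinguishedName -Properties OperatingSystem, LastLogonDate
                [pscustomobject]@{
                    ObjectClass = 'computer'; Name = $c.Name; Detail = $c.OperatingSystem
                    Enabled = $c.Enabled; LastLogonDate = $c.LastLogonDate
                }
            }
            'group' {
                # Nested group: report its scope; expand it separately if its members are needed
                $g = Get-ADGroup -Identity $m.distinguishedName
                [pscustomobject]@{
                    ObjectClass = 'group'; Name = $g.Name; Detail = "$($g.GroupScope) group"
                    Enabled = $null; LastLogonDate = $null
                }
            }
            default {
                # Anything else, e.g. a foreign security principal from a trusted domain
                [pscustomobject]@{
                    ObjectClass = $m.objectClass; Name = $m.Name; Detail = $m.distinguishedName
                    Enabled = $null; LastLogonDate = $null
                }
            }
        }
    }
}

# Disabled or long-idle accounts that still hold a licence or a privilege deserve review
Get-GroupMemberDetail -Group 'Office365-E3' |
    Sort-Object ObjectClass, Name |
    Format-Table -AutoSize
```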