Groups in Active Directory let you assign permissions and applications to many users at once. But how do you get the full list of members of a group?
One way is to read the group's "member" attribute directly with Get-ADGroup. The attribute is not returned by default, so request it with -Properties and expand it to get one distinguished name per line:
Get-ADGroup -Identity VPN -Properties member | Select-Object -ExpandProperty member
Limitations of Get-ADGroupMember
The Get-ADGroupMember cmdlet has a limitation. It resolves the entries in the group's 'member' attribute and returns each one as an ADPrincipal object that carries only a handful of identity properties: distinguished name, name, object class, object GUID, SamAccountName and SID. In addition, the Active Directory Web Services endpoint it talks to refuses, by default, to return more than 5,000 members for a single group ("The size limit for this request was exceeded"), a limit controlled by the MaxGroupOrMemberEntries setting on the domain controller.
In most circumstances, a bare list of group members is not what you are after. You will usually want more information about each member, such as the email address and display name, which means piping the result into Get-ADUser (or Get-ADComputer, or Get-ADGroup) as shown later in this article.
Using Get-ADGroupMember in Powershell
The Get-ADGroupMember command-let in PowerShell lists the members of an Active Directory group; its output can then be exported, or piped to other cmdlets to update the members in bulk.
The command-let returns one object per member. Users, groups, and computers can all be members. If you type the cmdlet on its own in a PowerShell window, you will be prompted for the group name, because the Identity parameter is mandatory.
Get-ADGroupMember Parameters
We will discuss the following here:
- Identity Parameter
- Select-Object Helping Command-let
- Get Nested-Group Member
- Recursive Parameter
Identity parameter
The Identity parameter specifies the group to access within AD. A group’s distinguished name, GUID, security identifier, or Security Account Manager (SAM) account name can all be used to identify it.
By default the cmdlet prints each member as a list of property/value pairs, and only the few identity properties mentioned above are available. To view the same information as a table, pipe the output to Format-Table (alias ft):
Get-ADGroupMember -Identity Office365-E3 | ft
Select-Object Helping Command-let
You can achieve similar results by adding the Select-Object helping command-let to get your desired set of properties.
Get-ADGroupMember -Identity Office365-E3 | Select-Object name, objectClass,distinguishedName
Get Nested-Group Member
In Active Directory, nesting groups inside other groups is common practice. It lets you grant permissions and policies to users based on their membership in a department or role group, without adding each user to every resource group.
Example: let's assume that the groups of five departments (Sales, Operations, Marketing, Finance and Engineering) are nested in a group named "TestOrg8-Versacorp".
We can't just run Get-ADGroupMember against TestOrg8-Versacorp to find the users who actually have access, because it reads only the direct entries of the 'member' attribute and so returns just the five department groups, i.e., Sales, Operations, Marketing, Finance, and Engineering.
Recursive Parameter
We can use the -Recursive parameter to look inside the five nested groups. With this parameter, Get-ADGroupMember walks the whole nesting hierarchy and returns only the leaf objects (users and computers); the intermediate groups themselves are not listed. It is as:
Get-ADGroupMember -Identity TestOrg8-Versacorp -Recursive | ft
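The flat list produced by -Recursive tells you who ends up with access, but not which nested group granted it, and that "via" path is exactly what an access review needs. The following function, an added example that is not part of the original article, walks the nesting manually and records the chain of groups for every leaf member. It assumes the ActiveDirectory module is available and uses the article's group name TestOrg8-Versacorp, which is only assumed to exist. Because AD permits circular nesting, a visited set stops the walk from looping.

```powershell
# Added example (not from the original article): report each leaf member together
# with the chain of groups it inherits membership through.
# Assumes the ActiveDirectory module; 'TestOrg8-Versacorp' is the article's example
# group and is only assumed to exist in your domain.
Import-Module ActiveDirectory

function Get-NestedGroupMemberPath {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Identity,
        # Internal: names of the groups already traversed to reach $Identity
        [string[]] $Path = @(),
        # Internal: DNs already visited; AD allows circular nesting, so guard against loops
        [System.Collections.Generic.HashSet[string]] $Visited =
            [System.Collections.Generic.HashSet[string]]::new()
    )

    $group = Get-ADGroup -Identity $Identity
    if (-not $Visited.Add($group.DistinguishedName)) {
        Write-Warning "Circular nesting detected at $($group.Name); skipping"
        return
    }
    $currentPath = $Path + $group.Name

    # Direct members only: recursion below supplies the nesting, and the path is kept
    foreach ($member in (Get-ADGroupMember -Identity $group.DistinguishedName)) {
        switch ($member.objectClass) {
            'group' {
                Get-NestedGroupMemberPath -Identity $member.DistinguishedName `
                                          -Path $currentPath -Visited $Visited
            }
            default {
                # Users, computers, and anything else that cannot contain members
                [pscustomobject]@{
                    Member      = $member.SamAccountName
                    ObjectClass = $member.objectClass
                    Depth       = $currentPath.Count - 1
                    Via         = ($currentPath -join ' > ')
                }
            }
        }
    }
}

# A user in the Sales group is reported with Via = 'TestOrg8-Versacorp > Sales'
Get-NestedGroupMemberPath -Identity 'TestOrg8-Versacorp' |
    Sort-Object Depth, Member |
    Format-Table -AutoSize
```

A user who is reachable through two different nested groups appears twice, once per path, which is deliberate: removing the user from one group does not revoke access while the other path remains.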
Examples of Get-ADGroupMember
We can use Get-ADGroupMember to:
- Filter a Specific Object Type from Group Membership
- Export AD Group Members’ Email Addresses to CSV
- Export AD Group Members from a Specific OU to CSV
Get a Specific Object Type in Group Membership
When a group contains users, nested groups, and computers as members, you may want to extract only the user members. Alternatively, extract the nested groups or computers only.
To do so, we can use the object class of the group member to filter the results. This can be a user, a computer, or a group. Following are the varying object classes to get objects in group memberships via the Get-ADGroupMember cmdlet:
- $_.objectClass -eq “user”
- $_.objectClass -eq “group”
- $_.objectClass -eq “computer”
Filtering Users From a Group
Following is the syntax for the Get-ADGroupMember cmdlet to filter users from groups:
Get-ADGroupMember -Identity VPN | Where-Object {$_.objectClass -eq "user"} | ft
Filtering Nested Groups
Following is the syntax for the Get-ADGroupMember cmdlet to filter groups:
Get-ADGroupMember -Identity VPN | Where-Object {$_.objectClass -eq "group"} | ft
Filtering Computer Objects
Following is the syntax for the Get-ADGroupMember cmdlet to filter computer objects:
Get-ADGroupMember -Identity VPN | Where-Object {$_.objectClass -eq "computer"} | ft
Export AD Group Members’ Email Addresses to CSV
You can export the email addresses of AD Group members to a CSV file along with other attributes, like name, department, title, and employee ID.
Use Get-ADGroupMember to get the members of an Active Directory group and export to a CSV file, as shown below.
Get-ADGroupMember -Identity Office365-E3 | Where-Object {$_.objectClass -eq "user"} | Get-ADUser -Properties mail,department,title,employeeID | Select-Object Name,mail,department,title,employeeID | Export-Csv -Path C:\adgroupmemberslist.csv -NoTypeInformation
Here,
- The Get-ADGroupMember command-let gets the members of the AD group and passes them down the pipeline. The Where-Object filter keeps only user objects: if the group also contains computers or nested groups, Get-ADUser would throw an error for those members.
- Get-ADUser retrieves the extra properties of each user, such as email address (mail), department, title, and employee ID. Only the required attributes are requested rather than -Properties *, which pulls every attribute of every user and is slow on large groups. Select-Object then keeps just the columns for the report.
- The Export-Csv command-let writes the selected properties of the group members to a CSV file.
Export AD Group Members from a Specific OU
Users, computers, and group objects are organized in OUs (and a few built-in containers, such as CN=Users) within Active Directory.
Run the following PowerShell script to export the members of every group in a specified OU to a CSV file, with the group name and the member's Active Directory name.
$OU = 'OU=Lawson,DC=Knox,DC=lab'
# Get the groups that live in the specified OU
$adGroups = Get-ADGroup -Filter * -SearchBase $OU
# Iterate through the groups and collect the group name and the member name
$adGroupMembers = foreach ($Group in $adGroups) {
    Get-ADGroupMember -Identity $Group -Recursive |
        Select-Object @{Name='Group';Expression={$Group.Name}},
                      @{Name='Member';Expression={$_.Name}}
}
# Export the group name and member pairs to a CSV file
$adGroupMembers | Export-Csv -Path C:\adGroupMembers.csv -NoTypeInformation
In a previous blog, AD User Management via Set-ADUser, I have used Windows PowerShell ISE, which is more appropriate for PowerShell scripting like the above.
In the PowerShell script above:
- The first instruction defines the distinguished name of the OU. Get-ADGroup with -SearchBase then retrieves the groups that live in that OU.
- The foreach loop runs Get-ADGroupMember -Recursive against each group and builds one row per member containing:
- the group name
- the name of each member (user or computer) belonging to that group, including members inherited through nested groups
- The Export-Csv command-let writes the rows for the specified OU to a CSV file.
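A one-off export answers "who is in the group today"; the security question is usually "who was added since the last review". The script below, an added example that is not part of the original article, extends both export examples above: it snapshots a group's effective user membership, compares it with the CSV from the previous run, and reports additions and removals. Members are matched on SID rather than name, so a rename does not look like a remove plus an add. It assumes the ActiveDirectory module, uses the article's group name Office365-E3, and the snapshot path and the sample rows in the self-check are constructed for this example.

```powershell
# Added example (not from the original article): detect group membership changes by
# comparing the current membership with the previous CSV export.
# Assumes the ActiveDirectory module; 'Office365-E3' is the article's example group
# and $snapshotPath is a constructed location for this example.
Import-Module ActiveDirectory

function Get-GroupMembershipSnapshot {
    param([Parameter(Mandatory)] [string] $Identity)
    # -Recursive so that a user added through a nested group is caught as well
    Get-ADGroupMember -Identity $Identity -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Select-Object @{n='Group'; e={ $Identity }},
                      SamAccountName,
                      DistinguishedName,
                      @{n='SID'; e={ $_.SID.Value }}   # string form survives the CSV round trip
}

function Compare-GroupMembership {
    param(
        [object[]] $Baseline = @(),   # rows imported from the earlier CSV
        [object[]] $Current  = @()    # rows from Get-GroupMembershipSnapshot
    )
    # Index both sides by SID; hashtables are used instead of Compare-Object so that
    # an empty baseline (first run) is handled without special cases
    $before = @{}; foreach ($r in $Baseline) { $before[[string]$r.SID] = $r }
    $after  = @{}; foreach ($r in $Current)  { $after[[string]$r.SID]  = $r }

    foreach ($sid in $after.Keys) {
        if (-not $before.ContainsKey($sid)) {
            [pscustomobject]@{ Change = 'Added';   SamAccountName = $after[$sid].SamAccountName;  SID = $sid }
        }
    }
    foreach ($sid in $before.Keys) {
        if (-not $after.ContainsKey($sid)) {
            [pscustomobject]@{ Change = 'Removed'; SamAccountName = $before[$sid].SamAccountName; SID = $sid }
        }
    }
}

# Self-check with constructed rows (no domain needed): expect 'bob' Added and 'carol' Removed
$sampleBaseline = @(
    [pscustomobject]@{ SamAccountName = 'alice'; SID = 'S-1-5-21-1-1-1-1001' }
    [pscustomobject]@{ SamAccountName = 'carol'; SID = 'S-1-5-21-1-1-1-1003' }
)
$sampleCurrent = @(
    [pscustomobject]@{ SamAccountName = 'alice'; SID = 'S-1-5-21-1-1-1-1001' }
    [pscustomobject]@{ SamAccountName = 'bob';   SID = 'S-1-5-21-1-1-1-1002' }
)
Compare-GroupMembership -Baseline $sampleBaseline -Current $sampleCurrent | Format-Table -AutoSize

# Real run against the domain: diff against the last export, then overwrite it
$snapshotPath = 'C:\Office365-E3-members.csv'   # constructed path for this example
$current = Get-GroupMembershipSnapshot -Identity 'Office365-E3'
if (Test-Path $snapshotPath) {
    $baseline = Import-Csv -Path $snapshotPath
    Compare-GroupMembership -Baseline $baseline -Current $current | Format-Table -AutoSize
}
$current | Export-Csv -Path $snapshotPath -NoTypeInformation   # becomes the next run's baseline
```

Run it on a schedule for sensitive groups (VPN access, licensing, administrative roles) and any Added row that has no matching change ticket is worth a question.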
Extract Output using the Out-GridView Cmdlet
The Out-GridView cmdlet sends a command's output to a separate grid view window, which displays it as an interactive table.
To review your data, you can use the following table features:
- Hide, show, or reorder the columns
- Sort the rows
- Filter quickly
- Filter by criteria
- Copy and paste
Get-ADGroupMember -Identity VPN | Select-Object name, objectClass,distinguishedName | Out-GridView
Using Get-ADGroup with Get-ADGroupMember
You can combine Get-ADGroup with Get-ADGroupMember to select groups by a property first and then list their members.
For example, the following command queries every group in the domain whose scope is Global and lists the members of each one; change the -Filter value to "DomainLocal" or "Universal" to target the other scopes:
Get-ADGroup -Filter {GroupScope -eq "Global"} | Get-ADGroupMember | Select-Object name, objectClass,distinguishedName
Using Get-ADGroupMember with Get-ADUser
Get-ADGroupMember returns one principal object per member, and Get-ADUser accepts those objects through the pipeline. You can therefore list the members of a group with Get-ADGroupMember and feed them straight into Get-ADUser to fetch user attributes that Get-ADGroupMember does not return, such as the display name and email address. Note that Get-ADUser will report an error for any member that is not a user (a computer or a nested group).
Get-ADGroupMember -Identity Office365-E3 | Get-ADUser -Properties DisplayName,EmailAddress | Select Name,DisplayName,EmailAddress,SAMAccountName
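When a group mixes users, computers and nested groups, piping everything into Get-ADUser is the wrong tool for part of the membership. The function below, an added example that is not part of the original article, routes each member to the cmdlet that matches its objectClass and keeps going past any member it cannot resolve, such as a foreign security principal from a trusted domain, for which only the SID is known locally. It assumes the ActiveDirectory module and uses the article's group name VPN, which is only assumed to exist.

```powershell
# Added example (not from the original article): resolve every member of a group to the
# object type it really is, instead of assuming all members are users.
# Assumes the ActiveDirectory module; 'VPN' is the article's example group name.
Import-Module ActiveDirectory

function Resolve-ADGroupMember {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string] $Identity)

    foreach ($member in (Get-ADGroupMember -Identity $Identity)) {
        try {
            switch ($member.objectClass) {
                'user' {
                    # DisplayName and EmailAddress are not default properties, so request them
                    $u = Get-ADUser -Identity $member.DistinguishedName -Properties DisplayName, EmailAddress
                    [pscustomobject]@{ Type = 'User';     Name = $u.SamAccountName; Display = $u.DisplayName
                                       Detail = $u.EmailAddress;    Enabled = $u.Enabled }
                }
                'computer' {
                    $c = Get-ADComputer -Identity $member.DistinguishedName -Properties OperatingSystem
                    [pscustomobject]@{ Type = 'Computer'; Name = $c.Name;           Display = $c.DNSHostName
                                       Detail = $c.OperatingSystem; Enabled = $c.Enabled }
                }
                'group' {
                    $g = Get-ADGroup -Identity $member.DistinguishedName -Properties Description
                    [pscustomobject]@{ Type = 'Group';    Name = $g.SamAccountName; Display = $g.GroupScope
                                       Detail = $g.Description;     Enabled = $null }
                }
                default {
                    # e.g. foreignSecurityPrincipal: the object in this domain holds only the SID
                    [pscustomobject]@{ Type = $member.objectClass; Name = $member.SID.Value; Display = $member.Name
                                       Detail = $member.DistinguishedName; Enabled = $null }
                }
            }
        }
        catch {
            # A failed lookup (deleted object, access denied) must not abort the whole listing
            Write-Warning "Could not resolve $($member.DistinguishedName): $($_.Exception.Message)"
        }
    }
}

Resolve-ADGroupMember -Identity 'VPN' | Sort-Object Type, Name | Format-Table -AutoSize
```

The Enabled column is the reason to bother: a disabled user or a stale computer account that still sits in an access group is a common finding in an AD review, and the plain Get-ADGroupMember output gives no hint of it.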
Jonathan Blackwell
Since 2012, Jonathan Blackwell, an engineer and innovator, has provided engineering leadership that has put GroupID at the forefront of group and user management for Active Directory and Azure AD environments. His experience in development, marketing, and sales allows Jonathan to fully understand the Identity market and how buyers think.