Get-ADGroup Cmdlet – Definition
Get-ADGroup primarily enables IT admins to retrieve information pertaining to Active Directory groups as follows:
- You can identify a group in many ways like its Distinguished Name, GUID, SID or SAM Account Name.
- You can use Filter and LDAP Filter to fetch information about multiple groups from Active Directory. Use PowerShell Expression Language to create queries that make up the filter condition; it also enables type conversion to various types.
- Additionally, you can define a group object variable, like $GroupObject.
Get-ADGroup searches some of the default properties of a group object. To specifically search for other properties, use the Properties parameter.
Get-ADGroup – Syntax
Get-ADGroup most commonly uses the following parameters:
- Identity
- Filter
- LDAPFilter
Following is a sample syntax for this cmdlet. Later we will use several examples to define the parameters and their values based on the scenarios.
Get-ADGroup [-AuthType ] [-Credential ] [-Identity] -Filter -LDAPFilter [-Properties <String[]>] [-ResultPageSize ] [-ResultSetSize ] [-SearchBase ] [-SearchScope ] [-Server ] [-ShowMemberTimeToLive] []
Table Of Contents
-
Get-ADGroup – Definition
-
Get-ADGroup – Syntax
-
Get-ADGroup – Parameters
-
Get Groups using the Identity Parameter
-
Using the Filter Parameter
-
Get the Properties for a Group
-
Search all Groups Based on Filter Query
-
Search a Group by SAMAccountName
-
Search a Group by SID (Security Identifier)
-
Search AD Group with Filter again
-
Get Count of AD Groups
-
Search AD Groups Managed by a Specific User
-
Search Groups for Group Type and Scope
-
Search Groups Based on OU
-
Search Groups Based on an OU and Sub-OUs
-
Search Groups from a Different Server
-
Search Groups using LDAPFilter
-
Export the Results to CSV Format
-
GroupID by Imanami
-
GroupID Management Shell
-
Conclusion
Get-ADGroup Cmdlet- Parameters
The Get-ADGroup cmdlet commonly uses the following parameters:
- Credentials
- AuthType
- Identity
- Filter
- LDAPFilter
- Properties
- ResultPageSize
- ResultSetSize
- SearchBase
- SearchScope
- Server
Credential
Credential parameter can be used to provide alternate credentials to run the PowerShell commands.
- By default, PowerShell uses the logged-on user’s credentials to run commands and script.
- To use Credential parameter, you can provide username to this parameter, and you will be prompted for the password.
- You can also create a variable and assign credentials to that, then such variable can be used within the command or script.
If the used credentials do not have the appropriate permissions in Active Directory to perform the cmdlet or script operations, PowerShell returns an error.
Authtype
Authtype parameter specifies the type of authentication to employ. The following are valid values for it:
- Negotiate or 0
- Basic or 1
Negotiate is the standard authentication technique. The Basic authentication technique requires a Secure Sockets Layer (SSL) connection.
Identity
Identity is a required parameter for Get-ADGroup Cmdlet. You can provide an Active Directory group as value that needs to be searched. For example, the following can be provided as value to identify the required group:
- Distinguished Name
- GUID
- SID
- Display name
- Canonical name
- SAM account name
Identity parameter accepts pipeline input, but you cannot use wildcard characters.
Filter Parameter
You can use a query string in Filter parameter to search for objects in Active Directory.
The string should conform to the PowerShell Expression Language syntax. For the value types that the Filter parameter receives, the PowerShell Expression Language syntax offers comprehensive type-conversion support. The operator is positioned between the attribute and the value because the syntax utilizes an in-order representation.
Here are some examples of the filter parameter.
Get-ADGroup -Filter “GroupCategory -eq ’Security’” Get-ADGroup -Filter “GroupScope -eq ‘Global’”
Most of your requirements should be met by the following operators:
| Operator | Meaning | Sample expression |
|---|---|---|
| -eq | Equal to | Name -eq “G.U.Marketing” |
| -ne | Not equal to | GroupType -ne “-2147483640” |
| -gt | Greater than | Modified -gt “01-06-2021” |
| -ge | Greater than or equal | Created -ge “01-01-2018” |
| -lt | Less than | Modified -lt “01-02-2021” |
| -le | Less than or equal | Created -le “01-01-2018” |
| -like | Wildcard search | extensionAttribute1 -like “*” |
| -notlike | Wildcard search with negation | Name -notlike “Exchange*” |
| -and | And | Name -like “G.U.*” -and Name -like “*legal*” |
| -or | Or | Name -like “*marketing*” -or Name -like “*legal*” |
Please take note of the following in the examples above:
- Put apostrophes around the value(s) being compared.
- Use -like ‘*’ and -notlike ‘*’ to locate empty or full values.
The code snippets provided below should help you organize your Get-ADGroup search queries’ filters in a proper way:
Get-ADGroup -Filter 'Name -eq "Marketing"' Get-ADGroup -Filter 'GroupType -ne "-2147583640"' Get-ADGroup -Filter 'Modified -gt "01-07-2020"' Get-ADGroup -Filter 'Created -ge "01-07-2017"' Get-ADGroup -Filter 'Modified -lt "02-02-2020"' Get-ADGroup -Filter 'Created -le "05-05-2016"' Get-ADGroup -Filter 'extensionAttribute5 -like "*"' Get-ADGroup -Filter 'Name -notlike "Exchange*"' Get-ADGroup -Filter 'Name -like "F.M.*" -and Name -like "*HR*"' Get-ADGroup -Filter 'Name -like "*finance*" -or Name -like "*Manager*"'
LDAP Filter Parameter
You can specify an LDAP query string that can be used to filter group objects in Active Directory.
You can execute your current LDAP queries using this option. The LDAP syntax’s functionality is supported by the Filter parameter syntax as well.The datatype of this parameter is a string. You cannot use a pipeline with this parameter.
Partition Parameter
Partition parameter is used to define the distinguished name of the Active Directory partition you want to search.
One of the current directory server’s naming contexts should be the distinguished name. This partition will be searched to find the objects on the bases of the defined value in the Identity parameter. If no value is provided, the default value of the current directory partition is used.
Below are some rules for setting the default value for Partition in Active Directory Domain Services (AD DS) environments. Keep in mind that the rules that are mentioned first are assessed first, and once a default value has been established, no more rules are examined.
- If the Identity is set to a distinguished name, this distinguished name will automatically be used as the default value for Partition.
- When using an Active Directory provider drive to run commands, the default value of Partition is created automatically based on the drive’s current path.
- If none of the scenarios occur, the target domain’s default partition or naming context is assigned as the default value for Partition.
Properties
By default, only some of the common properties of an object are returned when you use the identity parameter only.
To display specific properties of an object, use the properties parameter and the name of the property you want to see.
- You can specify the properties to view with a comma-separated list of property names.
- To display all the properties, use * (asterisk) with the properties parameter.
- Use the property’s name to refer to a specific extended property.
- For properties that are not default or extended properties, you must supply the LDAP display name of the property.
ResultPageSize
This indicates how many objects will be shown on a single page of the inquiry. It uses the value as int32. 256 is the default. This parameter does not accept wildcard characters or pipeline input.
ResultSetSize
The maximum number of objects that the search should return is indicated by this parameter. Int32 is used as value. This parameter does not accept wildcard characters or pipeline input.
SearchBase
This parameter is used to provide the search base as an OU’s distinguished name, so the search returns all the results within that OU. When this parameter is not used, PowerShell runs the cmdlet for the target domain.
SearchScope
This parameter specifies the scope of a search within an OU defined in the SearchBase parameter. There are three possible values for this parameter: 0, 1, and 2. See Search Groups Based on an OU and Sub-OUs for details.
Server
Using this parameter, you can specify an instance or server for an Active Directory Domain Services. You can use the fully qualified domain name or the NetBIOS name of the directory service server. You can also use the port with FQDN.
Get Groups Using the Identity Parameter
Use the identity parameter to simply provide the display name, GUID, DN (distinguished name) or samAccountName of the group object you want to search and see the properties. Following is an example of the Administrators group and its default properties.
Get-ADGroup -Identity Administrators
Using the Filter Parameter
If you need to search for specific group or multiple groups, you can use filter parameter with an argument. Or if you want to search for all the groups without any filter condition, you can use wildcard (asterisk) with filter parameter. It is as shown below:
Get-ADGroup -Filter *
Get the Properties for a Group
By default, when you only use the group name with identity parameters, only a handful of properties are displayed in PowerShell. But if you want to see all the properties of a group, use the following cmdlet, which uses the properties parameter with wildcard (* asterisk).
Get-ADGroup -Identity Administrators -Properties *
Search all Groups Based on Filter Query
As we mentioned above for the Filter examples, using filter with wildcard will return all the groups in the domain. To get the desired groups using the filter parameter, you can use a specific query. For example, if you want to search all the groups with the word “Sales” in their name, you can construct the query as shown below. The operators that can be used are discussed in the Filter section.
Get-ADGroup -filter {name -like '*Sales*'} | Select name
Search a Group by SAMAccountName
You can use the SAMAccountName in the identity parameter to search a group by its SAMAccountName, as shown below:
Get-ADGroup -Identity "NBC Corp"
Search a Group by SID (Security Identifier)
A security identifier is important because it is used to store group permissions in ACL (Access Control List). To search for a group with a specific SID, you can use the following command. We have also used the member property to show the group’s membership.
Get-ADGroup -Identity S-1-5-21-2144973983-3571309751-2556536001-2690 -Properties member
Search AD Group with Filter again
Here we have used another example of the filter parameter with extended properties like name, mail, and membership shown in the result. Notice that the syntax of the filter argument is typed in a different format than the previous example.
Get-ADGroup -Filter "name -like '*finance*'" -Properties * | select name,mail,member
Get Count of AD Groups
If you want to get the total count of group objects in the domain, use the Get-ADGroup cmdlet with the Count command, as shown below. To retrieve all the groups from the domain, we have used the filter parameter with wildcard.
(Get-ADGroup -Filter '*').Count
Search AD Groups Managed by a Specific User
If you want to look for groups owned by a specific user or builtin administrator, use the following filter in the command to retrieve those groups.
Get-ADGroup -Filter 'managedby -eq "administrator"'
Notice in the above screenshot that results are shown with default properties and when there are too many results, it becomes difficult to analyze the details. So, to narrow down the properties, we can use the name and distinguished name of the groups owned by a specific user, so that the administrator can analyze the distinguished name of a group to know its name and location. It is as shown below:
Get-ADGroup -Filter 'managedby -eq "administrator"' -Properties * | select Name,distinguishedname
Search Groups for Group Type and Scope
If you want to search for groups based on their group type (i.e., security or distribution) and then further filter them by group scope (i.e., universal, global, or domain local), you can use the following cmdlet with filters. Again, results will be shown with default properties, so we have used name as extended property and shown only the names in the results, as in the screenshot below.
Get-ADGroup -Filter 'GroupCategory -eq "Security" -and GroupScope -ne "DomainLocal"' -Properties * | select name
Search Groups Based on OU
If you want to search groups in a specific OU, you can use the following cmdlet with the SearchBase parameter, with a value as distinguished name of the OU you want to search group objects in.
Get-ADGroup -Filter "GroupScope -eq 'DomainLocal'" -SearchBase "OU=NBC,DC=milkyway,DC=local" | select name
Search Groups Based on an OU and Sub-OUs
If you want to search groups in a specific OU and its sub-OUs, use the SearchScope parameter. The Search scope parameter accepts values as follows.
- Base or 0
- OneLevel or 1
- Subtree or 2
The Search Scope parameter is only used in conjunction with the Search Base parameter.
- When you specify the base value, the cmdlet only searches in the OU provided in the Search Base parameter.
- OneLevel provides the facility to search in immediate child OUs.
- Subtree value provides the functionality to search in all sub-OUs under the OU defined in the Search Base parameter.
You can use the example below for reference.
Get-ADGroup -Filter * -SearchBase "OU=BaseOU,DC=milkyway,DC=local" -SearchScope OneLevel | select name
Get-ADGroup -Filter * -SearchBase "OU=BaseOU,DC=milkyway,DC=local" -SearchScope Subtree | select name
Search Groups from a Different Server
If you want to search for group objects on a particular domain controller, you can use the Server parameter, as shown below.
Get-ADGroup -Filter * -SearchBase "OU=BaseOU,DC=milkyway,DC=local" -Server dcexch2013.milkyway.local | select name
Search Groups using LDAPFilter
If you want to search objects using LDAP filter, use the syntax given below to find groups. We have used the Search Base and Search Scope parameters to limit the search further.
Get-ADGroup -LDAPFilter "(name=NBC*)" -SearchScope Subtree -SearchBase "OU=BaseOU,DC=milkyway,DC=local" | select name
Export the Results to CSV Format
Get-ADGroup -Filter "name -like 'NBC*'" -Properties * | select name,mail,groupscope
The above cmdlet will show the results in PowerShell, as shown below.
You can simply add Export-CSV with the path where you want to save the CSV file, as shown below.
Get-ADGroup -Filter "name -like 'NBC*'" -Properties * | select name,mail,groupscope | Export-CSV C:\TestFolder\GroupsResult.csv
Here is a screenshot of the results in the form of a CSV file:
Below is another example to see the distinguished name of the group objects to find out their location in the domain.
Get-ADGroup -Filter "name -like 'NBC*'" -Properties * | select name,mail,distinguishedname | Export-CSV C:\TestFolder\GroupsResult.csv
GroupID by Imanami
When it comes to searching Active Directory, GroupID by Imanami, an Identity and Access management application, provides an easy-to-use graphical user interface to search and modify user, contact, and group objects. GroupID Self-Service portal provides a web-based interface that simplifies user and group management tasks for Active Directory administrators. Administrators can also empower end-users to update their profiles and manage their own groups.
The group search function in GroupID mainly offers five capabilities along with other powerful features.
- The Self-Service portal provides a quick search option for searching Active Directory for user, group, and contact objects by their name, display name, and canonical name properties.
- Besides that, there is an Advanced Search option, where you can narrow down the search, limit the object scope, and search by additional properties.
- There is a group search functionality specifically for groups only.
- You can easily export the results.
- Groups are sorted into My Groups, My Memberships, My Expiring Groups, My Expired Groups, and My Deleted Groups, with a separate tab dedicated to each type.
Advanced Search View
GroupID Management Shell
GroupID Management Shell is an interface used for managing objects, such as users, contacts, mailboxes, static groups, Smart groups, and Dynasties, in identity stores based on Active Directory and Azure.
GroupID Management Shell is created using Microsoft Windows PowerShell technology. It provides a platform for many of the activities that GroupID can carry out, including support for tasks that GroupID Management Console does not provide.
GroupID Management Shell has a cmdlet similar to Get-ADGroup, namely Get-Group This cmdlet can perform almost all the tasks that Get-ADGroup does. Below is a description of the Get-Group command within GroupID Management Shell.
Conclusion
In this blog, first we have discussed how an AD administrator can find the group objects using ADUC and export them, along with the limitations in that process. Then we have discussed the syntax of the Get-ADGroup cmdlet, parameter description, followed by using several common parameters in a number of examples related to day-to-day activities. Lastly, we have provided an example of how to export the results using the Export-CSV cmdlet. Overall, we have described the Get-ADGroup cmdlet in a manner such that end-users from basic to advanced level can benefit from it.
Jonathan Blackwell
View ProfileSince 2012, Jonathan Blackwell, an engineer and innovator, has provided engineering leadership that has put GroupID at the forefront of group and user management for Active Directory and Azure AD environments. His experience in development, marketing, and sales allows Jonathan to fully understand the Identity market and how buyers think.