A popular use of PowerShell is working with Active Directory Directory Services (AD). There are so many time-saving things PowerShell can do with AD objects. Using the PowerShell Get-ADGroupMember
cmdlet and other cmdlets can save you a ton of time.
Active Directory groups are a great way to segment out user accounts. Groups allow admins to define resource access across many systems.
In this article, let’s use PowerShell to get AD group members and export AD group members. You can then use this information to generate tons of interesting reports.
Manage and Report Active Directory, Exchange and Microsoft 365 with ManageEngine ADManager Plus. Download Free Trial!
Prerequisites
If you’d like to follow along in this article, please be sure you have the following requirements ready to go:
- Working on a Windows 10, domain-joined computer
- Logged in with a user that can read AD group and user accounts
- Have the PowerShell Active Directory module installed
Learning the Basics
To query AD groups and group members, you have two PowerShell cmdlets at your disposal – Get-AdGroup
and Get-AdGroupMember
.
Get-ADGroup
queries a domain controller and returns AD group objects. Get-AdGroupMember
looks inside of each group and returns all user accounts, groups, contacts and other objects that exist in that group.
Getting AD Groups
To find AD groups with PowerShell, you can use the Get-ADGroup
cmdlet. With no parameters, Get-ADGroup
will query AD and return all groups in a domain using the Filter
parameter. The Filter
parameter is required. It exists to limit the groups returned based on various criteria.
For example, to find all groups without regard for any criteria, use Get-ADGroup
and specify a wildcard (asterisk) for the Filter
parameter. You can see an example below. Scrolling through all of these groups may take awhile if you have hundreds or even thousands in your domain.
Get-ADGroup -Filter *
If you need to find a single group, you can use the Identity
parameter.
The Identity
parameter is a common parameter amongst all Active Directory PowerShell cmdlets. It allows you to limit your query down to a single AD object. For example, if you needed to check if a group called HR existed, you could find out by running the command below.
Get-ADGroup -Identity 'HR'
Getting AD Group Members with Get-AdGroupMember
Using PowerShell to list members of AD group requires the Get-ADGroupMember
cmdlet. This cmdlet gets user, group and computer objects in a particular group. Perhaps you need to find all members of the Administrators group. In its simplest form, you’d simply use the Identity
parameter again specifying the name of the group as below.
Get-ADGroupMember -Identity 'Administrators'
Note that
Get-AdGroupMember
only returns group membership for users, groups and computers. It will not return other AD objects like contacts.
Enumerating Group Members inside of Group Members
As you may know, AD groups can not only contain user accounts but other groups also called nesting. When a group is nested inside of another group, the members of that group inherit the same permissions assigned to the parent group.
By default, the PowerShell Get-AdGroupMember
cmdlet does not return nested group members. To remediate that, you can use the Recursive
parameter. For example, you could find members of groups nested inside of the HR group using the Recursive
parameter as shown below.
Get-ADGroupMember -Identity 'HR' -Recursive
Getting Multiple Groups/Members at Once
If you need to query AD for many different groups or group members at once, you can also do that using a PowerShell foreach loop. A foreach loop runs a command or code for each item in a collection. In this case, that collection will be a list of group names.
Perhaps you need to find all group members in the HR, Accounting, and IT groups. To do that, you’d first create a collection or array of these group names. The example below defines this collection as $groupNames
. Then, for each name in that collection, run Get-ADGroupMember
providing the name of each group to the Identity
parameter.
$groupNames = 'HR','Accounting','IT'
foreach ($group in $groupNames) {
Get-ADGroupMember -Identity $group
}
You could alternatively use the
ForEach-Object
cmdlet to loop over groups.
Using Alternate Credentials
Like many other PowerShell cmdlets, the AD group cmdlets have a Credential
parameter. By default, whenever you run an AD group cmdlet, it uses your logged-in credentials to query Active Directory. This behavior dictates you need to be on a domain-joined computer logged in as an Active Directory user that has permission.
But what if you’re on a workgroup computer or need to authenticate to AD as a different user? In that case, you can use the Credential
parameter. This parameter allows you to specify a username and password to use for authentication.
For example, perhaps your user account doesn’t have the right to perform an AD task. You have a service account with additional rights. You can be logged in as a standard user yet still authenticate with the service account as shown below.
The Get-Credential
cmdlet prompts for a username/password to create a credential. This credential is then passed to the Get-AdGroup
cmdlet for authentication.
Get-ADGroup -Identity 'HR' -Credential (Get-Credential)
The
Credential
parameter is ubiquitous in PowerShell for providing authentication credentials. For more information, read Using the PowerShell Get-Credential cmdlet and all things credentials.
Getting Group Members with Get-ADGroup?
It may sound counterintuitive but you can also get group members with the Get-ADGroup
cmdlet also.
It turns out that Get-ADGroup
returns a property for each group called members
. This is a collection of AD objects that are members of a group.
For example, to find group members in that HR group again without using Get-ADGroupMember
, you could do something like this:
Get-ADGroup -Identity 'HR' -Properties members
Why use this method over the other? The main difference is that the members
properties contains all types of AD objects – not just users, computers, and other groups.
Perhaps you have contacts inside of various groups. When you run Get-ADGroupMember
, those contacts would not show up. But if you tell Get-ADGroup
to return all members in that group along with expanding that collection as shown below, you’ll see the contacts.
Get-ADGroup -Identity 'HR' -Properties members | Select-Object -ExpandProperty members
Finding Specific AD Attributes
In the basics section above, you simply were returning all groups and group members. The information returned for each group and group member is only a subset of the AD attributes associated with each type of object.
Maybe you want to see a user account’s email address, last logon date, or other associated AD attribute? To do this, you’ll need to get creative.
Perhaps you were able to find all of the group members in the HR group but need to also see each user account’s email address?
$groupMembers = (Get-ADGroup -Identity 'HR' -Properties members).members
$groupMembers | Select-Object -Property Name, @{Name='Member';exp={Get-AdUser -Identity $_.Name -Properties emailAddress,lastlogonDate}}
Filtering Results
Up to this point, you’ve found all groups and group members, but in a day-to-day work environment, you rarely need to do this. Chances are, you’ll need to only find a limited number of each item. The AD group cmdlets have a few ways you can handle this.
The Filter
Parameter
As mentioned earlier, both cmdlets have the Filter
parameter. This parameter allows you to limit what is returned in many different ways outside the scope of this article.
Using the Filter
parameter, you can limit results by any AD attribute such as name, group type, email address, last logon for users and so on.
For example, perhaps you want to find only security groups. In that case, you’d specify a GroupCategory
attribute and set a condition to ensure only Security
groups are returned.
Get-ADGroup -Filter 'GroupCategory -eq "Security"'
Maybe you want to find all security groups but they must not be domain local groups. You’d then add another condition (this time using the -ne
operator) to prevent any domain local groups from being returned.
Get-ADGroup -Filter 'GroupCategory -eq "Security" -and GroupScope -ne "DomainLocal"'
If you’d like to learn how to create query filters, be sure to check out Learning Active Directory and LDAP Filters in PowerShell.
Limiting Group Results by Organizational Unit (OU)
Perhaps you have various groups nested in OUs. You don’t necessarily want to find all groups but only groups in a specific OU. In that case, you can use the SearchBase
parameter.
The SearchBase
parameter allows you to specify an OU’s distinguished name (DN) to start searching for groups in. For example, perhaps you have an OU called Locations at the root of your domain. In the Locations OU, you have each location OU created like Austin, NYC, and Los Angeles. You are only looking for groups in the NYC OU and need to restrict seeing the others.
An example AD OU structure is shown below. Notice that other groups exist outside of the Locations OUs.
company.local
- Locations
- Austin
- NYC
- Group 1
- Group 2
- Los Angeles
- Computers
- Group 3
- Group 4
- Service Accounts
Perhaps you need to find all AD groups that are only in the NYC OU. To limit the query, you’d use the SearchBase
parameter providing the DN as shown below. All groups inside of the Locations OU are returned.
Get-ADGroup -Filter '*' -SearchBase 'OU=Locations,OU=NYC,DC=company,DC=pri'
But now you need to find all groups in all OUs under the Locations OU. Get-ADGroup
only returns groups in the Locations OU itself – not in the child OUs.
To return groups inside of child OUs, you’d need to use the SearchScope
parameter. This parameter is similar to the Recursive
parameter in that it will inspect child objects too.
For example, to find all groups in any OU under the Locations OU, specify Subtree
or 2
. This value for SearchScope
tells Get-ADGroup
to recursively look at all children, grand children and on down OUs.
Get-ADGroup -Filter '*' -SearchBase 'OU=Locations,DC=company,DC=pri' -SearchScope 2
For a complete breakdown of SearchScope
parameter options, refer to the Get-ADGroup
documentation.
Exporting AD Groups and Members
So you finally know how to query and return the groups and group members you need. All this information is sent to the PowerShell console. But now you need to get this information into a CSV file or Excel worksheet.
The only thing you need to do now is send all of that information to a file.
Exporting to a CSV
One popular format to export AD information to is a CSV. PowerShell has a handy cmdlet that allows you to easily create CSV files from PowerShell output called Export-Csv
.
You can create a CSV file from any command covered in this article by piping it to Export-Csv
. Using the example below, will redirect all output that Get-AdGroup
would have return to the console, to a CSV file instead.
Get-ADGroup -Filter '*' -SearchBase 'OU=Locations,DC=company,DC=pri' -SearchScope 2 | Export-Csv -Path 'departmental_groups.csv' -NoTypeInformation
For more information on this handy cmdlet, check out Export-Csv: The PowerShell Way to Treat CSV Files as First-Class Citizens.
You can also easily export results to CSV via the Get-AdGroupMember
cmdlet.
Exporting to Excel
PowerShell doesn’t have a native way to export information to Excel. But, you can always download the free community module called ImportExcel. This module brings CSV-like export abilities directly to Excel worksheets. To install the PowerShell module, run Install-Module ImportExcel -Scope CurrentUser
.
Using the example above, instead of a CSV file, you needed to export the groups to an Excel worksheet, you’d use the Export-Excel
cmdlet as shown below.
Find leaked & unsafe passwords in your Active Directory by checking against the NCSC Password list.
Get-ADGroup -Filter '*' -SearchBase 'OU=Locations,DC=company,DC=pri' -SearchScope 2 | Export-Excel -Path 'departmental_groups.csv'
The ImportExcel module has a ton of functionality to work with Excel. If you need a fancier worksheet, it probably has a function for you.
For more information on using the ImportExcel module, read this article. It provides a great introduction to some common use cases it can handle.
Manage and Report Active Directory, Exchange and Microsoft 365 with ManageEngine ADManager Plus. Download Free Trial!
Conclusion
Using just two PowerShell cmdlets, you can do just about anything with AD groups. This article was just an intro to the functionality available to you. Use the knowledge gathered here, follow some of the links to deeper subject dives in the article and see what you can build!