How to use Get-ADGroupMember in PowerShell

Active Directory Groups allow you to easily assign permissions or software to your users. But how do you get all members of a group? To export or update all users of an ADGroup we can use the Get-ADGroupMember cmdlet in PowerShell.

In this article, we are going to take a look at how you can use the Get-ADGroupMember command in PowerShell.

Before we start, make sure that you have installed the PowerShell Active Directory Module.

Get all Group members with Get-ADGroupMember

The Get-ADGroupMember command will get all objects that are members of the group. This can be users, computers, and also other (nested) groups. To simply list all members of a group we can use the following cmdlet in PowerShell:

Get-ADGroupMember -Identity SG_M365_BP | ft

This will list all members of the group SG_M365_BP and format them into a table (ft).

A simple list of all group members is in most cases not what you are looking for. You probably want to get more user details, like the email address or display name of all the users.

To do this we can simply pipe the Get-ADUser cmdlet behind it and request all the details that we need from each user in the group:

Get-ADGroupMember -Identity SG_M365_BP | Get-ADUser -Properties DisplayName,EmailAddress | Select Name,DisplayName,EmailAddress,SAMAccountName

You can select any attribute that you need in the Get-ADUser part, but make sure that you also add it to the Select at the end of the cmdlet.

Nested Groups

Nested groups are a common practice in the Active Directory. They allow you to assign permissions or policies to users based on their group membership. Let’s take the following example where we have assigned PowerBi to the sales management and managing board:

To get the actual users that have access to PowerBi, we can’t simply do Get-ADGroupMember, because that will only return the two groups:

What we want is to get the members of the two nested groups. To do this, we can use the -recursive parameter. This way the Get-ADGroupMember cmdlet will also go through all nested groups in the Active Directory.

Get-ADGroupMember -Identity SG_PowerBi -Recursive | ft
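
-Recursive flattens the result, so the output no longer shows which nested group a user came through, which is what you need when reviewing who has access and why. The following added example (not code from the original article) walks the nesting itself and records the direct group and the full path for each member; the function name Get-NestedGroupMemberPath and its parameters are hypothetical.

```powershell
# Added example, not part of the original article. Requires the ActiveDirectory module.
function Get-NestedGroupMemberPath {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Identity,

        # Recursion state; callers normally leave these two unset.
        [string]$Path = '',
        [System.Collections.Generic.HashSet[string]]$Visited =
            [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    )

    $group = Get-ADGroup -Identity $Identity

    # Groups can be nested in a circle (A in B, B in A). Expand each group once.
    # Side effect: a group reachable through two parents is listed under the first only.
    if (-not $Visited.Add($group.DistinguishedName)) { return }

    $currentPath = if ($Path) { "$Path > $($group.Name)" } else { $group.Name }

    foreach ($member in Get-ADGroupMember -Identity $group.DistinguishedName) {
        if ($member.objectClass -eq 'group') {
            # Descend into the nested group, carrying the path so far.
            Get-NestedGroupMemberPath -Identity $member.distinguishedName `
                -Path $currentPath -Visited $Visited
        }
        else {
            [PSCustomObject]@{
                Name           = $member.Name
                SamAccountName = $member.SamAccountName
                ObjectClass    = $member.objectClass
                DirectGroup    = $group.Name      # group the object is a direct member of
                Path           = $currentPath     # chain from the top-level group down
            }
        }
    }
}

# SG_PowerBi is the group name used in the article.
Get-NestedGroupMemberPath -Identity SG_PowerBi |
    Sort-Object Path, Name |
    Format-Table -AutoSize
```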

Get only users, computers or nested groups

When you have a group mixed with users and nested groups, you might want to get only the users from that group. Or only the other nested groups.

To do this we can filter the results on the objectClass of the group member. This can be:

  • user
  • computer
  • group

# Get only the users from a group
Get-ADGroupMember -Identity SG_PowerBi | Where-Object {$_.objectClass -eq "user"} | ft

# Or get only the nested groups
Get-ADGroupMember -Identity SG_PowerBi | Where-Object {$_.objectClass -eq "group"} | ft

Export Group Members to CSV with PowerShell

Most of the time when I use the Get-ADGroupMember cmdlet I want to export the results to Excel. To do this we can use the Export-CSV cmdlet in PowerShell. This will export all the results of your PowerShell cmdlet to a CSV file.

Let’s say we want to export all members of the SG_M365_BP group with their email address to Excel:

Get-ADGroupMember -Identity SG_M365_BP | Get-ADUser -Properties DisplayName,EmailAddress | Select Name,DisplayName,EmailAddress,SAMAccountName | Export-CSV -Path c:\temp\M365BP-users.csv -NoTypeInformation

This will export the results to a CSV file and store it in C:\Temp. The -NoTypeInformation parameter removes the type information header from the CSV file. If you want to know more about export to CSV, then make sure you read this article.
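
For a periodic access review you usually export several groups at once, and the one-liner above stops being enough: Get-ADUser fails on computer members, and a single group that cannot be read should be logged rather than silently skipped. The following is an added example, not code from the original article; the group names come from the article, and the output paths and column layout are assumptions.

```powershell
# Added example, not part of the original article. Requires the ActiveDirectory module.
$groupNames = 'SG_M365_BP', 'SG_PowerBi'              # groups used in the article
$csvPath    = 'C:\temp\group-members.csv'             # assumed output path
$errorLog   = 'C:\temp\group-members-errors.log'      # assumed log path

$rows = foreach ($name in $groupNames) {
    try {
        # -ErrorAction Stop makes every failure catchable, so the group name can be logged.
        $members = Get-ADGroupMember -Identity $name -Recursive -ErrorAction Stop
    }
    catch {
        '{0} {1}: {2}' -f (Get-Date -Format s), $name, $_.Exception.Message |
            Add-Content -Path $errorLog
        continue
    }

    # -Recursive expands nested groups but still returns computers;
    # keep only user objects before handing them to Get-ADUser.
    $members |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties DisplayName, EmailAddress |
        ForEach-Object {
            [PSCustomObject]@{
                Group          = $name
                Name           = $_.Name
                DisplayName    = $_.DisplayName
                EmailAddress   = $_.EmailAddress
                SamAccountName = $_.SamAccountName
                Enabled        = $_.Enabled   # disabled accounts still holding membership stand out
            }
        }
}

$rows | Export-Csv -Path $csvPath -NoTypeInformation
```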

Wrapping Up

As you have seen, it’s pretty easy to get all members of a group with Get-ADGroupMember. Make sure that you use the -recursive parameter when you have nested groups.

If you have any questions, just drop a comment below.

14 thoughts on “How to use Get-ADGroupMember in PowerShell”

  1. Hi Rudy, I get this on some of my groups “Get-ADGroupMember: An operations error occurred.” but I can’t get it to log it into a text file even with *>&1 >> C:\tmp\log.txt I would basically just want it to list the group it was trying and failed so I can manually check it out. Any help appreciated

  2. Great information, thank you! In our case we have an OU with about 40 groups.
    I want to know what users are in each group. I’m sure this can be done without specifying each group separately… Would you mind giving me some help on this?

    • Something like this should get you started in the right direction:

      $groups = Get-AdGroup -filter *
      $groups | Foreach-Object {
      
          $group = $_
      
          $users = Get-AdGroupMember -identity $_ 
          $users | Foreach-Object {
              [PSCustomObject]@{
                  Groupname = $group.Name
                  User = $_.Name
              }
          }
      }
      
      • Thank you Rudy, that helped me a bit.
        At least I get to run something that gives me an output.
        But perhaps you can help me a little bit more 🙂

        I have a specific OU called “Rollen”.
        In there are about 60 global groups.

        I want to export those 60 global groups from this OU “rollen” with its members outputting to a csv that shows also the Full Name and Description.

        This way I should be able to see

        $Global Group Name , $User Full Name, Description

        Thank you!

        • Something like this should work. You can wrap it in a function and then call the function and pipe export-csv behind it:

          $groups = Get-AdGroup -filter * -SearchBase "OU=Rollen,OU=Sites,DC=Lazyadmin,DC=NL"
          $groups | Foreach-Object {
          
              $group = $_
          
              $users = Get-AdGroupMember -identity $_ 
              $users | Foreach-Object {
                  $user = Get-AdUser -Identity $_ -Properties description| Select name, description 
                  [PSCustomObject]@{
                      Groupname = $group.Name
                      User = $user.Name
                      Description = $user.description
                  }
              }
          }
          
  3. While the Get-ADGroupMember does retrieve all users and nested groups, I need to have more information. I need to know what group the user was in that was nested in the original group.

    What would you do next to get this? The information only shows:
    distinguishedName
    name
    objectClass
    objectGUID
    SamAccountName
    SID

    I need to know what group they were in they were a member of a nested group.

  4. I am looking to find the groups a group is a member of? Example, If I lookup domain admins I want to know the member of..

  5. Hello, I would like to use Get-ADGroupMember -Identity to find the members that belong to both groups.
    Example: Get-ADGroupMember -Identity “groupA”, “groupb”

    Thank you

    • You will have to do this from the user perspective:


      Get-ADUser -Filter * -Properties memberOf | `
      Where-Object {
      $_.memberof.contains('CN=SG_PowerBi,OU=users,DC=lazyadmin,DC=nl') -and `
      $_.memberof.contains('CN=SG_M365_BP,OU=users,DC=lazyadmin,DC=nl' )
      }
