Get-AdGroupMember PowerShell cmdlet gets AD group members, members can be users, computers, or groups. Administrator often needs to export active directory group members to CSV file to know who are the users in the group or particular distribution list.
Windows PowerShell Active Directory module is one of the popular modules to manage the active directory domains, manage objects in the active directory, and get information about computers, and users.
Active Directory module consolidates a group of cmdlets which helps to manage different objects, get AD group members, and export active directory group members.
Using Get-AdGroupMember cmdlet, you can easily get ad group members from the active directory and export ad group members to CSV or file.
In this article, we will discuss about Get-ADGroupMember examples, how to use the cmdlet to list group members in PowerShell, and how to get ad group members, and export members of the ad group to a CSV file.
Get-ADGroupMember
PowerShell Get-ADGroupMember cmdlet gets ad group members. Ad group members can be users, computers, or groups.
Get-AdGroupMember Syntax
Get-ADGroupMember [-AuthType <ADAuthType>] [-Credential <PSCredential>] [-Identity] <ADGroup> [-Partition <String>] [-Recursive] [-Server <String>] [<CommonParameters>]
Get-ADGroupMember Examples
You can use the Get-AdGroupMember cmdlet in Powershell to get all members of a group, get all administrators group members, and export all the members of a group to the CSV file.
Let’s understand using Get-AdGroupMember to list ad group members and export ad group members to the CSV file.
Get-AdGroupMember of Group
Use the Get-ADGroupMember cmdlet in PowerShell to get a list of all members of the AD group. Members can be users, groups, or computers.
In PowerShell to list ad group members of a specific group, use the Identity parameter. You can identify Active Directory groups by displayname, SAM account name, GUID, distinguished name, or security identifier.
Get-AdGroupMember -Identity "Group Name"
Get All Members of the Ad group
Use the Get-AdGroupMember cmdlet in PowerShell to get a list of all members in the “Administrators” ad group.
Get-AdGroupMember -Identity 'Administrators'
In the above PowerShell script, the Get-AdGroupMember gets a list of all members of the AD group specified by the Identity parameter.
The output of the above PowerShell script that gets all the members of the Administrators group is given below.
To get the member names only, use the Select command to select the ad group member name.
Get-AdGroupMember -Identity 'Administrators' | Select name
The output of the above PowerShell script to get an active directory group member name is:
Export Ad Group Members to CSV file
PowerShell Get-AdGroupMember cmdlet gets a list of ad group members and the Export-CSV cmdlet in PowerShell to export ad groups to a csv file.
To get ad group members and export the AD group members list to a CSV file, use the following command.
Get-AdGroupMember -Identity 'Administrators' | Export-csv -Path D:\Powershell\adgroupmemers.csv -NoTypeInformation
In the above PowerShell script, the Get-AdGroupMember command gets group members of Administrators ad group specified by the Identity parameter.
It gets all members of the “Administrators” active directory group and uses the Export-CSV to export group members of the ad group to a CSV file.
Export Security Group Members to CSV File
To export security group members to a csv file, use the Get-AdGroupMember command that retrieves the members of a security group and pipe the result to the Export-CSV cmdlet to export security group members information to a csv file.
Get-ADGroupMember -Identity DL-Sales | Export-csv -Path C:\Powershell\security_adgroupmemers.csv -NoTypeInformation
In the above PowerShell script, the “DL-Sales” is a security ad group that contains the members. The Get-AdGroupMember command uses the Identity parameter that specifies a security group “DL-Sales” to get all members of the ad group and pass the result to the Export-CSV cmdlet.
The Export-Csv command uses the Path parameter to export security active directory group members to csv on the specified location.
Export Ad Group Member Email Address to Csv
Use Get-AdGroupMember to get ad group member email addresses and export group members to the CSV file.
Get-AdGroupMember -Identity 'SalesLeader' | Get-AdUser -Properties * | Select Name,Mail | Export-csv -Path D:\Powershell\adgroupmembers.csv -NoTypeInformation
In the above PowerShell script, the Get-AdGroupMember cmdlet gets members of ad group and passes the output to the Get-AdUser cmdlet to get ad group member properties like Name and Email address and pass output to the third command.
Using the Export-Csv cmdlet in PowerShell, it exports ad group member email addresses to a CSV file.
Cool Tip: How to get adgroupmember count in PowerShell!
Export Ad Group Members from Specific OU
The Organizational Unit in Active Directory contains users, computers, and group objects. Use Get-AdGroupMember to list members of ad groups and export group members to a CSV file.
To export ad group members from a specific OU to a CSV file with the group name and ad user name, run the below PowerShell script
$OU = 'OU=SALES,DC=SHELLPRO,DC=LOCAL'
# Get adgroups from specific OU
$adGroups = Get-ADGroup -Filter * -SearchBase $OU
# Iterate through adgroups and get ad group name and user name
$adGroupMembers = foreach ($Group in $adGroups) {
Get-ADGroupMember -Identity $Group -Recursive | Select-Object @{Name='Group';Expression={$Group.Name}}, @{Name='Member';Expression={$_.Name}}
}
# export ad group name and user to csv file
$adGroupMembers | Export-Csv -Path D:\adGroupMembers.csv -NoTypeInformation
In the above PowerShell script,
In the first command, we define the Organizational Unit (OU) path
Using the Get-AdGroup cmdlet, it gets ad groups from specific OU.
In the next command, it uses foreach to iterate over ad groups recursively to get ad group members, group names, and user names belonging to the ad group in a specific OU.
Using Export-Csv cmdlet in PowerShell, it exports members of ad group from specific OU to CSV file.
Cool Tip: How to get adgroupmember samaccountname in PowerShell!
Get members of Ad group including members of child groups
By default Get-AdGroupMember gets a list of all members from the active directory group. Use recursive the parameter to get members of a group and child groups.
Let’s consider if the Sales group contains user John Tigre and the group EUSalesLeader.
EUSalesLeader ad group contains user Smith Waugh.
Use Get-AdGroupMember with Recursive parameter to get John Tigre and Smith Waugh
Get-ADGroupMember -Identity "Sales" -Recursive
The above PowerShell script uses the Get-AdGroupMember command uses the Identity parameter to get all the members of the Sales ad group including members of the child group using the Recursive parameter.
Get-AdGroupMember Parameters
Let’s understand the Get-ADGroupMember cmdlet key parameter as below:
–AuthType – It specifies the authentication method to use. AuthType parameter accepts either Basic (or 1) or Negotiate (or 0). It has Negotiate default authentication method.
SSL (Secure Socket Layer) connection is required to use the Basic Authentication method.
–Credential PSCredential – It specifies user credentials required to perform the Get-ADGroup search for the group. It default accepts the credentials of logged-on users.
To use the Credential parameter, use username as User1 or domain\User1 or you can create and use PSCredential object by using Get-Credential cmdlet.
-Identity – It specifies Active Directory group object search using the distinguished name, GUID, security identifier or SAMAccountName
-Partition – It specifies the distinguished name of an active directory partition.
-Recursive – It specifies getting all ad group members from a group that does not contain child objects.
Get-ADGroupMember FAQ
To solve the above issue, the system must have an Active Directory module. You can check if the module is available or not using Get-Module -ListAvailable
If the Active Directory module is not available then import it using import-module activedirectory
Check the Active Directory module requirement at http://technet.microsoft.com/en-us/library/dd378937.aspx
If you are trying to list thousands of group members, you may come across a size limit for this request was exceeds the issue with Get-AdGroupMember.
By default, the limit is 5000 objects. This limit is from Active Directory Web Service and applies to three cmdlets Get-ADGroupMember, Get-ADPrincipalGroupMembership, and Get-ADAccountAuthorizationGroup.
You can modify it in the config file. You will have to make sure to update the config file on each DC.
On Domain controller, open file at location C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe.config and look for appSettings tag, add below tag<add key="MaxGroupOrMemberEntries" value="15000" />
Save the config file and restart the ADWS service on DC. Repeat the above step on each DC.
Use the below command to the get-aduser account name, email addressGet-ADGroupMember "Asia_Sales_Users" | Sort -Property Name | foreach{ get-aduser $_ -Properties SamAccoutName| select Name, Surname, GivenName,
SamAccountname, EmailAddress | ft -AutoSize
If you want to get lists of users from one group and add them to another groupGet-ADGroupMember "asia_sales" | Get-ADUser | Foreach-Object {Add-ADGroupMember -Identity "India_sales" -Members $_}
Get-ADGroupMember -identity “Asia_Sales” | select name | Export-csv -path C:\PowerShell\adgroupmembers.csv -NoTypeInformation
This command list member of ad groups that belong to the Asia_Sales group and exports their information to the adgroupmembers.csv file using Export-csv
Conclusion
Hope you find and like the above article to get active directory group members using Get-AdGroupMember cmdlet is helpful and educational.
The PowerShell Active Directory module provides a powerful cmdlet to perform and export active directory members to CSV files.
You can find more topics about PowerShell Active Directory commands and PowerShell basics on the ShellGeek home page.