
Get-ADGroup – Manage Active Directory Groups

The PowerShell Get-ADGroup cmdlet gets a single Active Directory group, or multiple AD groups that match a search condition. Get-ADGroup returns a default set of group object property values.

In this article, I will explain how to get an Active Directory group with additional properties, or get AD groups based on a specified search, in PowerShell.

Get-ADGroup Syntax

The PowerShell Get-ADGroup Active Directory cmdlet gets an AD group based on Identity, Filter, or LDAPFilter:

Get-ADGroup
   [-AuthType <ADAuthType>]
   [-Credential <PSCredential>]
   [-Identity] <ADGroup>
   [-Partition <String>]
   [-Properties <String[]>]
   [-Server <String>]
   [-ShowMemberTimeToLive]
   [<CommonParameters>]

Let’s look at each of the key Get-ADGroup parameters:

-AuthType – It specifies the authentication method to use. The AuthType parameter accepts either Basic (or 1) or Negotiate (or 0). Negotiate is the default authentication method.

An SSL (Secure Socket Layer) connection is required to use the Basic authentication method.

-Credential – It specifies the user credentials required to perform a Get-ADGroup search for the group. By default, it uses the credentials of the logged-on user.

To use the Credential parameter, supply a username such as User1 or domain\User1, or create a PSCredential object with the Get-Credential cmdlet and use that.

-Identity – It specifies the Active Directory group object to get, using the distinguished name, GUID, security identifier, or SAMAccountName.

-Partition – It specifies the distinguished name of an Active Directory partition.

-Filter – It specifies a query string (PowerShell Expression Language syntax) to retrieve Active Directory objects. PowerShell wildcards other than * are not supported by the filter syntax.

-LDAPFilter – It specifies an LDAP query string used to filter AD group objects.

The PowerShell Get-ADGroup cmdlet gets a default set of Active Directory group object properties.

The default properties returned by the command are: DistinguishedName, GroupCategory, Name, GroupScope, SamAccountName, GUID, ObjectClass, SID

To get additional properties of the AD group object, use the -Properties parameter.

Additional properties are: CN, CanonicalName, Created, Deleted, Description, DisplayName, HomePage, LastKnownParent, ManagedBy, MemberOf, Members, Modified, ObjectCategory, SIDHistory

Using the Get-AdGroup Filter parameter (wildcard)

If you want to search for a specific group or retrieve multiple groups, use Filter or LDAPFilter.

If you want to get all the groups without any search criteria, use the Get-ADGroup Filter parameter with a wildcard (asterisk) for the search.

Get-ADGroup -Filter *

The above Get-ADGroup command uses the Filter parameter with a wildcard (*) to return all the groups available in the domain.

The Filter parameter uses the PowerShell expression language to write the query string for Active Directory.

Using the Get-AdGroup Identity parameter

The Get-ADGroup Identity parameter is used to get a specific Active Directory group.

You can get an AD group by:

  • Distinguishedname (DN)
  • GUID
  • Security Identifier (SID)
  • SAM name
  • display name
  • canonical name

Let’s say you want to get the ‘Sales’ Active Directory group. Use the below command:

Get-ADGroup -Identity 'Sales'

The above command returns a specific group from the active directory.

Let’s understand PowerShell Active Directory Get-ADGroup cmdlet with examples.

Get Properties for Administrators Group

To get default properties for the Administrators group, run the below command

Get-ADGroup -Identity Administrators | Get-Member

The above PowerShell Get-ADGroup command uses the Identity parameter to get the specified AD group object and pipes it to Get-Member to list the available properties.

Get All Groups based on Filter Query String

To get all Active Directory groups whose name starts with ‘Sales’, use the Get-ADGroup cmdlet with the -Filter parameter as below

Get-ADGroup -filter {name -like 'Sales*'} | Select name

In the above PowerShell example, the command retrieves all AD groups whose name starts with Sales, using the Get-ADGroup filter on name.

Get All Properties for Administrators Group

Use the Get-ADGroup cmdlet with the Properties parameter to get all properties for the Administrators group.

Get-ADGroup -Identity Administrators -Properties * | Get-Member

Get AD Group by SAMAccountName

Use the Get-ADGroup cmdlet to get an AD group by SAMAccountName. For example, to get the AD group with the SAMAccountName Administrators, run the below command

Get-ADGroup -Identity Administrators


Get-ADGroup by SID

To get the member property of an AD group identified by its SID, run the below command

Get-ADGroup -Identity S-1-5-21-1285264524-1983627485-1293364872-1250 -Properties member

In the above script, Get-AdGroup uses the Identity parameter to find the adgroup by its security identifiers (sid).

Get a Group based on GroupCategory

To get AD groups filtered by GroupCategory, run the below command. GroupCategory is either Security or Distribution; this example uses Security.

Get-ADGroup -Filter 'GroupCategory -eq "Security"'

In the above PowerShell command, the Get-ADGroup cmdlet gets all groups that have GroupCategory equal to Security, based on the Get-ADGroup Filter parameter.

Get AdGroup Filter Name like

To get Active Directory groups in the current domain based on name search criteria, use the Get-ADGroup filter on the name property.

Get-ADGroup -Filter "name -like '*admin*'" -Properties * | select name

In the above PowerShell script example, the command finds Active Directory groups in the current domain with a Get-ADGroup filter name like admin.

To get Active Directory groups in a different domain with a Get-ADGroup filter name like admin, provide the server name with the -Server parameter and run the below command

Get-ADGroup -Filter "name -like '*admin*'" -Properties * -Server "server-100.net" | select name
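The same name-based search can feed a review of admin-named groups. This is an added example, not code from the original article: the function name Get-AdminGroupReport and its parameters are hypothetical, and it assumes the ActiveDirectory module is installed. It requests only the properties it reports on instead of -Properties *.

```powershell
# Added example; Get-AdminGroupReport is a hypothetical helper name.
Import-Module ActiveDirectory

function Get-AdminGroupReport {
    param(
        # Only letters, digits, space, hyphen, underscore and * may reach the filter string.
        [ValidatePattern('^[\w \-\*]+$')]
        [string]$NamePattern = '*admin*',

        # Optional domain controller or domain to query, as with -Server above.
        [string]$Server
    )

    $query = @{
        Filter     = "Name -like '$NamePattern'"
        # Request only the attributes the report uses instead of -Properties *.
        Properties = 'Description', 'ManagedBy', 'Members', 'Created', 'Modified'
    }
    if ($Server) { $query.Server = $Server }

    Get-ADGroup @query |
        Select-Object Name, GroupCategory, GroupScope, ManagedBy, Created, Modified,
            @{ Name = 'MemberCount'; Expression = { @($_.Members).Count } } |
        Sort-Object Modified -Descending
}

# Current domain, most recently modified groups first:
Get-AdminGroupReport | Format-Table -AutoSize

# Another domain, using the server name from the command above:
# Get-AdminGroupReport -Server 'server-100.net' | Format-Table -AutoSize
```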

Get-ADGroup to Get Count of Active Directory Group

To get the total number of Active Directory groups available, use the Count property and run the below command

(Get-ADGroup -Filter '*').Count

In the above PowerShell script, the Get-AdGroup uses the Filter parameter with a wildcard (*) to get the ad group count in AD.

Get-ADGroup to Find ADGroup managed by a Specific User

To get all AD groups managed by a specific user, use the PowerShell Get-ADGroup Filter or LDAPFilter parameter as below

PS C:\> Get-ADGroup -Filter 'managedby -eq "<username>"'
PS C:\> Get-ADGroup -LDAPFilter '(managedby=<username>)'

In the first command, provide a username in Get-ADGroup -Filter to get all AD groups managed by the user.

The second command uses Get-ADGroup -LDAPFilter to find all groups managed by the user based on username.
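The managedBy attribute stores a distinguished name, so a lookup that starts from a logon name has to resolve the account first. The following is an added example, not code from the original article: the function names and the account 'jsmith' are hypothetical, and the ActiveDirectory module is assumed. It escapes the value before placing it in the LDAP filter, since a distinguished name can contain characters that are reserved in filter syntax.

```powershell
# Added example; function names and the 'jsmith' account are hypothetical.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # Escape the characters RFC 4515 reserves inside a filter value.
    # The backslash is replaced first so later escapes are not escaped again.
    param([Parameter(Mandatory)][string]$Value)
    $Value.Replace('\', '\5c').
           Replace('*', '\2a').
           Replace('(', '\28').
           Replace(')', '\29').
           Replace("`0", '\00')
}

function Get-GroupsManagedBy {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$Server   # optional, for querying another domain
    )
    $common = @{}
    if ($Server) { $common.Server = $Server }

    # Resolve the account to its distinguished name, then escape it for the filter.
    $user = Get-ADUser -Identity $SamAccountName @common
    $dn   = ConvertTo-LdapFilterValue -Value $user.DistinguishedName

    Get-ADGroup -LDAPFilter "(managedBy=$dn)" -Properties ManagedBy, Description @common |
        Select-Object Name, GroupCategory, GroupScope, Description, DistinguishedName
}

Get-GroupsManagedBy -SamAccountName 'jsmith' | Sort-Object Name | Format-Table -AutoSize
```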

Conclusion

I hope the above article on the PowerShell Get-ADGroup cmdlet helps you get one or more specified AD groups.

Get-AdGroup cmdlet returns a default set of properties. To get additional properties, use -Properties parameter.

You can find more topics about PowerShell Active Directory commands and PowerShell basics on the ShellGeek home page.
