Get-ADGroup – Manage Active Directory Groups

The PowerShell Get-ADGroup cmdlet gets a single Active Directory group by identity, or multiple AD groups that match a search condition. By default it returns a fixed set of group object properties.

The Get-ADGroup cmdlet in PowerShell can be used to:

  • List All AD Groups
  • Get the Default Properties of an AD Group
  • Get All Properties of the Administrators Group
  • Find All Groups Based on Filter Query String
  • List All Members of the AD Group
  • Get AD Group by SamAccountName
  • Get AD Group by SID
  • Find a Group Based on Group Category
  • Get ADGroup Filter by Name
  • Get Count of Active Directory Groups
  • Find ADGroup Managed by User

The Get-ADGroup cmdlet in PowerShell retrieves a default set of properties of a group. To get all the properties of a group, use the -Properties * parameter.

In this article, I will explain how to get an Active Directory group with additional properties, or get AD groups based on a specified search, in PowerShell.

Get-ADGroup Syntax

The PowerShell Get-ADGroup Active Directory cmdlet gets an AD group based on identity, filter, or LDAP filter. The syntax below shows the Identity form.

Get-ADGroup
   [-AuthType <ADAuthType>]
   [-Credential <PSCredential>]
   [-Identity] <ADGroup>
   [-Partition <String>]
   [-Properties <String[]>]
   [-Server <String>]
   [-ShowMemberTimeToLive]
   [<CommonParameters>]

Let’s understand the PowerShell Active Directory Get-ADGroup cmdlet with examples.

Get a List of All Groups

To get all the groups without any search criteria, use the Get-ADGroup -Filter parameter with a wildcard (asterisk) as the search.

Get-ADGroup -Filter *

The above command uses the -Filter parameter with a wildcard (*) to return all the Active Directory groups available in the domain. It displays the basic information about each AD group: DistinguishedName, GroupCategory, GroupScope, Name, ObjectClass, ObjectGUID, SamAccountName, and SID.

The -Filter parameter uses the PowerShell expression language to write query strings for Active Directory.

The output of the above PowerShell script to list all ad groups is given below.

PowerShell List All AD Groups

Get the Default Properties of an AD Group

The PowerShell Get-ADGroup command uses the -Identity parameter to get a specific Active Directory group. The -Identity parameter specifies the AD group you want to retrieve.

You can get an AD group by:

  • Distinguishedname (DN)
  • GUID
  • Security Identifier (SID)
  • SAM name
  • display name
  • canonical name

Let’s say you want to get the ‘DL-Sales‘ Active Directory group. Run the following command.

Get-ADGroup -Identity 'DL-Sales'

The above command returns specific group information from the active directory.

The output of the above PowerShell script to get adgroup properties is given below.

PS C:\> Get-ADGroup -Identity 'DL-Sales'


DistinguishedName : CN=DL-SALES,OU=SALES,DC=SHELLPRO,DC=LOCAL
GroupCategory     : Security
GroupScope        : Global
Name              : DL-SALES
ObjectClass       : group
ObjectGUID        : a3835367-50f5-4859-b0e7-8f65a3336d4b
SamAccountName    : DL-SALES
SID               : S-1-5-21-1326752099-4012446882-462961959-36102



PS C:\>

Get All Properties of Administrators Group

To get all properties of the Administrators group, run the command below.

Get-ADGroup -Identity Administrators -Properties *

In the above PowerShell script, the Get-ADGroup cmdlet uses the -Identity parameter to specify the group, in this case by its name, “Administrators”. The -Properties * parameter returns all the properties of the AD group.

The output of the above command, which displays all the properties of a group, is given below.

Get All Properties of Ad Group

Get All Groups based on Filter Query String

To get all Active Directory groups whose names start with ‘Sales‘, use the Get-ADGroup command with the -Filter parameter and the condition {name -like 'Sales*'}, then pipe the output to the Select command to select the name property.

Get-ADGroup -filter {name -like 'Sales*'} | Select name

In the above PowerShell example, the command retrieves all AD groups whose name starts with Sales.

PS C:\> Get-ADGroup -filter {name -like 'Sales*'} | Select name

name
----
SALESLeader
SALESLeader_EU


PS C:\>

Get All Members for Administrators Group

Use the Get-ADGroup cmdlet with the -Properties * parameter to retrieve every property of the Administrators group, then pipe the result to the Get-Member cmdlet. Get-Member lists the properties and methods of the returned group object; it does not list the accounts that belong to the group.

Get-ADGroup -Identity Administrators -Properties * | Get-Member

Get AD Group by SAMAccountName

Use the Get-ADGroup cmdlet to get ad group by SamAccountname.

For example, to get adgroup based on SamAccountname “Administrators“, run the following command.

Get-ADGroup -Identity Administrators

The output of the above PowerShell script to search for a group by its SAMAccountName is given below.

PS C:\> Get-ADGroup -Identity Administrators


DistinguishedName : CN=Administrators,CN=Builtin,DC=SHELLPRO,DC=LOCAL
GroupCategory     : Security
GroupScope        : DomainLocal
Name              : Administrators
ObjectClass       : group
ObjectGUID        : 92275f8c-2056-4de9-b4b2-646d4ef128d1
SamAccountName    : Administrators
SID               : S-1-5-32-544



PS C:\>

Get-ADGroup by SID

To get an AD group and its member property by SID, run the following command.

Get-ADGroup -Identity S-1-5-21-1326752099-4012446882-462961959-36102 -Properties member

In the above PowerShell script, Get-ADGroup uses the -Identity parameter to find the AD group by its security identifier (SID).

The output of the script to search for a group with a specific SID is given below.

PS C:\> Get-ADGroup -Identity S-1-5-21-1326752099-4012446882-462961959-36102 -Properties member


DistinguishedName : CN=DL-SALES,OU=SALES,DC=SHELLPRO,DC=LOCAL
GroupCategory     : Security
GroupScope        : Global
member            : {CN=Gary Waugh,OU=SALES,DC=SHELLPRO,DC=LOCAL}
Name              : DL-SALES
ObjectClass       : group
ObjectGUID        : a3835367-50f5-4859-b0e7-8f65a3336d4b
SamAccountName    : DL-SALES
SID               : S-1-5-21-1326752099-4012446882-462961959-36102



PS C:\>
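
An added example (not from the original article) that builds on the SID lookup above: because a group can be renamed while its SID stays the same, a membership review of privileged groups is more reliable when it resolves them by well-known SID, such as the S-1-5-32-544 shown for Administrators. Get-PrivilegedGroupSid is a hypothetical helper name; the live lookup assumes the ActiveDirectory module and read access to the domain.

```powershell
# Added example: look up privileged groups by well-known SID, not by name.
function Get-PrivilegedGroupSid {
    param(
        # Domain SID, e.g. (Get-ADDomain).DomainSID.Value
        [Parameter(Mandatory)]
        [ValidatePattern('^S-1-5-21(-\d+){3}$')]
        [string]$DomainSid
    )
    # Domain-relative RIDs. 518 and 519 exist only in the forest root domain.
    $domainRids = [ordered]@{
        'Domain Admins'     = 512
        'Schema Admins'     = 518
        'Enterprise Admins' = 519
    }
    # Builtin groups carry the same SID in every domain.
    $builtin = [ordered]@{
        'Administrators'    = 'S-1-5-32-544'
        'Account Operators' = 'S-1-5-32-548'
        'Server Operators'  = 'S-1-5-32-549'
        'Backup Operators'  = 'S-1-5-32-551'
    }
    foreach ($name in $domainRids.Keys) {
        [pscustomobject]@{ WellKnownName = $name; SID = "$DomainSid-$($domainRids[$name])" }
    }
    foreach ($name in $builtin.Keys) {
        [pscustomobject]@{ WellKnownName = $name; SID = $builtin[$name] }
    }
}

# Domain SID derived from the DL-SALES sample output on this page (its SID minus the RID).
$targets = Get-PrivilegedGroupSid -DomainSid 'S-1-5-21-1326752099-4012446882-462961959'

# The live lookup needs the ActiveDirectory module; without it only the SID list is shown.
if (Get-Command Get-ADGroup -ErrorAction SilentlyContinue) {
    foreach ($t in $targets) {
        try {
            $g = Get-ADGroup -Identity $t.SID -Properties member, whenChanged -ErrorAction Stop
            [pscustomobject]@{
                WellKnownName = $t.WellKnownName
                CurrentName   = $g.Name            # differs if the group was renamed
                SID           = $g.SID.Value
                MemberCount   = @($g.member).Count
                WhenChanged   = $g.whenChanged
            }
        } catch {
            Write-Warning "No group with SID $($t.SID) found in this domain"
        }
    }
} else { $targets }
```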

Get a Group based on GroupCategory

To get AD groups filtered by GroupCategory, for example all groups whose category is Security, run the following command.

Get-ADGroup -Filter 'GroupCategory -eq "Security"'

In the above PowerShell command, the Get-ADGroup cmdlet uses the -Filter parameter to get all groups that have GroupCategory equal to Security. GroupCategory takes the value Security or Distribution.

Get AdGroup Filter Name like

To get Active Directory groups in the current domain based on name search criteria, use the Get-ADGroup -Filter parameter on the name property.

Get-ADGroup -Filter "name -like '*admin*'" -Properties * | select name

In the above PowerShell script example, the command finds Active Directory groups in the current domain whose name is like admin.

To get Active Directory groups in a different domain with a Get-ADGroup filter name like admin, provide the server name with the -Server parameter and run the command below.

Get-ADGroup -Filter "name -like '*admin'" -Properties * -Server "server-100.net" | select name

Get-ADGroup to Get Count of Active Directory Group

To get the total number of Active Directory groups available, use the Count property and run the command below.

(Get-ADGroup -Filter '*').Count

In the above PowerShell script, the Get-AdGroup uses the Filter parameter with a wildcard (*) to get the ad group count in AD.

Find ADGroup Managed by a Specific User

To get all AD groups managed by a specific user, use the PowerShell Get-ADGroup -Filter or Get-ADGroup -LDAPFilter parameter as below.

PS C:\> Get-ADGroup -Filter 'managedby -eq "<username>"'
PS C:\> Get-ADGroup -LDAPFilter '(managedby=<username>)'

In the first command, provide a username in Get-ADGroup -Filter to get all AD groups managed by the user.

The second command uses Get-ADGroup -LDAPFilter to find all groups managed by the user based on username.
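
An added example (not from the original article) for the -LDAPFilter form above: it assumes the value matched against managedBy is the manager's distinguished name, which is how the attribute is stored, and escapes it per RFC 4515 so that \ ( ) and * in the value are matched literally instead of changing the filter. ConvertTo-LdapFilterValue and New-ManagedByLdapFilter are hypothetical helper names, and the second and third sample values are constructed.

```powershell
# Added example: escape a value per RFC 4515 before placing it in -LDAPFilter.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Value)
    # Backslash goes first, so the escapes added afterwards are not escaped again.
    $escaped = $Value.Replace('\', '\5c')
    foreach ($pair in @(('*', '\2a'), ('(', '\28'), (')', '\29'), ([string][char]0, '\00'))) {
        $escaped = $escaped.Replace($pair[0], $pair[1])
    }
    $escaped
}

function New-ManagedByLdapFilter {
    # Assumption: the caller passes the manager's distinguished name.
    param([Parameter(Mandatory)][string]$ManagerDn)
    '(managedBy={0})' -f (ConvertTo-LdapFilterValue $ManagerDn)
}

# Sample values: the first DN is the member shown in the DL-SALES output on this page,
# the other two are constructed to exercise the escaping.
$samples = @(
    'CN=Gary Waugh,OU=SALES,DC=SHELLPRO,DC=LOCAL'
    'CN=Waugh\, Gary (Contractor),OU=SALES,DC=SHELLPRO,DC=LOCAL'  # escaped comma, parentheses
    '*'                                                            # must stay a literal asterisk
)

foreach ($dn in $samples) {
    $filter = New-ManagedByLdapFilter -ManagerDn $dn
    '{0}  ->  {1}' -f $dn, $filter

    # Live query only where the ActiveDirectory module is available.
    if (Get-Command Get-ADGroup -ErrorAction SilentlyContinue) {
        Get-ADGroup -LDAPFilter $filter -Properties ManagedBy |
            Select-Object Name, ManagedBy
    }
}
```

The second sample becomes (managedBy=CN=Waugh\5c, Gary \28Contractor\29,OU=SALES,DC=SHELLPRO,DC=LOCAL), and the bare asterisk becomes \2a instead of matching every group that has a manager set.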

PowerShell Get-AdGroup Parameters

Let’s understand each of the Get-ADGroup key parameters below.

-AuthType – It specifies the authentication method to use. The AuthType parameter accepts either Basic (or 1) or Negotiate (or 0). Negotiate is the default authentication method.

An SSL (Secure Sockets Layer) connection is required to use the Basic authentication method.

-Credential – It specifies the user credentials (PSCredential) used to perform the Get-ADGroup search for the group. By default, it uses the credentials of the logged-on user.

To use the -Credential parameter, specify a username such as User1 or domain\User1, or create a PSCredential object with the Get-Credential cmdlet and pass it.

-Identity – It specifies the Active Directory group object to retrieve by distinguished name, GUID, security identifier, or SAMAccountName.

-Partition – It specifies the distinguished name of an Active Directory partition.

-Filter – It specifies a query string (PowerShell Expression Language syntax) to retrieve Active Directory objects. PowerShell wildcards other than * are not supported by the filter syntax.

-LDAPFilter – It specifies an LDAP query string used to filter AD group objects.

The PowerShell Get-ADGroup cmdlet gets a default set of Active Directory group object properties.

The default properties for the command are: DistinguishedName, GroupCategory, Name, GroupScope, SamAccountName, ObjectGUID, ObjectClass, SID

To get additional properties of the AD group object, use the -Properties parameter.

Additional properties are: CN, Canonicalname, Created, Deleted, Description, DisplayName, HomePage, LastKnownParent, ManagedBy, Memberof, Members, Modified, ObjectCategory, SIDHistory

Conclusion

I hope the above article on using the PowerShell Get-ADGroup cmdlet to get one or more specified AD groups is helpful to you.

The Get-ADGroup cmdlet returns a default set of properties. To get additional properties, use the -Properties parameter.
