Home » PowerShell » PowerShell Get-AdGroupMember – Get AD Group Members

PowerShell Get-AdGroupMember – Get AD Group Members

by

PowerShell `Get-AdGroupMember` cmdlet retrieves members from the active directory, allowing you to specify the group name to retrieve the list of its members. Using the `Identity` parameter, you can specify the exact Active Directory Group from which to retrieve members.

As a System Administrator, it’s essential to query the Active Directory to get a list of users within the specific AD groups. This facilitates tasks such as exporting group members to CSV or other file formats and analysis of user data.

In this article, we will discuss how to use the PowerShell Get-AdGroupMember cmdlet to get ad group members, list members of ad group, and various methods for retrieving and managing AD group memberships.

Table of Contents hide
1 PowerShell Get-AdGroupMember
2 PowerShell Get AD Group Members
3 How to Get List of Users from Groups and Nested Groups
4 How to Get AdGroupMember Enabled Account
5 Get-AdGroupMember MaxGroupOrMemberEntries Modification
6 Get AdGroupMemeber Filter Example
7 Conclusion
8 Recommended Content

PowerShell Get-AdGroupMember

Get-AdGroupMember cmdlet gets members of an active directory groups.

Syntax

Get-ADGroupMember
   [-AuthType <ADAuthType>]
   [-Credential <PSCredential>]
   [-Identity] <ADGroup>
   [-Partition <String>]
   [-Recursive]
   [-Server <String>]
   [<CommonParameters>]

Parameters

-Identity: is used to specify an active directory group object using any of the values like distinguishedName, GUID, SID, or SAMAccountName.

-Recursive: Get all the members from the hierarchy of the group.

-Server: Specify the Active Directory Domain Service instance to connect to by providing one of the values for the corresponding domain name or directory server.

PowerShell Get AD Group Members

Active Directory groups often contain multiple subgroups and users associated with each group, making it essential to efficiently retrieve group members information.

Using PowerShell, you can easily get a list of users from the AD group, and get groups from the AD group along with its subgroup memberships.

Get-ADGroupMember -Identity "Shell_Sales" | Select-Object Name | Sort-Object Name

In the above PowerShell script, the Get-AdGroupMember cmdlet uses the `Identity` parameter to specify the adgroup name, in this case, “Shell_Sales” to get ad group members. It then pipes the output to the Select-Object command.

The Select-Object cmdlet retrieves the names of the group members. Finally, the Sort-Object cmdlet organizes the results alphabetically by name.

Below is the output of the PowerShell script, displaying the list of group members from the Active Directory.

Name
----
Administrator
ShellGeek
Shell_Asia
Shell_Europe

How to Get List of Users from Groups and Nested Groups

To get list of users from ad groups and nested groups, use the Get-ADGroupMember cmdlet to recursively check through the specified by -Recursive parameter in the active directory and get ad group members.

Get-ADGroupMember -Identity "Shell_Sales" -Recursive | Get-ADUser -Property DisplayName | Select-Object DisplayName

In the above PowerShell script to get members of the ad group,

Using PowerShell Get-AdGroupMemeber gets members of the active directory group specified by the Identity parameter. It then pipes the output that contains ad group members to the `Get-AdUser` command.

The Get-ADUser cmdlet retrieves users from a list of ad users and returns the aduser display name. Finally, the Select-Object cmdlet is used to displayname of all ad users from groups and nested groups on the console.

How to Get AdGroupMember Enabled Account

To get adgroupmember enabled accounts in the specified group, use the Get-AdGroupMember cmdlet. This command lists all the members of the group and pipes them to the `Get-AdUser` cmdlet to get enabled user accounts.

$group = "SALESLEADER"

$adusers = Get-ADGroupMember -Identity $group | where {$_.objectclass -eq "user"}

foreach ($activeuser in $adusers) 
{ 

    Get-ADUser -Identity $activeuser | where {$_.enabled -eq $true} | select Name, SamAccountName, UserPrincipalName, Enabled 
    
 }

In the above PowerShell script, the Get-AdGroupMember uses the Identity parameter to get all users from the adgroup “SALESLEADER” and store them in the $adusers variable.

Use the foreach loop to iterate over the $adusers and use the Get-AdUser cmdlet to check the user account enabled status and select the name, and samaccountname for enabled accounts.

The output of the above PowerShell script gets adgroupmember enabled users.

Get AdGroupMember Enabled Accounts
Get AdGroupMember Enabled Accounts

The output displays the Name, SamAccountName, UserPrincipalName, and Enabled columns. Enabled columns display the get adgroupmember enabled True results only.

Get-AdGroupMember MaxGroupOrMemberEntries Modification

The `Get-AdGroupMember` has a default limit of 5000 to get active directory objects and their properties.

If you have more than 5000 active directory objects and try to get all members using the Get-AdGroupMember, it throws an error: “Get-AdGroupMember: The size limit for this request was exceeded.

You can increase the MaxGrouporMemberEntries to retrieve active directory objects more than the default limit.

Refer to the below steps to add MaxGroupOrMemberEntries:

  • Go to the Domain Controller
  • Navigate to location C:\Windows\ADWS
  • Open the file Microsoft.ActiveDirectory.WebServices.exe.config in Notepad
  • Check if the MaxGroupOrMemberEntries key is available or not, If available then increase the size else follow the below key to the file.
  • Add entry <add key=”MaxGroupOrMemberEntries” value=”10000”/>

Note: Kindly take the backup of Microsoft.ActiveDirectory.WebServices.exe.config before making any changes.

Get AdGroupMemeber Filter Example

To get users from the specified AD group, use the Get-AdGroupMember cmdlet with a filter to check if the ObjectClass is equal to the “user“.

 Get-ADGroupMember "SALESLEADER" | where {$_.objectclass -eq "user"} | Select Name,DistinguishedName | Format-Table -AutoSize

In the above PowerShell script, Get-AdGroupMember gets all the members from the adgroup “SALESLEADER“. It then pipes the output to the filter to get users from the group.

The Get-AdGroupMember uses Format-Table for output formatting as given below.

PS C:\> Get-ADGroupMember "SALESLEADER" | where {$_.objectclass -eq "user"} | Select Name,DistinguishedName | Format-Table -AutoSize

Name                             DistinguishedName
----                                   -----------------
Tom Smith                    CN=Tom Smith,OU=SALES,DC=SHELLPRO,DC=LOCAL
Chris Dore                    CN=Chris Dore,OU=SALES,DC=SHELLPRO,DC=LOCAL
Gary Waugh                 CN=Gary Waugh,OU=SALES,DC=SHELLPRO,DC=LOCAL


PS C:\>

To get a list of groups from the active directory, use the Get-AdGroupMember Filter to check if the ObjectClass is equal to the “group“.

 Get-ADGroupMember "SALESLEADER" | where {$_.objectclass -eq "group"} | Select Name,DistinguishedName | Format-Table -AutoSize

In the above PowerShell script, the Get-AdGroupMember gets all the members from the active directory and uses the get adgroupmember filter to check if ObjectClass is equal to the group and retrieves the group names.

Conclusion

I hope the above article on how to get ad group members and get a list of users from ad groups and nested groups may help you to understand the use of the PowerShell Get-ADGroupMember cmdlet.

You can read more about how to export ad group members to a CSV file and Set-AdGroup to modify active directory group attributes in PowerShell.

You can find more topics about PowerShell Active Directory commands and PowerShell basics on the ShellGeek home page.

Recommended Content

Get Adgroupmember SAMAccountname

Get Adgroupmember count for users and groups

Get Adgroupmember name and email address

Get Adgroupmember from multiple groups

Get AdGroupMember of Domain Admins Group