
PowerShell – Get AD Group Members and list of Users

The PowerShell Get-AdGroupMember cmdlet gets the members of an Active Directory group. You retrieve the members by specifying the group name: the Identity parameter identifies the Active Directory group whose members you want.

As system administrators, we often have to query Active Directory for the list of users in a group and export the group members to CSV or another file format.

In this article, we will discuss how to use the PowerShell Get-AdGroupMember cmdlet to get the users from an AD group and list the members of the group.

PowerShell Get-AdGroupMember

The Get-AdGroupMember cmdlet gets the members of an Active Directory group. Its syntax is shown below.

Syntax

Get-ADGroupMember
   [-AuthType <ADAuthType>]
   [-Credential <PSCredential>]
   [-Identity] <ADGroup>
   [-Partition <String>]
   [-Recursive]
   [-Server <String>]
   [<CommonParameters>]

Parameters

-Identity: specifies an Active Directory group object by its distinguishedName, GUID, SID, or SAMAccountName.

-Recursive: gets all members from the group hierarchy, including the members of nested groups.

-Server: specifies the Active Directory Domain Services instance to connect to, given as a domain name or a directory server name.

PowerShell Get AD Group Members

Active Directory groups can contain other groups, and each of those groups has its own users.

To list both the users and the groups that are members of an AD group, run the command below:

Get-ADGroupMember -Identity "Shell_Sales" | Select-Object Name | Sort-Object Name

In the above PowerShell script, the Get-AdGroupMember cmdlet uses the Identity parameter to specify the group name, gets the members (users and groups) of the "Shell_Sales" group, and passes the output to the Select-Object command.

Select-Object picks the Name property of each member object, and Sort-Object sorts the members by Name before they are written to the console.

The output of the above PowerShell script, listing the group members from Active Directory, is as below:

Name
----
Administrator
ShellGeek
Shell_Asia
Shell_Europe

Get List of Users from Groups and Nested Groups

To get the list of users from an AD group and its nested groups, use the Get-ADGroupMember cmdlet with the -Recursive parameter, which walks through the nested groups in Active Directory and returns the members of the whole hierarchy.

Get-ADGroupMember -Identity "Shell_Sales" -Recursive | Get-ADUser -Property DisplayName | Select-Object DisplayName

In the above PowerShell script to get the members of the AD group:

The Get-AdGroupMember cmdlet gets the members of the Active Directory group specified by the Identity parameter, including members of nested groups, and passes them to the second command.

The second command uses the Get-ADUser cmdlet to retrieve each AD user from the list of members and return the user's DisplayName property.

The third command, Select-Object, prints the DisplayName of all AD users from the group and its nested groups to the console.
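-Recursive flattens the hierarchy, so the output no longer tells you which nested group grants a user their membership. The function below, added here as an example and not part of the original article, walks one level at a time, records the nesting path for every member, and skips groups it has already visited so that circular nesting cannot loop forever. It assumes the ActiveDirectory module is installed; the function name and the output file name are the example's own.

```powershell
# Added example (not the article's script). Assumes the ActiveDirectory module;
# "Shell_Sales" is the group name used elsewhere in the article.
Import-Module ActiveDirectory

function Get-GroupMemberWithPath {
    param(
        [Parameter(Mandatory)] [string] $Group,
        [string] $Path,
        [System.Collections.Generic.HashSet[string]] $Visited = [System.Collections.Generic.HashSet[string]]::new()
    )

    $groupObj = Get-ADGroup -Identity $Group
    if (-not $Path) { $Path = $groupObj.Name }

    # DistinguishedName is unique, so it is the right key for cycle detection.
    # Add() returns $false when the group was already expanded: stop here.
    # A group reachable through two paths is therefore expanded only once.
    if (-not $Visited.Add($groupObj.DistinguishedName)) { return }

    foreach ($member in Get-ADGroupMember -Identity $groupObj) {
        if ($member.objectClass -eq 'group') {
            # Recurse into the nested group, extending the path with its name
            Get-GroupMemberWithPath -Group $member.DistinguishedName `
                -Path "$Path > $($member.Name)" -Visited $Visited
        }
        else {
            # Users, computers and other principals are reported with the chain
            # of groups that grants them membership in the top-level group
            [pscustomobject]@{
                Name           = $member.Name
                SamAccountName = $member.SamAccountName
                ObjectClass    = $member.objectClass
                MemberVia      = $Path
            }
        }
    }
}

# Usage: list every non-group member of Shell_Sales with its membership path
# and export the result for review (file name chosen for this example).
Get-GroupMemberWithPath -Group 'Shell_Sales' |
    Sort-Object MemberVia, Name |
    Export-Csv -Path .\Shell_Sales_members.csv -NoTypeInformation
```

A user that is reachable through two different nesting paths is listed once per path, which is exactly the information a membership review of a sensitive group needs.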

Get AdGroupMember Enabled Account

To get the enabled accounts among the members of a specified group, use the Get-AdGroupMember cmdlet to get all the members of the group and pipe them to the Get-AdUser cmdlet to check which accounts are enabled.

$group = "SALESLEADER"

$adusers = Get-ADGroupMember -Identity $group | where {$_.objectclass -eq "user"}

foreach ($activeuser in $adusers)
{
    Get-ADUser -Identity $activeuser | where {$_.enabled -eq $true} | select Name, SamAccountName, UserPrincipalName, Enabled
}

In the above PowerShell script, Get-AdGroupMember uses the Identity parameter to get all the members of the SALESLEADER group, the where filter keeps only the members whose ObjectClass is user, and the result is stored in the $adusers variable.

The foreach loop iterates over $adusers and uses the Get-AdUser cmdlet to check each account's Enabled status, then selects the Name, SamAccountName, UserPrincipalName, and Enabled properties of the enabled accounts.

The output of the above PowerShell script to get adgroupmember enabled accounts is:

(Screenshot: Get AdGroupMember Enabled Accounts)
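The loop above calls Get-ADUser once per member and silently drops the disabled accounts. The function below is an added example, not the article's script: it resolves the users in one pipeline and returns the enabled and the disabled members separately, because disabled accounts that still hold group membership are the ones a membership review should remove. It assumes the ActiveDirectory module; the function name is the example's own.

```powershell
# Added example (not the article's script). Assumes the ActiveDirectory module;
# SALESLEADER is the group name used in the article.
Import-Module ActiveDirectory

function Get-GroupMemberStatus {
    param([Parameter(Mandatory)] [string] $Group)

    $users = Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        # Enabled is returned by default; LastLogonDate has to be requested
        Get-ADUser -Properties Enabled, LastLogonDate |
        Select-Object Name, SamAccountName, UserPrincipalName, Enabled, LastLogonDate

    # @() keeps the Count property meaningful when there is zero or one user
    [pscustomobject]@{
        Group    = $Group
        Enabled  = @($users | Where-Object { $_.Enabled -eq $true })
        Disabled = @($users | Where-Object { $_.Enabled -ne $true })
    }
}

$status = Get-GroupMemberStatus -Group 'SALESLEADER'

"{0}: {1} enabled, {2} disabled member accounts" -f `
    $status.Group, $status.Enabled.Count, $status.Disabled.Count

$status.Enabled | Format-Table -AutoSize

# Disabled accounts still holding membership are candidates for removal
$status.Disabled | Format-Table -AutoSize
```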

Get-AdGroupMember MaxGroupOrMemberEntries Modification

Get-AdGroupMember has a default limit of 5000 Active Directory objects per request.

If a group has more than 5000 members and you try to get them all with Get-AdGroupMember, it throws the error: "Get-AdGroupMember: The size limit for this request was exceeded."

You can increase the MaxGroupOrMemberEntries setting to retrieve more Active Directory objects than the default limit.

Refer to the below steps to add MaxGroupOrMemberEntries:

  • Go to the Domain Controller
  • Navigate to the location C:\Windows\ADWS
  • Open the file Microsoft.ActiveDirectory.WebServices.exe.config in Notepad
  • Check whether the MaxGroupOrMemberEntries key is already present; if it is, increase its value, otherwise add the key below to the file.
  • Add the entry <add key="MaxGroupOrMemberEntries" value="10000"/>

Note: Kindly take a backup of Microsoft.ActiveDirectory.WebServices.exe.config before making any changes.
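The steps above, carried out as a script that takes the backup first and then adds or updates the key in place. This is an added example, not the article's own code: it assumes the setting lives under the <appSettings> element of Microsoft.ActiveDirectory.WebServices.exe.config, that it is run in an elevated PowerShell session on the domain controller, and that ADWS, which reads its configuration at service start, is restarted afterwards (a step the article's list does not include).

```powershell
# Added example (not from the article). Run elevated on the domain controller;
# ADWS is per domain controller, so repeat this on every DC you query.
$configPath = 'C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe.config'
$newValue   = '10000'   # the value used in the article's example entry

# Timestamped backup first, as the article's note recommends
$backup = "$configPath.$(Get-Date -Format yyyyMMddHHmmss).bak"
Copy-Item -Path $configPath -Destination $backup

[xml]$config = Get-Content -Path $configPath -Raw

# Assumption: the key belongs under <configuration><appSettings>; create the
# element only if the file has none
$appSettings = $config.SelectSingleNode('/configuration/appSettings')
if (-not $appSettings) {
    $appSettings = $config.DocumentElement.AppendChild($config.CreateElement('appSettings'))
}

# Update the existing key if present, otherwise add it
$entry = $appSettings.SelectSingleNode("add[@key='MaxGroupOrMemberEntries']")
if (-not $entry) {
    $entry = $appSettings.AppendChild($config.CreateElement('add'))
    $entry.SetAttribute('key', 'MaxGroupOrMemberEntries')
}
$entry.SetAttribute('value', $newValue)

$config.Save($configPath)
"Backup written to $backup; MaxGroupOrMemberEntries set to $newValue"

# ADWS reads the file at start-up, so restart the Active Directory Web Services
# service (service name ADWS) for the new limit to take effect
Restart-Service -Name ADWS
```

Restarting ADWS briefly interrupts every PowerShell Active Directory session that uses this domain controller, so schedule the change accordingly.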

Get AdGroupMember Filter Example

To get only the users from a group, filter the Get-AdGroupMember output to check whether ObjectClass is equal to "user".

Get-ADGroupMember "SALESLEADER" | where {$_.objectclass -eq "user"} | Select Name,DistinguishedName | Format-Table -AutoSize

In the above PowerShell script, Get-AdGroupMember gets all the members of the "SALESLEADER" group and the where filter keeps only the users.

Format-Table formats the output as given below:

PS C:\> Get-ADGroupMember "SALESLEADER" | where {$_.objectclass -eq "user"} | Select Name,DistinguishedName | Format-Table -AutoSize

Name       DistinguishedName
----       -----------------
Tom Smith  CN=Tom Smith,OU=SALES,DC=SHELLPRO,DC=LOCAL
Chris Dore CN=Chris Dore,OU=SALES,DC=SHELLPRO,DC=LOCAL
Gary Waugh CN=Gary Waugh,OU=SALES,DC=SHELLPRO,DC=LOCAL

PS C:\>

To get the groups that are members of a group, filter the Get-AdGroupMember output to check whether ObjectClass is equal to "group".

Get-ADGroupMember "SALESLEADER" | where {$_.objectclass -eq "group"} | Select Name,DistinguishedName | Format-Table -AutoSize

In the above PowerShell script, Get-AdGroupMember gets all the members of the SALESLEADER group, and the filter on ObjectClass equal to "group" keeps only the nested groups and returns their names.

Conclusion

I hope the above article on how to get AD group members and list the users from AD groups and nested groups helps you understand the use of the PowerShell Get-ADGroupMember cmdlet.

You can read more about how to export ad group members to a CSV file and Set-AdGroup to modify active directory group attributes in PowerShell.

You can find more topics about PowerShell Active Directory commands and PowerShell basics on the ShellGeek home page.
