
Get-ADGroupMember Cmdlet: Find Active Directory Group Members

Using Active Directory security groups is a best practice for quickly and accurately assigning permissions to users, computers, and groups. But how can you get a list of all the members of a security group?

While you could use the PowerShell cmdlet Get-ADGroup, group members will be identified by their distinguished names, making the results difficult to read. A better option is to use the Get-ADGroupMember cmdlet. This article provides the syntax of this cmdlet and lots of useful examples.

Using Get-ADGroupMember

To get a list of all members of a security group, simply enter the Get-ADGroupMember cmdlet in a PowerShell window and you’ll be prompted to input the group name:


Get-ADGroupMember Parameters

The Get-ADGroupMember cmdlet accepts the following parameters:

  • -AuthType <ADAuthType>
  • -Credential <PSCredential>
  • -Identity <ADGroup>
  • -Partition <String>
  • -Recursive
  • -Server <String>

The Identity and Recursive parameters are most used, so let’s dive into each of them.

Identity Parameter

Use the Identity parameter to specify the AD group whose members you want to list. You can specify the group by its distinguished name, GUID, SID or SAM account name.

To get the output in a more readable tabular format, we will use the following command:

Get-ADGroupMember -Identity Office365-E3 | ft

Recursive Parameter

A security group can have other groups among its members; this is called group nesting. To see the members of the nested groups using the Get-ADGroupMember cmdlet, we need to use the Recursive parameter.

For example, suppose the security group TestOrg8-Versacorp has five members, which are all groups: Engineering, Finance, Marketing, Operations and Sales. Running the Get-ADGroupMember cmdlet on TestOrg8-Versacorp without the Recursive parameter will return those five groups, but not their members, as shown here:


But if we add the Recursive parameter, the Get-ADGroupMember cmdlet will list the members of all the nested groups:

Get-ADGroupMember -Identity TestOrg8-Versacorp -Recursive | ft
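The Recursive output is a flat list, so it does not show which nested group gives each member its access. The following added example (not part of the original article) walks the nesting one level at a time and records the path for every member; the function name Get-GroupMemberPath is hypothetical, and it assumes the ActiveDirectory module and the TestOrg8-Versacorp group used above.

```powershell
# Added example, not from the original article.
# Requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

function Get-GroupMemberPath {
    param(
        [Parameter(Mandatory)] [string] $Identity,  # group to expand
        [string[]] $Ancestors = @(),                 # DNs of the groups above this one
        [string]   $Path = ''                        # readable nesting path so far
    )

    $group = Get-ADGroup -Identity $Identity

    # AD allows circular nesting (A in B, B in A); stop instead of looping forever.
    if ($Ancestors -contains $group.DistinguishedName) {
        Write-Warning "Circular nesting: $Path > $($group.Name)"
        return
    }

    $here = if ($Path) { "$Path > $($group.Name)" } else { $group.Name }

    # No -Recursive here: nested groups are returned as members and expanded below.
    foreach ($m in Get-ADGroupMember -Identity $group) {
        if ($m.objectClass -eq 'group') {
            Get-GroupMemberPath -Identity $m.distinguishedName `
                -Ancestors ($Ancestors + $group.DistinguishedName) -Path $here
        }
        else {
            [pscustomobject]@{
                Member      = $m.SamAccountName
                ObjectClass = $m.objectClass
                Depth       = $Ancestors.Count   # 0 = direct member of the top group
                Via         = $here              # chain of groups granting membership
            }
        }
    }
}

# A member reachable through two nested groups appears once per path.
Get-GroupMemberPath -Identity 'TestOrg8-Versacorp' |
    Sort-Object Via, Member |
    Format-Table -AutoSize
```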

Additional Examples of Get-ADGroupMember

Let’s review some other common use cases for Get-ADGroupMember.

Specify which Member Properties to Display

If you want to specify exactly which properties to display about each group member, you can use the Select-Object cmdlet, as shown here:

Get-ADGroupMember -Identity Office365-E3 | Select-Object name, objectClass,distinguishedName

Limit the Output to Members with a Specific Object Type

As noted earlier, a security group can have users, computers, and nested groups as members. But you can easily limit the output of the Get-ADGroupMember cmdlet to just one of these object classes.

If you want to see only the members that are user objects, use this command:

Get-ADGroupMember -Identity VPN | Where-Object {$_.objectClass -eq "user"} | ft

Similarly, if you want to see only the nested groups, use this command:

Get-ADGroupMember -Identity VPN | Where-Object {$_.objectClass -eq "group"} | ft

And if you want to see only the computer objects that are members, use this command:

Get-ADGroupMember -Identity VPN | Where-Object {$_.objectClass -eq "computer"} | ft

Here is the output from all three commands:


Export Group Membership Information to a CSV File

Here’s how you can export the output of the Get-ADGroupMember cmdlet to a CSV file:

Get-ADGroupMember -Identity Office365-E3 | Get-ADUser -Properties Mail,Department,Title,EmployeeID | Select Name,Mail,Department,Title,EmployeeID | Export-Csv -Path C:\adgroupmemberslist.csv -NoTypeInformation

There are three cmdlets at work here:

  1. Get-ADGroupMember gets the members of the specified AD group and delivers the results to the second cmdlet (Get-ADUser).
  2. Get-ADUser retrieves the specified properties of those members (name, email address, department, title, and employee ID) and passes the results to the third cmdlet (Export-csv).
  3. Export-csv exports the results to a CSV file, as shown below:

Export the Members from a Specific OU to a CSV File

Users, computers, and group objects all reside in OUs within Active Directory.

Run the following PowerShell script to export group members from a specified OU to a CSV file:

$OrgUnit = 'OU=VPN,DC=milkyway,DC=local'
# Get Active Directory groups from a specific Organizational Unit
$AD_Groups = Get-ADGroup -Filter * -SearchBase $OrgUnit
# Search through AD_Groups variable and get AD group name and member user name
$AD_Group_Members = foreach ($Group in $AD_Groups) {
    Get-ADGroupMember -Identity $Group -Recursive | Select-Object @{Name='Group';Expression={$Group.Name}}, @{Name='Member';Expression={$_.Name}}
}
# Export groups and users to csv file from AD_Group_Members variable
$AD_Group_Members | Export-Csv -Path C:\AD_Group_Members.csv -NoTypeInformation

In this script:

  • The first line defines the path to the desired OU.
  • The second line uses the Get-ADGroup cmdlet to get all AD groups from that OU.
  • Then the script cycles through those AD groups, getting each group’s name and members.
  • The last line uses the Export-Csv cmdlet to export the results to a CSV file.

And here is the resulting CSV file:


View the Output in an Interactive Table

To display the output in an interactive table, use the Out-GridView cmdlet:

Get-ADGroupMember -Identity VPN | Select-Object name, objectClass,distinguishedName | Out-GridView

In the resulting table, you can easily reorder the columns, sort the rows, filter the data, and more.


List the Members of Global (or Universal) Groups Only

To list the members of Global groups only, use Get-ADGroup with Get-ADGroupMember as shown here:

Get-ADGroup -Filter {GroupScope -eq "Global"} | Get-ADGroupMember | Select-Object name, objectClass,distinguishedName

Display Additional Information about Group Members

The Get-ADGroupMember cmdlet returns only information from the group’s ‘member’ attribute, which consists mainly of each member’s CN, OU, and domain name.

If you need additional information, such as members’ email addresses and display names, then you can pipe the output of Get-ADGroupMember into the Get-ADUser cmdlet and specify the additional properties you want to see, as follows:

Get-ADGroupMember -Identity Office365-E3 | Get-ADUser -Properties DisplayName,EmailAddress | Select Name,DisplayName,EmailAddress,SAMAccountName
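Piping straight into Get-ADUser only works when every member is a user object; a computer or nested group in the pipeline produces an error. The following added example (not part of the original article) dispatches on objectClass and also pulls the attributes an access review usually needs. The function name Get-GroupMemberDetail, the NeedsReview column and the 90-day threshold are assumptions made for illustration.

```powershell
# Added example, not from the original article.
# Requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

function Get-GroupMemberDetail {
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [int] $StaleDays = 90   # assumed review threshold; adjust to your policy
    )
    $cutoff = (Get-Date).AddDays(-$StaleDays)
    $props  = 'DisplayName', 'LastLogonDate', 'PasswordLastSet'

    foreach ($m in Get-ADGroupMember -Identity $Identity -Recursive) {
        # Get-ADUser resolves only user objects, so pick the cmdlet per object class.
        $detail = switch ($m.objectClass) {
            'user'     { Get-ADUser     -Identity $m.distinguishedName -Properties ($props + 'EmailAddress') }
            'computer' { Get-ADComputer -Identity $m.distinguishedName -Properties $props }
            default    { $null }   # other principal types: listed without extra attributes
        }

        [pscustomobject]@{
            Name            = $m.name
            SamAccountName  = $m.SamAccountName
            ObjectClass     = $m.objectClass
            DisplayName     = $detail.DisplayName
            EmailAddress    = $detail.EmailAddress
            Enabled         = $detail.Enabled
            # LastLogonDate is derived from lastLogonTimestamp, which replicates
            # with a lag of several days; treat it as approximate.
            LastLogonDate   = $detail.LastLogonDate
            PasswordLastSet = $detail.PasswordLastSet
            # Flag disabled accounts and accounts with no recent (or no) logon.
            NeedsReview     = [bool]($detail -and
                ((-not $detail.Enabled) -or ($detail.LastLogonDate -lt $cutoff)))
        }
    }
}

# List only the members that should be looked at during an access review.
Get-GroupMemberDetail -Identity 'Office365-E3' |
    Where-Object NeedsReview |
    Format-Table Name, ObjectClass, Enabled, LastLogonDate, PasswordLastSet -AutoSize
```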
Since 2012, Jonathan Blackwell, an engineer and innovator, has provided engineering leadership that has put Netwrix GroupID at the forefront of group and user management for Active Directory and Azure AD environments. His experience in development, marketing, and sales allows Jonathan to fully understand the Identity market and how buyers think.