Export Members of a Particular Active Directory Group Using PowerShell

In this post, I’ll show you how to use PowerShell to get the members of an Active Directory group.

The PowerShell Get-ADGroupMember cmdlet is used to list the members of an Active Directory group. You can just type the cmdlet in a PowerShell window and you’ll be prompted to enter the name of the group you want to use.


Note that you must be logged in to Windows with a domain user account that has permission to read the group(s) you want to list. You must also have the Active Directory module for Windows PowerShell installed on the device where you want to run the Get-ADGroupMember cmdlet.

You can add the name of the group to the command as shown below and format the output by piping the results to the Select-Object cmdlet:

Get-ADGroupMember -Identity Administrators | Select-Object name, objectClass, distinguishedName

Combine the Get-ADGroup and Get-ADGroupMember cmdlets to perform more complex searches. In the example below, I list all members of groups with domain local scope:

Get-ADGroup -Filter {GroupScope -eq "DomainLocal"} | Get-ADGroupMember | Select-Object name, objectClass, distinguishedName

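You can add the -Recursive parameter to Get-ADGroupMember to list the members of nested (child) groups as well. The nested groups are expanded, so the output contains their members rather than the groups themselves.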

Get-ADGroupMember -Identity 'Enterprise Admins' -Recursive

Note that the group name is enclosed in single quotes because it contains a space. Don’t forget that Out-GridView can be useful for sorting and filtering the results in a simple GUI.

Get-ADGroupMember -Identity Administrators | Select-Object name, objectClass, distinguishedName | Out-GridView

If you want to keep a record or perform further processing, you can export the list to a comma-delimited file that can be opened in Excel or used by another program. The command below saves the group members list to the current working directory in a file called adgroupmembers.csv.

Get-ADGroupMember -Identity Administrators | Select-Object name, objectClass, distinguishedName | Export-CSV -Path "adgroupmembers.csv"

It is important to track and audit Active Directory group membership changes, as each change could potentially result in over-privileged users and a higher data security risk. To do this, it’s recommended to use an Active Directory auditing solution, such as LepideAuditor for Active Directory.
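
The export shown above can also serve as a baseline for spotting membership changes between runs. The script below is an added example, not part of the original post; the function name Get-MembershipDelta and the baseline file name are assumptions, and it needs the Active Directory module and read access to the group.

```powershell
# Added example: names below (function, baseline file) are assumptions.
# Needs the Active Directory module and read access to the group.
Import-Module ActiveDirectory

function Get-MembershipDelta {
    param(
        [object[]] $Baseline = @(),   # rows loaded from an earlier Export-Csv
        [object[]] $Current  = @()    # rows returned by Get-ADGroupMember now
    )
    # distinguishedName is the only exported column that is unique per object;
    # -notin compares case-insensitively, which suits DNs.
    $baseDNs = @($Baseline | ForEach-Object { $_.distinguishedName })
    $currDNs = @($Current  | ForEach-Object { $_.distinguishedName })

    $Current | Where-Object { $_.distinguishedName -notin $baseDNs } |
        Select-Object @{ n = 'Change'; e = { 'Added' } }, name, objectClass, distinguishedName
    $Baseline | Where-Object { $_.distinguishedName -notin $currDNs } |
        Select-Object @{ n = 'Change'; e = { 'Removed' } }, name, objectClass, distinguishedName
}

$group    = 'Enterprise Admins'
$baseFile = 'enterprise-admins-baseline.csv'   # assumed file name

# -Recursive flattens nested groups, so indirect members are compared too.
$current = @(Get-ADGroupMember -Identity $group -Recursive |
    Select-Object name, objectClass, distinguishedName)

if (Test-Path -LiteralPath $baseFile) {
    $delta = @(Get-MembershipDelta -Baseline @(Import-Csv -LiteralPath $baseFile) -Current $current)
    if ($delta.Count -gt 0) {
        $delta | Format-Table -AutoSize
    } else {
        "No membership changes in '$group' since the baseline."
    }
} else {
    # First run: record the baseline; later runs compare against it.
    $current | Export-Csv -LiteralPath $baseFile -NoTypeInformation
    "Baseline for '$group' saved to $baseFile."
}
```

After reviewing the reported differences, re-export the CSV so the next run compares against the approved membership.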
