Active Directory is commonly used across organizations to organize user accounts so that each can be given the appropriate access to resources. Accounts that share characteristics, such as belonging to the same department or needing access to the same resources, are placed in groups, and permissions are granted to the group rather than to individual accounts.
As a Windows administrator, you will often have to create AD groups, export group memberships, modify their access and privileges, merge groups, delete them, and more. Doing this manually is time-consuming and error-prone, to say the least, and this is where PowerShell comes in handy.
PowerShell is the most convenient way to manage AD because the Active Directory cmdlets cover nearly every task, saving a lot of time and effort. In this article, we will specifically look at how to export AD group members using PowerShell cmdlets. Beyond day-to-day administration, a membership export is the raw material for an access review: knowing exactly who sits in privileged groups such as Domain Admins, and in groups that grant access to sensitive shares, is a basic security control.
Before we get started, make sure you have a Windows computer and are logged in with an account that has permission to read group membership (in a default AD configuration any authenticated domain user can read most group memberships; reading is not the same as modifying). You also need the Active Directory module for PowerShell, which ships with the Remote Server Administration Tools (RSAT) and is present on domain controllers; load it with Import-Module ActiveDirectory.
Getting the AD Groups
You will use two PowerShell cmdlets to get a list of AD group members:
- Get-ADGroup
- Get-ADGroupMember
The first cmdlet returns AD group objects (the groups themselves and their attributes). The second looks inside a group and returns the security principals that are members of it: user accounts, computer accounts and other groups. That is the key difference between the two cmdlets. Note that the cmdlet names contain no spaces (Get-ADGroup, not Get -ADGroup).
The first step is to find the group you want to export, and for this, use the Get-ADGroup cmdlet. This step is particularly helpful if you do not know the exact group name.
Get-ADGroup requires you to specify either a search filter (-Filter or -LDAPFilter) or a specific group (-Identity); run without parameters, it prompts you for a filter rather than listing anything. To list every group in the domain, pass a wildcard filter:
Get-ADGroup -Filter *
This lists all the groups in your domain, so you can browse and pick the exact group name.
If that is cumbersome, especially when the results run to hundreds or even thousands of groups, narrow the query with a real filter expression. The -Identity parameter returns exactly one group (by name, SAM account name, distinguished name, SID or GUID), so Get-ADGroup -Identity 'Finance' returns only the group called Finance. To see every group whose name mentions Finance, use -Filter with the -like operator:
Get-ADGroup -Filter 'Name -like "*Finance*"' | Select-Object Name, GroupScope, GroupCategory, DistinguishedName
This limits the output to groups with Finance in their name and shows whether each is a security or distribution group, which matters when you are reviewing who can access what.
Listing the AD Group Members
Once you have zeroed in on the group(s), the next step is to get the list of members, and this is where the Get-ADGroupMember cmdlet helps. Use the -Identity parameter to get the members of a particular group:
Get-ADGroupMember -Identity 'Finance'
This lists the user, computer and group objects that are direct members of the Finance group, with their name, SamAccountName, objectClass, SID and distinguished name. Two caveats a practitioner should know: the cmdlet goes through Active Directory Web Services, which by default refuses to return more than 5000 members (the error reads "The size limit for this request was exceeded"), and it can fail on groups that contain foreign security principals (members from trusted domains). For very large groups, read the group's Member attribute instead: (Get-ADGroup -Identity 'Finance' -Properties Member).Member returns the members' distinguished names without that limit.
Get-ADGroupMember also comes with other parameters to help you get what you want. Let's look at the more useful ones.
Sub-groups
AD groups contain not just user and computer objects but also other groups, which is called nesting. By default, Get-ADGroupMember returns a nested group as a single 'group' object and does not expand it, even though every member of the nested group effectively has the access granted to the parent group. For an export or an access review you usually want that effective membership, so add the -Recursive parameter:
Get-ADGroupMember -Identity 'Finance' -Recursive
As the name suggests, this walks into each nested group, at any depth, and returns the leaf members (users and computers) instead of the group objects themselves. Compare the two outputs when reviewing privileged groups: a single nested group in Domain Admins can hide many accounts that a direct listing does not show.
Multiple Groups
Sometimes you want the members of more than one group. For this, put the group names in an array and use a foreach loop that queries each group in turn.
Your code will look like this:
$departments = 'Finance', 'Sales', 'PR'
foreach ($group in $departments) {
    Get-ADGroupMember -Identity $group
}
In this snippet, you create a collection of department group names, and the loop passes each name to -Identity (not a fixed string, or every iteration would query the same group). Note that a plain loop like this does not record which group each member came from, so the output of several groups runs together.
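The following is an added example, not code from the original article, that serves both the Sub-groups and Multiple Groups sections: it enumerates several groups with -Recursive, tags every row with the group it came from, keeps going when one group cannot be enumerated, and then shows which accounts appear in more than one of the groups. The function name and the group names are assumptions for the example.

```powershell
# Added example (not from the original article): collect the effective members of
# several groups into one report, tagging each row with the group it came from.
# Group names below are assumptions for the example.
Import-Module ActiveDirectory

function Get-GroupMembershipReport {
    param(
        [Parameter(Mandatory)] [string[]] $GroupName,
        [switch] $Recursive   # expand nested groups and return leaf members only
    )
    foreach ($name in $GroupName) {
        try {
            # -Recursive:$Recursive forwards the switch; with it, nested group
            # objects are expanded and only users/computers come back.
            $members = Get-ADGroupMember -Identity $name -Recursive:$Recursive -ErrorAction Stop
        } catch {
            # A group that does not exist, exceeds the ADWS 5000-member limit, or
            # holds members from a trusted domain must not abort the whole report.
            Write-Warning "Could not enumerate '$name': $($_.Exception.Message)"
            continue
        }
        foreach ($m in $members) {
            [pscustomobject]@{
                GroupName         = $name
                Member            = $m.SamAccountName
                ObjectClass       = $m.objectClass
                DistinguishedName = $m.DistinguishedName
            }
        }
    }
}

# Assumed group names; a privileged group is included so it is reviewed alongside.
$departments = 'Finance', 'Sales', 'PR', 'Domain Admins'
$report = Get-GroupMembershipReport -GroupName $departments -Recursive

# Accounts that appear in more than one of these groups (e.g. a department user
# who is also a domain admin) are the first thing an access review looks at.
$report | Group-Object Member | Where-Object Count -gt 1 |
    Select-Object Name, @{ n = 'Groups'; e = { ($_.Group.GroupName | Sort-Object -Unique) -join ', ' } }

$report | Format-Table -AutoSize
```

Because the rows are objects rather than text, the same $report can be piped to Export-Csv, grouped by ObjectClass, or compared against a previous run with Compare-Object to spot membership changes.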
Filtering your Results
Although Get-ADGroupMember lists every member, in the real world you rarely need all of them; you want those that meet a specific condition. Get-ADGroupMember has no -Filter parameter (unlike Get-ADGroup and Get-ADUser), so filter its output with Where-Object, or filter on the group side with Get-ADGroup.
For example, GroupScope is a property of a group, not of its members, so a filter on it belongs in Get-ADGroup. To find the domain local groups and then list the members of each:
Get-ADGroup -Filter 'GroupScope -eq "DomainLocal"' | Get-ADGroupMember
To keep only the user accounts in a group and drop nested groups and computers, filter the members by objectClass:
Get-ADGroupMember -Identity 'TeamLead' | Where-Object { $_.objectClass -eq 'user' }
Moving on, you can choose which attributes of each member you want to see. For example, to see just the name of each member:
Get-ADGroupMember -Identity 'TeamLead' | Where-Object { $_.objectClass -eq 'user' } | Select-Object Name
This displays only the name of each member that fits the rest of the criteria. Get-ADGroupMember returns only a handful of attributes; for anything else (Enabled, mail, last logon) pipe the members into Get-ADUser -Properties.
Exporting AD Members
Now that you have the list of members you want, it's time to export them. Let's say you want to export the names of these members to a CSV file.
For this, pipe the results to the Export-Csv cmdlet (there is no "Export" parameter on Get-ADGroupMember). Your command will look like this:
Get-ADGroupMember -Identity 'TeamLead' | Where-Object { $_.objectClass -eq 'user' } | Select-Object Name | Export-Csv -Path C:\domainNames\member_names.csv -NoTypeInformation
This exports the name of every user in the TeamLead group to member_names.csv (the folder must already exist). -NoTypeInformation suppresses the "#TYPE" header line that Windows PowerShell otherwise writes as the first row, which breaks tools that expect a plain CSV; in PowerShell 7 it is the default. Open the file to check that it has the names you want. For a different format, swap the last cmdlet: Export-Clixml keeps the full objects, ConvertTo-Json writes JSON, and Out-File writes plain text. Treat the export as sensitive: a list of who is in which group is reconnaissance data for an attacker, so store it with the same care as the directory itself.
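The following is an added example, not code from the original article, that covers both the Filtering and Exporting sections: it filters a group down to its user members, resolves each one to the attributes an access review needs, writes a clean CSV, and falls back to the group's Member attribute when Get-ADGroupMember hits the ADWS 5000-member limit. The function names, the group name and the output path are assumptions for the example.

```powershell
# Added example (not from the original article): export the user members of a
# group to CSV, with a fallback for groups too large for Get-ADGroupMember.
# Group name and output path are assumptions for the example.
Import-Module ActiveDirectory

function Get-ADGroupMemberSafe {
    param([Parameter(Mandatory)] [string] $Identity)
    try {
        Get-ADGroupMember -Identity $Identity -ErrorAction Stop
    } catch {
        # ADWS refuses to return more than MaxGroupOrMemberEntries (5000 by default)
        # members. The group's Member attribute is not subject to that limit, so
        # read the member DNs from the group object and resolve each one.
        Write-Warning "Get-ADGroupMember failed for '$Identity' ($($_.Exception.Message)); reading the Member attribute instead"
        (Get-ADGroup -Identity $Identity -Properties Member).Member |
            ForEach-Object { Get-ADObject -Identity $_ -Properties SamAccountName }
    }
}

function Export-GroupUsers {
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        [Parameter(Mandatory)] [string] $Path
    )
    $rows = Get-ADGroupMemberSafe -Identity $GroupName |
        Where-Object { $_.ObjectClass -eq 'user' } |          # users only: drop nested groups and computers
        ForEach-Object {
            # Get-ADGroupMember returns few attributes; resolve each user for the ones
            # an access review needs. The DN works for both code paths above.
            Get-ADUser -Identity $_.DistinguishedName -Properties Enabled, Mail, LastLogonDate
        } |
        Select-Object @{ n = 'Group'; e = { $GroupName } }, SamAccountName, Name, Enabled, Mail, LastLogonDate

    # -NoTypeInformation keeps the "#TYPE ..." line out of the file in Windows PowerShell.
    $rows | Export-Csv -Path $Path -NoTypeInformation -Encoding UTF8
    return $rows
}

$exported = Export-GroupUsers -GroupName 'TeamLead' -Path 'C:\domainNames\member_names.csv'
$disabled = @($exported | Where-Object { -not $_.Enabled }).Count
"Exported $(@($exported).Count) user(s); $disabled disabled account(s) still hold membership"
```

The Enabled and LastLogonDate columns are what turn a plain export into a review: disabled or long-dormant accounts that still sit in a group are the usual finding, and the count printed at the end makes them visible without opening the file.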
Using Third-party Tools
PowerShell is versatile and simplifies many complex tasks, especially those related to AD. Still, it’s not for everyone as it requires a certain amount of scripting knowledge and the right environment.
A better option is to use tools like SolarWinds Admin Bundle for Active Directory that allows you to find and remove inactive users, export and import users in bulk, and more. This 100% FREE SolarWinds tool is sure to make your job easier and hassle-free.
ManageEngine ADManager Plus – FREE TRIAL
ManageEngine ADManager Plus is a robust Active Directory management software designed to simplify the complex task of managing AD users, groups, and computers. It provides an intuitive user interface that enables administrators to perform various AD management tasks quickly and efficiently.
Key Features:
- AD bulk object editing
- Advanced object filtering
- Multiple export options
Why do we recommend it?
We recommend ManageEngine ADManager Plus for its comprehensive range of features, including advanced search options and detailed compliance reporting. Its ability to streamline various AD management tasks makes it stand out.
ADManager Plus helps administrators manage AD groups more effectively than PowerShell alone. It provides an advanced search option that allows administrators to search for group members based on various criteria, including username, email address, and job title. This can save administrators a ton of time, especially when dealing with large AD environments.
ADManager Plus also offers a wide range of features like user account creation, modification, password management, OU, and group management that make AD management much more streamlined.
Overall, ADManager Plus is an excellent AD management software that provides administrators with an easy-to-use interface, comprehensive features, and advanced search capabilities. It is a valuable tool for any organization that wants to manage its AD environment better and improve its security posture.
Who is it recommended for?
ManageEngine ADManager Plus is ideal for medium to large organizations that require efficient and secure AD management. It’s particularly useful for administrators who are looking for a tool that can save time through features like bulk editing and advanced object filtering. It’s also a good fit for multi-domain environments and teams that require delegation options for NOC or helpdesk.
Pros:
- Detailed reporting, can generate compliance reports for all major standards (PCI, HIPAA, etc.)
- Supports multiple domains
- Supports delegation for NOC or helpdesk teams
- Allows you to visually view share permissions and the details of security groups
Cons:
- Is a comprehensive platform that takes time to fully explore
There are three editions of ADManager Plus: Free, Standard, and Professional. The Free edition is limited to managing one domain. The Standard version has a wider scope and the Professional edition includes various Help Desk modules. You can get a 30-day free trial of the full version.