How to List Active Directory Group Members (dsforum2wiki)

Here are a few different ways to list members of an Active Directory group:

  1. Using built-in Active Directory command-line tools

    The following command returns the first name and last name of each member of a group:

    dsquery group domainroot -name groupname | dsget group -members | dsget user -fn -ln

  2. Using a filter

    The following filter returns the members of a specific group.
    You have to specify the group's distinguishedName.

    ldifde -f groupMembers.txt -r "(&(objectClass=User)(memberOf=CN=myGroup,OU=MyContainer,DC=myOrg,DC=local))" -l "sAMAccountName,givenName,sn"

  3. Using Adfind (Adfind is a free tool that you can download from www.joeware.net/freetools/tools/adfind/index.htm)

    TO RETRIEVE THE DN OF THE GROUP

    adfind -default -f "(&(objectCategory=group)(name=<GROUPNAME>))" -dsq

    or

    adfind -default -f "(&(objectCategory=group)(name=<GROUPNAME>))" -dn

    TO RETRIEVE THE PROPERTIES (givenName=first name, sn=surname, sAMAccountName=pre-W2K logon name, description=description, cn=full name, displayName=display name) OF THE MEMBERS OF THE GROUP

    adfind -b "<DN of group>" -asq member givenName sn sAMAccountName description cn displayName

  4. Use PowerShell with the free Quest AD Cmdlets (http://www.quest.com/powershell/activeroles-server.aspx), with the following one-liner query.

    Get-QADGroupMember GROUPNAME

    You may also use the -indirect switch to retrieve the nested group membership.

    Get-QADGroupMember GROUPNAME -indirect

    Conversely, you may also look up the user's direct and indirect group membership with the Get-QADMemberOf cmdlet.

    Get-QADMemberOf USERNAME

    Get-QADMemberOf USERNAME -indirect

  5. Using PowerShell with native AD Cmdlets, i.e. ADWS/ADMGS (http://technet.microsoft.com/en-us/library/dd378937%28WS.10%29.aspx)

    Get-ADGroup GROUPNAME -properties members

    or

    Get-ADGroupMember GROUPNAME -recursive

  For #4 and #5 above, use the built-in help to learn more about the Cmdlets and the available syntaxes, e.g.

    Help Get-ADGroup -full
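
As an added example (not part of the original article or of Microsoft's documentation), the nested lookup from #5 can also be done server-side with a memberOf filter like the one in #2, using the LDAP_MATCHING_RULE_IN_CHAIN matching rule, which is useful when auditing who effectively holds membership of a privileged group. The function names ConvertTo-LdapFilterValue and Get-GroupMemberAudit are hypothetical, and the code assumes the ActiveDirectory module and read access to the domain.

```powershell
# Added example: list user members of a group, marking direct vs. nested membership.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # Hypothetical helper: escape a value for use inside an LDAP filter (RFC 4515).
    # A group DN may legally contain '\', '*', '(' or ')', which would otherwise
    # change the meaning of the filter the DN is pasted into.
    param([Parameter(Mandatory)][string]$Value)
    $v = $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28')
    $v.Replace(')', '\29').Replace([string][char]0, '\00')
}

function Get-GroupMemberAudit {
    # Hypothetical function name; GroupName is any identity Get-ADGroup accepts.
    param([Parameter(Mandatory)][string]$GroupName)

    # Resolve the group once; 'member' holds the DNs of its direct members only.
    $group  = Get-ADGroup -Identity $GroupName -Properties member
    $direct = @($group.member)
    $dn     = ConvertTo-LdapFilterValue $group.DistinguishedName

    # 1.2.840.113556.1.4.1941 = LDAP_MATCHING_RULE_IN_CHAIN: the domain controller
    # walks the nested groups itself, so one query returns every user in the chain.
    $filter = "(&(objectCategory=person)(objectClass=user)" +
              "(memberOf:1.2.840.113556.1.4.1941:=$dn))"

    Get-ADUser -LDAPFilter $filter | ForEach-Object {
        [pscustomobject]@{
            sAMAccountName = $_.SamAccountName
            givenName      = $_.GivenName
            sn             = $_.Surname
            Enabled        = $_.Enabled
            Membership     = if ($direct -contains $_.DistinguishedName) { 'Direct' } else { 'Nested' }
        }
    }
}

# Example call (GROUPNAME is a placeholder, as elsewhere on this page):
# Get-GroupMemberAudit GROUPNAME | Sort-Object Membership, sAMAccountName | Format-Table
```

The memberOf attribute does not reflect a user's primary group (primaryGroupID), so accounts that have the audited group set as their primary group are not returned by this filter or by the one in #2.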




References

This article was derived from the forum post Active Directory Saved Query - Group Member Listing.



Comments
  • Export to Excel with Quest AD Cmdlets:

    Set-QADProgressPolicy -ShowProgress $true -ProgressThreshold 2 | Out-Null

    $gr=Read-Host; $day=Get-Date -UFormat "%Y-%m-%d"; $fle=$gr+"_"+$day+".csv"; Get-QADGroupMember $gr -UseGlobalCatalog -Activity 'Retrieving group' | Sort-Object | select DisplayName,NTAccountName,Email,Company,Department | Get-Unique -asstring | Export-Csv -Encoding unicode -NoTypeInformation -path $env:temp\$fle; Invoke-Item $env:temp\$fle

  • I have mentioned another method using a PowerShell script in the following blog:

    portal.sivarajan.com/.../list-group-members-in-active.html
