How to List AD Group Members with PowerShell

Photo of author

By Victor Ashiedu

Published

Do you want to learn various ways to list AD group members with PowerShell? This guide teaches you 3 methods to accomplish this.

Option 1: Use the Get-ADGroupMember Command

The fastest and easiest method to list AD group members is to run the Get-ADGroupMember command.

The Get-ADGroupMember cmdlet has a parameter called Identity. This is the parameter you use to specify the AD group you want to list its members.

Furthermore, you can specify the group’s sAMAccountName or distinguishedName in the Identity parameter. The commands below list the members of the AD group, Remote Writers.

The first command uses the sAMAccountName (“Remote Writers”) of the group. However, the second command uses the group’s distinguishedName (“CN=Remote Writers,DC=itechguides,DC=local”). Remember to change these before you run your command.
Get-ADGroupMember -Identity "Remote Writers"
Get-ADGroupMember -Identity "CN=Remote Writers,DC=itechguides,DC=local"

The two commands produces the same result. As shown in my screenshot below, the AD group has two group members – Victor Ashiedu and Anthony Raj.

If you look closer to the result of the last command, each user listed has three properties – name, SamAccountName, and distinguishedName – that you may want in your report.

To display these three properties and discard the rest, pipe the commands above to a Select-Object cmdlet.

I am showing only the first command. If you prefer the command that uses distinguishedNam as the identity of the group, feel free to use the second command.
Get-ADGroupMember -Identity "Remote Writers" | Select-Object name, SamAccountName, distinguishedName

Isn’t this better looking? It sure does, but you can even modify the headers to look even better.

Use The PowerShell Get-ADGroupMember Command To List AD Group Members

To use custom headers for the result, modify the command as shown below.

Get-ADGroupMember -Identity "Remote Writers" |  Select-Object @{Name = "Name";Expression = {$_.name}}, @{Name = "User Name";Expression = {$_.SamAccountName}}, @{Name = "distinguishedName";Expression = {$_.distinguishedName}}

The last command produces a better-looking header.

Option 2: Use the Get-ADGroup Command

In the last section, you learned how to list AD group members with the Get-ADGroupMember command. PowerShell has another cmdlet – Get-ADGroup – that you can use to display the properties of an AD group.

As you would expect, one of the properties of an AD group is group members. To list the members of an AD group with the Get-ADGroup, run the command and specify the Properties parameter as members.

Here is a sample command that lists the members of the “Remote Writers” AD group with the Get-ADGroup PowerShell command.

Get-ADGroup -Identity "Remote Writers" -Properties members

As expected, the command lists the properties of the AD group member, including the group members. I have highlighted the members in the screenshot below.

To display the names of the group members only and discard other properties of the AD group, modify the command as shown below…

Get-ADGroup -Identity "Remote Writers" -Properties members | Select-Object -ExpandProperty Members

The command now lists the names of the distinguishedNames of users in the AD group. This is great, but we can make it even better by displaying the actual names of the group members.

Use The PowerShell Get-ADGroup Command To List AD Group Members

To extract the names of the group members (the CN of the DN value) from the result of the last command, add the Split operator (-Split) to the last command. Then, pipe the result of the command to ConvertFrom-StringData.

Finally, return the CN property from the command. Here is what the final command looks like.

((Get-ADGroup -Identity "Remote Writers" -Properties members | Select-Object -ExpandProperty Members) -split "," | ConvertFrom-StringData).CN

And here is the result in PowerShell…

Use The PowerShell Get-ADGroup Command To List AD Group Members

Option 3: Combine the Get-ADGroup and Get-ADGroupMember Commands

In the first two examples, I discussed how to use Get-ADGroup or Get-ADGroupMember PowerShell commands to list AD group members. This is great, but there may be coding scenarios where you need to find the name of the group, then list its members.

Even in some more complex situations, you may need to list the members of all ad groups in an AD GroupScope. For example, you may be required to list all users that belong to the DomainLocal group.

In the following sub-sections, you will learn how to list AD group members in the scenarios described above.

Example 1: Get the AD Group Name with Get-ADGroup and List its Members with Get-ADGroupMember

If you want to list the members of an AD group but do not know the full name of the group, you can use the Get-ADGroup PowerShell command to find the name of the group.

Then, pipe the result to the Get-ADGroupMember. Finally, to select the properties of the group members you want to return, pipe the Get-ADGroupMember command to the Select-Object command.

Here is a sample command. In this command, I want to list the members of the AD group that contains Remote in its name.

If more than one group contains the name you have in the -Filter parameter of the Get-ADGroup command, the whole command will return an error. If you believe that your AD forest may have a group with multiple results for this command, pipe the Get-ADGroup into ForEach-Object as shown in the second command below.
Get-ADGroup -Filter {name -like "*Remote*"} | Get-ADGroupMember | Select-Object name, objectClass,SamAccountName,distinguishedName
Get-ADGroup -Filter {name -like "*Remote*"} | ForEach-Object { Get-ADGroupMember -identity $_.SamAccountName | Select-Object name, objectClass,SamAccountName,distinguishedName}

The last command works whether the Get-ADGroup portion of the command returns one or multiple results. Here is what the result looks like in PowerShell…

Example 2: Get AD GroupScope with Get-ADGroup and List its Members with Get-ADGroupMember

As I mentioned in the introduction of this section, you can also list the members of all groups in a group scope.

To do this, first list the groups in the AD group scope with the Get-ADGroup. Then, to list the group members in the groups in the scope, pipe the result to the Get-ADGroupMember PowerShell command.

Here is a sample command that lists all group members in the DomainLocal GroupScope.

Get-ADGroup -Filter {GroupScope -eq "DomainLocal"} | Get-ADGroupMember | Select-Object name, objectClass,SamAccountName,distinguishedName

Applications: Export AD Group Members to CSV or Text File

In the first three sections of this guide, I discussed how to display members of an AD group on the PowerShell console. But what if you need to send the result of your command as a text or CSV file?

I am glad to announce that it is as easy as pie. To export members of an AD group to a text file, pipe the result of any of the commands in the previous sections to the Out-File command.

How to Export AD Group Members to a Text File with PowerShell

Here is a modified version of the last command in the previous section. This command exports the members of the DomainLocal GroupScope to a text file.

I boldened the Out-File portion of the command to make it easy to spot.
Get-ADGroup -Filter {GroupScope -eq "DomainLocal"} | Get-ADGroupMember | Select-Object name, objectClass,SamAccountName,distinguishedName | Out-File C:\ADGroupMembership\DomainLocal.txt

The upper part of the screenshot below shows the above command in PowerShell. Meanwhile, the lower part of the command shows the result in a text file.

How to Export AD Group Members to a CSV File with PowerShell

Similar to the command in the last sub-section, I have piped the last command in the previous section to the Export-CSV command. See my sample command below…

Get-ADGroup -Filter {GroupScope -eq "DomainLocal"} | Get-ADGroupMember | Select-Object name, objectClass,SamAccountName,distinguishedName | Export-CSV C:\ADGroupMembership\DomainLocal.csv -NoTypeInformation

Frequently Asked Questions

1. How do I list members of an AD group in PowerShell?

The quickest way to list members of AD group in PowerShell is to run the Get-ADGroupMember command. For example, the command below lists the members of the “Remote Writers” AD group.

Get-ADGroupMember -Identity “Remote Writers”

2. How can I see the members of an AD group in CMD?

To see the members of an AD group in CMD, run the net group command. The same command below lists the members of the “Remote Writers” AD group.

net group /domain “Remote Writers”

3. How do I export a list of members of an AD group?

To export the members of an AD group to a text file, pipe the output of the Get-ADGroupMember command to the Out-File command.

For detailed steps, read this section of the guide – How To Export AD Group Members To A Text File With PowerShell.

However, if you chose to export AD group members to a CSV file, pipe Get-ADGroupMember command to the Export-csv command.

To read the full steps, navigate to How To Export AD Group Members To A CSV File With PowerShell section of this guide.

4. How do I get local group membership in PowerShell?

To get local group membership in PowerShell, run the Get-LocalGroup command.

5. How do I run qsquery?

To learn how to run Dsquery, run the command below:

Dsquery /?

The command lists all Dsquery command options. Here is the full list of the command options:
dsquery computer – finds computers in the directory.
dsquery contact – finds contacts in the directory.
dsquery subnet – finds subnets in the directory.
dsquery group – finds groups in the directory.
dsquery ou – finds organizational units in the directory.
dsquery site – finds sites in the directory.
dsquery server – finds AD DCs/LDS instances in the directory.
dsquery user – finds users in the directory.
dsquery quota – finds quota specifications in the directory.
dsquery partition – finds partitions in the directory.
dsquery * – finds any object in the directory by using a generic LDAP query.

Conclusion

Windows SysAdmins receive all kinds of requests, including sending all members of an AD group. If you know how to perform this task with PowerShell, it makes your life much easier.

Well, now that you’ve gone through this guide, I hope you’ve been able to send that report to your manager with some spring in your steps!

If this guide absolutely made your day, Feel free to share your thoughts by utilizing the “Leave a Reply” form located at the bottom of this page.

Alternatively, you can respond to the “Was this page helpful?” question below.

Finally, to even learn more ways to impress your boss with PowerShell, visit our Windows PowerShell How-To Guides or Windows PowerShell Explained pages.

We go the extra mile to deliver the highest quality content for our readers. Read our Content Writing, Content Review, and Anti-Plagiarism policies to learn more.

About the Author

Photo of author

Victor Ashiedu

Victor is the founder of InfoPress Media, publishers of Ilifeguides and Itechguides. With 20+ years of experience in IT infrastructure, his expertise spans Windows, Linux, and DevOps. Explore his contributions on Itechguides.com for insightful how-to guides and product reviews.

Related Articles

Get in Touch

If this article does not meet your expectations, kindly let us know. We have various ways you can get in touch with us:

  1. Respond to "Was this page helpful?" above
  2. Leave a comment with the "Leave a Comment" form below
  3. Email us at [email protected] or via the Contact Us page.

Leave a comment

Send this to a friend