How to Query LDAP for All Users in a Specific Active Directory Group Using PowerShell


5 views

When working with Active Directory groups, the memberOf attribute often behaves differently than developers expect. The most common issue occurs when trying to retrieve all users who are members of a particular group using direct LDAP filters.

The original attempt failed because:

Get-ADUser -LDAPFilter "(&(objectclass=user)(objectcategory=person)(memberOf=CN=MyGroup,OU=Users,DC=MyDomain,DC=com))"

This approach has two critical issues:

  • The memberOf attribute contains the full distinguishedName of the group
  • Active Directory doesn't maintain this attribute as a searchable index by default

Option 1: Using the Member Attribute (Recommended)

Query the group itself and expand its members:

$groupDN = "CN=MyGroup,OU=Users,DC=MyDomain,DC=com"
$members = Get-ADGroupMember -Identity $groupDN -Recursive | 
           Where-Object {$_.objectClass -eq "user"}

Option 2: LDAP_MATCHING_RULE_IN_CHAIN (For Complex Queries)

For large directories or nested groups:

Get-ADUser -LDAPFilter "(&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=MyGroup,OU=Users,DC=MyDomain,DC=com))"

Option 3: Using the PrimaryGroupID (For Primary Groups)

If dealing with a primary group:

$group = Get-ADGroup -Identity "MyGroup"
Get-ADUser -Filter {PrimaryGroupID -eq $group.PrimaryGroupID}

Here's a complete script that handles nested groups and outputs to CSV:

$groupDN = "CN=SalesTeam,OU=Departments,DC=corp,DC=com"
$users = @()

# Get direct members
$members = Get-ADGroupMember -Identity $groupDN -Recursive
foreach ($member in $members) {
    if ($member.ObjectClass -eq "user") {
        $user = Get-ADUser -Identity $member.DistinguishedName -Properties *
        $users += $user
    }
}

$users | Select-Object Name,SamAccountName,EmailAddress |
         Export-Csv -Path "GroupMembers.csv" -NoTypeInformation

For large directories:

  • Use -SearchScope Subtree instead of recursive functions
  • Limit returned attributes with -Properties parameter
  • Consider using parallel processing for very large groups

When working with Active Directory groups in PowerShell, a common requirement is to retrieve all user members of a specific group. The standard approach using memberOf in an LDAP filter often fails to return expected results, particularly when dealing with groups in custom OUs.

The primary issues with your current approach:

# Problematic query example
Get-ADUser -LDAPFilter "(&(objectclass=user)(objectcategory=person)(memberOf=CN=MyGroup,OU=Users,DC=MyDomain,DC=com))"

1. The memberOf attribute requires the full distinguishedName of the group
2. Nested group memberships aren't automatically resolved
3. The DN format must be exact, including correct OU structure

Option 1: Using Get-ADGroupMember

The simplest PowerShell-native solution:


$groupMembers = Get-ADGroupMember -Identity "CN=MyGroup,OU=Users,DC=MyDomain,DC=com" -Recursive
$users = $groupMembers | Where-Object {$_.objectClass -eq 'user'}

Option 2: Expanded LDAP Filter Approach

For environments where you need pure LDAP:


$baseDN = "DC=MyDomain,DC=com"
$groupDN = "CN=MyGroup,OU=Users," + $baseDN

$filter = "(&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=$groupDN))"
Get-ADUser -LDAPFilter $filter -SearchBase $baseDN

The magic number 1.2.840.113556.1.4.1941 enables recursive group membership checking.

Option 3: For Large Directories (Optimized Query)


$groupDN = "CN=MyGroup,OU=Users,DC=MyDomain,DC=com"
$searcher = [ADSISearcher]"(memberOf=$groupDN)"
$searcher.PropertiesToLoad.AddRange(@("samAccountName","displayName","mail"))
$searcher.FindAll() | ForEach-Object {
    [PSCustomObject]@{
        Username = $_.Properties["samAccountName"][0]
        Name = $_.Properties["displayName"][0]
        Email = $_.Properties["mail"][0]
    }
}
  • Case Sensitivity: DN values are case-insensitive, but typos in OU names will fail
  • Tokenization: Always use proper escaping for special characters in DNs
  • Performance: For groups with 5000+ members, consider paged queries

Before implementing in production scripts:

1. Validate the group DN exists:

Get-ADGroup -Identity "CN=MyGroup,OU=Users,DC=MyDomain,DC=com"

2. Check direct membership count:

(Get-ADGroupMember -Identity "CN=MyGroup,OU=Users,DC=MyDomain,DC=com").Count

3. Test recursive expansion works:

(Get-ADUser -LDAPFilter "(&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=$groupDN))").Count