How to List Active Directory Group Members Using Command Line Tools



The most efficient way to query Active Directory group members is through PowerShell. The ActiveDirectory module provides cmdlets specifically designed for this purpose:

# First, import the ActiveDirectory module
Import-Module ActiveDirectory

# Basic query for a single group
Get-ADGroupMember -Identity "GroupName" | Select-Object Name, SamAccountName

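# More detailed output including email addresses
# Keep only user objects: Get-ADUser cannot resolve group or computer members
Get-ADGroupMember -Identity "Marketing" | Where-Object { $_.objectClass -eq 'user' } | Get-ADUser -Properties Mail | Select-Object Name, SamAccountName, Mail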

For environments where PowerShell isn't available, you can use the built-in dsquery and dsget commands:

dsquery group -name "GroupName" | dsget group -members | dsget user -samid -fn -ln

PowerShell makes it easy to filter and export results for further processing:

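# Export to CSV (request only the attributes that are selected, not every property)
Get-ADGroupMember -Identity "Finance" |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties Department, Title |
    Select-Object Name, SamAccountName, Department, Title |
    Export-Csv -Path "FinanceGroupMembers.csv" -NoTypeInformation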

# Filter by specific attributes (here: enabled user accounts only)
Get-ADGroupMember -Identity "IT" |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties Enabled |
    Where-Object { $_.Enabled -eq $true } |
    Select-Object Name, SamAccountName

For groups containing other groups, use the -Recursive parameter:

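# -Recursive returns only leaf members; keep the user objects before calling Get-ADUser
Get-ADGroupMember -Identity "EnterpriseAdmins" -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties Department |
    Select-Object Name, Department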
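
-Recursive flattens the result, so it does not show which nested group grants a given membership. The following added example (not part of the original page) walks the nesting itself and records the path for each member; Get-NestedMemberPath, its -GetMembers parameter and the sample directory are hypothetical names and constructed data, and the default lookup assumes the ActiveDirectory module is loaded.

```powershell
# Added example, not from the original page. Get-NestedMemberPath, -GetMembers
# and the sample directory below are hypothetical names / constructed data.
function Get-NestedMemberPath {
    param(
        [Parameter(Mandatory)] [string] $Group,   # pass a distinguished name
        # Returns the DIRECT members of one group; the default queries AD.
        [scriptblock] $GetMembers = { param($g) Get-ADGroupMember -Identity $g },
        [string[]] $Path = @()                    # groups already walked
    )
    $trail = $Path + $Group
    foreach ($m in (& $GetMembers $Group)) {
        if ($m.objectClass -eq 'group') {
            # Circular nesting is possible in AD; skip a group already on the path.
            if ($trail -contains $m.distinguishedName) { continue }
            Get-NestedMemberPath -Group $m.distinguishedName -GetMembers $GetMembers -Path $trail
        }
        else {
            # Users, computers and other leaf objects: report how they got here.
            [pscustomobject]@{
                SamAccountName = $m.SamAccountName
                ObjectClass    = $m.objectClass
                Via            = $trail -join ' -> '
            }
        }
    }
}

# Constructed sample: direct members keyed by group DN, including a cycle.
function New-SampleMember($Class, $Name) {
    [pscustomobject]@{ objectClass = $Class; SamAccountName = $Name
                       distinguishedName = "CN=$Name,DC=example,DC=test" }
}
$sample = @{
    'CN=Tier0,DC=example,DC=test'    = @((New-SampleMember user alice), (New-SampleMember group Helpdesk))
    'CN=Helpdesk,DC=example,DC=test' = @((New-SampleMember user bob), (New-SampleMember computer 'SRV01$'),
                                         (New-SampleMember group Tier0))
}
Get-NestedMemberPath -Group 'CN=Tier0,DC=example,DC=test' -GetMembers { param($g) $sample[$g] }
```

Against a live domain, call the function with only -Group and the group's distinguished name so the default Get-ADGroupMember lookup is used.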

Combine PowerShell with batch scripting for scheduled tasks:

@echo off
powershell -command "Get-ADGroupMember -Identity 'BackupAdmins' | Select-Object Name | Out-File BackupAdmins.txt"

Always include error handling in production scripts:

try {
    $members = Get-ADGroupMember -Identity "NonExistentGroup" -ErrorAction Stop
    $members | Select-Object Name, SamAccountName
}
catch {
    Write-Host "Error occurred: $_"
}

When managing Windows Active Directory environments, administrators often need to programmatically retrieve group membership information. While the GUI method through Computer Management works, command-line solutions enable automation and integration with scripts.

The simplest method uses the built-in dsget command:

dsget group "CN=GroupName,OU=Groups,DC=domain,DC=com" -members

This returns distinguished names of all members. For a more readable output showing just usernames:

dsget group "CN=GroupName,OU=Groups,DC=domain,DC=com" -members | dsget user -samid

For more flexibility, PowerShell's Active Directory module provides better options:

Get-ADGroupMember -Identity "GroupName" | Select-Object Name, SamAccountName

To export results to CSV for further processing:

Get-ADGroupMember "GroupName" | Export-Csv -Path "C:\temp\group_members.csv" -NoTypeInformation

When you need to filter results or work across domains, LDAP queries are powerful:

dsquery * "OU=Groups,DC=domain,DC=com" -filter "(&(objectCategory=group)(name=GroupName))" -attr member

Here's a complete PowerShell script that checks membership and performs an action:

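# Keep only user objects so Get-ADUser does not fail on nested groups or computers
$members = Get-ADGroupMember -Identity "FinanceTeam" |
    Where-Object { $_.objectClass -eq 'user' }
foreach ($user in $members) {
    # Look up each member by SID and request the e-mail attribute
    $userDetails = Get-ADUser -Identity $user.SID -Properties EmailAddress
    Write-Output "$($user.Name) - $($userDetails.EmailAddress)"
}

  • Ensure the RSAT tools are installed; the AD PowerShell commands depend on them
  • Run commands with elevated privileges when querying protected groups
  • Use the -Server parameter to target a specific domain controller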