How to List Active Directory Group Members Using Command Line Tools



The most efficient way to query Active Directory group members is through PowerShell. The ActiveDirectory module provides cmdlets specifically designed for this purpose:

# First, import the ActiveDirectory module
Import-Module ActiveDirectory

# Basic query for a single group
Get-ADGroupMember -Identity "GroupName" | Select-Object Name, SamAccountName

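# More detailed output including email addresses
# (Get-ADUser fails on group or computer members, so keep user objects only)
Get-ADGroupMember -Identity "Marketing" | Where-Object objectClass -eq 'user' | Get-ADUser -Properties Mail | Select-Object Name, SamAccountName, Mail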

For environments where PowerShell isn't available, you can use the built-in dsquery and dsget commands:

dsquery group -name "GroupName" | dsget group -members | dsget user -samid -fn -ln

PowerShell makes it easy to filter and export results for further processing:

# Export to CSV (request only the attributes that are exported)
Get-ADGroupMember -Identity "Finance" |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties Department, Title |
    Select-Object Name, SamAccountName, Department, Title |
    Export-Csv -Path "FinanceGroupMembers.csv" -NoTypeInformation

# Filter by specific attributes (enabled accounts only)
Get-ADGroupMember -Identity "IT" |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties Enabled |
    Where-Object {$_.Enabled -eq $true} |
    Select-Object Name, SamAccountName

For groups containing other groups, use the -Recursive parameter:

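# -Recursive returns the members of nested groups, not the nested groups themselves
Get-ADGroupMember -Identity "EnterpriseAdmins" -Recursive |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties Department |
    Select-Object Name, Department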

Combine PowerShell with batch scripting for scheduled tasks:

@echo off
powershell -command "Get-ADGroupMember -Identity 'BackupAdmins' | Select-Object Name | Out-File BackupAdmins.txt"

Always include error handling in production scripts:

try {
    $members = Get-ADGroupMember -Identity "NonExistentGroup" -ErrorAction Stop
    $members | Select-Object Name, SamAccountName
}
catch {
    Write-Host "Error occurred: $_"
}
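
The recursive query, CSV export and error handling shown above can be combined into a membership-drift check for a sensitive group, run from a scheduled task. This is an added example, not code from the original page; the function names, baseline path and sample accounts are assumptions made for illustration.

```powershell
# Added example: membership-drift check for a sensitive group.
# Function names, group name and baseline path are illustrative assumptions.
function Compare-GroupSnapshot {
    param([object[]]$Baseline, [object[]]$Current)
    # Key on SID so a renamed account is not reported as a new member.
    $before = @{}; foreach ($m in $Baseline) { $before["$($m.SID)"] = $m }
    $after  = @{}; foreach ($m in $Current)  { $after["$($m.SID)"]  = $m }
    foreach ($sid in $after.Keys) {
        if (-not $before.ContainsKey($sid)) {
            [pscustomobject]@{ Change = 'Added'; SamAccountName = $after[$sid].SamAccountName; SID = $sid }
        }
    }
    foreach ($sid in $before.Keys) {
        if (-not $after.ContainsKey($sid)) {
            [pscustomobject]@{ Change = 'Removed'; SamAccountName = $before[$sid].SamAccountName; SID = $sid }
        }
    }
}

function Test-GroupDrift {
    param([Parameter(Mandatory)][string]$Group, [Parameter(Mandatory)][string]$BaselinePath)
    try {
        # -Recursive flattens nested groups; members can still be computers,
        # so objectClass is recorded instead of piping everything to Get-ADUser.
        $current = Get-ADGroupMember -Identity $Group -Recursive -ErrorAction Stop |
            Select-Object SamAccountName, objectClass, SID
    }
    catch { Write-Error "Could not read group '$Group': $_"; return }
    if (-not (Test-Path -Path $BaselinePath)) {
        # First run: store the reviewed membership as the baseline, report nothing.
        $current | Export-Csv -Path $BaselinePath -NoTypeInformation
        return
    }
    Compare-GroupSnapshot -Baseline (Import-Csv -Path $BaselinePath) -Current $current
}

# Constructed sample data (made-up accounts and SIDs) to try the comparison offline.
$baseline = @(
    [pscustomobject]@{ SamAccountName = 'alice.admin'; SID = 'S-1-5-21-1111-2222-3333-1104' }
    [pscustomobject]@{ SamAccountName = 'svc-backup';  SID = 'S-1-5-21-1111-2222-3333-1105' }
)
$current = @(
    [pscustomobject]@{ SamAccountName = 'alice.admin'; SID = 'S-1-5-21-1111-2222-3333-1104' }
    [pscustomobject]@{ SamAccountName = 'tmp.helper';  SID = 'S-1-5-21-1111-2222-3333-1131' }
)
Compare-GroupSnapshot -Baseline $baseline -Current $current | Format-Table -AutoSize
```

Against a live domain, call Test-GroupDrift with the group name and a baseline file path; any rows it returns are membership changes since the baseline was recorded.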

When managing Windows Active Directory environments, administrators often need to programmatically retrieve group membership information. While the GUI method through Computer Management works, command-line solutions enable automation and integration with scripts.

The simplest method uses the built-in dsget command:

dsget group "CN=GroupName,OU=Groups,DC=domain,DC=com" -members

This returns distinguished names of all members. For a more readable output showing just usernames:

dsget group "CN=GroupName,OU=Groups,DC=domain,DC=com" -members | dsget user -samid

For more flexibility, PowerShell's Active Directory module provides better options:

Get-ADGroupMember -Identity "GroupName" | Select-Object Name, SamAccountName

To export results to CSV for further processing:

Get-ADGroupMember "GroupName" | Export-Csv -Path "C:\temp\group_members.csv" -NoTypeInformation

When you need to filter results or work across domains, LDAP queries are powerful:

dsquery * "OU=Groups,DC=domain,DC=com" -filter "(&(objectCategory=group)(name=GroupName))" -attr member

Here's a complete PowerShell script that checks membership and performs an action:

# Look up the email address of each user member (Get-ADUser fails on group or computer members)
$members = Get-ADGroupMember -Identity "FinanceTeam" | Where-Object objectClass -eq 'user'
foreach ($user in $members) {
    $userDetails = Get-ADUser -Identity $user.SID -Properties EmailAddress
    Write-Output "$($user.Name) - $($userDetails.EmailAddress)"
}

  • Ensure you have RSAT tools installed for AD PowerShell commands
  • Run commands with elevated privileges when querying protected groups
  • Use the -Server parameter to target specific domain controllers