Building a script to find all members of a given group

Some time ago, I was asked to provide a list of everyone with access to a specific system. After communicating with the client, it transpired that they were particularly interested in knowing who were the members of a set of Active Directory groups. While this can be done manually, I wanted to try my hand at building a PowerShell script that returned the information the client was asking for, and which I could reuse at some later point, as such requests pop up with some regularity.

I started out with the Get-ADGroupMember command, followed by the group name in quotation marks, like so: Get-ADGroupMember "Active Directory Group Name". Due to a scheme involving nested groups to grant access, this only gives me the group at the top, so this doesn’t get me all the way there.

Next, then, we add the parameter -recursive, like so: Get-ADGroupMember "Active Directory Group Name" -recursive. This returns a list like this one:

distinguishedName : CN=Administrator,CN=Users,DC=Fabrikam,DC=com
name : Administrator
objectClass : user
objectGUID : 994f46e6-c62c-483f-a6cf-124197b6a959
SamAccountName : Administrator
SID : S-1-5-21-41432690-3719764436-1984117282-500

distinguishedName : CN=Sagiv Hadaya,CN=Users,DC=Fabrikam,DC=com
name : Sagiv Hadaya
objectClass : user
objectGUID : 64706230-f179-4fe4-b8c9-f0d334e66ab1
SamAccountName : SHadaya
SID : S-1-5-21-41432690-3719764436-1984117282-1158

Example result from the Get-ADGroupMember PowerShell documentation

In the naming scheme for the domain in question, the display name (see “name” in the list above) is set to be the same as their user name, so that is not super helpful. In addition, the only thing I need here is who the members are. As a result, I need to pipe the result of the command through a second command (Get-ADUser), returning the display name of each user. That looks like this:

Get-ADGroupMember "GROUPNAME" -recursive | Get-ADUser -property Displayname

Again, too much information is returned. In addition to the results originally returned, this search also returns the fields DisplayName, Enabled, GivenName, Surname, and UserPrincipalName. Let’s pipe it through a filter (select) to return only the display name. That command looks like this:

Get-ADGroupMember "GROUPNAME" -recursive | Get-ADUser -property Displayname | select Displayname

That returns the members of the group – in the PowerShell window, which looks like this:

DisplayName
-----------
Administrator
Sagiv Hadaya

Based on the above example result

I would like to have the result output to a text file, and so add another command. Here’s what that looks like:

Get-ADGroupMember "GROUPNAME" -recursive | Get-ADUser -property Displayname | select Displayname | Out-File -FilePath .\PathOfFileHere.txt

At this point, we have the overview needed in a handy file. Note that -recursive does not return groups, only users.
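The one-liner above, generalised into a reusable access-review export, as an added example that is not the author's own script. It goes beyond the post by taking several groups at once and writing one CSV row per group and user, and it filters to user objects before calling Get-ADUser, since a group can also hold computer accounts. The function name, parameter names, placeholder group names and output path are assumptions.

```powershell
#Requires -Modules ActiveDirectory
# Added example: function name, parameters and CSV path are hypothetical.

function Export-GroupAccessReview {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$GroupName,
        [Parameter(Mandatory)][string]$Path
    )

    $rows = foreach ($group in $GroupName) {
        try {
            # -Recursive flattens nested groups and returns only leaf members.
            $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop
        }
        catch {
            # A mistyped or missing group should not abort the whole review.
            Write-Warning "Could not expand '$group': $($_.Exception.Message)"
            continue
        }

        # Leaf members may include computer accounts; Get-ADUser only
        # accepts users, so filter on objectClass first.
        $members |
            Where-Object objectClass -eq 'user' |
            Get-ADUser -Properties DisplayName |
            ForEach-Object {
                [pscustomobject]@{
                    Group          = $group
                    SamAccountName = $_.SamAccountName
                    DisplayName    = $_.DisplayName
                    Enabled        = $_.Enabled   # disabled accounts stay visible to the reviewer
                }
            }
    }

    # One row per group/user pair, in a format that can be filtered and diffed.
    $rows |
        Sort-Object Group, SamAccountName -Unique |
        Export-Csv -Path $Path -NoTypeInformation -Encoding UTF8
}

# Placeholder group names, for illustration only.
Export-GroupAccessReview -GroupName 'GROUPNAME-1', 'GROUPNAME-2' -Path .\GroupAccessReview.csv
```

Keeping the Enabled column lets the reviewer separate accounts that can still log on from disabled ones that merely retain the membership.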

