How to Manage AD Groups with PowerShell (and Export)


You might be asking how you can manage AD groups with PowerShell. Well, you are in luck! Our series of articles on PowerShell was created by Chris Odom of Microsoft’s Global Partner Group and shows you exactly how to do it. This resource will help you transition into the world of Windows 10 Active Directory management without too much work or risk.

This article shows how to list AD groups and their members with PowerShell and how to export the current group memberships to a CSV file.


Working with Active Directory (AD) is a common PowerShell use case. PowerShell can do a lot with AD objects that saves time, and the Get-ADGroupMember cmdlet and its relatives are a big part of that.


User accounts may be segmented using Active Directory groups. Admins may use groups to control resource access across several platforms.

Let’s use PowerShell to acquire AD group members and export AD group members in this post. You may then utilize this data to create a slew of fascinating reports.

Prerequisites

If you want to follow along with this post, make sure you have the following items on hand:

Learning the Fundamentals

Get-ADGroup and Get-ADGroupMember are the two PowerShell cmdlets you use to query AD groups and group members.

Get-ADGroup asks a domain controller for AD group objects and returns them. Get-ADGroupMember examines each group’s contents and returns the user accounts, groups, and computer objects that belong to it.

Acquiring AD Groups

The Get-ADGroup cmdlet locates AD groups in PowerShell. You must tell it which groups you want: the Filter parameter is required (unless you use Identity instead). It exists to restrict the groups returned based on a number of criteria.

To discover all groups without any criterion, call Get-ADGroup and give a wildcard (asterisk) for the Filter parameter. If your domain has hundreds or even thousands of groups, scrolling through them all may take some time.

The Identity parameter locates one specific group.

All Active Directory PowerShell cmdlets share the Identity parameter. It narrows the query to a particular AD object. For example, to see whether there is a group named HR, you might use the command below.

Get-ADGroup -Identity 'HR'
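The two lookups above, as an added example that is not part of the original article: a wildcard Filter for every group, and an existence check that uses Filter instead of Identity, because Identity reports an error when the group is missing while Filter simply returns nothing. The group names are constructed for the example.

```powershell
# Added example (not from the original article).
Import-Module ActiveDirectory

# Wildcard filter: every group in the domain. Large domains return thousands.
$allGroups = Get-ADGroup -Filter *
"Total groups: $(@($allGroups).Count)"

# Get-ADGroup -Identity writes an error when the name does not resolve, which is
# awkward for a yes/no check. A Filter query just returns nothing on no match.
function Test-ADGroupExists {
    param([Parameter(Mandatory)][string]$Name)

    # $Name is expanded inside the double-quoted string; the inner single quotes
    # are the literal quotes the AD filter syntax expects around the value.
    $null -ne (Get-ADGroup -Filter "Name -eq '$Name'")
}

Test-ADGroupExists -Name 'HR'            # True if an HR group exists
Test-ADGroupExists -Name 'NoSuchGroup'   # False, and no red error text
```

Because the filter is assembled from a string, only pass names from a trusted source to Test-ADGroupExists; a name containing a single quote would break the filter syntax.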

Obtaining Members for an AD Group

To list the members of an AD group with PowerShell you use the Get-ADGroupMember cmdlet. It retrieves a group’s user, group, and computer objects. Suppose you need to find all members of the Administrators group. In its most basic form, you just use the Identity parameter to name the group, as seen below.

Get-ADGroupMember -Identity 'Administrators'

Get-ADGroupMember only returns user, group, and computer objects that are members of a group. Other AD objects, such as contacts, are not returned.

Finding Group Members Within Group Members

As you may know, AD groups may include not just user accounts but also other groups, which is known as nesting. When a group is nested inside of another group, the members of the nested group inherit the parent group’s rights.

By default, Get-ADGroupMember does not return the members of nested groups. The Recursive parameter fixes this. For example, the Recursive parameter locates the members of groups nested within the HR group, as illustrated below.

Get-ADGroupMember -Identity 'HR' -Recursive

Obtaining Multiple Groups/Members at the Same Time

A PowerShell foreach loop lets you query AD for many distinct groups or group members at once. A foreach loop executes a command or block of code once for each item in a collection. In this example that collection is a list of group names.

Suppose you need to locate all members of the HR, Accounting, and IT groups. You start by creating a collection, or array, of these group names; the example below defines it as $groupNames. Then, for each name in that collection, you call Get-ADGroupMember with the Identity parameter set to the group’s name.

$groupNames = 'HR','Accounting','IT'
foreach ($group in $groupNames) {
    Get-ADGroupMember -Identity $group
}

To loop across groups, you may use the ForEach-Object cmdlet instead.
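The multi-group loop above, written with ForEach-Object as an added example that is not part of the original article. Get-ADGroupMember output does not say which group a member came from, so the example tags every row with the group name, flattens nested groups with Recursive, and turns a missing group into a warning instead of unhandled error text. The group names are constructed for the example.

```powershell
# Added example (not from the original article).
Import-Module ActiveDirectory

$groupNames = 'HR', 'Accounting', 'IT'   # constructed sample group list

$report = $groupNames | ForEach-Object {
    $groupName = $_
    try {
        # -Recursive flattens nested groups; -ErrorAction Stop turns a missing
        # group into an exception the catch block can report cleanly
        Get-ADGroupMember -Identity $groupName -Recursive -ErrorAction Stop |
            Select-Object -Property @{Name = 'Group'; Expression = { $groupName }},
                                    Name, SamAccountName, objectClass, distinguishedName
    }
    catch {
        Write-Warning "Could not read members of '$groupName': $($_.Exception.Message)"
    }
}

# One row per (group, member) pair; an account in two groups appears twice,
# which is what you want when reviewing who holds which membership
$report | Sort-Object Group, Name | Format-Table -AutoSize
```

The same $report collection can be piped straight to Export-Csv, as described later in the article, once it has the shape you want.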

Using Alternate Credentials

Like many other PowerShell cmdlets, the AD group cmdlets have a Credential parameter. By default, an AD group cmdlet queries Active Directory with your logged-on credentials. That only works when you are signed in on a domain-joined machine as an Active Directory user with sufficient permissions.

But what if you are on a workgroup machine, or need to query Active Directory as a different user? In that situation you use the Credential parameter, which lets you supply a username and password for authentication.

Perhaps your user account lacks the permissions needed for an AD operation, but you have a service account with more privileges. You can stay logged on as your regular user and still authenticate with the service account, as illustrated below.

The Get-Credential cmdlet prompts for a username and password and builds a credential object. That credential is then used to authenticate the Get-ADGroup call.

Get-ADGroup -Identity 'HR' -Credential (Get-Credential)

In PowerShell, the Credential argument is used to provide authentication credentials. Read Using the PowerShell Get-Credential cmdlet and all things credentials for additional details.

Using Get-ADGroup to get group members?

You can also get group members with the Get-ADGroup cmdlet, which may seem counterintuitive.

Get-ADGroup can return a property named members for each group. This property is a collection of the AD objects that belong to the group.

For example, you might execute something like this to discover group members in the HR group without using Get-ADGroupMember:

Get-ADGroup -Identity 'HR' -Properties members

Why choose one approach over the other? The main difference is that the members attribute includes all AD objects, not only users, computers, and groups.

Perhaps some of your groups contain contact objects. Those contacts would not appear when you ran Get-ADGroupMember. You can see the contacts if you ask Get-ADGroup to return all members of the group and expand that collection, as shown below.

Get-ADGroup -Identity 'HR' -Properties members | Select-Object -ExpandProperty members

Finding Specific AD Attributes

In the previous sections you returned whole groups and group members. For each group and group member, only a subset of the AD attributes for that kind of object is returned.

Perhaps you need a user account’s email address, last logon date, or another AD attribute? You have to go a step further to get that.

Say you have located all of the HR group members but want the email address of each user account. The members attribute holds distinguished names, which Get-ADUser accepts as its Identity, so you can resolve each one to a user and pick the attributes you want:

$groupMembers = (Get-ADGroup -Identity 'HR' -Properties members).members
# members holds distinguished names, which Get-ADUser accepts as -Identity
$groupMembers | ForEach-Object { Get-ADUser -Identity $_ -Properties EmailAddress,LastLogonDate } | Select-Object -Property Name, EmailAddress, LastLogonDate
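The attribute lookup above, as an added example that is not part of the original article. The members attribute can hold groups, computers, and contacts as well as users, and Get-ADUser reports an error for anything that is not a user, so the example first resolves each distinguished name with Get-ADObject and only asks for user attributes when the object really is a user. The group name is constructed for the example.

```powershell
# Added example (not from the original article).
Import-Module ActiveDirectory

$groupName = 'HR'   # constructed sample group name
$memberDNs = (Get-ADGroup -Identity $groupName -Properties members).members

$memberDNs | ForEach-Object {
    # Each entry is a distinguished name; Get-ADObject tells us what it is
    $obj = Get-ADObject -Identity $_

    if ($obj.ObjectClass -eq 'user') {
        # LastLogonDate is derived from the replicated lastLogonTimestamp and can
        # lag the real last logon by up to about two weeks; treat it as approximate
        $user = Get-ADUser -Identity $_ -Properties EmailAddress, LastLogonDate
        [pscustomobject]@{
            Name          = $user.Name
            Type          = 'user'
            Enabled       = $user.Enabled
            EmailAddress  = $user.EmailAddress
            LastLogonDate = $user.LastLogonDate
        }
    }
    else {
        # groups, computers and contacts have no user attributes; keep them in
        # the output so the report still shows the whole membership
        [pscustomobject]@{
            Name          = $obj.Name
            Type          = $obj.ObjectClass
            Enabled       = $null
            EmailAddress  = $null
            LastLogonDate = $null
        }
    }
} | Sort-Object Type, Name | Format-Table -AutoSize
```

Keeping the non-user entries in the output matters for review work: a nested group or a contact hiding in a sensitive group is exactly the kind of thing a membership report should surface rather than silently skip.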

Results Filtering

So far you have located all groups and all group members, but that is seldom what you need day to day. More often you want only a subset of each. The AD group cmdlets give you a couple of ways to do that.

The Filter Parameter

As mentioned earlier, both cmdlets have a Filter parameter. It can limit what is returned in many ways, most of them outside the scope of this article.

With the Filter parameter you can limit results by any AD attribute: name, group type, email address, last logon for users, and so on.

For instance, suppose you only want security groups. You would use the GroupCategory attribute and a condition that limits the results to Security groups.

Get-ADGroup -Filter 'GroupCategory -eq "Security"'

Perhaps you want all security groups except domain local ones. Then you add a second condition with the -ne operator so that no domain local groups are returned.

Get-ADGroup -Filter 'GroupCategory -eq "Security" -and GroupScope -ne "DomainLocal"'

Learning Active Directory and LDAP Filters in PowerShell is a good place to start if you want to learn how to construct query filters.
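The filters above, built from variables, as an added example that is not part of the original article. Quoting is where most filter mistakes happen: the AD filter syntax needs its own quotes around values, and PowerShell needs to expand your variables without eating them. The name prefix is constructed for the example.

```powershell
# Added example (not from the original article).
Import-Module ActiveDirectory

$prefix   = 'Admin'      # constructed: match group names that start with this
$category = 'Security'

# String form: the outer double quotes let $prefix and $category expand, and the
# inner single quotes survive as the literal quotes the filter parser wants.
$filter = "Name -like '$prefix*' -and GroupCategory -eq '$category' -and GroupScope -ne 'DomainLocal'"

Get-ADGroup -Filter $filter |
    Select-Object Name, GroupCategory, GroupScope, DistinguishedName |
    Sort-Object Name

# Script-block form: the AD module expands simple variables itself. It does not
# evaluate expressions, so build the wildcard pattern in a variable first.
$pattern = "$prefix*"
Get-ADGroup -Filter { Name -like $pattern -and GroupCategory -eq $category -and GroupScope -ne 'DomainLocal' } |
    Select-Object Name, GroupCategory, GroupScope, DistinguishedName |
    Sort-Object Name
```

Both calls return the same groups. The script-block form avoids string assembly, which is the safer habit when any part of the filter comes from outside the script.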

Limiting Group Results by Organizational Unit (OU)

You may have many groups spread across OUs, and you do not need all of them; only the groups in a specific OU. In that situation you use the SearchBase parameter.

The SearchBase parameter lets you start the search for groups in an OU by specifying its distinguished name (DN). For instance, suppose you have a Locations OU at the root of your domain, and each location OU, such as Austin, NYC, and Los Angeles, is created inside the Locations OU. You only want to see groups in the NYC OU and nothing else.

Below is an example AD OU structure, reproduced here as a flat list of the OUs and groups shown in the original figure. Other groups exist outside the Locations OU as well.

Locations – Austin – NYC – Group 1 – Group 2 – Computers – Group 3 – Group 4 – Service Accounts – company.local

Suppose you need to locate only the AD groups in the NYC OU. You use the SearchBase parameter with that OU’s DN, as shown below, to narrow the query. This returns the groups inside the NYC OU.

Get-ADGroup -SearchBase 'OU=NYC,OU=Locations,DC=company,DC=pri' -Filter '*'

Now suppose you need all groups in all OUs under the Locations OU. By default Get-ADGroup returns only the groups directly in the OU named by SearchBase, not those in its child OUs.

The SearchScope parameter returns groups inside child OUs too. Much as the Recursive parameter of Get-ADGroupMember inspects nested objects, this parameter walks the OU tree.

For example, choose Subtree (or 2) to locate every group in any OU under the Locations OU. With that SearchScope value, Get-ADGroup recursively looks at all children, grandchildren, and so on.

Get-ADGroup -Filter '*' -SearchBase 'OU=Locations,DC=company,DC=pri' -SearchScope 2

Refer to the Get-ADGroup documentation for a comprehensive list of SearchScope parameter possibilities.
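The SearchBase and SearchScope behaviour above, as an added example that is not part of the original article. It runs the same query with each of the three SearchScope values so the difference is visible as a count, then breaks groups down per location OU. The OU layout (OU=Locations,DC=company,DC=pri with location OUs beneath it) is the article’s example and is assumed to exist.

```powershell
# Added example (not from the original article).
Import-Module ActiveDirectory

$locationsOU = 'OU=Locations,DC=company,DC=pri'   # the article's example OU

# Base (0):     only the object named by SearchBase itself, so never a group here
# OneLevel (1): groups directly inside Locations, not inside Austin, NYC, ...
# Subtree (2):  Locations and every OU beneath it, however deep
foreach ($scope in 'Base', 'OneLevel', 'Subtree') {
    $count = @(Get-ADGroup -Filter * -SearchBase $locationsOU -SearchScope $scope).Count
    '{0,-9} {1}' -f $scope, $count
}

# Per-location breakdown: find each child OU of Locations, then count the
# groups anywhere beneath that child with a Subtree search of its own
Get-ADOrganizationalUnit -Filter * -SearchBase $locationsOU -SearchScope OneLevel |
    ForEach-Object {
        [pscustomobject]@{
            Location   = $_.Name
            GroupCount = @(Get-ADGroup -Filter * -SearchBase $_.DistinguishedName -SearchScope Subtree).Count
        }
    } | Sort-Object Location | Format-Table -AutoSize
```

Wrapping each query in @() keeps .Count working when an OU holds exactly one group or none, since a single object has no Count property of its own.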

Exporting AD Members and Groups

Now you know how to query for the groups and members you need. So far, all of that data has gone to the PowerShell console. Next you need it in a CSV file or an Excel spreadsheet.

Now all you have to do is save all of that information to a file.

Creating a CSV file

CSV is a common format for exporting AD data, and the Export-Csv cmdlet makes it easy to produce CSV files from PowerShell output.

Pipe any command in this article to Export-Csv to produce a CSV file. In the example below, all output that Get-ADGroup would have sent to the console goes to a CSV file instead.

Get-ADGroup -Filter '*' -SearchBase 'OU=Locations,DC=company,DC=pri' -SearchScope 2 | Export-Csv -Path 'departmental_groups.csv' -NoTypeInformation

Export-Csv: The PowerShell Way to Treat CSV Files as First-Class Citizens has further information on this useful cmdlet.
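The export above, put to work as an added example that is not part of the original article: it writes the flattened membership of a few high-privilege groups to a dated CSV and diffs it against the previous snapshot, so an unexpected addition shows up the next time the script runs. The group list and output folder are assumptions for the example.

```powershell
# Added example (not from the original article).
Import-Module ActiveDirectory

$groupNames = 'Domain Admins', 'Enterprise Admins', 'Schema Admins'   # assumed list
$outDir     = 'C:\Reports\GroupMembership'                            # assumed folder
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

$today = Get-Date -Format 'yyyy-MM-dd'
$path  = Join-Path $outDir "privileged-groups-$today.csv"

# One row per (group, member); -Recursive flattens nested groups so an account
# that reaches Domain Admins through another group is still listed
$snapshot = @(foreach ($groupName in $groupNames) {
    Get-ADGroupMember -Identity $groupName -Recursive -ErrorAction Stop |
        Select-Object @{Name = 'Group';  Expression = { $groupName }},
                      @{Name = 'Member'; Expression = { $_.SamAccountName }},
                      objectClass,
                      distinguishedName
})
$snapshot | Sort-Object Group, Member | Export-Csv -Path $path -NoTypeInformation

# Find the most recent earlier snapshot, if any, and diff against it
$previous = Get-ChildItem -Path $outDir -Filter 'privileged-groups-*.csv' |
    Where-Object { $_.FullName -ne $path } |
    Sort-Object Name -Descending |
    Select-Object -First 1

if ($previous) {
    $old = @(Import-Csv -Path $previous.FullName)
    # SideIndicator '=>' marks rows only in today's snapshot (added),
    # '<=' rows only in the earlier one (removed)
    Compare-Object -ReferenceObject $old -DifferenceObject $snapshot -Property Group, Member |
        ForEach-Object {
            $change = if ($_.SideIndicator -eq '=>') { 'ADDED' } else { 'REMOVED' }
            '{0,-8} {1}: {2}' -f $change, $_.Group, $_.Member
        }
}
else {
    "First snapshot written to $path; nothing to compare against yet."
}
```

Run it on a schedule and feed the ADDED lines to whatever alerting you already have; a new member of Domain Admins that nobody requested is worth a ticket, and this diff is cheap to produce.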

Creating an Excel spreadsheet

PowerShell has no native way to export data to Excel, but you can use ImportExcel, a free community module. It gives Excel spreadsheets the same kind of export capability you have for CSV. Run Install-Module ImportExcel -Scope CurrentUser to install the module.

To export the groups to an Excel worksheet instead of a CSV file, use the Export-Excel cmdlet, as seen below.

Get-ADGroup -Filter '*' -SearchBase 'OU=Locations,DC=company,DC=pri' -SearchScope 2 | Export-Excel -Path 'departmental_groups.xlsx'

The ImportExcel module has many Excel-related features. If you need a fancier worksheet, it probably has an option for it.

See the ImportExcel documentation for more on using the module; it gives a good overview of the most common scenarios it can handle.

Conclusion

You can do almost anything with AD groups using only two PowerShell cmdlets. This post gave only an overview of what is available. See what you can build with what you have learned here and the links to deeper dives throughout the post.

Searches like “powershell get ad group members export to csv” lead to the same technique: list a group’s members with Get-ADGroupMember and pipe the result to Export-Csv.
