Maybe you are trying to find a list of users that belong to the Administrators group, or perhaps you want to know who has access to which folder. Anyone from IT managers and security auditors to third-party services might want a list of Active Directory group members for several reasons.
Unfortunately, the built-in Active Directory Users and Computers (ADUC) tool does not give you an option to export lists of group members.
How do you get a list of users that belong to a particular Active Directory group?
Fortunately, you can export all the users in a group with a couple of simple PowerShell commands. All you need is PowerShell, PowerShell's “Active Directory” module, and a couple of simple commands.
In this Export AD Group Members tutorial, we’ll walk you step by step through the process of exporting AD group members to a CSV file using PowerShell.
1. Install and Verify the PowerShell Module
If you don't have PowerShell (PS), you can download its latest version from its GitHub repository. To use PowerShell for connecting and querying an Active Directory group, you’ll first need to install the AD module.
The Active Directory module is a package containing cmdlets, variables, functions, etc. It lets you run Active Directory commands from your PowerShell command session.
Bear in mind that the installation process for the Active Directory module varies between PowerShell and Windows versions.
A. Verify the PowerShell Active Directory module is installed
First, let’s verify if you already have the AD module.
Get-Module -Listavailable
As shown in the previous screenshot, if you do have the module installed, skip to part two. If you don’t have the Active Directory module, move on to the next section.
B. Install the PowerShell Active Directory module
For Windows 8, Windows 8.1, and Windows 10, you only need to have RSAT installed. The RSAT enables all tools by default, so you can use the AD module without installing it.
For Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016, follow the instructions below:
- Add the module as a feature from Server Manager.
- Open “Server Manager” and go to > “Add Roles and Features.”
- Click Next until you reach “Features.”
- Go to Remote Server Administration Tools > Role Administration Tools > AD DS and AD LDS Tools.
- Find and enable “Active Directory Module for Windows PowerShell.”
- Click on “Install.”
Alternatively, you can also install the AD module from the PowerShell console itself. Run the command:
Install-WindowsFeature RSAT-AD-PowerShell
To make sure that the AD module is installed successfully and can be used from PowerShell, open the PowerShell console and run the Get-Module -Listavailable command again.
2. Find the Active Directory Group Name
If you want to export Active Directory group members with PowerShell but don’t know the exact name of their groups, you can also export a list containing all group information in Active Directory with PowerShell.
To do this, open your PowerShell console and run the following command:
get-adgroup -filter * | sort name | select Name
Running this command without filters would result in a complete but complicated output.
You should get a list of all your AD groups in your domain, similar to the screenshot above. This list should help you identify the correct name of the group that you want to export the members from.
3. Get a List of the Members of a Specific Group
Now that you already know all the available groups and their names using the “get-adgroup” command, you can specify the group you want to export members from.
Use the following command to list all the members of a specific group:
Get-AdGroupMember -identity "Group Name"
Let’s use this command to get a list of all the members in the “Administrators” Group.
As you might notice from the screenshot above, the command Get-AdGroupMember -identity “Group Name” gives you more details on the group members than what you probably need. You can narrow down your search results with the help of the filter (| select name). You can use the same command as above but add a filter to list only specific member names.
For example,
Get-AdGroupMember -identity "Administrators" | select name
4. Export AD Group Members to a CSV File
Now that you have a complete filtered list of AD group members, let’s go ahead and export these results to a CSV file. To do this, you only need to append “export-CSV” to the previous command “Get-ADGroupMember … ”.
So, now the command should look something like this:
Get-ADGroupMember -identity "Administrators" | select name | Export-csv -path "C:\AD Management\Administrators.csv" -NoTypeInformation
Exporting a CSV file containing all members’ information can be very handy for large AD groups. Maybe you want to perform some automation tasks in bulk and need all the names from that specific group in a CSV file.
5. More AD Management?
You can use a third-party reporting tool and forget the need to write your own PowerShell scripts. For example, SolarWinds Access Rights Manager is full of utilities to manage, monitor, and secure Active Directory, and it includes a reporting tool that generates an XLSX-format list of all the accounts in your domain controller. Alternatively, ManageEngine ADManager Plus helps administrators import, export, and modify AD objects and groups en masse with just a few clicks.
SolarWinds Access Rights Manager – FREE TRIAL
Once you have your data in Excel, you can update it, filter it, search it, and export it again for insertion into another domain or back into the original instance.
Take a look at the Access Rights Manager with a 30-day free trial.
ManageEngine ADManager Plus – FREE TRIAL
ManageEngine ADManager Plus is a powerful Active Directory management and reporting solution that can prove invaluable for sysadmins managing large AD environments. IT administrators and technicians can create multiple security and distribution groups using smart templates and add or remove members in bulk, making it easier to manage groups with large numbers of members.
Key Features:
- Bulk AD groups and object features
- Out-of-the-box templates for quick management
- Customizable reports and auditing capabilities
ADManager Plus allows for rule-based account creation and modification templates, which can simplify the process of managing AD groups and their members. The solution also offers built-in report libraries and customizable reports, making it easier to generate reports on AD group membership, among other things.
Pros:
- Detailed reporting, can generate compliance reports for all major standards (PCI, HIPAA, etc.)
- Supports multiple domains
- Supports delegation for NOC or helpdesk teams
- Allows you to visually view share permissions and the details of security groups
Cons:
- Is a comprehensive platform that takes time to fully explore
Overall, ADManager Plus is a comprehensive and user-friendly solution that can greatly streamline the management of Active Directory groups and their members.
You can try out ADManager Plus completely free through their 30-day free trial.
Conclusion
In this tutorial, we used a couple of simple PowerShell commands to export AD group members. But the truth is that PowerShell can do so much more. It is a fantastic tool for automating and simplifying a massive amount of Active Directory tasks.
Still, PowerShell is not for everyone. The more you intend to do, the more overwhelming it can get, and PowerShell requires scripting knowledge.
Export AD Group Members with PowerShell FAQs
How can I export AD group members with PowerShell?
You can use the PowerShell cmdlet "Get-ADGroupMember" to retrieve the members of an AD group, and then export the results to a CSV file using the "Export-Csv" cmdlet. For example: "Get-ADGroupMember -Identity 'GroupName' | Export-Csv -Path 'C:\Temp\GroupMembers.csv' -NoTypeInformation"
What information is included in the exported CSV file?
By default, the CSV file includes the following information for each group member: Name, ObjectClass, DistinguishedName, Enabled, SamAccountName, SID, and UserPrincipalName. You can customize the output by selecting specific properties using the "Select-Object" cmdlet.
How can I filter the results to include only specific types of group members?
You can use the "-MemberType" parameter with the "Get-ADGroupMember" cmdlet to filter the results based on the object class of the group member. For example: "Get-ADGroupMember -Identity 'GroupName' -MemberType User | Export-Csv -Path 'C:\Temp\Users.csv' -NoTypeInformation" will only include users in the exported CSV file.
How can I export group members from multiple AD groups?
You can use a "foreach" loop to iterate over a list of AD group names, and then use the "Get-ADGroupMember" and "Export-Csv" cmdlets within the loop to export the group members to separate CSV files for each group.
How can I schedule the export of AD group members with PowerShell?
You can create a PowerShell script that exports AD group members and then use the Windows Task Scheduler to schedule the script to run at specified intervals.
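The foreach loop from the FAQ, combined with the export from steps 3 and 4, as an added example that is not part of the original article. It goes beyond the single-group command by using -Recursive to resolve nested groups and marking each member as direct or nested, which is what an access review usually needs. The group names and output folder are assumptions, and it assumes all members live in the current domain.

```powershell
# Added example, not from the original article.
# Assumptions: the group names below exist, and all members are in the current domain.
Import-Module ActiveDirectory

$Groups    = 'Administrators', 'Domain Admins'   # assumed group names
$OutFolder = 'C:\AD Management'                  # folder used in step 4
New-Item -ItemType Directory -Path $OutFolder -Force | Out-Null

foreach ($group in $Groups) {
    try {
        # Direct members only: a nested group shows up here as an object of class "group".
        $direct    = Get-ADGroupMember -Identity $group -ErrorAction Stop
        # -Recursive expands nested groups and returns only the leaf members.
        $effective = Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop
    }
    catch {
        Write-Warning "Skipping '$group': $($_.Exception.Message)"
        continue
    }

    $directDns = @($direct | ForEach-Object { $_.distinguishedName })

    $rows = foreach ($m in $effective) {
        # Enabled is looked up for user objects only; other object classes stay blank.
        $enabled = $null
        if ($m.objectClass -eq 'user') {
            $enabled = (Get-ADUser -Identity $m.distinguishedName).Enabled
        }
        [pscustomobject]@{
            Group             = $group
            Name              = $m.name
            SamAccountName    = $m.SamAccountName
            ObjectClass       = $m.objectClass
            Enabled           = $enabled
            Membership        = if ($directDns -contains $m.distinguishedName) { 'Direct' } else { 'Nested' }
            DistinguishedName = $m.distinguishedName
        }
    }

    # Replace characters that are not valid in a file name, then write one CSV per group.
    $safeName = $group -replace '[\\/:*?"<>|]', '_'
    $rows | Sort-Object Membership, Name |
        Export-Csv -Path (Join-Path $OutFolder "$safeName.csv") -NoTypeInformation -Encoding UTF8
}
```

Saved as a .ps1 file, the same script can be run from Task Scheduler as described in the last FAQ answer.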