This is my personal blog. The opinions and views I express are my own. The information I provide is on an as-is basis. I make no representations as to accuracy, completeness, currentness, suitability, or validity of any information on this blog and will not be liable for any errors, omissions, or delays in this information or any losses, injuries or damages arising from its use.

Get the Members of all Security Groups in Active Directory w/ PowerShell

Update 4 May 2017:

I’ve been contacted by a few people that were having trouble running the code in the Get-GroupMember function. I have replicated the error on one of my DCs but another DC in a different domain the Get-GroupMember function works fine. I’m still not entirely sure why the code works for some but not other. Anyway, I’ve posted an alternate solution below. If anyone knows why the Get-GroupMember function doesn’t always work please let me know.

$Groups = Get-ADGroup -Filter {GroupScope -eq 'Global' -and Members -ne "NULL"}
$Users = foreach( $Group in $Groups ){
    Get-ADGroupMember -Identity $Group | foreach {
            Group = $Group.Name
            UserName = $_.SamAccountName
$Users | Export-CSV C:\scripts\groups.csv -NoTypeInformation



Have you ever taken over Active Directory Administration duties at an organization that has a fully functional AD architecture? In some cases this is great, just set down in the seat and watch it all work as normal. However, at some point in time, you will need to know what users have what access to what resources, what users are Domain Admins etc…

In a smaller organizational this may not be such a daunting task, simply clicking through ADUC might suffice. In larger organizational with 100’s and users and maybe 100’s of groups, clicking through ADUC is not going to cut it.

Using some PowerShell magic this task is pretty easy no matter what the size of Active Directory, the code and video below will walk you through the process.

Caution: In a large Active Directory environment this script could put a significant workload on Servers. USE AT YOUR OWN RISK.


	Get members of all the Global, Universal or DomainLocal groups in your Active Directory
    and output the data to a CSV file

	File Name: Get-GroupMember.ps1
	Author: David Hall
	Contact Info: 
		Website: www.signalwarrant.com
		Twitter: @signalwarrant
		Facebook: facebook.com/signalwarrant/
		Google +: plus.google.com/113307879414407675617
		YouTube Subscribe link: https://www.youtube.com/c/SignalWarrant1?sub_confirmation=1
	Requires: Appropriate AD permissions
	Tested: PowerShell Version 5, Windows 10 and Windows Server 2012 R2

    The available scope options are Global, Universal, and DomainLocal
     Get-GroupMember -Scope DomainLocal


# Scope options are Universal, DomainLocal,Global
# Get-GroupMember -Scope DomainLocal

Function Get-GroupMember{
    $Groups = Get-ADGroup -Filter {GroupScope -eq $scope -and Members -ne "NULL"} -Properties Name | 
                  Select-Object Name, @{Name="GroupMembers";Expression={(Get-ADGroupMember -Identity "$_" | 
              Select-Object -ExpandProperty SamAccountName) -join "`n"}}
        $Groups | Format-Table -AutoSize -Wrap
        $Groups | Out-GridView
        $Groups | Export-Csv C:\scripts\groups.csv -NoTypeInformation