
Get the Members of all Security Groups in Active Directory w/ PowerShell

Update 4 May 2017:

I’ve been contacted by a few people who were having trouble running the code in the Get-GroupMember function. I have replicated the error on one of my DCs, but on another DC in a different domain the Get-GroupMember function works fine. I’m still not entirely sure why the code works for some but not others. Anyway, I’ve posted an alternate solution below. If anyone knows why the Get-GroupMember function doesn’t always work, please let me know.

$Groups = Get-ADGroup -Filter {GroupScope -eq 'Global' -and Members -ne "NULL"}
$Users = foreach( $Group in $Groups ){
    Get-ADGroupMember -Identity $Group | foreach {
        [PSCustomObject]@{
            Group = $Group.Name
            UserName = $_.SamAccountName
        }
    }
}
$Users | Export-CSV C:\scripts\groups.csv -NoTypeInformation

 

 

Have you ever taken over Active Directory administration duties at an organization that has a fully functional AD architecture? In some cases this is great: just sit down in the seat and watch it all work as normal. However, at some point you will need to know which users have access to which resources, which users are Domain Admins, etc.

In a smaller organization this may not be such a daunting task; simply clicking through ADUC might suffice. In a larger organization with 100s of users and maybe 100s of groups, clicking through ADUC is not going to cut it.

Using some PowerShell magic, this task is pretty easy no matter what the size of Active Directory. The code and video below will walk you through the process.

Caution: In a large Active Directory environment this script could put a significant workload on Servers. USE AT YOUR OWN RISK.

#  *** THIS SCRIPT IS PROVIDED WITHOUT WARRANTY, USE AT YOUR OWN RISK ***
<#

.DESCRIPTION
	Get members of all the Global, Universal or DomainLocal groups in your Active Directory
    and output the data to a CSV file

.NOTES
	File Name: Get-GroupMember.ps1
	Author: David Hall
	Contact Info: 
		Website: www.signalwarrant.com
		Twitter: @signalwarrant
		Facebook: facebook.com/signalwarrant/
		Google +: plus.google.com/113307879414407675617
		YouTube Subscribe link: https://www.youtube.com/c/SignalWarrant1?sub_confirmation=1
	Requires: Appropriate AD permissions
	Tested: PowerShell Version 5, Windows 10 and Windows Server 2012 R2

.PARAMETER Scope
    The available scope options are Global, Universal, and DomainLocal
		 
.EXAMPLE
     Get-GroupMember -Scope DomainLocal

#>

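# Scope options are Universal, DomainLocal, Global.
# Defining the function produces no output; call it with a scope, for example:
# Get-GroupMember -Scope DomainLocal

Function Get-GroupMember{
    Param(
        [parameter(Mandatory=$true)]
        [ValidateSet('Global','Universal','DomainLocal')]
        [string]
        $scope
    )
    # Find every non-empty group of the requested scope and build one row per group,
    # with the members' SamAccountNames joined one per line.
    $Groups = Get-ADGroup -Filter {GroupScope -eq $scope -and Members -ne "NULL"} -Properties Name | 
                  Select-Object Name, @{Name="GroupMembers";Expression={(Get-ADGroupMember -Identity "$_" | 
              Select-Object -ExpandProperty SamAccountName) -join "`n"}}

    # $Groups is local to the function, so the output steps have to run inside it.
    $Groups | Format-Table -AutoSize -Wrap
    $Groups | Out-GridView
    $Groups | Export-Csv C:\scripts\groups.csv -NoTypeInformation
}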
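
For an access review, a group whose members could not be read is as important as one that could. The following is an added example, not part of the original post: it writes one row per group/member pair, expands nested groups, and records any group where the lookup failed instead of dropping it. The function name, parameter names and output path are assumptions chosen for illustration.

```powershell
# Added example (not the blog author's code). Export-GroupMembershipAudit, its
# parameters and the default CSV path are hypothetical names for illustration.
# Needs the ActiveDirectory module (RSAT) and read access to the directory.

function Export-GroupMembershipAudit {
    [CmdletBinding()]
    param(
        [ValidateSet('Global', 'Universal', 'DomainLocal')]
        [string]$Scope = 'Global',

        [string]$Path = 'C:\scripts\group-audit.csv'
    )

    # String filter: $Scope is expanded by PowerShell before the AD module parses it.
    # Empty groups are dropped client-side using the Members property.
    $groups = Get-ADGroup -Filter "GroupScope -eq '$Scope'" -Properties Members |
        Where-Object { $_.Members.Count -gt 0 }

    $rows = foreach ($group in $groups) {
        try {
            # -Recursive expands nested groups, so a user who is in Domain Admins
            # only through another group is still listed against Domain Admins.
            Get-ADGroupMember -Identity $group.DistinguishedName -Recursive -ErrorAction Stop |
                ForEach-Object {
                    [PSCustomObject]@{
                        Group       = $group.Name
                        Member      = $_.SamAccountName
                        ObjectClass = $_.objectClass
                        Status      = 'OK'
                    }
                }
        }
        catch {
            # Keep a row for the group so the gap is visible in the CSV.
            [PSCustomObject]@{
                Group       = $group.Name
                Member      = $null
                ObjectClass = $null
                Status      = "FAILED: $($_.Exception.Message)"
            }
        }
    }

    $rows | Export-Csv -Path $Path -NoTypeInformation
    # Return only the groups that need a manual look.
    $rows | Where-Object Status -ne 'OK'
}
```

Run it as `Export-GroupMembershipAudit -Scope Global`; anything it returns to the console is a group whose membership is missing or incomplete in the CSV.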

 

1 Comment

  1. Mike Adams

    I am new to PowerShell. I put in the script that you wrote for the get members of all AD groups with PowerShell.
    I put this script into my PowerShell window and it did not do anything, no errors, nothing.
    Did I need to make any changes?
    Thanks,
    Mike
