In this guide, you will learn how to use PowerShell to get AD group members and export them to a CSV file.
As an Administrator, you often need to get a list of groups and group members from Active Directory. This may be requested as part of a security Audit, permissions review, or export and import into other systems.
How to Export Group Members to CSV with PowerShell
In this example, I’ll use the Get-ADGroupMember command to get members of an ad group and export to csv.
Step 1: Open PowerShell as Administrator.
Step 2: To get all group members use this command.
Get-ADGroupMember -Identity Administrators | Select-Object name, objectClass,distinguishedName
In this example, I get all members of the Administrators group.
Step 3. To export group members to CSV use this command.
Get-ADGroupMember -Identity Administrators | Select-Object name, objectClass,distinguishedName | export-csv c:\temp\admingroup.csv
Method #2 AD Group Management Tool
In this example, I’ll use the AD Group Management Tool that is included with the AD Pro Toolkit.
Step 1: Click “Run” to get all AD group members. Nested groups are included by default. To get members of a specific group or OU click the browse button.
Step 2. To export the list of groups click the “Export” button.
The Group Membership Report is 1 of 19 tools included in the AD Pro Toolkit.
PowerShell Get AD Group Members Details
In this first example, I’ll show you how to export Active Directory group members using the Get-ADGroupMember PowerShell cmdlet.
Step 1: Load the Active Directory Module
To connect and query an AD group with PowerShell the Active Directory module needs to be loaded.
The Active Directory module can be installed with the following methods:
- RSAT tools installed
- Windows Server 2008 R2 and above with the AD DS or AD LDS server roles
You can run the following command to see if you have installed
Get-Module -ListAvailable
As you can see I don’t have the module installed.
If you already have the module loaded then jump to step 2, if not then follow these instructions.
To get the Active Directory module installed on my Windows 10 PC, I will need to download and install the RSAT tools.
With the RSAT tools installed, I run the Get-Module -ListAvailable command again
Now I have the module installed, let’s move on to step 2.
RELATED: Tutorial on how to install PowerShell modules
Step 2: Find AD Group
If you already know the name of the group, then skip to step 3.
If you’re not sure what the group name is, you can issue the following command to list all Active Directory groups.
Get-ADGroup -filter * | sort name | select name
Above, is a screenshot of some of the groups listed in my domain. I had an HR group but wasn’t sure of its complete name, I can see it’s HR full. I’ll use that group in step 3 to list out the members.
Step 3: Use Get-AdGroupMember to list group members
The following command will list all members of my HR Full group
Get-ADGroupMember -identity "HR Full"
You can see the above command provides more details on the group members than I need.
We can filter out the results and just get the member name with this command
Get-ADGroupMember -identity "HR Full" | select name
Perfect, now I just need to export this to CSV.
Related: How to export all Users from Active Directory
Step 4: Export group members to CSV file
The last step is to export the results to a CSV file
This is done by adding Export-csv to our above commands. The full command looks like this
Get-ADGroupMember -identity "HR Full" | select name | Export-csv -path c:\it\filename.csv -Notypeinformation
Get-ADGroupMember -identity “HR Full” | select name | Export-csv -path C:\it\filename.csv -NoTypeInformation
Now I have a CSV file of all the members from the HR Full Active Directory group.
Pretty easy right?
Method 2: Export AD Group Members Using the AD Pro Toolkit
In this example, I’ll use the Group Membership Report Tool from the AD Pro Toolkit to get AD group members. This tool makes it very easy to get AD group membership from a single group or all domain groups. See the steps below.
Step 1. Download the AD Pro Toolkit
Click here to download a free trial
The tool is very easy to install, it can be installed on a workstation or server.
Step 2. Click on Group Membership Report
On the management tools page click on “Group Membership Report”.
Step 3. Choose Path and click Run
You can choose to get group members from the entire domain, select an OU or group, or search the domain for a specific group.
For this example, I’m going to select the entire domain.
Now click the run button to generate the report.
You will now have a list of all Active Directory groups and members.
The sAMAccountName column is the user or group account and the memberOf column is the group it is a member of.
Step 4. Export AD Group Members to CSV
To export the report, click the export button and select CSV, XLSX, or PDF.
The below screenshot is an example CSV export.
List only Security Group Members
With the GUI tool, you can easily filter on any of the columns. In this example, I’ll filter on the group type to list only security groups and members.
Click on the groupType column and select Security.
Now the tool will only display security groups and the group members.
Get Recursive AD Group Membership
By default, the GUI tool will get recursive group membership. This means if a group is a member of another group it will also list the nested group’s membership.
To see which groups are members of another group filter the objectclass column by group.
Below you can see the “Accounting_Local” group is a member of the “Accounting_printers group. The “HR_Local” group is a member of the “IT_Local” group.
Include Additional User Properties (attributes) in the Group Membership Report
To add additional user properties click the columns button and add or remove the attributes you need.
Now re-run the report and it will display the user properties that you selected.
Get AD Group Members from an Organizational Unit
In this last example, I’ll get group members from a group in an OU instead of the entire domain.
Select OU or group and click the browse button.
Next, select the OU. You can select multiple OUs or groups. I’ve selected my HR OU.
Run the report and it will list the groups and members from your selection, In my case, it will get all groups in the HR OU.
The Group Membership Report Tool is a huge time saver and makes it easy to report and export group membership. Click here to download a free trial.
This article is so clear and easy to follow. Thank you.
It works for some groups and for others I see an error “Get-ADGroupMember : Cannot find an object with identity: ‘Pwa xxx’ under: ‘DC=abc,DC=abc,DC=abc’ “.
I see this has been answered in a previous comment but how do I know the name of the server or domain controller for a particular group?
We have multiple domain controllers, how can we get the output for a group in a
different DC
Get-ADGroupMember : Cannot find an object with identity: ‘DC2XXYY-ABCD’ under:
‘DC=dc2,DC=int,DC=us’.
the same command works for groups in dc1
To get group members from a specific domain controller use the -server parameter.
Get-ADGroupMember -server dc2 -identity “HR Full”
Hi,
Is it possible to to retrieve a list of deleted users for a particular group?
Thanks
I want the following command to search the entire directory
Get-ADGroupMember -identity “TEST_GROUP_NAME”
Hi Robert Allen,
can you help please!
I need a info with all local administrators on servers and computers ,but excluded Domain Admins Group
Hi,
See this article:
https://activedirectorypro.com/find-local-administrators-on-all-computers/
Also check out this tool”
https://activedirectorypro.com/local-admins-reporting-tool/
Hai Robert Allen,
How to get user groups names using logon name and password with power shell script and LDAP bind connection.
Can i get the full script which i can run in azure DevOps pipeline and get the details of all AD groups as well as group users.
Thanks Robert! Helped a lot
No problem!
Hi,
You did a great job!
I would like to add few details at Step2 if you don’t see the groups, if the AD has azure information protection.
First you will need to check the name of the group in AD then use the following command in PowerShell:
Get-ADGroupMember -identity “Group_Name” | select name
All the best,
Alex Gheorghisoara
This is very clean and retrieves the information I need for a compliance report. However, I have been asked to transpose data such that the export is formatted such that each group becomes a column header, and the columns contains all members of the “header” group. Any help is greatly appreciated.
Thank you!
Hi Robert,
this is great – any idea how to omit specific emails from results?
Thank you, this info was useful!
Hi
How to export the owners name for a list of service accounts from Powershell ?
Hi
How do I get groups within a nested group please? So I have a parent group, then within that, I have nested groups. I wanted those nested groups (not users)
Thanks
thank you so much. This blog helped me.
Hi ,
I have 120 dl names in one CSV file. How I can get the first member of that all dl using script
Hi Robert, thank you for sharing all these helpful commands and PS-Scripts.
I am trying to create a script that will export all users with their manager name to a csv file. (i got this part done already), I used: get-aduser -Filter * -Properties Manager | Select-Object Name,sAMAccountName,Manager | export-csv C:\temp\UsersManagersExample.csv -notypeinformation.
But also that shows all the membership groups for each user. I am not sure what is the best way to achieve this. Can you help? I am quite sure that there is a way to get this done using powershell.
So I am trying to get a list of all managers and their reporties plus the membership assigned to each user.
Thank you in advance!
Best Regards,
Fady
Thanks ,Its very useful for audit purpose, I have created around 24 .CSV file. How do I can add all in one excel in different tabs in sing excel.
Thanks again
Vaibhav Joshi
Hi Robert, how would I get a listing of all members in an AD group that has members from 2 different domains (universal group). Is this possible? Thanks.
How do we find the AD groups assigned to a Role?
Hi could you point me in the right direction? Any help would be appreciated. At step 3 I’m running into the following error….
Get-AdGroupMember : An unspecified error has occurred
At line:1 char:1
+ Get-AdGroupMember -identity GROUP-TESTA
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: GROUP-TESTA:ADGroup) [Get-ADGroupMember], ADException
+ FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember
Does the group have members from another domain? This command only works if the group members are all from the same domain.
How can I get properties like samaccountname, mail, etc for a group that has members from more than one domain?
I hate to ask this because I should know. How do I get it to export the AD username instead of Last, First?
Hi Robert, bit late to the party here. I am doing something similar but I wanted to be able to export only names that do not match part of a string to the CSV e.g names that do not match “admin*”. I can manipulate the CSV afterwards but would be great if I could do it as part of PS.
Exactly what i am looking for Thank you Robert. I mostly get all the required stuff from activedirectorypro.com
Thanks Kuldip. Glad you found what you needed.
i need an export for names, email addresses, title, location and department…. is that possible?
Yes. I have two tools that make this really easy. You can download a free trial of them both.
1. Active Directory Reporting Tool
2. AD User Export Tool