In this guide, you will learn how to use PowerShell to get AD group members and export them to a CSV file.
As an Administrator, you often need to get a list of groups and group members from Active Directory. This may be requested as part of a security Audit, permissions review, or export and import into other systems.
The problem is…
The built-in Active Directory Users and Computer console have no way to get all group members and export them.
To accomplish this we can use the PowerShell Get-ADGroupMember cmdlet. As an alternative to PowerShell, I’ll also show you how to create a group report using the AD Pro Toolkit.
Let’s get started.
How to Export Group Members to CSV with PowerShell
In this first example, I’ll show you how to export Active Directory group members using the Get-ADGroupMember PowerShell cmdlet.
Step 1: Load the Active Directory Module
To connect and query an AD group with PowerShell the Active Directory module needs to be loaded.
The Active Directory module can be installed with the following methods:
- RSAT tools installed
- Windows Server 2008 R2 and above with the AD DS or AD LDS server roles
You can run the following command to see if you have installed
As you can see I don’t have the module installed.
If you already have the module loaded then jump to step 2, if not then follow these instructions.
To get the Active Directory module installed on my Windows 10 PC, I will need to download and install the RSAT tools.
With the RSAT tools installed, I run the Get-Module -ListAvailable command again
Now I have the module installed, let’s move on to step 2.
Step 2: Find AD Group
If you already know the name of the group, then skip to step 3.
If you’re not sure what the group name is, you can issue the following command to list all Active Directory groups.
Get-ADGroup -filter * | sort name | select name
Above, is a screenshot of some of the groups listed in my domain. I had an HR group but wasn’t sure of its complete name, I can see it’s HR full. I’ll use that group in step 3 to list out the members.
Step 3: Use Get-AdGroupMember to list group members
The following command will list all members of my HR Full group
Get-ADGroupMember -identity "HR Full"
You can see the above command provides more details on the group members than I need.
We can filter out the results and just get the member name with this command
Get-ADGroupMember -identity "HR Full" | select name
Perfect, now I just need to export this to CSV.
Step 4: Export group members to CSV file
The last step is to export the results to a CSV file
This is done by adding Export-csv to our above commands. The full command looks like this
Get-ADGroupMember -identity "HR Full" | select name | Export-csv -path c:\it\filename.csv -Notypeinformation
Get-ADGroupMember -identity “HR Full” | select name | Export-csv -path C:\it\filename.csv -NoTypeInformation
Now I have a CSV file of all the members from the HR Full Active Directory group.
Pretty easy right?
Method 2: Export AD Group Members Using the AD Pro Toolkit
In this example, I’ll use the AD Group Membership Report Tool from the AD Pro Toolkit to get AD group members. This tool makes it very easy to get AD group membership from a single group or all domain groups. See the steps below.
Step 1: Download the AD Group Membership GUI Tool
The tool is very easy to install, it can be installed on a workstation or server.
Step 2: Click on Group Report
In the list of tools select group report.
Step 3: Choose Paths and click run
You can choose to get group members from the entire domain, select an OU or group or search the domain for a specific group.
For this example, I’m going to select the entire domain.
Now click the run button to generate the report.
You will now have a list of all Active Directory groups and members.
The sAMAccountName column is the user or group account and the memberOf column is the group it is a member of.
Step 4: Export AD Group Members to CSV
To export the report, click the export button and select CSV, XLSX, or PDF.
The below screenshot is an example CSV export.
List only Security Group Members
With the GUI tool, you can easily filter on any of the columns. In this example, I’ll filter on the group type to list only security groups and members.
Click on the groupType column and select Security.
Now the tool will only display security groups and the group members.
Get Recursive AD Group Membership
By default, the GUI tool will get recursive group membership. This means if a group is a member of another group it will also list the nested group’s membership.
To see which groups are members of another group filter the objectclass column by group.
Below you can see the “Accounting_Local” group is a member of the “Accounting_printers group. The “HR_Local” group is a member of the “IT_Local” group.
Include Additional User Properties (attributes) in the Group Membership Report
To add additional user properties click the columns button and add or remove the attributes you need.
Now re-run the report and it will display the user properties that you selected.
Get AD Group Members from an Organizational Unit
In this last example, I’ll get group members from a group in an OU instead of the entire domain.
Select OU or group and click the browse button.
Next, select the OU. You can select multiple OUs or groups. I’ve selected my HR OU.
Run the report and it will list the groups and members from your selection, In my case, it will get all groups in the HR OU.
The Group Membership Report Tool is a huge time saver and makes it so easy to report and export group membership. Click here to download a free trial.