PowerShell: Export Active Directory Group Members

In this guide, you will learn how to use PowerShell to get AD group members and export them to a CSV file.

As an Administrator, you often need to get a list of groups and group members from Active Directory. This may be requested as part of a security Audit, permissions review, or export and import into other systems.

How to Export Group Members to CSV with PowerShell

In this example, I’ll use the Get-ADGroupMember command to get members of an ad group and export to csv.

Step 1: Open PowerShell as Administrator.

Step 2: To get all group members use this command.

Get-ADGroupMember -Identity Administrators | Select-Object name, objectClass,distinguishedName

In this example, I get all members of the Administrators group.

Step 3. To export group members to CSV use this command.

Get-ADGroupMember -Identity Administrators | Select-Object name, objectClass,distinguishedName | export-csv c:\temp\admingroup.csv

Method #2 AD Group Management Tool

In this example, I’ll use the AD Group Management Tool that is included with the AD Pro Toolkit.

Step 1: Click “Run” to get all AD group members. Nested groups are included by default. To get members of a specific group or OU click the browse button.

Step 2. To export the list of groups click the “Export” button.

The Group Membership Report is 1 of 19 tools included in the AD Pro Toolkit.

PowerShell Get AD Group Members Details

In this first example, I’ll show you how to export Active Directory group members using the Get-ADGroupMember PowerShell cmdlet.

Step 1: Load the Active Directory Module

To connect and query an AD group with PowerShell the Active Directory module needs to be loaded.

The Active Directory module can be installed with the following methods:

  • RSAT tools installed
  • Windows Server 2008 R2 and above with the AD DS or AD LDS server roles

You can run the following command to see if you have installed

Get-Module -ListAvailable

As you can see I don’t have the module installed.

If you already have the module loaded then jump to step 2, if not then follow these instructions.

To get the Active Directory module installed on my Windows 10 PC, I will need to download and install the RSAT tools.

With the RSAT tools installed, I run the Get-Module -ListAvailable command again

Now I have the module installed, let’s move on to step 2.

RELATED: Tutorial on how to install PowerShell modules

Step 2: Find AD Group

If you already know the name of the group, then skip to step 3.

If you’re not sure what the group name is, you can issue the following command to list all Active Directory groups.

Get-ADGroup -filter * | sort name | select name

Above, is a screenshot of some of the groups listed in my domain. I had an HR group but wasn’t sure of its complete name, I can see it’s HR full. I’ll use that group in step 3 to list out the members.

Step 3: Use Get-AdGroupMember to list group members

The following command will list all members of my HR Full group

Get-ADGroupMember -identity "HR Full"

You can see the above command provides more details on the group members than I need.

We can filter out the results and just get the member name with this command

Get-ADGroupMember -identity "HR Full" | select name

Perfect, now I just need to export this to CSV.

Related: How to export all Users from Active Directory

Step 4: Export group members to CSV file

The last step is to export the results to a CSV file

This is done by adding Export-csv to our above commands. The full command looks like this

Get-ADGroupMember -identity "HR Full" | select name | Export-csv -path c:\it\filename.csv -Notypeinformation

Get-ADGroupMember -identity “HR Full” | select name | Export-csv -path C:\it\filename.csv -NoTypeInformation

Now I have a CSV file of all the members from the HR Full Active Directory group.

Pretty easy right?

Method 2: Export AD Group Members Using the AD Pro Toolkit

In this example, I’ll use the Group Membership Report Tool from the AD Pro Toolkit to get AD group members. This tool makes it very easy to get AD group membership from a single group or all domain groups. See the steps below.

Step 1. Download the AD Pro Toolkit

Click here to download a free trial

The tool is very easy to install, it can be installed on a workstation or server.

Step 2. Click on Group Membership Report

On the management tools page click on “Group Membership Report”.

Step 3. Choose Path and click Run

You can choose to get group members from the entire domain, select an OU or group, or search the domain for a specific group.

For this example, I’m going to select the entire domain.

Now click the run button to generate the report.

You will now have a list of all Active Directory groups and members.

The sAMAccountName column is the user or group account and the memberOf column is the group it is a member of.

Step 4. Export AD Group Members to CSV

To export the report, click the export button and select CSV, XLSX, or PDF.

The below screenshot is an example CSV export.

List only Security Group Members

With the GUI tool, you can easily filter on any of the columns. In this example, I’ll filter on the group type to list only security groups and members.

Click on the groupType column and select Security.

Now the tool will only display security groups and the group members.

Get Recursive AD Group Membership

By default, the GUI tool will get recursive group membership. This means if a group is a member of another group it will also list the nested group’s membership.

To see which groups are members of another group filter the objectclass column by group.

Below you can see the “Accounting_Local” group is a member of the “Accounting_printers group. The “HR_Local” group is a member of the “IT_Local” group.

Include Additional User Properties (attributes) in the Group Membership Report

To add additional user properties click the columns button and add or remove the attributes you need.

Now re-run the report and it will display the user properties that you selected.

Get AD Group Members from an Organizational Unit

In this last example, I’ll get group members from a group in an OU instead of the entire domain.

Select OU or group and click the browse button.

Next, select the OU. You can select multiple OUs or groups. I’ve selected my HR OU.

Run the report and it will list the groups and members from your selection, In my case, it will get all groups in the HR OU.

The Group Membership Report Tool is a huge time saver and makes it easy to report and export group membership. Click here to download a free trial.

129 thoughts on “PowerShell: Export Active Directory Group Members”

  1. This article is so clear and easy to follow. Thank you.
    It works for some groups and for others I see an error “Get-ADGroupMember : Cannot find an object with identity: ‘Pwa xxx’ under: ‘DC=abc,DC=abc,DC=abc’ “.
    I see this has been answered in a previous comment but how do I know the name of the server or domain controller for a particular group?

    Reply
  2. We have multiple domain controllers, how can we get the output for a group in a
    different DC

    Get-ADGroupMember : Cannot find an object with identity: ‘DC2XXYY-ABCD’ under:
    ‘DC=dc2,DC=int,DC=us’.

    the same command works for groups in dc1

    Reply
    • To get group members from a specific domain controller use the -server parameter.

      Get-ADGroupMember -server dc2 -identity “HR Full”

      Reply
  3. Hi Robert Allen,
    can you help please!
    I need a info with all local administrators on servers and computers ,but excluded Domain Admins Group

    Reply
  4. Hi,
    You did a great job!

    I would like to add few details at Step2 if you don’t see the groups, if the AD has azure information protection.
    First you will need to check the name of the group in AD then use the following command in PowerShell:
    Get-ADGroupMember -identity “Group_Name” | select name

    All the best,
    Alex Gheorghisoara

    Reply
  5. This is very clean and retrieves the information I need for a compliance report. However, I have been asked to transpose data such that the export is formatted such that each group becomes a column header, and the columns contains all members of the “header” group. Any help is greatly appreciated.

    Thank you!

    Reply
  6. Hi
    How do I get groups within a nested group please? So I have a parent group, then within that, I have nested groups. I wanted those nested groups (not users)

    Thanks

    Reply
  7. Hi Robert, thank you for sharing all these helpful commands and PS-Scripts.

    I am trying to create a script that will export all users with their manager name to a csv file. (i got this part done already), I used: get-aduser -Filter * -Properties Manager | Select-Object Name,sAMAccountName,Manager | export-csv C:\temp\UsersManagersExample.csv -notypeinformation.

    But also that shows all the membership groups for each user. I am not sure what is the best way to achieve this. Can you help? I am quite sure that there is a way to get this done using powershell.

    So I am trying to get a list of all managers and their reporties plus the membership assigned to each user.

    Thank you in advance!
    Best Regards,

    Fady

    Reply
  8. Thanks ,Its very useful for audit purpose, I have created around 24 .CSV file. How do I can add all in one excel in different tabs in sing excel.

    Thanks again
    Vaibhav Joshi

    Reply
  9. Hi Robert, how would I get a listing of all members in an AD group that has members from 2 different domains (universal group). Is this possible? Thanks.

    Reply
  10. Hi could you point me in the right direction? Any help would be appreciated. At step 3 I’m running into the following error….

    Get-AdGroupMember : An unspecified error has occurred
    At line:1 char:1
    + Get-AdGroupMember -identity GROUP-TESTA
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: GROUP-TESTA:ADGroup) [Get-ADGroupMember], ADException
    + FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember

    Reply
  11. Hi Robert, bit late to the party here. I am doing something similar but I wanted to be able to export only names that do not match part of a string to the CSV e.g names that do not match “admin*”. I can manipulate the CSV afterwards but would be great if I could do it as part of PS.

    Reply

Leave a Reply to Paul Cancel reply