Maybe you are trying to find a list of users that belong to the Administrator’s group, or you probably want to know who has access to which folder. Anyone from IT managers, security auditors, or even third-party services might want to get a list of Active Directory group members for several reasons.
Unfortunately, the built-in Active Directory Users and Computers (ADUC) tool does not give you an option to export lists of group members.
How do you get a list of users that belong to a particular Active Directory group?
Fortunately, you can export all the users in a group with a couple of simple PowerShell commands. All you need is PowerShell, the Power Shells’s “Active Directory” module, and a couple of simple commands.
In this Export AD Group Members tutorial, we’ll walk you step by step on the process of exporting AD group members into a CSV file using PowerShell.
1. Install and Verify PowerShell the Module
If you don't have PowerShell (PS), you can download its latest version from its GitHub repository. To use PowerShell for connecting and querying an Active Directory group, you’ll first need to install the AD module.
The Active Directory module is a package containing cmdlets, variables, functions, etc. It lets you run Active Directory commands from your PowerShell command session.
Bear in mind that; the installation process of the Active Directory module will vary according to different Powershell and Windows versions.
A. Verify the PowerShell Active Directory module is installed
First, let’s verify if you already have the AD module.
Get-Module -Listavailable
As shown in the previous screenshot, if you do have the module installed, skip to part two. If you don’t have the Active Directory module, move on to the next section.
B. Install the PowerShell Active Directory module
For Windows 8, Windows 8.1, and Windows 10, you only need to have RSAT installed. The RSAT enables all tools by default, so you can use the AD module without installing it.
For Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016, follow the instructions below:
- Add the module as a feature from Server Manager.
- Open “Server Manager” and go to > “Add Roles and Features.”
- Click Next until you reach “Features.”
- Go to Remote Server Administration Tools > Role Administration Tools > AD DS and AD LDS Tools.
- Find and enable “Active Directory Module for Windows PowerShell.”
- Click on “Install.”
Alternatively, you can also install the AD module from the PowerShell console itself. Run the command:
Install-WindowsFeature RSAT-AD-PowerShell
To make sure that the AD is installed successfully and can be used from PowerShell, open the PowerShell console, and use the Get-Module -Listavailable command again.
2. Find the Active Directory Group Name
If you want to export Active Directory group members with PowerShell but don’t know the exact name of their groups, you can also export a list containing all group information in Active Directory with PowerShell.
To do this, open your PowerShell console and run the following command:
get-adgroup -filter * | sort name | select Name
Running this command without filters would result in a complete but complicated output.
You should get a list of all your AD groups in your domain, similar to the screenshot above. This list should help you identify the correct name of the group that you want to export the members from.
3. Get a List of the Members of a Specific Group
Now that you already know all the available groups and their names using the “get-adgroup” command, you can specify the group you want to export members from.
Use the following command to list all the members of a specific group:
Get-AdGroupMember -identity "Group Name"
Let’s use this command to get a list of all the members in the “Administrators” Group.
As you might notice from the screenshot above, the command Get-AdGroupMember -identity “Group Name” gives you more details on the group members than what you probably need. You can narrow down your search results with the help of the filter (| select name). You can use the same command as above but add a filter to list only specific member names.
For example,
Get-AdGroupMember -identity "Administrators" | select name
4. Export AD Group Members to a CSV File
Now that you already have a complete filtered list of AD group members let’s go ahead and export these results to a CSV file. To do this, you only need to append “export-CSV” to the previous command “Get-ADGroupMember … ”.
So, now the command should look something like this:
Get-ADGroupMember -identity “Administrators” | select name | Export-csv -path C:\AD Management\Administrators.csv -NoTypeInformation
Exporting a CSV file containing all member’s information can be very handy for large AD groups. Maybe you want to perform some automation tasks in bulk and need all the names from that specific group in a CSV file.
5. More AD Management?
You can use a third-party reporting tool and forget the need to write your own PowerShell scripts. For example, SolarWinds Access Rights Manager is full of utilities to manage, monitor, and secure Active Directory and it includes a reporting tool that will just generate out an XLSX format list of all the accounts in your domain controller.
SolarWinds Access Rights Manager – FREE TRIAL
Once you have your data in Excel, you can update it, filter it, search, it and export it again for insertion into another domain or back into the original instance.
Take a look at the Access Rights Manager with a 30-day free trial.
Conclusion
In this tutorial, we used a couple of simple PowerShell commands to export AD group members. But the truth is that PowerShell can do so much more. It is a fantastic tool for automating and simplifying a massive amount of Active Directory tasks.
Still, PowerShell is not for everyone. As the more you intend to do, the more overwhelming it can get. PowerShell requires scripting knowledge.
