How To Export AD Group Members with PowerShell

If you’re working in Active Directory as either an administrator or technician, chances are you'll need to export group members in Active Directory one day. Sometimes the request comes from HR, or maybe you just need this information for reporting.

If you do enough poking around you’ll find there is no GUI to export group members in Active Directory. Don’t fret, we’ve got you covered.

In this article, we’ll walk through how to export AD group members by using a few simple, but powerful PowerShell commands.

Launching PowerShell

Most servers will already have PowerShell installed. We can launch PowerShell by pressing Windows Key +R and typing ‘powershell’ without the quotes into the Run box and pressing enter.

If that command doesn’t work, you might not have the PowerShell module installed. You can download and install PowerShell from Microsoft’s GitHub account to install the PowerShell module for your environment if that is the case.

Alternatively, you can install PowerShell directly from Server Manager as a role by doing the following:

Open Server Manager then click on Add Roles and Features.

Click Next until you see the Features section.

Click on the Remote Server Administration Tools tab -> Role Administration Tools -> AD DS and AD LDS Tools.

Enable the Active Directory module for Windows PowerShell.

Next click on the Install button to begin the installation of PowerShell.

Finding The Active Directory Group Name

Next, you’ll need to find and list all of the groups in Active Directory. This helps you know exactly what your group is named so we can reference it later in our PowerShell command for export.

Run the command below to list all of the Active Directory groups on your server:

get-adgroup -filter * | sort name | select Name

You should see a list of different users groups. Keep in mind that many of these groups are already built into Active Directory so you might need to do a bit of searching before you find your group. Once you’ve identified the name of the group or groups you want, continue on.

Next, we’ll use the following command along with the name of the group to view all the members that are inside that group.

Get-AdGroupMember -identity "Your Group"

Below all of the names of the members of that group should be listed. You can use this on any group, and can always use the get-adgroup -filter * | sort name | select Name command to list out all of your groups.

Here you’ll also be able to see each user's SID, Distinguished Name, Object Class, GUID, and SAM account name.

If you don’t need this additional information you can use the following command to filter your results and only output their name:

Get-AdGroupMember -identity "Your Group" | select name

Exporting AD Group Members To CSV From PowerShell

You’ll likely want to get this into CSV format to clean it up, store it on a server, or email to another staff member. To save your results as CSV use the following command:

Get-AdGroupMember -identity "Your Group" | select name | Export-csv -path C:\groupmembers.csv -NoTypeInformation

The above command takes the members from the “Your Group” AD group and exports those members to a CSV file named groupmembers.csv located in the root of your C drive.

Other Useful Commands

For further filtering in larger Active Directory environments you can use additional filters to find certain types of accounts that might have been misplaced or not put into the proper group. For instance, accounts with administrative rights that are not in the traditional Administrator group.

The command below uses the GroupCategory parameter to limit the types of groups that get returned as only Security groups. This is useful for larger environments where you might not be 100% certain which group you’re looking for members in.

Get-ADGroup -Filter 'GroupCategory -eq "Security"'

If you have nested groups you may find that your results are showing the nested groups, instead of the members inside those groups. To fix this, we’ll need to add the -recursive parameter in order to enumerate all of the members and get them added to the list.

Your command would look like:

Get-ADGroupMember -identity “Your Group” -recursive | select name | Export-csv -path C:\groupmembers.csv -NoTypeInformation

A final helpful hint is if you save these commands you can always create a PowerShell script to run from a Scheduled Task to run automatically every month, quarter, or whatever your needs are. You can even set the export path to network drive where others can access the CSV as well.

Conclusion

PowerShell is an excellent tool if you know how to use it, and sometimes it’s the only tool for the job. If you know your way around PowerShell you can knock out tasks in AD much more quickly than through the GUI alone.

Alternatively, a great free tool that can manage users in AD is the Admin Bundle by SolarWinds. This handy tool can build network maps, help manage inactive accounts, and produce simple reports, just like the one we did in PowerShell

Export AD Group Members with PowerShell FAQs

Is there any way I can use the GUI in Active Directory to export group members?

No. While most tasks in AD can be performed via the graphical user interface, there are some commands and tasks that have to be run through PowerShell.

Is PowerShell free?

Yes, PowerShell is a free Windows utility.

Will this work if I’m running Window Server 2000/2008/XXXX?

Yes, so long as PowerShell is installed you should be able to run this command.

How do I export group members in Azure AD? 

You should be able to run this same command in the Azure Active Directory PowerShell tool.

How do I export my AD group members in PowerShell to Microsoft Excel?

You cannot save files directly to Microsoft Excel from PowerShell. Saving to CSV allows you to open them in Microsoft Excel, as well as other programs such as Open Office or Google Sheets.