If you’re working in Active Directory as either an administrator or technician, chances are you'll need to export group members in Active Directory one day. Sometimes the request comes from HR, or maybe you just need this information for reporting.
If you do enough poking around you’ll find there is no GUI to export group members in Active Directory. Don’t fret, we’ve got you covered.
In this article, we’ll walk through how to export AD group members by using a few simple but powerful PowerShell commands.
Most servers will already have PowerShell installed. We can launch PowerShell by pressing Windows Key + R, typing ‘powershell’ without the quotes into the Run box, and pressing Enter.
If that command doesn’t work, you might not have the PowerShell module installed. If that is the case, you can download PowerShell from Microsoft’s GitHub account and install the PowerShell module for your environment.
Alternatively, you can install PowerShell directly from Server Manager as a role by doing the following:
Open Server Manager then click on Add Roles and Features.
Click Next until you see the Features section.
Click on the Remote Server Administration Tools tab -> Role Administration Tools -> AD DS and AD LDS Tools.
Enable the Active Directory module for Windows PowerShell.
Next, click on the Install button to begin the installation of PowerShell.
Finding The Active Directory Group Name
Next, you’ll need to find and list all of the groups in Active Directory. This helps you know exactly what your group is named so we can reference it later in our PowerShell command for export.
Run the command below to list all of the Active Directory groups on your server:
get-adgroup -filter * | sort name | select Name
You should see a list of different user groups. Keep in mind that many of these groups are already built into Active Directory, so you might need to do a bit of searching before you find your group. Once you’ve identified the name of the group or groups you want, continue on.
Next, we’ll use the following command along with the name of the group to view all the members that are inside that group.
Get-AdGroupMember -identity "Your Group"
The names of all the members of that group should be listed below. You can use this on any group, and you can always use the get-adgroup -filter * | sort name | select Name command to list out all of your groups.
Here you’ll also be able to see each user's SID, Distinguished Name, Object Class, GUID, and SAM account name.
If you don’t need this additional information you can use the following command to filter your results and only output their name:
Get-AdGroupMember -identity "Your Group" | select name
Exporting AD Group Members To CSV From PowerShell
You’ll likely want to get this into CSV format to clean it up, store it on a server, or email to another staff member. To save your results as CSV use the following command:
Get-AdGroupMember -identity "Your Group" | select name | Export-csv -path C:\groupmembers.csv -NoTypeInformation
The above command takes the members from the “Your Group” AD group and exports those members to a CSV file named groupmembers.csv located in the root of your C drive.
Other Useful Commands
For further filtering in larger Active Directory environments, you can use additional filters to find certain types of accounts that might have been misplaced or not put into the proper group. For instance, accounts with administrative rights that are not in the traditional Administrator group.
The command below uses the GroupCategory parameter to limit the types of groups that get returned as only Security groups. This is useful for larger environments where you might not be 100% certain which group you’re looking for members in.
Get-ADGroup -Filter 'GroupCategory -eq "Security"'
If you have nested groups you may find that your results are showing the nested groups, instead of the members inside those groups. To fix this, we’ll need to add the -recursive parameter in order to enumerate all of the members and get them added to the list.
Your command would look like:
Get-ADGroupMember -identity "Your Group" -recursive | select name | Export-csv -path C:\groupmembers.csv -NoTypeInformation
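The recursive export above, extended as an added example (not part of the original article) to several groups at once, with a column showing whether each account is a direct member or arrives through a nested group. The function name, the second group name and the extra columns are assumptions made for illustration.

```powershell
# Added example: export flattened (recursive) membership for several groups.
# Requires the ActiveDirectory module; the group names are placeholders.
Import-Module ActiveDirectory

function Export-GroupMembership {
    param(
        [Parameter(Mandatory)] [string[]] $GroupName,
        [Parameter(Mandatory)] [string]   $Path
    )

    $rows = foreach ($group in $GroupName) {
        try {
            # Direct members only: nested groups show up here as group objects.
            $direct = Get-ADGroupMember -Identity $group -ErrorAction Stop
            # -Recursive expands nested groups and returns only the leaf objects.
            $all    = Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop
        }
        catch {
            # A misspelled or deleted group should not abort the whole export.
            Write-Warning "Skipping '$group': $($_.Exception.Message)"
            continue
        }

        $directDns = @($direct | ForEach-Object { $_.DistinguishedName })

        foreach ($member in $all) {
            [pscustomobject]@{
                Group             = $group
                Name              = $member.Name
                SamAccountName    = $member.SamAccountName
                ObjectClass       = $member.objectClass
                # 'Nested' means the account gets in through another group.
                Membership        = if ($directDns -contains $member.DistinguishedName) { 'Direct' } else { 'Nested' }
                DistinguishedName = $member.DistinguishedName
            }
        }
    }

    $rows | Sort-Object Group, Name |
        Export-Csv -Path $Path -NoTypeInformation -Encoding UTF8
}

Export-GroupMembership -GroupName 'Your Group', 'Another Group' -Path 'C:\groupmembers.csv'
```

An account that is both a direct member and a member through a nested group is reported as Direct.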
A final helpful hint: if you save these commands, you can create a PowerShell script and run it from a Scheduled Task automatically every month, quarter, or whatever your needs are. You can even set the export path to a network drive where others can access the CSV as well.
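Once the export runs on a schedule, two consecutive CSVs can be compared to see who was added or removed. This added example is not from the original article; the function name, the Group and SamAccountName columns and the sample rows are constructed for illustration.

```powershell
# Added example: compare two membership exports and report the changes.
# The two snapshots are constructed sample data; in practice, load last
# period's and this period's export files with Import-Csv instead.
$previous = @'
"Group","SamAccountName"
"Your Group","asmith"
"Your Group","bjones"
"Your Group","svc-backup"
'@ | ConvertFrom-Csv

$current = @'
"Group","SamAccountName"
"Your Group","asmith"
"Your Group","svc-backup"
"Your Group","cdoe"
'@ | ConvertFrom-Csv

function Compare-GroupMembership {
    param(
        [Parameter(Mandatory)] [object[]] $Previous,
        [Parameter(Mandatory)] [object[]] $Current
    )

    # Compare on group + account so the same user in two groups is tracked separately.
    Compare-Object -ReferenceObject $Previous -DifferenceObject $Current -Property Group, SamAccountName |
        ForEach-Object {
            [pscustomobject]@{
                Group          = $_.Group
                SamAccountName = $_.SamAccountName
                # '=>' exists only in the current export, '<=' only in the previous one.
                Change         = if ($_.SideIndicator -eq '=>') { 'Added' } else { 'Removed' }
            }
        }
}

Compare-GroupMembership -Previous $previous -Current $current |
    Sort-Object Change, SamAccountName
```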
Why Do We Need to Export AD Group Members?
Active Directory is mostly used within organizations for managing permissions and access to network resources. It even has built-in groups that organize and store all the data related to users, computers, and resources in a network of an organization. In AD, any object that is a member of a particular group is referred to as a group member.
Within a company, there are a number of significant uses for exporting Active Directory (AD) group members. The following are some of the major reasons why exporting AD group members is highly necessary:
- Auditing and Compliance: It becomes easier for organizations to keep track of who has access to what resources and sensitive information by exporting AD group members. For regulatory compliance with SOX, HIPAA, and GDPR regulations, this information is essential.
- Security Review: Security teams can examine and assess access rights on a regular basis by exporting AD group members. This makes it easier to spot any improper or unauthorized access and implement the necessary security risk-reducing measures. It even offers better visibility into specific resources, including files, directories, or network resources.
- Access Control Management: Administrators can precisely monitor and maintain access controls by exporting AD group members. To avoid security lapses and data leaks, they may quickly confirm that only authorized users have access to particular resources.
- User Lifecycle Management: Exporting group membership enables organizations to precisely update access rights if a user joins, moves within, or leaves the company. This lowers the chance that orphaned accounts will continue to have access while also promoting effective user lifecycle management.
- Report Creation and Documentation: Management and IT teams can also use exported data for reporting purposes. The reports will help team members better understand how access privileges are distributed throughout the company. For the purposes of troubleshooting, security audits, and compliance, this documentation is essential. It even offers better transparency and accountability.
- Troubleshooting and Support: A current, updated list of group members can be extremely helpful when looking into access-related problems or offering technical support. This information helps organizations swiftly locate and fix issues.
- Role-Based Access Control (RBAC): Exporting AD group members is crucial for enterprises implementing RBAC in order to define and validate roles and permissions for diverse job functions. This feature makes sure the appropriate individuals have access to the appropriate resources.
- Migration and Consolidation: Exporting AD group members assists in smooth transition planning and execution when there are changes to the IT infrastructure, such as mergers, acquisitions, or migrations. It makes certain that access permissions are transferred accurately.
- Historical Records: The exported group member details can further be used as historical records for access management. With the help of this information, organizations are able to keep an eye on past trends in resource access and follow changes over time.
- Compliance Audits: Auditors frequently demand proof of rights and access controls during compliance audits. Exported AD group members offer the required proof of adherence to security regulations.
- Data Governance: Knowing who has access to sensitive data is essential for data governance and classification purposes. Members of AD groups can be exported to help with data security.
- User Provisioning and Deprovisioning: Exporting AD group members might be beneficial when bringing on new staff or removing departing ones. In order to prevent departed users from accessing resources they shouldn't, it makes sure that new users are added to the proper groups with the requisite rights and that departing users are removed from those groups.
- Backup and Disaster Recovery: Keeping track of AD group memberships might be a component of a more comprehensive backup and recovery plan. This information can be used to roll back user and group configurations in the event of a system crash or data loss.
In order to ensure security, compliance, and effective user and resource management within an organization, it is essential for administrators to export AD group members. It helps troubleshoot issues and supports numerous administrative and compliance requirements while giving visibility into who has access to what.
PowerShell is an excellent tool if you know how to use it, and sometimes it’s the only tool for the job. If you know your way around PowerShell you can knock out tasks in AD much more quickly than through the GUI alone.
Alternatively, a great free tool that can manage users in AD is the Admin Bundle for Active Directory by SolarWinds. This handy tool can build network maps, help manage inactive accounts, and produce simple reports, just like the one we did in PowerShell.
Export AD Group Members with PowerShell FAQs
Is there any way I can use the GUI in Active Directory to export group members?
No. While most tasks in AD can be performed via the graphical user interface, there are some commands and tasks that have to be run through PowerShell.
Is PowerShell free?
Yes, PowerShell is a free Windows utility.
Will this work if I’m running Windows Server 2000/2008/XXXX?
Yes, so long as PowerShell is installed you should be able to run this command.
How do I export group members in Azure AD?
You should be able to run this same command in the Azure Active Directory PowerShell tool.
How do I export my AD group members in PowerShell to Microsoft Excel?
You cannot save files directly to Microsoft Excel from PowerShell. Saving to CSV allows you to open them in Microsoft Excel, as well as other programs such as Open Office or Google Sheets.