Get-ADGroupMember is a PowerShell cmdlet used to retrieve the members of an Active Directory group, including users, computers, and other groups. This command is essential for IT administrators managing group memberships, auditing security permissions, and ensuring proper access control across an organization's Active Directory environment.
While Get-ADGroupMember provides a straightforward way to list group members, it requires scripting knowledge and can become complex when dealing with nested groups or large environments. Additionally, retrieving Microsoft Entra ID group members requires a different approach, such as using Microsoft Graph PowerShell, which comes with its own challenges like throttling limits and authentication complexities.
For a more efficient and user-friendly solution, ManageEngine ADManager Plus offers an intuitive, no-code interface to retrieve and manage group memberships effortlessly. With pre-built reports and automation capabilities, administrators can streamline group management without the need for PowerShell scripting.
- Export reports in various formats, like PDF, XLS, CSV, and HTML.
- Perform on-the-fly management actions on the objects generated via the report.
- Set up automated report generation.
Before running the Get-ADGroupMember cmdlet, ensure the following requirements are met:
```powershell
Install-WindowsFeature -Name RSAT-AD-PowerShell
Import-Module ActiveDirectory
```
Use the Get-ADGroupMember cmdlet to get Active Directory group members. The syntax is as follows:
```powershell
Get-ADGroupMember
    [-AuthType <ADAuthType>]
    [-Credential <PSCredential>]
    [-Identity] <ADGroup>
    [-Partition <String>]
    [-Recursive]
    [-Server <String>]
    [<CommonParameters>]
```
Example 1: Get all members of a group
```
Get-ADGroupMember
cmdlet Get-ADGroupMember at command pipeline position 1
Supply values for the following parameters: (Type !? for Help.)
Identity: Administrators

distinguishedName : CN=Domain Admins,CN=Users,DC=Fabrikam,DC=com
name              : Domain Admins
objectClass       : group
objectGUID        : 5ccc6037-c2c9-42be-8e92-c8f98afd0011
SamAccountName    : Domain Admins
SID               : S-1-5-21-41432690-3719764436-1984117282-512

distinguishedName : CN=Enterprise Admins,CN=Users,DC=Fabrikam,DC=com
name              : Enterprise Admins
objectClass       : group
objectGUID        : 0215b0a5-aea1-40da-b598-720efe930ddf
SamAccountName    : Enterprise Admins
SID               : S-1-5-21-41432690-3719764436-1984117282-519

distinguishedName : CN=LabAdmin,CN=Users,DC=Fabrikam,DC=com
name              : LabAdmin
objectClass       : user
objectGUID        : ab7c269d-aec5-4fcc-aebe-6cd1a2e6cd53
SamAccountName    : LabAdmin
SID               : S-1-5-21-41432690-3719764436-1984117282-1000

distinguishedName : CN=Administrator,CN=Users,DC=Fabrikam,DC=com
name              : Administrator
objectClass       : user
objectGUID        : 994f46e6-c62c-483f-a6cf-124197b6a959
SamAccountName    : Administrator
SID               : S-1-5-21-41432690-3719764436-1984117282-500
```
Example 2: Get members of a group including the members of child groups
```
Get-ADGroupMember -Identity "Enterprise Admins" -Recursive

distinguishedName : CN=Administrator,CN=Users,DC=Fabrikam,DC=com
name              : Administrator
objectClass       : user
objectGUID        : 994f46e6-c62c-483f-a6cf-124197b6a959
SamAccountName    : Administrator
SID               : S-1-5-21-41432690-3719764436-1984117282-500

distinguishedName : CN=Sagiv Hadaya,CN=Users,DC=Fabrikam,DC=com
name              : Sagiv Hadaya
objectClass       : user
objectGUID        : 64706230-f179-4fe4-b8c9-f0d334e66ab1
SamAccountName    : SHadaya
SID               : S-1-5-21-41432690-3719764436-1984117282-1158
```
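Building on Example 2, the following added example (not part of the original page or of any vendor tooling) compares the direct and `-Recursive` results for each group to show which accounts hold privileged access only through a nested group. The function name `Get-EffectiveGroupMember` and the CSV path are assumptions made for illustration; the group names are taken from the sample output above.

```powershell
# Added example: audit effective membership of privileged groups.
# Function name and output path are hypothetical; adjust group names for your domain.
Import-Module ActiveDirectory

function Get-EffectiveGroupMember {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$Identity,
        [string]$Server
    )
    # Pass -Server through only when the caller supplied it.
    $common = @{ ErrorAction = 'Stop' }
    if ($Server) { $common.Server = $Server }

    foreach ($group in $Identity) {
        try {
            # Direct members: users, computers and nested groups.
            $direct = @(Get-ADGroupMember -Identity $group @common)
            # -Recursive flattens child groups and returns only leaf members.
            $effective = @(Get-ADGroupMember -Identity $group -Recursive @common)
        }
        catch {
            # Report the failure and keep auditing the remaining groups.
            Write-Warning "Could not enumerate '$group': $($_.Exception.Message)"
            continue
        }
        $directDns = @($direct | ForEach-Object { $_.distinguishedName })
        foreach ($m in $effective) {
            [pscustomobject]@{
                Group             = $group
                SamAccountName    = $m.SamAccountName
                ObjectClass       = $m.objectClass
                SID               = $m.SID.Value
                # 'Nested' means the access arrives through a child group.
                Membership        = if ($directDns -contains $m.distinguishedName) { 'Direct' } else { 'Nested' }
                DistinguishedName = $m.distinguishedName
            }
        }
    }
}

Get-EffectiveGroupMember -Identity 'Administrators', 'Enterprise Admins' |
    Sort-Object Group, Membership, SamAccountName |
    Export-Csv -Path .\privileged-group-members.csv -NoTypeInformation
```

An account that is both a direct member and a member through a child group is reported as `Direct`.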
The table below lists key parameters that can be used with the Get-ADGroupMember cmdlet to efficiently retrieve members of Active Directory groups.
| Parameters | Description |
|---|---|
| -AuthType | Specifies the authentication method to use. |
| -Credential | Specifies the user account credentials to use to perform this task. |
| -Identity | Specifies the Active Directory group object by providing one of the following values: |
| -Partition | Specifies the distinguished name of an Active Directory partition. |