Monday, August 16, 2010

AD Group Report - List Group Members in Active Directory–PowerShell Script

Updated Script -

Script #1

This script can be used to list group membership in Active Directory. Input – Group DN


As you can see on the following screenshot, this script uses an input file called Glist.csv which contains all group names.


You will see the output on the screen as well as in the GroupDetails.csv file.


You can download the script from the following locations.  Rename the file to .PS1

Script #2

Modified Script – This script will prompt you for the Group distinguishedName (DN). 


Script #3

$OutPutFile = New-Item -type file -force "D:\Scripts\GroupDetails.csv"

#update filter based on your requirement

# 2 Global distribution group

# 4 Domain local distribution group

# 8 Universal distribution group

# -2147483646 Global security group

# -2147483644 Domain local security group

# -2147483640 Universal security group

$ObjFilter = "(&(objectCategory=Group)(|(groupType=2)(groupType=4)(groupType=8)))"

$objSearch = New-Object System.DirectoryServices.DirectorySearcher

$objSearch.SearchRoot = "LDAP://OU=DLs,DC=Sivarajan,DC=com"

$objSearch.PageSize  = 10000

$objSearch.Filter = $ObjFilter

$Results = $objSearch.FindAll()

foreach ($Result in $Results){

    $Item = $Result.Properties

    Write-host $

$ | Out-File $OutPutFile -encoding ASCII -append

    foreach ($Member in $Item.member) {

               Write-host "$Member"

$Member | Out-File $OutPutFile -encoding ASCII -append



Script #4

Nested Group Report - This script will search AD for all security groups and generate a nested group  details. Output will contain only Groups.



$AllGroupNames = Get-ADGroup -Filter {(GroupCategory -eq 'security')} #-SearchBase 'DC=domain1,DC=com'
#Gnames - contins all Security group details
    foreach ($GNamet in $AllGroupNames)
    Write-Host "Parent Group Name -" $GNamet.Name, $GNamet.GroupScope
    #GNamet contins all Group properties
    $Gname = $GNamet.Name
    #$Gname contians only group names
    $AllGmembers = Get-ADGroupMember -identity $Gname
    #$AllGmembers - memeber details from each security group
        foreach ($GMemebr in $AllGmembers) #Loop for verifying each member type
                If ($GMemebr.objectClass -eq "Group") #verifying each member type. 
                    $ChildGroupProp = Get-ADGroup -Identity $GMemebr
                    Write-Host "Child Group Member(s)-" $, $ChildGroupProp.GroupScope -ForegroundColor Green




Output will contain parent and child group and group type.



Hi Santosh,

Do you have any disc.vouchers for MCTS 70-432 now? iam planning to finish it off this weekend.


Could you elaborate on the contents of Glist.csv? I have an AD with no OUs created and I am not sure what to put there.

Also, does the DC=local indicate the script is run on the DC? Should I put something else to run it remotely?

It is the DN (Distinguished Name) of the group. If you have Windows 2008 or R2, you can go to the properties of the group and select the “Attribute” Tab, you will see the Distinguished Name (DN) there.

DC is the domain name. In my example, my domain name is “Infralab.local”

“Test1” is the group name. It is inside the “Test” OU.

So the DN of the Group = “name of the group, name of OU, domain name”

Please let me know if you need more clarification.

How do I select the group only accounts enable

What do you mean by “group only accounts enable”? What are you trying to accomplish?

He wants to have only active accounts in the group.
'Where userAccountControl = 512'

Hi Santhosh,

I get this error when i run your script..Please help..i am a newbie to powershell

Windows PowerShell
Copyright (C) 2009 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> $GFile = New-Item -type file -force "C:\Scripts\GroupDetails.csv"
PS C:\Windows\system32> Write-Host "Schema Admins" -ForegroundColor Red
Schema Admins
PS C:\Windows\system32> $GName = Read-Host
$group = [ADSI] "LDAP://$GName"
PS C:\Windows\system32> $
PS C:\Windows\system32> $ | Out-File $GFile -encoding ASCII -append
PS C:\Windows\system32> foreach ($member in $group.member)
>> {
>> $Uname = new-object directoryservices.directoryentry("LDAP://$member")
>> $
>> $Uname.samaccountname
>> $Uname.samaccountname $ | Out-File $GFile -encoding ASCII -append
>> }
Unexpected token 'Uname' in expression or statement.
At line:6 char:41
+ $Uname.samaccountname $Uname <<<< .cn | Out-File $GFile -encoding ASCII -append
+ CategoryInfo : ParserError: (Uname:String) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : UnexpectedToken

As you know, this script is not searching AD for “active” users. In that case, you need validate the Admin group result against AD.

Hi Santosh,

I am also getting the same error "Unexpected token 'Uname' in expression or statement"

What do you mean by "you need validate the Admin group result against AD"

Please post the complete script here.

Since this script is not searching or validating the result against AD, you need to compare the local admin member details against AD.

Very useful Santhosh, modified to automate the creation of the DN's file (could probably use an array, but I'm not there yet. Also modified the output to display additional fields.

<# from a list of group names (GroupName.txt), generate a list with the group's DN, (Glist.csv),
import this list and generate list of group members (GroupDetails.csv) for each group

$GroupsList = "C:\Glist.csv" #list with DN's
$GFile = New-Item -type file -force "C:\GroupDetails.csv" #list with group members

#original list with group names
foreach($item in (gc "C:\GroupName.txt")){

get-QADGroup $item | select DN | Export-Csv $GroupsList

Import-CSV $GroupsList | ForEach-Object {

# .DN - this is the header used for the list
$GName = $_.DN

# query group
$group = [ADSI] "LDAP://$GName"
$ | Out-File $GFile -encoding ASCII -append
foreach ($member in $group.member)
$Uname = new-object directoryservices.directoryentry("LDAP://$member")
$Outline = "`""
$Outline +=$Uname.sAMAccountName
$Outline += "`",`""
$Outline += $Uname.displayName
$Outline += "`",`""
$Outline += $Uname.userPrincipalName
$Outline += "`""

$Outline | Out-File $GFile -encoding ASCII -append

Thanks. It looks like you are using some Quest cmdlets also.

Thanks for sharing your version of the script.

Is there a way to limit output to just groups that are members, and not users or computers, is there a way to filter this output for that?

I'm trying Where {objectclass -eq 'group'} and getting nothing...


I am having difficulty with the GList. Can you offer some advice please?


Please post the error message here

Yes. You can. What is your actual requirement?

Great script that potentially can save my a lot of work. Just one questrion from a Powershell-virgin: Is there a way I can modify the script to only show the users that are members and not groups that are member of other groups?

I eventually got this script to work after much fuddling around. I comment that the script leaves out a LOT of preliminary knowledge and information. I work in a large enterprise environment and I only care about my Site's groups. So I used the old ldp.exe (from the Windows 2000 Server Resource Kit) to inspect the Distinguished Names of each of my groups. Then I used Active Directory Users and Computers "Export" function to dump my groups into text file which I opened in Excel. I then appended the necessary Distinguished Name information to create the GList.csv text file. It still bloody didn't work until I added the "GroupName" header at the top of the csv file. I then debugged it in Windows PowerShell Integrated Scripting Environment (ISE) program and finally got it to dump the desired text file of users. I thank the script authors but comment that they should expect the audience to be much less expert than themselves in respect of knowledge of LDAP DN paths, etc. and should provide step-by-step illustrated instructions for "aspiring" Systems Admins like myself seeking enlightenment.

Mr Maw is there any step-by-step tutorial to use for this procedure?

Is there anyway I can add the managedby field to the output of this script?



What do you mean by “of preliminary knowledge and information”? What are you expecting to see?

Hi thanks, I worked it out I needed $Uname.manager...however it returns the full distinguished name of the manager back, e.g. CN=Smith\, Steve,OU=Advanced Users,DC=DOMAIN,DC=ORG,DC=UK
Can I filter this so it just outputs the display name of the manager?

Thanks again

Yes. It was Manager (

There are many ways you can get the name or some other attribute values. Here is an example using the same logic:

Store manager value to a variable and get the CN.

$temp1 = $Uname.manager
$temp2 = [ADSI] "LDAP://$temp1"

$ will be display name

How do you get the output file to differentiate Groups and users? IE Upper for Groups or Comma infront of Users?

Is there any way to add some spaces in front of the users names so at a glance you can tell the difference between users and groups? i.e.

I think he is referring to the fact that it's easy for a person totally unfamiliar with Powershell to overlook the fact that the GList.csv file needs to be manually created and is just a reference point. Also that the file needs to have the exact information and format.

I'm totally new to powershell as well, and if I hadn't seen his post, I would probably still be lost.

I´ve made a little modification to your script in order to display :
Group ; User in the same line and easily filter with excel:

$GFile = New-Item -type file -force "C:\Scripts\GroupDetails.csv"
Import-CSV "C:\Scripts\GList.txt" | ForEach-Object {
$GName = $_.GroupName
$group = [ADSI] "LDAP://$GName"

$ | Out-File $GFile -encoding ASCII -append

foreach ($member in $group.member)
$data = $,";",$
$Uname = new-object directoryservices.directoryentry("LDAP://$member")
Write-Host $data
$ | Out-File $GFile -encoding ASCII -append


Thanks Carlos! Thanks for sharing this.

Hi Santosh

Thanks for the great scripts. I am currently running script 4 on one of my servers and as much i like the display of parent and child groups on screen is there anyway to export this to a file.

Please advise.


I am getting mentioned below error while running this script. Please help me

Unexpected token 'Uname' in expression or statement.
At C:\group.ps1:12 char:32
+ $Uname.samaccountname $Uname <<<< .cn | Out-File $GFile -encoding ASCII -append
+ CategoryInfo : ParserError: (Uname:String) [], ParseException
+ FullyQualifiedErrorId : UnexpectedToken

Could you elaborate on the contents of Glist.csv? I have an AD with no OUs created and I am not sure what to put there.

Also, does the DC=local indicate the script is run on the DC? Should I put something else to run it remotely?

- - - - Choi Minzi - - - -
1 800 273 8255 lyrics

I have to fetch All group membership of specific user in loop used in powershell from multiple domains

Hi senthosh
I get this error when I run your script..
Please help..i am a new to powershell

New-Item : A positional parameter cannot be found that accepts argument 'Import-CSV'.
At line:1 char:10
+ $GFile = New-Item -type file -force "C:\Scripts\GroupDetails.csv" Imp ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [New-Item], ParameterBindingException
+ FullyQualifiedErrorId : PositionalParameterNotFound,Microsoft.PowerShell.Commands.NewItemCommand

Post a Comment

Popular Posts


Twitter Delicious Facebook Digg Stumbleupon Favorites More