How To Export AD Group Members with PowerShell

John Cirelly UPDATED: August 30, 2024

If you’re working in Active Directory as either an administrator or technician, chances are you'll need to export group members in Active Directory one day. Sometimes the request comes from HR, or maybe you just need this information for reporting.

If you do enough poking around you’ll find there is no GUI to export group members in Active Directory. Don’t fret, we’ve got you covered.

In this article, we’ll walk through how to export AD group members by using a few simple, but powerful PowerShell commands.

Launching PowerShell

Most servers will already have PowerShell installed. We can launch PowerShell by pressing Windows Key + R, typing ‘powershell’ without the quotes into the Run box, and pressing Enter.

If that command doesn’t work, you might not have the PowerShell module installed. If that is the case, you can download PowerShell from Microsoft’s GitHub account and install it for your environment.

Alternatively, you can install PowerShell directly from Server Manager as a role by doing the following:

Open Server Manager then click on Add Roles and Features.

Click Next until you see the Features section.

Click on the Remote Server Administration Tools tab -> Role Administration Tools -> AD DS and AD LDS Tools.

Enable the Active Directory module for Windows PowerShell.

Next click on the Install button to begin the installation of PowerShell.

Finding The Active Directory Group Name

Next, you’ll need to find and list all of the groups in Active Directory. This helps you know exactly what your group is named so we can reference it later in our PowerShell command for export.

Run the command below to list all of the Active Directory groups on your server:

get-adgroup -filter * | sort name | select Name

You should see a list of different user groups. Keep in mind that many of these groups are already built into Active Directory, so you might need to do a bit of searching before you find your group. Once you’ve identified the name of the group or groups you want, continue on.

Next, we’ll use the following command along with the name of the group to view all the members that are inside that group.

Get-AdGroupMember -identity "Your Group"

The names of all members of that group should be listed below the command. You can use this on any group, and you can always use the get-adgroup -filter * | sort name | select Name command to list all of your groups.

Here you’ll also be able to see each user's SID, Distinguished Name, Object Class, GUID, and SAM account name.

If you don’t need this additional information you can use the following command to filter your results and only output their name:

Get-AdGroupMember -identity "Your Group" | select name

Exporting AD Group Members To CSV From PowerShell

You’ll likely want to get this into CSV format to clean it up, store it on a server, or email to another staff member. To save your results as CSV use the following command:

Get-AdGroupMember -identity "Your Group" | select name | Export-csv -path C:\groupmembers.csv -NoTypeInformation

The above command takes the members from the “Your Group” AD group and exports those members to a CSV file named groupmembers.csv located in the root of your C drive.

Other Useful Commands

For further filtering in larger Active Directory environments, you can use additional filters to find certain types of accounts that might have been misplaced or not put into the proper group. For instance, accounts with administrative rights that are not in the traditional Administrator group.

The command below uses the GroupCategory parameter to limit the types of groups that get returned as only Security groups. This is useful for larger environments where you might not be 100% certain which group you’re looking for members in.

Get-ADGroup -Filter 'GroupCategory -eq "Security"'

If you have nested groups you may find that your results are showing the nested groups, instead of the members inside those groups. To fix this, we’ll need to add the -recursive parameter in order to enumerate all of the members and get them added to the list.

Your command would look like:

Get-ADGroupMember -identity "Your Group" -recursive | select name | Export-csv -path C:\groupmembers.csv -NoTypeInformation

A final helpful hint: if you save these commands in a PowerShell script, you can run it from a Scheduled Task automatically every month, quarter, or at whatever interval you need. You can even set the export path to a network drive where others can access the CSV as well.
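The script below is an added example, not part of the original article: it extends the single-group export to several groups, keeps the previous CSV as a baseline, and writes a change report, which suits a Scheduled Task. The group names, output folder and file names are assumptions to replace with your own.

```powershell
# Added example, not from the original article. Group names and paths are placeholders.
Import-Module ActiveDirectory

$Groups   = @('Domain Admins', 'Your Group')     # assumption: groups to review
$OutDir   = 'C:\Reports\GroupMembers'            # assumption: folder readable only by admins/auditors
$Current  = Join-Path $OutDir 'groupmembers-current.csv'
$Previous = Join-Path $OutDir 'groupmembers-previous.csv'

if (-not (Test-Path $OutDir)) { New-Item -ItemType Directory -Path $OutDir | Out-Null }

# Collect recursive membership for every group before touching any file,
# so a failed lookup never replaces a good baseline with a partial export.
$rows = @(foreach ($group in $Groups) {
    try {
        Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop |
            Select-Object @{ n = 'Group'; e = { $group } },
                          name, SamAccountName, objectClass, distinguishedName
    }
    catch {
        throw "Could not read members of '$group': $($_.Exception.Message)"
    }
})

# Keep the last export as the baseline, then write the new one.
if (Test-Path $Current) { Copy-Item -Path $Current -Destination $Previous -Force }
$rows | Sort-Object Group, SamAccountName |
    Export-Csv -Path $Current -NoTypeInformation -Encoding UTF8

# Compare "group|account" keys from both exports; -notin also works on empty lists.
if (Test-Path $Previous) {
    $old = @(Import-Csv $Previous | ForEach-Object { '{0}|{1}' -f $_.Group, $_.SamAccountName })
    $new = @(Import-Csv $Current  | ForEach-Object { '{0}|{1}' -f $_.Group, $_.SamAccountName })

    $changes = @(
        $new | Where-Object { $_ -notin $old } | ForEach-Object { [pscustomobject]@{ Change = 'Added';   Member = $_ } }
        $old | Where-Object { $_ -notin $new } | ForEach-Object { [pscustomobject]@{ Change = 'Removed'; Member = $_ } }
    )
    if ($changes.Count -gt 0) {
        $report = Join-Path $OutDir ('changes-{0:yyyyMMdd-HHmm}.csv' -f (Get-Date))
        $changes | Export-Csv -Path $report -NoTypeInformation -Encoding UTF8
        Write-Warning "$($changes.Count) membership change(s) written to $report"
    }
}
```

Because the export lists who holds access to what, point $OutDir (or a network share) at a location only administrators and auditors can read.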

Why Do We Need to Export AD Group Members?

Active Directory is mostly used within organizations for managing permissions and access to network resources. It even has built-in groups that organize and store all the data related to users, computers, and resources in a network of an organization. In AD, any object that is a member of a particular group is referred to as a group member.

Within a company, there are a number of significant uses for exporting Active Directory (AD) group members. The following are some of the major reasons why exporting AD group members is highly necessary:

  • Auditing and Compliance: It becomes easier for organizations to keep track of who has access to what resources and sensitive information by exporting AD group members. For regulatory compliance with SOX, HIPAA, and GDPR regulations, this information is essential.
  • Security Review: Security teams can examine and assess access rights on a regular basis by exporting AD group members. This makes it easier to spot any improper or unauthorized access and implement the necessary security risk-reducing measures. It even offers better visibility into specific resources, including files, directories, or network resources.
  • Access Control Management: Administrators can precisely monitor and maintain access controls by exporting AD group members. To avoid security lapses and data leaks, they may quickly confirm that only authorized users have access to particular resources.
  • User Lifecycle Management: Exporting group membership enables organizations to precisely update access rights if a user joins, moves within, or leaves the company. This lowers the chance that orphaned accounts will continue to have access while also promoting effective user lifecycle management.
  • Report Creation and Documentation: Management and IT teams can also use exported data for reporting purposes. The reports will help team members better understand how access privileges are distributed throughout the company. For the purposes of troubleshooting, security audits, and compliance, this documentation is essential. It even offers better transparency and accountability.
  • Troubleshooting and Support: A current, updated list of group members can be extremely helpful when looking into access-related problems or offering technical support. This information helps organizations in swiftly locating and fixing issues.
  • Role-Based Access Control (RBAC): Exporting AD group members is crucial for enterprises implementing RBAC in order to define and validate roles and permissions for diverse job functions. This feature makes sure the appropriate individuals have access to the appropriate resources.
  • Migration and Consolidation: Exporting AD group members assists in smooth transition planning and execution when there are changes to the IT infrastructure, such as mergers, acquisitions, or migrations. It makes certain that the accurate transfer of access permissions is made.
  • Historical Records: The exported group member details can further be used as historical records for access management. With the help of this information, organizations are able to keep an eye on past trends in resource access and follow changes over time.
  • Compliance Audits: Auditors frequently demand proof of rights and access controls during compliance audits. Members of exported AD groups offer the required proof of adherence to security regulations.
  • Data Governance: Having knowledge as to who has access to sensitive data is essential for data governance and classification purposes. Members of AD groups can be exported to help with data security.
  • User Provisioning and Deprovisioning: Exporting AD group members might be beneficial when bringing on new staff or removing departing ones. In order to prevent departed users from accessing resources they shouldn't, it makes sure that new users are added to the proper groups with the requisite rights and that departing users are deleted from those groups.
  • Backup and Disaster Recovery: Keeping track of AD group memberships might be a component of a more comprehensive backup and recovery plan. This information can be used to roll back user and group configurations in the event of a system crash or data loss.

In order to ensure security, compliance, and effective user and resource management within an organization, it is essential for administrators to export AD group members. It helps troubleshoot issues and supports numerous administrative and compliance requirements while giving visibility into who has access to what.

Use a Third-Party Tool

ManageEngine ADManager Plus – FREE TRIAL

Not every administrator is comfortable with PowerShell. It is just easier to use a management package for Active Directory that has a graphical user interface. ManageEngine provides such a tool, which is called ADManager Plus.

Here’s how to export AD group members with this system.

Steps to Export AD Group Members with ADManager Plus:

Log in to ADManager Plus:

  • Open your web browser and go to the ADManager Plus URL.
  • Enter your credentials and log in to the ADManager Plus console.

Navigate to the Reports Section:

  • Once logged in, find the “Reports” tab on the top menu and click on it.
  • In the left pane, you’ll see various categories of reports. Look for the “Group Reports” section.

Select the Group Members Report:

  • Under “Group Reports”, select “Group Members”. This report will allow you to view and export the members of specific Active Directory groups.
  • You can either run this report for a specific group or for multiple groups at once.

Choose the Group(s) to Export:

  • In the “Group Members” report configuration, you will be prompted to select the group or groups for which you want to export the members.
  • Use the search function or browse through the list to select the desired group(s).
  • After selecting the group(s), click on the “Generate” or “View” button to generate the report.

View the Report:

  • The report will display a list of all members within the selected group(s), showing details such as user name, display name, email, and other attributes.
  • Review the information to ensure it meets your requirements.

Export the Report:

  • Once the report is generated and you’ve reviewed the data, click on the “Export” button.
  • You can choose from various formats, such as PDF, CSV, Excel, or HTML, depending on your needs.
  • Select the desired format, and the file will be downloaded to your local system.

Save or Share the Exported File:

  • After exporting, you can save the file to your desired location or share it with other stakeholders as needed.

Automate the Process (Optional):

  • If you need to export group members regularly, you can automate this task by scheduling the report. Go to the “Schedule Reports” section in ADManager Plus, set the frequency, and specify the group(s) you want to monitor.
  • Scheduled reports can be sent automatically to designated email addresses in your preferred format.

By following these steps, you can easily export Active Directory group members using ManageEngine ADManager Plus, ensuring you have accurate and up-to-date information for reporting or administrative purposes. You can register for a 30-day free trial.

Conclusion

PowerShell is an excellent tool if you know how to use it, and sometimes it’s the only tool for the job. If you know your way around PowerShell you can knock out tasks in AD much more quickly than through the GUI alone.

Export AD Group Members with PowerShell FAQs

Is there any way I can use the GUI in Active Directory to export group members?

No. While most tasks in AD can be performed via the graphical user interface, there are some commands and tasks that have to be run through PowerShell.

Is PowerShell free?

Yes, PowerShell is a free Windows utility.

Will this work if I’m running Windows Server 2000/2008/XXXX?

Yes, so long as PowerShell is installed you should be able to run this command.

How do I export group members in Azure AD? 

You should be able to run this same command in the Azure Active Directory PowerShell tool.

How do I export my AD group members in PowerShell to Microsoft Excel?

You cannot save files directly to Microsoft Excel from PowerShell. Saving to CSV allows you to open them in Microsoft Excel, as well as other programs such as Open Office or Google Sheets.