Enumerate an Active Directory Group w/ Get-AdGroupMember

When the need to list out the members of an active directory group arises, say management asks, who are the members of this group, and you dont have a third party utility or don’t want to pipe a few ds commands, you can use get-adgroupmember.

Here are the steps:

1. Make sure you computer has active directory users and computers installed.  One way to determine this is to run dsa.msc and see if ADUC opens.  If not install it from control panel > programs > Turn windows features on or off and add the RSAT utilities, if you dont see them, you might not be a meber of a domain

2. Open powershell as admin and verify that the Active Directory module is available for your session, by running get-module -listavailable

3. Import the module into your session by typing import-module activeDirectory

AdImport

4. type Get-AdgroupMember nameOfGroup  or Get-ADgroupMember “Name Of Group with Quotes if the group name has spaces”  e.g.

to use Get-AdgroupMember for a group named WSSAdmins, you could type

Get-AdgroupMember wssAdmins

 

If the group was named wss admins, you’d need to surround that with “double quotes”

Get-AdgroupMember "Wss Admins"

 

after you’ve got this working, you should pipe it to get-member, like this

Get-adgroupmember | get-member

 

This will show you all the properties and methods that are available for this commandlet.

You can then extract more or less information in your results by piping the cmdlet to Format-list,

For example,

 get-adgroupmember "EnterPrise Admins" | format-list name, Sid

 

Or, even cleaner, just a list of names

get-adgroupmember "EnterPrise Admins" | format-table name