Using Active Directory PowerShell to Manage Groups and Members

I’m making an effort to teach myself PowerShell when the opportunity arises. Next week I will be reorganizing several VMware View desktop pools and the Active Directory Security Groups that are tied to them. Since I’ll be moving large groups of users around, I taught myself a few PowerShell one liners that should help.

Table of Contents

Get Members of a Group

List all users that belong to an Active Directory group. Helpful if you want to export a list of group members.

  • Get-ADGroupMember -Identity “Group-A” | Format-Table Name

Result

1
2
3
4
5
6
7
8
9
10
11
12
PS C:\> Get-ADGroupMember -Identity "Group-A" | Format-Table Name
 
Name
----
User1
User2
User3
User4
User5
User6
 
PS C:\>

Add Members of Group-A to Group-B

Copy all users that are members of one Active Directory group to another Active Directory group. Helpful if you want to copy all users of a Department Group to a Shared Folder or Applicaton group (to avoid too many levels of group-to-group nesting).

  • Get-ADGroupMember -Identity “Group-A” | Format-Table Name
  • Get-ADGroupMember -Identity “Group-B” | Format-Table Name
  • Get-ADGroupMember “Group-A” | Get-ADUser | ForEach-Object {Add-ADGroupMember -Identity “Group-B” -Members $_}
  • Get-ADGroupMember -Identity “Group-A” | Format-Table Name
  • Get-ADGroupMember -Identity “Group-B” | Format-Table Name

Result

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
PS C:\> Get-ADGroupMember -Identity "Group-A" | Format-Table Name
 
Name
----
User1
User2
User3
User4
User5
User6
 
PS C:\> Get-ADGroupMember -Identity "Group-B" | Format-Table Name
 
Name
----
User4
User5
User6
User7
User8
User9
 
PS C:\> Get-ADGroupMember "Group-A" | Get-ADUser | ForEach-Object {Add-ADGroupMember -Identity "Group-B" -Members $_}
 
PS C:\> Get-ADGroupMember -Identity "Group-A" | Format-Table Name
 
Name
----
User1
User2
User3
User4
User5
User6
 
PS C:\> Get-ADGroupMember -Identity "Group-B" | Format-Table Name
 
Name
----
User1
User2
User3
User4
User5
User6
User7
User8
User9
 
PS C:\>

Get all Groups that begin with “Group-“

List all Active Directory groups that begin with a prefix or similar naming convention. You could easily do the same for a suffix (name=-Security) or even similarities in the middle of a name (name=Department*). Helpful if similarly named groups are distributed among many organizational units.

  • Get-ADGroup -LDAPFilter “(name=Group-*)” | Format-Table

Result

1
2
3
4
5
6
7
8
9
10
PS C:\> Get-ADGroup -LDAPFilter "(name=Group-*)" | Format-Table
 
Distingui GroupCate GroupScop Name      ObjectCla ObjectGUI SamAccoun SID
shedName       gory         e           ss        D         tName
--------- --------- --------- ----      --------- --------- --------- ---
CN=Gro...  Security    Global Group-A   group     96a77c... Group-A   S-1-5-...
CN=Gro...  Security    Global Group-B   group     a7ceb5... Group-B   S-1-5-...
CN=Gro...  Security    Global Group-C   group     06dc9d... Group-C   S-1-5-...
 
PS C:\>

Get Members of all Groups that begin with “Group-“

List all Active Directory users that are members of all groups that being with a similar prefix or naming convention. Helpful way to create an aggregate list of users from similarly named groups.

  • Get-ADGroupMember -Identity “Group-A” | Format-Table Name
  • Get-ADGroupMember -Identity “Group-B” | Format-Table Name
  • Get-ADGroup -LDAPFilter “(name=Group-*)” | Get-ADGroupMember | Format-Table Name

Result

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
PS C:\> Get-ADGroupMember -Identity "Group-A" | Format-Table Name
 
Name
----
User1
User2
User3
User4
User5
User6
 
PS C:\> Get-ADGroupMember -Identity "Group-B" | Format-Table Name
 
Name
----
User4
User5
User6
User7
User8
User9
 
PS C:\> Get-ADGroup -LDAPFilter "(name=Group-*)" | Get-ADGroupMember | Format-Table Name
 
Name
----
User1
User2
User3
User4
User5
User6
User4
User5
User6
User7
User8
User9
 
PS C:\>

Get Members of a Group recursively

List all users that are members of a group or are nested members of any other child group. Helpful in finding all inheritable membership of a group by retrieving users who are members of child, grandchild, and soforth sub-groups.

  • Get-ADGroupMember -Identity “Group-A” | Format-Table Name
  • Get-ADGroupMember -Identity “Group-B” | Format-Table Name
  • Get-ADGroupMember -Identity “Group-C” | Format-Table Name
  • Get-ADGroupMember -Identity “Group-A” -Recursive | Format-Table Name

Result

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
PS C:\> Get-ADGroupMember -Identity "Group-A" | Format-Table Name
 
Name
----
User1
User2
User3
Group-B
 
PS C:\> Get-ADGroupMember -Identity "Group-B" | Format-Table Name
 
Name
----
User4
User5
User6
Group-C
 
PS C:\> Get-ADGroupMember -Identity "Group-C" | Format-Table Name
 
Name
----
User7
User8
User9
 
PS C:\> Get-ADGroupMember -Identity "Group-A" -Recursive | Format-Table Name
 
Name
----
User1
User2
User3
User4
User5
User6
User7
User8
User9
 
PS C:\>

Add Members of Group-A recursively to Group-C

Recursively copy all users and nested/child users of one group to another group. Helpful in flattening out and simplifying group memberships.

  • Get-ADGroupMember -Identity “Group-A” | Format-Table Name
  • Get-ADGroupMember -Identity “Group-B” | Format-Table Name
  • Get-ADGroupMember -Identity “Group-C” | Format-Table Name
  • Get-ADGroupMember -Identity “Group-A” -Recursive | Get-ADUser | ForEach-Object {Add-ADGroupMember -Identity “Group-C” -Members $_}
  • Get-ADGroupMember -Identity “Group-C” | Format-Table Name

Result

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
PS C:\> Get-ADGroupMember -Identity "Group-A" | Format-Table Name
 
Name
----
User1
User2
User3
Group-B
 
PS C:\> Get-ADGroupMember -Identity "Group-B" | Format-Table Name
 
Name
----
User4
User5
User6
 
PS C:\> Get-ADGroupMember -Identity "Group-C" | Format-Table Name
 
Name
----
User7
User8
User9
 
PS C:\> Get-ADGroupMember -Identity "Group-A" -Recursive | Get-ADUser | ForEach-Object {Add-ADGroupMember -Identity "Group-C" -Members $_}
 
PS C:\> Get-ADGroupMember -Identity "Group-C" | Format-Table Name
 
Name
----
User1
User2
User3
User4
User5
User6
User7
User8
User9
 
PS C:\>

Remove Members of Group-A who are in Group-B

Remember users of one group who also belong to another group. Helpful if you want to ensure users uniquely belong to only type of security group.

  • Get-ADGroupMember -Identity “Group-A” | Format-Table Name
  • Get-ADGroupMember -Identity “Group-B” | Format-Table Name
  • Get-ADGroupMember -Identity “Group-B” | Get-ADUser | ForEach-Object {Remove-ADGroupMember -Identity “Group-A” -Members $_ -Confirm:$False}
  • Get-ADGroupMember -Identity “Group-A” | Format-Table Name
  • Get-ADGroupMember -Identity “Group-B” | Format-Table Name

Result

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
PS C:\> Get-ADGroupMember -Identity "Group-A" | Format-Table Name
 
Name
----
User1
User2
User3
User4
User5
User6
 
PS C:\> Get-ADGroupMember -Identity "Group-B" | Format-Table Name
 
Name
----
User4
User5
User6
User7
User8
User9
 
PS C:\> Get-ADGroupMember -Identity "Group-B" | Get-ADUser | ForEach-Object {Remove-ADGroupMember -Identity "Group-A" -Members $_ -Confirm:$False}
 
PS C:\> Get-ADGroupMember -Identity "Group-A" | Format-Table Name
 
Name
----
User1
User2
User3
 
PS C:\> Get-ADGroupMember -Identity "Group-B" | Format-Table Name
 
Name
----
User4
User5
User6
User7
User8
User9
 
PS C:\>

Get Members of Group-A whose accounts are Disabled

List all user accounts from a group that are disabled. Helpful at finding accounts that you might want to remove.

  • Get-ADGroupMember -Identity “Group-A” | Get-ADUser | Format-Table Enabled,SamAccountName
  • Get-ADGroupMember -Identity “Group-A” | Get-ADUser | Where-Object {$_.Enabled -eq $False} | Format-Table Enabled,SamAccountName

Result

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
PS C:\> Get-ADGroupMember -Identity "Group-A" | Get-ADUser | Format-Table Enabled,SamAccountName
 
Enabled SamAccountName
------- --------------
   True User1
  False User2
   True User3
  False User4
   True User5
  False User6
 
PS C:\> Get-ADGroupMember -Identity "Group-A" | Get-ADUser | Where-Object {$_.Enabled -eq $False} | Format-Table Enabled,SamAccountName
 
Enabled SamAccountName
------- --------------
  False User2
  False User4
  False User6
 
PS C:\>

Get Members of all Groups that begin with “Group-” that have Disabled accounts

List all disabled user accounts from all groups with a specific prefix. Helpful at finding accounts that you might want to remove.

  • Get-ADGroupMember -Identity “Group-A” | Get-ADUser | Format-Table Enabled,SamAccountName
  • Get-ADGroupMember -Identity “Group-B” | Get-ADUser | Format-Table Enabled,SamAccountName
  • Get-ADGroup -LDAPFilter “(name=Group-*)” | Get-ADGroupMember | Get-ADUser | Where-Object {$_.Enabled -eq $False} | Format-Table Enabled,SamAccountName

Result

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
PS C:\> Get-ADGroupMember -Identity "Group-A" | Get-ADUser | Format-Table Enabled,SamAccountName
 
Enabled SamAccountName
------- --------------
   True User1
  False User2
   True User3
  False User4
   True User5
  False User6
 
PS C:\> Get-ADGroupMember -Identity "Group-B" | Get-ADUser | Format-Table Enabled,SamAccountName
 
Enabled SamAccountName
------- --------------
  False User4
   True User5
  False User6
   True User7
  False User8
   True User9
 
PS C:\> Get-ADGroup -LDAPFilter "(name=Group-*)" | Get-ADGroupMember | Get-ADUser | Where-Object {$_.Enabled -eq $False} | Format-Table Enabled,SamAccountName
 
Enabled SamAccountName
------- --------------
  False User2
  False User4
  False User6
  False User4
  False User6
  False User8
 
PS C:\>

Remove all user accounts from a group that are disabled. Helpful at cleaning up group memberships.

  • Get-ADGroupMember -Identity “Group-A” | Get-ADUser | Format-Table Enabled,SamAccountName
  • Get-ADGroupMember -Identity “Group-A” | Get-ADUser | Where-Object {$.Enabled -eq $False} | ForEach-Object {Remove-ADGroupMember -Identity “Group-A” -Members $ -Confirm:$False}
  • Get-ADGroupMember -Identity “Group-A” | Get-ADUser | Format-Table Enabled,SamAccountName

Result

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
PS C:\> Get-ADGroupMember -Identity "Group-A" | Get-ADUser | Format-Table Enabled,SamAccountName
 
Enabled SamAccountName
------- --------------
   True User1
  False User2
   True User3
  False User4
   True User5
  False User6
 
PS C:\> Get-ADGroupMember -Identity "Group-A" | Get-ADUser | Where-Object {$_.Enabled -eq $False} | ForEach-Object {Remove-ADGroupMember -Identity "Group-A" -Members $_ -Confirm:$False}
 
PS C:\> Get-ADGroupMember -Identity "Group-A" | Get-ADUser | Format-Table Enabled,SamAccountName
 
Enabled SamAccountName
------- --------------
   True User1
   True User3
   True User5
 
PS C:\>

5 replies on “Using Active Directory PowerShell to Manage Groups and Members”

  1. Hello Jason,

    Excellent post and very helpfull.

    I was wondering how I would be able to export all the users that belong to all groups that begin with GRP, in to a csv file. I would like them to be in seperate colums or in seperate csv files if possible.

    Can you help with this?

    Get-ADGroup -LDAPFilter “(name=grp-*)” | Get-ADGroupMember | Format-Table Name

    Maz

  2. @Mazhar –

    I’d suggest something along the lines of :

    $groups = Get-ADGroup -LDAPFilter “(name=grp-*)” $groups | ForEach-Object {$csvname = “membersof_” + $.name + “.csv”; get-adgroupmember $.distinguishedname | export-csv $csvname}

  3. In, my above post by the way, there is supposed to be a line break before the second “$groups”. The edit box decided to merge those two lines… :/

    So:

    $groups = Get-ADGroup -LDAPFilter “(name=grp-*)”

    $groups | ForEach-Object {$csvname = “membersof_” + $.name + “.csv”; get-adgroupmember $.distinguishedname | export-csv $csvname}

  4. Hi Jason

    Hope you can help. I would like a script that removes users from another Trusted domain. So I need to query our Current Domain for all groups and then remove users that belong to our other domain. This is so I can tidy up the groups. Users were added during the migration but not tidied up afterwards. So remove all users from all groups that belong to a specific domain.

    Thanks

Comments are closed.