PowerShell Problem Solver: Active Directory Group Members


Today’s PowerShell problem focuses on a very common IT task, which is grabbing members of an Active Directory group. Now, I’m already going to assume that you have the latest version of Remote Server Administration Tools (RSAT) installed and configured to use the Active Directory PowerShell module. Today’s problem is one I came across recently, where the goal of the task was to list members of an Active Directory group and show a few select user properties.

When you run Get-ADGroupMember, it looks like you get some user objects.

Listing AD Group Members with PowerShell (Image Credit: Jeff Hicks)

The original solution to get user details looks something like this:

Get-ADGroupMember -Identity "Chicago IT" |
Select samAccountName,Name,
@{Name="DisplayName";Expression={(Get-ADUser $_.distinguishedName -Properties Displayname).Displayname}},
@{Name="Title";Expression={(Get-ADUser $_.distinguishedName -Properties Title).title}}

On one hand I actually applaud this effort because it demonstrates using Select-Object to define properties from a completely separate source. And it works.

A complicated Select-Object solution (Image Credit: Jeff Hicks)

But it is probably not the best solution: each calculated property runs its own Get-ADUser query, so every group member is looked up twice. Let’s take a step back.

The first thing I would do in this situation is to see what type of object is coming from the Get-ADGroupMember cmdlet by piping the command to Get-Member.

Using Get-Member (Image Credit: Jeff Hicks)

One thing I might look for would be a property or method that I could use to get the information I’m after. In this particular case the ADPrincipal class appears to be a subset of the user object. So, I need the user object.

We already know we can use Get-ADUser. But is there a smarter way? Don’t guess. Read the help.

Reading cmdlet help (Image Credit: Jeff Hicks)

The Identity parameter needs some sort of identifier, such as the distinguished name or samAccountname. Even though the help file says the cmdlet accepts pipeline input by value, it also says above that you can set this parameter to an object instance. But let’s test.

Testing pipeline input (Image Credit: Jeff Hicks)

How about that. Now let’s try with an object. My test group only has a few members so let’s save them to a variable.

$a = Get-ADGroupMember -Identity "Chicago IT"

We’ll try piping one of the objects to Get-ADUser. Remember this ADPrincipal object has several properties that we can use to get the user account, so I’m optimistic.

Testing a pipelined object (Image Credit: Jeff Hicks)

Excellent. I can now revise my original command to something a bit more streamlined and efficient.

Get-ADGroupMember -Identity "Chicago IT" | Get-ADUser -Properties Displayname,Title |
Select DistinguishedName,samAccountName,Name,Displayname,Title

A better pipelined solution (Image Credit: Jeff Hicks)

As a bonus, I think this expression is also easier to understand. Now I have something that will work for any group. Although if you are only interested in user accounts, I might suggest one small addition:

Get-ADGroupMember -Identity "Chicago All Users" -Recursive |
Where objectclass -eq 'user' |
Get-ADUser -Properties Displayname,Title,Department |
Select DistinguishedName,samAccountName,Name,Displayname,Title,Department |
Export-CSV c:\work\ChicagoAll.csv

Active Directory groups can contain other groups, as well as computer accounts, so I’m adding a step to filter with Where-Object so that I only keep user objects. You could use similar techniques if you are reporting on group or computer objects.
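
The same pipeline technique extended to groups and computers, as an added example that is not code from the original article; it goes beyond the user-only case by sending each object class to its own cmdlet. The function name Get-GroupMemberReport, the Detail column and the output file name are assumptions, and Enabled and LastLogonDate are included so a membership review can spot disabled or stale accounts.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT) and a reachable domain.
# Get-GroupMemberReport and the Detail column are hypothetical names for illustration.
function Get-GroupMemberReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Identity,
        [switch]$Recursive
    )

    # One class-specific value per object type, surfaced in a shared Detail column
    $detail = @{
        user     = { $_.Title }
        computer = { $_.OperatingSystem }
        group    = { "$($_.GroupScope) $($_.GroupCategory)" }
    }

    # Query the group once; without -Recursive, nested groups come back as members
    $members = Get-ADGroupMember -Identity $Identity -Recursive:$Recursive

    foreach ($set in ($members | Group-Object -Property objectClass)) {
        # Pipe each class to the cmdlet that returns its full object
        $objects = switch ($set.Name) {
            'user'     { $set.Group | Get-ADUser -Properties Title, LastLogonDate }
            'computer' { $set.Group | Get-ADComputer -Properties OperatingSystem, LastLogonDate }
            'group'    { $set.Group | Get-ADGroup }
            default    { $set.Group }   # other classes stay as returned
        }

        $expression = if ($detail.ContainsKey($set.Name)) { $detail[$set.Name] } else { { $null } }

        # Same columns for every class, so Export-Csv writes one consistent header
        $objects | Select-Object ObjectClass, SamAccountName, Name, Enabled, LastLogonDate,
            @{Name = 'Detail'; Expression = $expression}, DistinguishedName
    }
}

# Direct members of the article's sample group, nested groups included as rows
Get-GroupMemberReport -Identity "Chicago IT" |
    Sort-Object ObjectClass, Name |
    Export-Csv -Path c:\work\ChicagoIT-members.csv -NoTypeInformation
```

Add -Recursive to flatten nested groups into their leaf members instead of listing the groups themselves.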

But the main takeaway is the process: look at the objects coming out of the first part of your expression with Get-Member, then try to discover how you can hook them into the input for the next expression. And yes, you might have to read a little help and experiment. But once you get a handle on this, it will become second nature, and you’ll be using PowerShell to accomplish all sorts of tasks you didn’t know you could do.
