
I would like to extract the members from an AD group that contains both users and a security group.

Example, Group_A:
User1
User2
User3
Group_B

When I run my script, it shows:

CN=User1,OU=Users,DC=Contoso,DC=com CN=User2,OU=Users,DC=Contoso,DC=com CN=User3,OU=Users,DC=Contoso,DC=com CN=Group_B,OU=Users,DC=Contoso,DC=com

Is there another way to show their Name and/or SamAccountname?

$Groups = @"
GroupNames
Group_A
"@ | ConvertFrom-Csv -Delimiter ';'

$ADGroups = Foreach ($Group in $Groups) {
    Get-ADGroup $Group.GroupNames -Server contoso.com -Properties Members
}

$ADGroups.Members
ak2595
  • You seem to have an input file where users and groups are mixed in a strange way. This doesn't look like a csv file at all, where group names should be put in their own column. Please open that file in notepad and copy the first 3 or 4 lines. Then edit your question and paste it in there as formatted text – Theo Feb 09 '22 at 14:42

4 Answers


As the other helpful answers show, if you want to play it safe, you can use Get-ADGroupMember to get the group membership; this would also be useful because you would be able to distinguish the ObjectClass of each member.

You could also do string manipulation over the elements (distinguishedName) of the member attribute of the AD Group by following this Q&A.

If the members of the group are on different domains, this should work; however, it will most likely be quite slow.

foreach ($group in $groups) {
    $membership = Get-ADGroup $group -Properties Member
    # Bucket the member DNs by their domain suffix (everything from the first DC= on)
    $membership.Member | Group-Object { ($_ -split '(?=DC=)', 2)[1] } |
    ForEach-Object {
        # Turn 'DC=Contoso,DC=com' into the DNS name 'Contoso.com' to use as -Server
        [string]$domain = (($_.Name -split ',') -replace '^DC=') -join '.'

        foreach ($member in $_.Group) {
            # Query the object in its own domain, whatever its class
            $obj = Get-ADObject $member -Server $domain
            [pscustomobject]@{
                MemberOf       = $membership.Name
                Domain         = $domain
                SamAccountName = $obj.SamAccountName
                ObjectClass    = $obj.ObjectClass
            }
        }
    }
}
Santiago Squarzon
    Just asking for clarification because I actually really don't know: In this use case, is there a point to use Get-ADGroup? Since the OP wants the members only, is it not safe enough to use Get-ADGroupMember directly, since they both use the parameter "Identity", which is unique in both use cases? – Bowshock Feb 09 '22 at 14:51
  • 1
    @Bowshock No you're totally right, there is no need for `Get-ADGroup` in this case. As long as identity is a valid sam / upn / dn etc. – Santiago Squarzon Feb 09 '22 at 14:54
  • I think you're right. I do have nested groups though. Is this good practice? – ak2595 Feb 09 '22 at 14:54
  • you might find [this function](https://github.com/santysq/Get-Hierarchy) I made for displaying group hierarchy useful @ak2595 – Santiago Squarzon Feb 09 '22 at 14:57
  • @SantiagoSquarzon If I have a user from another domain in this group it doesn't work. I have a trusted domain with all rights – ak2595 Feb 09 '22 at 14:57
  • @ak2595 I have updated on what could be done if the members are on different domains, it will likely be pretty slow but I think it should work – Santiago Squarzon Feb 09 '22 at 15:12
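Putting the two points from the comments together (nested groups and members from other domains), here is an added example that is not part of the answer above: it walks the Member attribute recursively, queries each DN against the domain named in its DC= components, and records ObjectClass so groups and users can be told apart. It assumes the ActiveDirectory module, that each domain's DCs are reachable under their DNS name, and uses the hypothetical group name Group_A.

```powershell
# Added example (not the answer's code): expand a group's Member attribute
# recursively, resolving each DN against its own domain (taken from the DC=
# components of the DN) and descending into nested groups with cycle protection.
# Assumes the ActiveDirectory module and that each domain's DCs are reachable
# under their DNS name (e.g. contoso.com); group names are hypothetical.
function Get-ResolvedGroupMember {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][string]$Server,
        [hashtable]$Visited = @{},   # group DNs already expanded (guards A -> B -> A loops)
        [int]$Depth = 0
    )
    $group = Get-ADGroup -Identity $Identity -Server $Server -Properties Member
    if ($Visited.ContainsKey($group.DistinguishedName)) { return }
    $Visited[$group.DistinguishedName] = $true

    # Bucket member DNs by their domain suffix so each domain is queried at its own DCs
    $group.Member | Group-Object { ($_ -split ',(?=DC=)', 2)[1] } | ForEach-Object {
        # 'DC=Contoso,DC=com' -> 'Contoso.com'
        $domainDns = (($_.Name -split ',') -replace '^DC=') -join '.'
        foreach ($dn in $_.Group) {
            # Get-ADObject is not limited to one object class, unlike Get-ADUser
            $obj = Get-ADObject -Identity $dn -Server $domainDns -Properties SamAccountName
            [pscustomobject]@{
                MemberOf       = $group.Name
                Depth          = $Depth
                Domain         = $domainDns
                Name           = $obj.Name
                SamAccountName = $obj.SamAccountName
                ObjectClass    = $obj.ObjectClass
            }
            if ($obj.ObjectClass -eq 'group') {
                # Nested group: expand it in its own domain, one level deeper
                Get-ResolvedGroupMember -Identity $dn -Server $domainDns `
                    -Visited $Visited -Depth ($Depth + 1)
            }
        }
    }
}

Get-ResolvedGroupMember -Identity 'Group_A' -Server 'contoso.com' |
    Format-Table MemberOf, Depth, Domain, Name, SamAccountName, ObjectClass
```

Members from another domain in the same forest are stored by their real DN and resolve this way; members from an externally trusted forest are stored as foreignSecurityPrincipal objects in the local domain, so they come back with that ObjectClass and no SamAccountName until their SID is translated against the trusted domain.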

Get-ADGroupMember has two parameters you can use for that. samaccountname, and name.

Simply do the following:

Get-ADGroupMember -identity $ADGroup | select-object SamAccountName, Name

Or in your code snippet:

Foreach ($group in $groups) {
    Get-ADGroupMember -Identity $group | Select-Object SamAccountName, Name
}

Of course you could add:

Get-ADGroupMember -Identity $group | Select-Object SamAccountName, Name | Export-Csv C:\mypath\report.csv
Bowshock

You could run a query against the returned values using Get-ADObject since it accepts DistinguishedNames as a value and isn't limited by object class:

foreach ($Group in $Groups) {
    (Get-ADGroup $Group.GroupNames -Server contoso.com -Properties Members).Members |
        ForEach-Object -Process {
            Get-ADObject -Identity $_ -Properties DisplayName | Select-Object -Property DisplayName
        }
}

...or, you can split the results at the desired entry:

foreach ($Group in $Groups) {
    (Get-ADGroup $Group.GroupNames -Server contoso.com -Properties Members).Members |
        ForEach-Object -Process {
            # Take the leading RDN ('CN=User1') and keep only its value ('User1')
            $_.Split(',', 2)[0].Split('=')[1]
        }
}

Disclaimer: I don't have the AD Module installed on my system so I can't confirm if this is all that is needed.

Abraham Zinala
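The split above works for plain names but truncates a CN that itself contains an escaped comma (for example `CN=Doe\, John,OU=Users,...`), which AD produces for names entered as "Last, First". As an added example that is not part of the answer, here is a small RDN extractor that honours backslash escapes, run over constructed sample DNs:

```powershell
# Added example (not the answer's code): pull the leading RDN value out of a DN
# without breaking on escaped separators such as 'CN=Doe\, John,OU=...', which a
# plain Split(',') would cut down to 'Doe\'.
function Get-DnLeafName {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    # First RDN: attribute type, '=', then a value in which any backslash-escaped
    # character (\, \= \+ \\ ...) is allowed, up to the first unescaped comma.
    $rdnPattern = '^(?<type>[A-Za-z][\w-]*)=(?<value>(?:\\.|[^,\\])*)'
    if ($DistinguishedName -notmatch $rdnPattern) {
        throw "Not a distinguished name: '$DistinguishedName'"
    }
    # Drop the escaping backslashes to get the display form of the name
    $Matches['value'] -replace '\\(.)', '$1'
}

# Constructed sample DNs (not real directory data)
$sample = @(
    'CN=User1,OU=Users,DC=Contoso,DC=com'
    'CN=Doe\, John,OU=Users,DC=Contoso,DC=com'
    'CN=Group_B,OU=Users,DC=Contoso,DC=com'
)
$sample | ForEach-Object { Get-DnLeafName $_ }
```

The leaf value is the object's CN (its Name); for SamAccountName you still need a directory lookup such as Get-ADObject.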

The easiest way would be to expand the Members property from Get-ADGroup and then pipe it to Get-ADUser

$adUsers = Foreach ($Group in $Groups) {
    Get-ADGroup $Group.GroupNames -Server contoso.com -Properties Members | Select-Object -ExpandProperty Members | Get-ADUser
}
  • The problem is the fact that I also have users from another domain in this group... it will show only users from the current domain – ak2595 Feb 09 '22 at 15:03