Using groups in Active Directory (AD) helps you keep the directory organized and work more efficiently. You can assign permissions or licenses to multiple users through an AD group instead of assigning them to individual users, which makes network maintenance and administration easier because the group is managed as a single object.
Get-ADGroup
In PowerShell, the Get-ADGroup cmdlet enables you to search Active Directory for single or multiple groups. This is useful if you need to list all the groups in your Active Directory, or if you just need to find the location of one particular group that is hiding somewhere in an Organizational Unit (OU).
The Get-ADGroup filter parameter allows you to search for a list of specific groups such as all global, universal, or domain local groups. You can also search Active Directory for groups by name or list all groups.
The Get-ADGroup cmdlet returns only a default set of group properties. To retrieve other specific properties, use the Properties parameter.
The Syntax of Get-ADGroup cmdlet
The syntax of the cmdlet is as follows:
Get-ADGroup [-AuthType ] [-Credential ] [-Identity] -Filter -LDAPFilter [-Properties
The following parameters can be used with Get-ADGroup:
- Identity: Use this to find a group based on the group name. This will return only a single group.
- Filter: Use this to retrieve multiple groups based on a filter query
- LDAPFilter: Use an LDAP query string to filter the group objects
- SearchBase: Specify the Active Directory path (OU) to search in
- SearchScope: Specify how deep you want to search (base level, one level, or complete subtree)
The most common way to get a group is by using the Identity parameter. To do this, you will need to know the name of the group. It will return a single group with the most important properties. A name that contains a space must be in quotes:
Get-ADGroup -Identity "Asia Marketing"
The above command gets the group with the SAM account name of Asia Marketing.
How to Use Get-ADGroup cmdlet
Use the following example to get all security groups whose scope is not domain local. Make sure that the filter is in quotes or you will get an error:
Get-ADGroup -Filter 'GroupCategory -eq "Security" -and GroupScope -ne "DomainLocal"'
To get all domain groups:
Get-ADGroup -filter *
To get all groups and display the group name, groupscope, and objectclass:
Get-ADGroup -filter * | select Name, groupscope, objectclass
To get all groups that start with Acc in the name:
Get-ADGroup -filter "Name -like 'Acc*'"
To get all groups from a specific OU and display the group name and distinguishedName:
Get-ADGroup -filter * -SearchBase "OU=ADPRO Groups,DC=ad,DC=activedirectorypro,DC=com" | select name, distinguishedName
To get all security groups and display the group name and GroupCategory:
Get-ADGroup -filter "GroupCategory -eq 'Security'" | select name, GroupCategory
To display all of the group properties add the -properties * option:
Get-ADGroup -identity Administrators -Properties *
To get groups by name using a wildcard search:
Get-ADGroup -Filter 'Name -like "*acc*" -or Name -like "*mar*"' | select name
By default, the Get-ADGroup command will only display the following eight group properties:
- DistinguishedName
- GroupCategory
- GroupScope
- Name
- ObjectClass
- ObjectGUID
- SamAccountName
- SID
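The following added example (not from the original article) combines the Filter, SearchBase, SearchScope and Properties parameters described above to build a readable inventory of security groups, requesting only the extra properties the report needs rather than all of them. The function name, the report columns and the output file name are assumptions; the OU path is the sample one used earlier on this page, and the ActiveDirectory module must be available.

```powershell
# Added example: needs the ActiveDirectory module (RSAT) and a domain account.
Import-Module ActiveDirectory

function Get-SecurityGroupInventory {   # hypothetical helper name
    [CmdletBinding()]
    param(
        # Sample OU path from this page; replace it with your own.
        [string]$SearchBase = 'OU=ADPRO Groups,DC=ad,DC=activedirectorypro,DC=com',
        [ValidateSet('Base', 'OneLevel', 'Subtree')]
        [string]$SearchScope = 'Subtree'
    )

    $query = @{
        Filter      = "GroupCategory -eq 'Security'"
        SearchBase  = $SearchBase
        SearchScope = $SearchScope
        # Ask only for the extra properties the report uses instead of -Properties *.
        Properties  = 'ManagedBy', 'Members', 'adminCount', 'whenCreated', 'whenChanged'
    }

    Get-ADGroup @query | ForEach-Object {
        # Members omits accounts that hold the group as their primary group.
        $memberCount = @($_.Members).Count
        [pscustomobject]@{
            Name              = $_.Name
            SamAccountName    = $_.SamAccountName
            GroupScope        = $_.GroupScope
            MemberCount       = $memberCount
            IsEmpty           = ($memberCount -eq 0)     # candidate for clean-up
            HasOwner          = [bool]$_.ManagedBy       # no owner means nobody reviews it
            # adminCount = 1 marks groups that are, or once were, protected by AdminSDHolder.
            AdminCount        = ($_.adminCount -eq 1)
            WhenCreated       = $_.whenCreated
            WhenChanged       = $_.whenChanged
            DistinguishedName = $_.DistinguishedName
        }
    }
}

# Hypothetical output file; protected and largest groups are listed first.
Get-SecurityGroupInventory |
    Sort-Object -Property @{ Expression = 'AdminCount';  Descending = $true },
                          @{ Expression = 'MemberCount'; Descending = $true } |
    Export-Csv -Path .\security-groups.csv -NoTypeInformation -Encoding UTF8
```

Groups that are empty, have no ManagedBy owner, or carry adminCount = 1 are the rows worth reviewing first in an access audit.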
How Lepide Helps
This method of finding group members using PowerShell is time-consuming and requires a good knowledge of PowerShell scripting. In addition, the results returned using this method are in a format that’s very hard to read and difficult to analyze.
A more straightforward approach is to use Lepide Auditor for Active Directory. The All Groups Report can be run to show all Active Directory groups.
To run this report:
- Click the User & Entity Behavior Analytics icon and select the All Groups Report from the Active Directory Reports
- Click Generate Report to run the report
- The report can be filtered to report on a particular Group Name and can be grouped to list all members by their group
- The report can be saved and exported to CSV, PDF or MHT format