Command line to list users in a Windows Active Directory group?

windows active-directory

Is there a command line way to list all the users in a particular Active Directory group?

I can see who is in the group by going to Manage Computer --> Local User / Groups --> Groups and double clicking the group.

I just need a command line way to retrieve the data, so I can do some other automated tasks.


try

dsget group "CN=GroupName,DC=domain,DC=name,DC=com" -members

Here's another way from the command prompt, not sure how automatable though since you would have to parse the output:

If group is "global security group":

net group <your_groupname> /domain

If you are looking for "domain local security group":

net localgroup <your_groupname> /domain

Here's a version of the ds command I found more typically useful, especially if you have a complex OU structure and don't necessarily know the full distinguished name of the group.

dsquery group -samid "Group_SAM_Account_Name" | dsget group -members -expand

or if you know the CN of the group, usually the same as the SAM ID, quoted in case there are spaces in the name:

dsquery group -name "Group Account Name" | dsget group -members -expand

As stated in the comments, by default the ds* commands (dsquery, dsget, dsadd, dsrm) are only available on a Domain Controller. However, you can install the Admin Tools pack from the Support Tools on the Windows Server installation media or download it from the Microsoft Download site.

You can also perform these queries using PowerShell. PowerShell is already available as an installable feature for Server 2008, 2008 R2, and Windows 7, but you'll need to download the WinRM Framework to install it on XP or Vista.

To get access to any AD-specific cmdlets in PowerShell you will ALSO need to perform at least one of the following installs:

  • For Win 7 and 2008 R2 clients, you can install the Remote Server Admin Tools. The RSAT also requires that you have installed the Active Directory Web Services feature on your Server 2008 R2 Domain Controllers, or the Active Directory Management Gateway Service for any Server 2003/2008 DCs.
  • For any XP or higher client, download and install the Quest ActiveRoles Management Shell for Active Directory. The Quest tools do not require any additional changes to your DCs.

For a PowerShell solution that doesn't require the Quest AD add-in, try the following

Import-Module ActiveDirectory

Get-ADGroupMember "Domain Admins" -recursive | Select-Object name

This will enumerate the nested groups as well. If you don't wish to do so, remove the -recursive switch.

Related

What is "-bash: !": event not found"
Filename length limits on linux?
What version of RHEL am I using?
What is the difference between authentication and authorization?
How can I read pcap files in a friendly format?
How to add dependency on a Windows Service AFTER the service is installed
What does Virtual memory size in top mean?
Run a .bat file in a scheduled task without a window
Find name of Active Directory domain controller
What is the difference between Load Balancer and Reverse Proxy?
What does 'set -e' do, and why might it be considered dangerous?
How do you validate fstab without rebooting?