Command line to list users in a Windows Active Directory group?
Is there a command line way to list all the users in a particular Active Directory group?
I can see who is in the group by going to Manage Computer --> Local User / Groups --> Groups and double clicking the group.
I just need a command line way to retrieve the data, so I can do some other automated tasks.
try
dsget group "CN=GroupName,DC=domain,DC=name,DC=com" -members
Here's another way from the command prompt, not sure how automatable though since you would have to parse the output:
If group is "global security group":
net group <your_groupname> /domain
If you are looking for "domain local security group":
net localgroup <your_groupname> /domain
Here's a version of the ds command I found more typically useful, especially if you have a complex OU structure and don't necessarily know the full distinguished name of the group.
dsquery group -samid "Group_SAM_Account_Name" | dsget group -members -expand
or if you know the CN of the group, usually the same as the SAM ID, quoted in case there are spaces in the name:
dsquery group -name "Group Account Name" | dsget group -members -expand
As stated in the comments, by default the ds* commands (dsquery, dsget, dsadd, dsrm) are only available on a Domain Controller. However, you can install the Admin Tools pack from the Support Tools on the Windows Server installation media or download it from the Microsoft Download site.
You can also perform these queries using PowerShell. PowerShell is already available as an installable feature for Server 2008, 2008 R2, and Windows 7, but you'll need to download the WinRM Framework to install it on XP or Vista.
To get access to any AD-specific cmdlets in PowerShell you will ALSO need to perform at least one of the following installs:
- For Win 7 and 2008 R2 clients, you can install the Remote Server Admin Tools. The RSAT also requires that you have installed the Active Directory Web Services feature on your Server 2008 R2 Domain Controllers, or the Active Directory Management Gateway Service for any Server 2003/2008 DCs.
- For any XP or higher client, download and install the Quest ActiveRoles Management Shell for Active Directory. The Quest tools do not require any additional changes to your DCs.
For a PowerShell solution that doesn't require the Quest AD add-in, try the following
Import-Module ActiveDirectory
Get-ADGroupMember "Domain Admins" -recursive | Select-Object name
This will enumerate the nested groups as well. If you don't wish to do so, remove the -recursive switch.