152

Is there a command line way to list all the users in a particular Active Directory group?

I can see who is in the group by going to Manage Computer --> Local User / Groups --> Groups and double clicking the group.

I just need a command line way to retrieve the data, so I can do some other automated tasks.

Peter Mortensen
  • 2,319
  • 5
  • 23
  • 24

9 Answers

287

Here's another way from the command prompt, not sure how automatable though since you would have to parse the output:

If group is "global security group":

net group <your_groupname> /domain

If you are looking for "domain local security group":

net localgroup <your_groupname> /domain
  • 28
    not sure why this was downvoted... the output might require a little parsing, but it has the advantage of depending only on utilities that are part of the base windows install. – G-Wiz Jul 14 '11 at 16:07
  • 2
    But is there any way around the truncated group names? – deed02392 Oct 14 '13 at 11:19
  • 1
    This is great! Worked a treat. – WOPR May 11 '15 at 06:26
  • 2
    Note that this isn't recursive and doesn't list groups that are in a group. Not very helpful if you have nested or hierarchical groups. – Mark Jun 19 '15 at 20:05
  • This works perfectly for me (and goes nicely hand in hand with `net user /domain`). Thanks! – xan Mar 23 '16 at 20:05
  • 1
    For some reason I am getting error "The group name could not be found." for a group that I *know* exists. – tbone Apr 26 '16 at 17:45
  • This works perfectly for me >net user /domain – ravthiru Oct 29 '19 at 00:51
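Added example, not part of the answer or its comments: a PowerShell parser for the text that `net group <name> /domain` prints, so the member list can feed other automation rather than being read by eye. The fixed 25-character column layout, the function names and the sample output below are assumptions; names longer than a column are cut off by net itself, as the comments note, and no parser can recover them.

```powershell
# Added example: turn the text that "net group <name> /domain" prints into a
# plain list of member names. Assumes the usual layout: a row of dashes, then
# members in 25-character columns, then "The command completed successfully."
function ConvertFrom-NetGroupOutput {
    param([Parameter(Mandatory, ValueFromPipeline)][string[]]$Line)
    begin { $inMembers = $false; $members = @() }
    process {
        foreach ($l in $Line) {
            if ($l -match '^-{10,}\s*$')            { $inMembers = $true;  continue }
            if ($l -match '^The command completed') { $inMembers = $false; continue }
            if (-not $inMembers -or -not $l.Trim()) { continue }
            # Slice fixed-width columns instead of splitting on whitespace so an
            # account name that happens to contain a space is kept intact.
            for ($i = 0; $i -lt $l.Length; $i += 25) {
                $width = [Math]::Min(25, $l.Length - $i)
                $name  = $l.Substring($i, $width).Trim()
                if ($name) { $members += $name }
            }
        }
    }
    end { $members }
}

function Get-NetGroupMember {
    param([Parameter(Mandatory)][string]$GroupName)
    # Merge stdout and stderr so any error text (e.g. "The group name could
    # not be found.") is captured and reported instead of silently dropped.
    $out = & net group "$GroupName" /domain 2>&1 | ForEach-Object { "$_" }
    if ($LASTEXITCODE -ne 0) { throw "net group '$GroupName' failed: $($out -join ' ')" }
    $out | ConvertFrom-NetGroupOutput
}

# Constructed sample output (not captured from a real domain) so the parser can
# be tried offline without domain access.
$sample = @'
The request will be processed at a domain controller for domain example.local.

Group name     Domain Admins
Comment        Designated administrators of the domain

Members

-------------------------------------------------------------------------------
Administrator            jdoe                     svc_backup
ops.automation
The command completed successfully.
'@ -split "`r?`n"

$sample | ConvertFrom-NetGroupOutput
```

Against a live domain, `Get-NetGroupMember 'Domain Admins'` runs the same parser over real output; like `net group` itself, it lists direct members only and does not expand nested groups.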
50

Here's a version of the ds command I found more typically useful, especially if you have a complex OU structure and don't necessarily know the full distinguished name of the group.

dsquery group -samid "Group_SAM_Account_Name" | dsget group -members -expand

or if you know the CN of the group, usually the same as the SAM ID, quoted in case there are spaces in the name:

dsquery group -name "Group Account Name" | dsget group -members -expand

As stated in the comments, by default the ds* commands (dsquery, dsget, dsadd, dsrm) are only available on a Domain Controller. However, you can install the Admin Tools pack from the Support Tools on the Windows Server installation media or download it from the Microsoft Download site.

You can also perform these queries using PowerShell. PowerShell is already available as an installable feature for Server 2008, 2008 R2, and Windows 7, but you'll need to download the WinRM Framework to install it on XP or Vista.

To get access to any AD-specific cmdlets in PowerShell you will ALSO need to perform at least one of the following installs:

Ryan Fisher
  • 2,218
  • 16
  • 13
  • I use the first query all the time – Jim B Aug 03 '09 at 20:29
  • 1
    Be aware that you have to run this command on the domain controller. – skolima Mar 24 '11 at 11:49
  • 9
    You *DO NOT* have to run this command on a Domain Controller. However, you *DO* need to have installed the Admin Support Pack .msi which is included in the Support Tools on the Windows 2003 Server CDROM. Or download it from http://www.microsoft.com/downloads/en/details.aspx?FamilyID=c16ae515-c8f4-47ef-a1e4-a8dcbacff8e3&DisplayLang=en – Ryan Fisher Mar 24 '11 at 15:50
  • Regarding dsquery and Admin Tools pack, it's worth noting that "Starting with Windows 10 October 2018 Update, RSAT is included as a set of "Features on Demand" in Windows 10 itself.", see https://www.microsoft.com/en-za/download/details.aspx?id=45520 – W.Prins Jul 15 '21 at 08:35
39

try

dsget group "CN=GroupName,DC=domain,DC=name,DC=com" -members
pQd
  • 29,561
  • 5
  • 64
  • 106
  • 1
    You probably need to do a little more in order to resolve members and duplicate members in nested groups. – duffbeer703 Aug 09 '09 at 20:49
  • 1
    `dsget group "CN=GroupName,DC=domain,DC=name,DC=com" -members -expand` gets you the members in the nested groups, though it may not help with duplicates, and it gives you the full AD query string for the member, not just their CN. – jonnybot Jul 01 '14 at 19:08
  • 2
    Command not found on Win7 SP1. I'm guessing you need RSAT installed? – Iszi Nov 12 '14 at 19:54
  • 17
    'dsget' is not recognized as an internal or external command, etc. – adolf garlic Nov 25 '15 at 09:56
  • 1
    @adolfgarlic - https://stackoverflow.com/questions/8514599/windows-7-powershell-cannot-find-dsquery-and-dsget – bchilders Jul 19 '17 at 19:24
29

For a PowerShell solution that doesn't require the Quest AD add-in, try the following:

Import-Module ActiveDirectory

Get-ADGroupMember "Domain Admins" -recursive | Select-Object name

This will enumerate the nested groups as well. If you don't wish to do so, remove the -recursive switch.

pk.
  • 6,413
  • 1
  • 41
  • 63
  • 7
    You're correct that the ActiveDirectory module doesn't require the Quest ActiveRoles AD snap-in, but it does require that you have the RSAT tools installed and that your AD has at least one DC with either the Active Directory Web Service (for 2008 R2) or the Active Directory Management Gateway Service (for 2003, 2008 DCs) installed. See my answer above for details and links. – Ryan Fisher Oct 11 '11 at 19:36
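Added example, not pk.'s code or the ActiveDirectory module's own recursion: a walk over nested membership that records every distinguished name it has already expanded, so a group that directly or indirectly contains itself cannot loop, and a user reachable through several nested groups (the duplicates raised in the comments on the dsget answer) is reported once, together with the group that led to them. It assumes the RSAT ActiveDirectory module is installed, as Ryan Fisher's comment describes; the function name is my own.

```powershell
# Added example: enumerate nested group membership with the ActiveDirectory
# module, guarding against circular nesting and duplicate principals.
Import-Module ActiveDirectory

function Get-NestedGroupMember {
    param(
        [Parameter(Mandatory)][string]$Identity,
        # Distinguished names already visited; shared across recursive calls.
        [System.Collections.Generic.HashSet[string]]$Seen =
            [System.Collections.Generic.HashSet[string]]::new()
    )
    # The raw "member" attribute holds the DNs of direct members only.
    $group = Get-ADGroup -Identity $Identity -Properties member
    if (-not $Seen.Add($group.DistinguishedName)) { return }   # already expanded (cycle)

    foreach ($dn in $group.member) {
        $obj = Get-ADObject -Identity $dn -Properties objectClass, sAMAccountName
        if ($obj.ObjectClass -eq 'group') {
            # Descend into the nested group, passing the shared visited set.
            Get-NestedGroupMember -Identity $dn -Seen $Seen
        }
        elseif ($Seen.Add($dn)) {
            # First time this user/computer/contact is reached: emit it once,
            # noting which group it was found in.
            [pscustomobject]@{
                Name              = $obj.sAMAccountName
                ObjectClass       = $obj.ObjectClass
                ViaGroup          = $group.Name
                DistinguishedName = $dn
            }
        }
    }
}

Get-NestedGroupMember -Identity 'Domain Admins' | Sort-Object Name | Format-Table -AutoSize
```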
18

A very easy way which works on servers and clients:

NET GROUP "YOURGROUPNAME" /DOMAIN | find /I /C "%USERNAME%"

Returns 1 if the user is in group YOURGROUPNAME, else it returns 0.

You can then use the %ERRORLEVEL% value (0 if user in group, 1 if not) like

IF %ERRORLEVEL%==0 NET USE %LOGONSERVER%\YOURGROUPSHARE
user9517
  • 114,104
  • 20
  • 206
  • 289
deajan
  • 181
  • 1
  • 2
  • 2
    The "net group" command searches only domain (or domain tree) where the computer is joined. A more modern alternative is: `whoami /groups | find /I /C "YOURGROUPNAME"` – DavisNT Sep 15 '15 at 17:04
10

Using PowerShell and Quest Software's Free ActiveRoles Management Shell for Active Directory, you can use:

(Get-QADGroup "GroupName").Members

http://www.quest.com/powershell/activeroles-server.aspx

Gordon Bell
  • 338
  • 2
  • 12
8

The answers here using dsget and dsquery will only work on server versions of Windows, as those commands aren't shipped on other versions of Windows (e.g. Windows 7). On machines without those commands you can get the information you want using the AdFind command.

Here's an example query for getting group membership:

AdFind.exe -default -f name="Domain Admins" member -list
markshep
  • 222
  • 2
  • 3
  • 4
    ADFind.exe is a third party tool you have to install anyway. The ds* commands are installable via the Admin Tools pack. – Ryan Fisher Oct 11 '11 at 19:37
4

To display the members of UserGroup1, try:

dsquery group -name UserGroup1 | dsget group -members | dsget user -display
jscott
  • 24,204
  • 8
  • 77
  • 99
vadim
  • 51
  • 1
  • 1
    Might want to point out what CLI utility you'd use this in. I don't think that's gonna work too well from `cmd`, for some reason. – HopelessN00b Oct 10 '12 at 09:01
  • @HopelessN00b: this works in cmd – Pete Nov 07 '12 at 20:42
  • @Pete Newp! `dsget failed:'Target object for this command' is missing.` – HopelessN00b Nov 07 '12 at 20:53
  • @HopelessN00b: I get error if UserGroup1 doesn't exist, try something like "Accounting*" – Pete Nov 07 '12 at 21:48
  • @Pete: HopelessN00b is right, this requires a set of tools that are not coming with every version of windows. – petrosmm Apr 07 '21 at 16:39
  • @petrosmm This is an old post, and perhaps "this works in cmd (if you have the right tools installed)" would have been a more complete comment. I get your point, but in this case Hopelessn00b is wrong. The command works in cmd. He has this tool installed, otherwise he wouldn't get an error from dsget. His dsget is failing because his dsquery isn't piping in a valid group. – Pete Apr 07 '21 at 17:26
4

How to list local groups and users?

Use the following powershell script to list the local groups and members of those groups.

$server = "YourServerName"
$computer = [ADSI]"WinNT://$server,computer"

# Enumerate the local groups (schema class 'group') and print each one's members
$computer.psbase.children | Where-Object { $_.psbase.schemaClassName -eq 'group' } | ForEach-Object {
    Write-Host $_.name
    Write-Host "------"
    $group = [ADSI]$_.psbase.Path
    $group.psbase.Invoke("Members") | ForEach-Object {
        # Members come back as raw COM objects; read their Name property via reflection
        $_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)
    }
    Write-Host
}

Copy the text above into Notepad and save it as filename.ps1. Then run the file. It should display the groups and the users in each group, or you can just run this from PowerShell.

peterh
  • 4,914
  • 13
  • 29
  • 44
Sysadmin
  • 41
  • 1
  • I get, `cmdlet ForEach-Object at command pipeline position 1. Supply values for the following parameters:` and then it asks for input, `Process[0]` – Mike S Mar 18 '16 at 13:55
  • @MikeS ... Something like this perhaps: `$computer.psbase.children | ? {$_.psbase.schemaClassName -eq 'group'} | ? {$_.Name -eq 'Group Name 123'} | % {$group =[ADSI]$_.psbase.Path;$group.psbase.Invoke("Members") | % {$_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null) | % {"$_@domain.com"}}};` – Pimp Juice IT Oct 22 '21 at 19:15