Skip to main content

PowerShell to get all users in a specified Active Directory group.

function Get-ADGroupMembers {
    <#
    .SYNOPSIS
        Return all group members for specified groups.

    .FUNCTIONALITY
        Active Directory

    .DESCRIPTION
        Return all group members for specified groups.   Requires .NET 3.5, does not require RSAT

    .PARAMETER Group
        One or more Security Groups to enumerate

    .PARAMETER Recurse
        Whether to recurse groups.  Note that subgroups are NOT returned if this is true, only user accounts

        Default value is $True

    .EXAMPLE
        #Get all group members in Domain Admins or nested subgroups, only include samaccountname property
        Get-ADGroupMembers "Domain Admins" | Select-Object -ExpandProperty samaccountname

    .EXAMPLE
        #Get members for objects returned by Get-ADGroupMembers
        Get-ADGroupMembers -group "Domain Admins" | Get-Member
    #>
    [cmdletbinding()]
    Param(
        [Parameter(Position=0, ValueFromPipeline=$true)]
            [string[]]$group = 'Domain Admins',

            [bool]$Recurse = $true
    )

    Begin {
        #Add the .net type
            $type = 'System.DirectoryServices.AccountManagement'
            Try{
                Add-Type -AssemblyName $type -ErrorAction Stop
            }
            Catch {
                Throw "Could not load $type`: Confirm .NET 3.5 or later is installed"
                Break
            }

        #set up context type
        # use the 'Machine' ContextType if you want to retrieve local group members
        # http://msdn.microsoft.com/en-us/library/system.directoryservices.accountmanagement.contexttype.aspx
            $ct = [System.DirectoryServices.AccountManagement.ContextType]::Domain
    }

    Process {
        #List group members
            foreach($GroupName in $group){
                Try {
                    $grp = [System.DirectoryServices.AccountManagement.GroupPrincipal]::FindByIdentity($ct,$GroupName)

                    #display results or warn if no results
                        if($grp){
                            $grp.GetMembers($Recurse)
                        }
                        else{
                            Write-Warning "Could not find group '$GroupName'"
                        }
                }
                Catch {
                    Write-Error "Could not obtain members for $GroupName`: $_"
                    Continue
                }
            }
    }
    End{
        #cleanup
            $ct = $grp = $null
    }
}