Get Active Directory Group Membership Report in CSV Format
An Active Directory group membership report is needed in almost every organization that runs AD. With it, administrators can quickly see which groups exist in an organizational unit and who belongs to them.
It also forms the basis for many business-level decisions, such as moving a user to another group, adding new members, or splitting a group. The problem is that many admins do not want to use a PowerShell script to get their AD group member list: it is either too complicated or too time-consuming, and for some it is both.
To add to the confusion, there are two ways to look at membership data. The first is to get AD group membership per user: the admin starts from a user account and lists the groups it belongs to.
The second, and frankly better, method is to start from the groups themselves and list the users present in each one.
This guide shows how to list members of AD groups and export AD group members to CSV using several methods, so that you can sidestep the more technical requirements. First, let's see what an AD group membership report contains.
Table of Contents
- What Does an AD Group Membership Report Contain?
- Make AD Group Membership Report With PowerShell
- Why PowerShell is Problematic
- Get AD Group Members List Using CMD
- Professionally Export AD Group Members to CSV without PowerShell
- Automated Steps to Use the Tool
- View Group Member List with ADUC
- Get the AD Group Report using Admin Center
- Check the Event Viewer
- Conclusion
- FAQs
What Does an Active Directory Group Membership Report Tell Us?
With this report, admins get an overview of how accounts are distributed across the groups in an OU. It also helps to spot inconsistencies in the group structure or in member counts. So it is no surprise that many regard it as the next logical step after checking the Active Directory user login history for an OU.
It almost always contains the date on which a group was created (the whenCreated attribute), which tells you how long a particular group has existed. The modified date (whenChanged) lets admins work out when the group was last updated, although not what changed or who changed it; that detail lives in the Security event log, covered later in this guide. Note that whenChanged is maintained per domain controller and is not replicated, so the value can differ depending on which DC you query.
The report also shows whether a group is a security group or a distribution group, and its scope (domain local, global or universal). All of this is laid out in tabular form for readability.
It is not fair to reject the PowerShell method outright without first knowing what it is. After all, it has been the traditional way to produce this report. To get members of an AD group with PowerShell, the following section is all you need.
Use PowerShell to List Users in AD Group
Here is a sample script. It uses the ActiveDirectory module, which is installed with RSAT or the AD DS role:

```powershell
# Requires the ActiveDirectory module (RSAT or the AD DS role)
Import-Module ActiveDirectory

# Get all groups in the Active Directory
$groups = Get-ADGroup -Filter *
Clear-Host

foreach ($group in $groups) {
    # Get the membership of the current group.
    # @() forces an array so .Count is right for 0 or 1 members.
    $members = @(Get-ADGroupMember -Identity $group)

    if ($members.Count -eq 0) {
        # Empty group
        Write-Host "Group: $($group.Name)" -ForegroundColor Yellow
    }
    else {
        # Group with members
        Write-Host "Group: $($group.Name)" -ForegroundColor Cyan
    }

    # Output each member of the group
    foreach ($member in $members) {
        Write-Host " - Member: $($member.Name)" -ForegroundColor Green
    }
}
```
Note that this is an example script and should be adapted to your environment before use. An explanation follows.
The script first fetches every group object from Active Directory. A loop then walks through the groups one by one and retrieves the members of each.
Inside the loop, an if-else block decides the colour: empty groups are printed in yellow, groups with at least one member in cyan, and the members themselves in green.
You can add functionality such as determining the group type or exporting the list to CSV, as we did when exporting the list of disabled users from Active Directory. The Get-* cmdlets used here only read the directory, so the script as written cannot change your group structure; be careful only if you add Add-, Set- or Remove- cmdlets, which do write to AD. Two practical limits are worth knowing: Get-ADGroupMember stops with an error for groups larger than the Active Directory Web Services default of 5,000 members, and it can also fail on groups that contain foreign security principals from a trusted domain.
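As an added example (not part of the original article), here is the CSV export the text mentions, built on the group's own member attribute rather than Get-ADGroupMember, so it also handles groups with more than 5,000 members or foreign security principals. It assumes the ActiveDirectory module is installed, the caller has read access to the domain, and the C:\Reports folder and the OU path in the last call exist; those paths are placeholders.

```powershell
# Added example, not from the original article.
# Exports one row per group with category, scope, dates, member count and
# the resolved member list, using the 'member' attribute directly.
# Assumptions: ActiveDirectory module present, read access to the domain,
# C:\Reports\ writable, OU=Finance,... is a placeholder search base.
Import-Module ActiveDirectory

function Get-GroupMembershipReport {
    param (
        # LDAP filter for the groups to include; default is all groups
        [string]$LdapFilter = '(objectClass=group)',
        # Search base, e.g. one OU; default is the whole domain
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    $groups = Get-ADGroup -LDAPFilter $LdapFilter -SearchBase $SearchBase `
        -Properties member, whenCreated, whenChanged, description

    foreach ($g in $groups) {
        $memberRows = foreach ($dn in @($g.member)) {
            # Resolve each member DN to its object class and logon name.
            # Foreign security principals resolve to a SID-named object.
            $obj = Get-ADObject -Identity $dn -Properties sAMAccountName -ErrorAction SilentlyContinue
            if ($null -eq $obj) { "unresolved:$dn"; continue }
            "$($obj.objectClass):$($obj.sAMAccountName)"
        }

        [pscustomobject]@{
            GroupName         = $g.Name
            SamAccountName    = $g.SamAccountName
            Category          = $g.GroupCategory   # Security or Distribution
            Scope             = $g.GroupScope      # DomainLocal, Global, Universal
            Created           = $g.whenCreated
            Modified          = $g.whenChanged     # not replicated: per-DC value
            MemberCount       = @($g.member).Count
            Members           = ($memberRows -join ';')
            DistinguishedName = $g.DistinguishedName
        }
    }
}

# Whole domain, one row per group; the Members column is ';'-separated
Get-GroupMembershipReport |
    Export-Csv -Path 'C:\Reports\ADGroupMembership.csv' -NoTypeInformation -Encoding UTF8

# Security groups only (groupType bit 0x80000000), limited to one OU.
# 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
Get-GroupMembershipReport `
    -LdapFilter '(&(objectClass=group)(groupType:1.2.840.113556.1.4.803:=2147483648))' `
    -SearchBase 'OU=Finance,DC=corp,DC=example' |
    Export-Csv -Path 'C:\Reports\FinanceSecurityGroups.csv' -NoTypeInformation -Encoding UTF8
```

The member attribute holds explicit memberships only; accounts whose primary group is the group (primaryGroupID, as with Domain Users) are not in it, so MemberCount is 0 for such groups even though they are not empty. Nested groups appear as group:<name> rows rather than being expanded.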
Why do Admins Want to Export AD Group Members to CSV without PowerShell?
Problems don't stop once you have a PowerShell script. On the contrary, it is fair to say that the real problems begin afterward.
Scripts found online are generalized; they know nothing about your exact AD environment: OU layout, trusts, group sizes, or how deeply groups are nested.
They also tend to gloss over prerequisites. Neither the ActiveDirectory module nor the dsquery/dsget commands exist on a normal Windows machine; they come with the RSAT tools, or with the AD DS role on a server, and the module needs the Active Directory Web Services running on a domain controller. Where these pieces are missing, it is simply not possible to get members of an AD group with PowerShell.
Copy-pasting a random PowerShell script to list users in a group is therefore not going to give you the intended results.
A more dangerous scenario is output that is silently wrong: a large group reported as empty because the cmdlet hit its size limit while errors were suppressed, or members missing because the script does not expand nested groups. Without an independent way to verify the result, admins may unknowingly submit or act on bad data.
Therefore, many admins seek ways to export Active Directory group members to CSV without PowerShell.
Even if you do get the AD groups for a user with PowerShell, the output is only as good as the directory data and the script's logic; any analysis built on it inherits the same gaps.
Having the script is one thing; understanding what it does is another. If the script fails to produce the Active Directory group membership report, admins have to fix it by hand.
In the worst case, a script scheduled under a service account whose password has since changed keeps failing authentication and locks that account out, and admins end up having to check the last password change in the Active Directory environment instead of doing the actual work. (A read-only query script run interactively with valid credentials cannot lock anything out by itself.)
This means more time is spent troubleshooting the script than doing what is required. PowerShell is not the only way to check group members in AD; another, somewhat unorthodox approach is the plain command line.
How to Get AD Group Members List Using CMD?
Another code-based method is the command prompt, using the dsquery and dsget tools (they need the same RSAT AD DS tools as the PowerShell module). To open and use it:
- Press the Windows key + R.
- Type cmd in the run box
- Type the following query at the prompt (this form is for an interactive cmd session; inside a .bat file, write %%G instead of %G):

```cmd
for /f "delims=" %G in ('dsquery group -limit 0') do @echo Group: %G & dsget group %G -members
```
This command-line query to list members of an AD group follows the same logic as the PowerShell script.
The "dsquery group -limit 0" part lists every group in the domain (dsquery stops at 100 results by default; 0 removes the limit) and returns each one as a quoted distinguished name. For every group, the loop prints "Group: " followed by that name, then calls "dsget group" on it with the -members switch to retrieve and display the direct members. Add -expand after -members if you also want the members of nested groups.
This should get you the required Active Directory group membership report. However, even with this easier approach, administrators do not have the control they want.
For anything more detailed the commands need further refinement, so admins without a scripting background may not get accurate results. The security-relevant point is the reverse of what you might expect: dsquery and dsget only read the directory, and by default any authenticated domain user can read group membership, so an attacker with a foothold on a single domain-joined machine can run exactly these commands (or their LDAP equivalents) to map out the privileged groups during reconnaissance. They do not grant access by themselves, but they tell an attacker where to aim.
There is a sure-shot way to skip these limitations, and with GUI-based software at that.
Automated Approach to Export AD Group Members to CSV without PowerShell
Hands down the best tool to create a full Active Directory group membership report is SysTools AD Reporting Tool. It gives the admin full control to view and extract data about the members of a specific group, and shows members of AD groups without relying on complex scripts.
The report can be tailored to your organization's current requirements: if admins want to see the group creation date, they select that column, and filters for more specific requests, such as Distribution or Security groups only, are also available.
Also Read: Why you need ADMT Replacement for AD Migration
On top of that, if admins want to verify whether any changes were made to a group, the Modified column covers exactly that scenario. Now that we have an overview of the tool's capabilities, let's see how to use it.
Steps to Get Active Directory Group Membership Report via the Tool
Step 1. Download and launch the tool, then enter “administrator” in the User ID and Password boxes.
Step 2. Activate the tool that can list AD groups and press the “REGISTER DOMAIN CONTROLLER” icon.
Step 3. Type Domain Friendly Name and IP address for your AD hit Save & Continue.
Step 4. You arrive at the Domain details page where you have to put the Admin credentials for your domain and validate them.
Step 5. Go to the Report tab to view the reporting options. Select group as the workload and All as the subcategory.
Step 6. Use the breadcrumb-style filter menu as a guide to see which report you are about to extract. Change the All category to unlock the duration picker.
Step 7. Select a time period out of 5, 7, 10, 30, 60, 90 days, or 1 year starting from the present date. With the custom option, you can set a starting and ending date yourself.
Step 8. Hit the preview button to see the group membership laid out column by column. A total count of all Active Directory groups in the list is shown at the bottom of the screen.
Step 9. Click on the arrow within the Download Report button and tap on CSV.
Step 10. Click on the Download option once again that appears inside the popup box.
Step 11. Browse for the location where you want to keep the report data and hit the Save icon in the Save as window.
Step 12. The CSV file containing the list of AD groups can be opened in any text editor or spreadsheet.
Your AD also comes with native GUI methods. It would be unfair to skip them, so here they are.
Active Directory Users and Computers Snap-in to View Group Member List
- Launch the ADUC, select a Domain, and click on the search button from the toolbar.
- In the Find Users, Contacts, and Groups window go to the Advanced tab.
- For the Field section hover over Group and select Members from the Context Menu.
- Set the condition to “Present” and click Add > Find Now.
- Click on a Group from the list.
- Open the Members tab in its Properties box.
- This will show you all the users/objects that are part of this AD group.
To look at the groups with no members, change the “Present” condition to “Not Present”.
Then follow the rest of the steps as before; this time the Members tab will be empty.
In the ADUC Find window you cannot copy or export the results. To get out of preview-only mode, ADUC has an Export List function, which writes the objects currently shown in the right-hand pane (the group names and the visible columns, not the members of each group) to a text or CSV file. For that:
- Toggle the “Set Filtering options” icon.
- Mark the radio button in front of “Show only the following types of objects“
- Select “Groups” and Click on OK.
- Now browse through the different OU’s and Containers. Every object that is not a Group is hidden from view so you only see the required items.
- Once you have a list you want to keep, use Action > Export List (or the Export List icon on the toolbar).
- A Save As window opens; choose where to save the file and its format (tab- or comma-delimited text, with or without Unicode).
- Hit Save.
Admin Center results can be copied and pasted into an Excel sheet, which is why some consider it the superior built-in option for admins.
Get the Active Directory Group Membership Report via the Admin Center
- Open ADAC (dsac.exe).
- Click Global Search in the left-hand pane.
- Toggle the “Convert to LDAP” option.
- Paste the following LDAP filter:

```
(&(objectCategory=group)(objectClass=group)(member=*))
```
- Click on Apply
- The first result should be automatically selected, to change the AD group whose member list is required simply select it.
- Then click on the properties option from the right-hand pane.
- Go to the Members tab and view the list.
To export the AD group membership data, select all results, press Ctrl + C, open a new Excel workbook or Notepad, and press Ctrl + V.
If you want a list of AD groups with no members in them, make a small adjustment to the LDAP query:

```
(&(objectCategory=group)(objectClass=group)(!(member=*)))
```

The exclamation mark in front of the member clause negates it, so the query now returns groups whose member attribute is empty. One caveat: member only records explicit memberships. Users whose primary group is the group (set by primaryGroupID, which is 513 for Domain Users) are not listed in member, so this filter reports Domain Users, and Domain Computers for the same reason, as empty even though they are not.
To confirm, check the member list of any of the groups in the results the same way we did for populated groups.
Although this provides a member list, admins still have no idea when each member joined the group. Your domain controllers' Security event log has that information, viewed through Event Viewer. Let's see how.
Check the Event Viewer and Bypass PowerShell to List Users in a Group
An unorthodox way to track user presence in an Active Directory group is the Security log in Event Viewer. Every member addition and removal is logged, with its own event ID, on the domain controller that processed the change, as long as the Audit Security Group Management subcategory (on by default on domain controllers) and, for distribution groups, Audit Distribution Group Management (off by default) are enabled. From these entries admins can reconstruct who joined or left a group and when. Combining them with the group creation events also helps separate empty groups from populated ones.
Here are the steps to use the Event Viewer for this task.
- On a domain controller, press Windows + R, type “eventvwr.msc” in the Run box and press Enter.
- Once Event Viewer opens, expand Windows Logs and select Security in the left-hand pane.
Now scroll through the list until you see one or more of the following IDs.
4731: A security-enabled local (domain local) group was created.
4732: A member was added to a security-enabled local group.
4733: A member was removed from a security-enabled local group.
4749: A security-disabled (distribution) global group was created.
4751: A member was added to a security-disabled global group.
4752: A member was removed from a security-disabled global group.
Global and universal security groups log their own IDs: 4727, 4728 and 4729 (created, member added, member removed) for global groups, and 4754, 4756 and 4757 for universal groups. Domain Admins, for example, is a global group, so a new domain admin shows up as event 4728, not 4732.
Source: Microsoft
Use Find to save time or, better, create a Custom View in Event Viewer with these IDs so the filter is repeatable. We recommend this, as you will almost certainly have to check AD group membership again in the future, and the saved view also acts as a guide for whoever takes over your role later.
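The same Security-log search, scripted, as an added example that is not part of the original article: it pulls the member-added and member-removed events for all six group types from a domain controller, extracts the group, the member and the account that made the change from the event XML, and writes the result to CSV. The DC name DC01 and the C:\Reports folder are placeholders; it assumes group-management auditing is enabled and that you can read the DC's Security log.

```powershell
# Added example, not from the original article.
# Reads group-membership change events from a DC's Security log and exports
# who added/removed which member to/from which group, and when.
# Assumptions: DC01 and C:\Reports\ are placeholders; group management
# auditing is enabled; the caller can read the Security log remotely.
$memberEvents = @{
    4728 = 'Added'; 4729 = 'Removed'   # security-enabled global
    4732 = 'Added'; 4733 = 'Removed'   # security-enabled local
    4756 = 'Added'; 4757 = 'Removed'   # security-enabled universal
    4746 = 'Added'; 4747 = 'Removed'   # distribution local
    4751 = 'Added'; 4752 = 'Removed'   # distribution global
    4761 = 'Added'; 4762 = 'Removed'   # distribution universal
}

function Get-GroupMembershipChanges {
    param (
        [string]$ComputerName = 'DC01',              # placeholder DC name
        [datetime]$Since = (Get-Date).AddDays(-30),
        [string]$GroupName                            # optional: one group only
    )

    $filter = @{ LogName = 'Security'; Id = @($memberEvents.Keys); StartTime = $Since }

    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop |
        ForEach-Object {
            # EventData fields are named in the event XML; read them by name
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            [pscustomobject]@{
                Time      = $_.TimeCreated
                EventId   = $_.Id
                Action    = $memberEvents[$_.Id]
                Group     = "$($data.TargetDomainName)\$($data.TargetUserName)"
                Member    = $data.MemberName        # DN of the account added/removed
                MemberSid = $data.MemberSid
                ChangedBy = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                DC        = $_.MachineName
            }
        } |
        Where-Object { -not $GroupName -or $_.Group -like "*\$GroupName" }
}

# Last 30 days of changes to Domain Admins, newest first
Get-GroupMembershipChanges -GroupName 'Domain Admins' |
    Sort-Object Time -Descending |
    Export-Csv -Path 'C:\Reports\DomainAdminsChanges.csv' -NoTypeInformation -Encoding UTF8
```

Each domain controller logs only the changes it processed itself, so for a complete picture run this against every DC (Get-ADDomainController -Filter * lists them) or against a central log collector, and remember that the lookback is bounded by the Security log's retention.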
Conclusion
In this guide, we explained how to get an Active Directory group membership report from scratch. Admins saw what complete group data from AD looks like and why PowerShell scripts are not always the best approach for extracting it. As an alternative, we introduced the best option on the market. Use it and free yourself from problematic PowerShell commands.
Frequently Asked Questions
Q. How to use PowerShell to get a security Group member list?
Add a category check to the same script, inside the foreach loop before the group is processed:

```powershell
$group.GroupCategory -eq 'Security'
```

Only groups for which this expression is true are then handled, which restricts the output to security groups (use 'Distribution' for the other category). The rest of the code stays as it is. If you find the process tough, you can always use the tool, which has a built-in filter for both security and distribution groups.
Q. Is it possible to export user group membership to CSV for further analysis?
Yes. The PowerShell script's output can be exported to CSV, the command-line query can be redirected to a text file, and ADUC's Export List can save a delimited file after filtering the results (the group list, not each group's members). Those who use the Active Directory Administrative Center have to select, copy and paste the results manually. No manual intervention is needed with the tool, which generates a ready-to-use CSV.
Q. I believe I am unable to get members of the AD group via PowerShell or otherwise due to them being empty. Is it possible to know for sure?
The following PowerShell command lists all groups whose member attribute is empty:

```powershell
Get-ADGroup -Filter * -Properties Members | Where-Object { -not $_.Members } | Select-Object Name
```

Note that member only records explicit memberships, so Domain Users and Domain Computers appear in this list even though every user and computer belongs to one of them through primaryGroupID.
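Serving both this question and the Admin Center LDAP filters earlier in the guide, here is an added example (not from the original article) that runs the two filters from PowerShell and then separates groups that are truly empty from those, like Domain Users, that only look empty because their members are attached through primaryGroupID. It assumes the ActiveDirectory module and read access to the domain.

```powershell
# Added example, not from the original article.
# Runs the two ADAC LDAP filters from PowerShell and checks each
# "empty" group for primary-group members that 'member' does not record.
# Assumption: ActiveDirectory module present, read access to the domain.
Import-Module ActiveDirectory

$base = '(&(objectCategory=group)(objectClass=group)'

# Groups with at least one explicit member (the first ADAC filter)
$populated = Get-ADGroup -LDAPFilter "$base(member=*))"

# Groups with no explicit member (the negated ADAC filter)
$noExplicit = Get-ADGroup -LDAPFilter "$base(!(member=*)))"

function Test-GroupTrulyEmpty {
    param ($Group)   # an ADGroup object from Get-ADGroup
    # The group's RID is the last component of its SID. Any user or computer
    # whose primaryGroupID equals that RID is a member without being in 'member'.
    $rid = $Group.SID.Value.Split('-')[-1]
    $primary = Get-ADObject -LDAPFilter "(primaryGroupID=$rid)" -ResultSetSize 1
    return ($null -eq $primary)
}

$report = foreach ($g in $noExplicit) {
    [pscustomobject]@{
        Name            = $g.Name
        Category        = $g.GroupCategory
        Scope           = $g.GroupScope
        ExplicitMembers = 0
        TrulyEmpty      = Test-GroupTrulyEmpty -Group $g   # $false for Domain Users
    }
}

"{0} groups with explicit members, {1} without" -f @($populated).Count, @($noExplicit).Count

# Only the groups that really have nobody in them
$report | Where-Object TrulyEmpty | Sort-Object Name | Format-Table -AutoSize
```

Primary-group membership is the only hidden form of direct membership; groups that are empty here but nested inside other groups are still empty, so this check is complete for "who is directly in this group".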
Q. Is it possible to check for nested group memberships in Active Directory?
Yes. It takes a few tweaks to the PowerShell; here is a base script you can use. It recurses into nested groups and keeps a set of groups already visited, because circular nesting (group A in B and B in A) would otherwise make the recursion run forever.

```powershell
Import-Module ActiveDirectory

# Recursively list a group's members and nested groups with colour coding.
# $Visited guards against circular nesting and repeated sub-groups.
function Get-GroupMembers {
    param (
        [string]$GroupName,
        [int]$Level = 0,
        [System.Collections.Generic.HashSet[string]]$Visited = (New-Object 'System.Collections.Generic.HashSet[string]')
    )

    # Indentation for the current nesting level
    $indent = ' ' * ($Level * 4)

    # Display the group name in yellow
    Write-Host "$indent+ Group: $GroupName" -ForegroundColor Yellow

    # Stop if this group was already expanded higher up in this tree
    if (-not $Visited.Add($GroupName)) {
        Write-Host "$indent  (already listed above, not expanded again)" -ForegroundColor Red
        return
    }

    # Retrieve the direct members once
    $members = Get-ADGroupMember -Identity $GroupName -ErrorAction SilentlyContinue

    foreach ($member in $members) {
        if ($member.objectClass -eq 'group') {
            # Nested group: descend one level, sharing the visited set
            Get-GroupMembers -GroupName $member.SamAccountName -Level ($Level + 1) -Visited $Visited
        }
        elseif ($member.objectClass -eq 'user') {
            # User: display the logon name in green
            Write-Host "$indent- User: $($member.SamAccountName)" -ForegroundColor Green
        }
    }
}

# Main script: process every group in AD as a top-level group
$groups = Get-ADGroup -Filter * -ErrorAction SilentlyContinue
foreach ($group in $groups) {
    Write-Host "Processing Group: $($group.Name)" -ForegroundColor Cyan
    Get-GroupMembers -GroupName $group.SamAccountName
    Write-Host '--------------------------------------' -ForegroundColor DarkCyan
}
```