A colleague contacted me yesterday. 

He said “Oh Great and Wonderful Wizard of the Shell, bequeath to the me the guidance to navigate the mystery that is Powershell so that I can easily produce a report of just WHO is in my Groups…”

Well no, he didn’t say it QUITE that way.  It was more, “Sean, you know Powershell, can we easily pull out a report, something in CSV or Excel that show’s members of Groups in Active Directory?”

The only tricky part about that question was this.  “Would you like that in one line or two?”

In truth, thanks to the new Active Directory Modules in Server 2008R2, life for the new Network Administrator in the Enterprise just got so much better thanks to GET-ADGROUPMEMBER

All you need to do to list members of a Group in Active Directory is


Done.   So You need to audit your Domain Admins or Enterprise Admins?  Piece of cake!


GET-ADGROUPMEMBER ‘Enterprise Admins’

How about a custom group you made called “Uber Secret Stuff We Won’t Share”?

You guessed it

GET-ADGROUPMEMBER ‘Uber Secret Stuff We Won’t Share’

Need that in something Excel can use?

GET-ADGROUPMEMBER ‘Domain Admins’ | EXPORT-CSV C:ListOfPeople.csv

Now of course this may pull down too much information.   Generally we just want some basic details, Like Name, SAM Account, Possibly the DN.  Patch in a SELECT-OBJECT (which allows you to “SELECT” which “OBJECTs” you want from the PIPELINE from the previous CommandLet.   Then pass it along or view it.

GET-ADGROUPMEMBER ‘Domain Admins’ | SELECT-OBJECT Name, DistinguishedName, SamAccountName | EXPORT-CSV C:ListofPeople.csv

Now this is all fine, but I prefer making this into a useful Function I can add to my $PROFILE.  So let’s do that.   Instead of typing in all this, let’s make this into a Function that could be reused easily

function global:GET-GROUPAUDIT($GroupName, $Directory) {

# Check for Directory name.   If not given Default to the C:Reports folder
if ($Directory –eq $NULL) { $Directory=’C:Reports’ }
# Build $Filename for output.  Strip spaces from GroupNames for the
# Filename.   Add Default Directory to Path
$Filename=$Directory+””+$Groupname.Replace(‘ ‘,’’)+”.csv”
# Run GET-ADGROUPMEMBER in the default domain, Select three Objects
# Name, DistinguishedName, SamAccountName
# Export the results to a CSV file
GET-ADGROUPMEMBER $GroupName | SELECT-OBJECT Name, DistinguishedName, SamAccountName | EXPORT-CSV $Filename


Now this is a very basic function that “Assumes” you’re goinig to type in the Group name and the Directory.   But what it means if you need to report this on a regular basis?  Add that function to your $PROFILE, then in your Powershell Session you can type in

GET-GROUPAUDIT ‘DomainAdmins’ C:Reports

Or easily just pipe in a list of Groups to Query on a regular basis.   This Function has also been setup to do two slightly smart things.  One it will at least ASSUME a folder called C:Reports if you don’t type it in.  Second it will create a .CSV file matching each Group Name.

There you have it.   It wasn’t hard to play with with and even easier to build on!

The Power of Shell is in YOU

The Energized Tech