162

Is there a command line way to list all the users in a particular Active Directory group?

I can see who is in the group by going to Manage Computer --> Local User / Groups --> Groups and double clicking the group.

I just need a command line way to retrieve the data, so I can do some other automated tasks.

9 Answers

305

Here's another way from the command prompt, not sure how automatable though since you would have to parse the output:

If the group is a "global security group":

net group <your_groupname> /domain

If you are looking for a "domain local security group":

net localgroup <your_groupname> /domain
51

Here's a version of the ds command I found more typically useful, especially if you have a complex OU structure and don't necessarily know the full distinguished name of the group.

dsquery group -samid "Group_SAM_Account_Name" | dsget group -members -expand

or if you know the CN of the group, usually the same as the SAM ID, quoted in case there are spaces in the name:

dsquery group -name "Group Account Name" | dsget group -members -expand

As stated in the comments, by default the ds* commands (dsquery, dsget, dsadd, dsrm) are only available on a Domain Controller. However, you can install the Admin Tools pack from the Support Tools on the Windows Server installation media or download it from the Microsoft Download site.

You can also perform these queries using PowerShell. PowerShell is already available as an installable feature for Server 2008, 2008 R2, and Windows 7, but you'll need to download the WinRM Framework to install it on XP or Vista.

To get access to any AD-specific cmdlets in PowerShell you will ALSO need to perform at least one of the following installs:

Ryan Fisher
  • 2,226
41

try

dsget group "CN=GroupName,DC=domain,DC=name,DC=com" -members
pQd
  • 30,537
30

For a PowerShell solution that doesn't require the Quest AD add-in, try the following

Import-Module ActiveDirectory

Get-ADGroupMember "Domain Admins" -recursive | Select-Object name

This will enumerate the nested groups as well. If you don't wish to do so, remove the -recursive switch.

pk.
  • 6,541
19

A very easy way which works on servers and clients:

NET GROUP "YOURGROUPNAME" /DOMAIN | find /I /C "%USERNAME%"

Returns 1 if user is in group YOURGROUPNAME, else will return 0

You can then use the %ERRORLEVEL% value (0 if user in group, 1 if not) like

IF %ERRORLEVEL%==0 NET USE %LOGONSERVER%\YOURGROUPSHARE
user9517
  • 117,122
deajan
  • 191
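Added example, not part of any answer on this page: the first answer notes that net group output has to be parsed, and the find /C check above is a substring search over that same output. This PowerShell sketch parses the member table and tests membership by whole name. The function names, the sample output and the 25-character column layout (English locale) are assumptions made for illustration.

```powershell
# Constructed sample of `net group "Domain Admins" /domain` output (English locale).
# Assumed layout: member names in fixed 25-character columns, three per line.
$sample = @(
    'The request will be processed at a domain controller for domain example.test.'
    ''
    'Group name     Domain Admins'
    'Comment        Designated administrators of the domain'
    ''
    'Members'
    ''
    '-------------------------------------------------------------------------------'
    ('{0,-25}{1,-25}{2}' -f 'Administrator', 'bobby', 'svc backup')
    'zoe'
    'The command completed successfully.'
)

function ConvertFrom-NetGroupOutput {
    # Hypothetical helper: emits the member names found in net group output lines.
    param([string[]]$Line, [int]$ColumnWidth = 25)
    $inMembers = $false
    foreach ($l in $Line) {
        if (-not $inMembers) {
            # The dashed rule marks the start of the member table.
            if ($l -match '^-{10,}\s*$') { $inMembers = $true }
            continue
        }
        if ($l -match '^The command completed') { break }
        # Slice by column width instead of splitting on whitespace,
        # so names that contain spaces stay in one piece.
        for ($i = 0; $i -lt $l.Length; $i += $ColumnWidth) {
            $len  = [Math]::Min($ColumnWidth, $l.Length - $i)
            $name = $l.Substring($i, $len).Trim()
            if ($name) { $name }
        }
    }
}

function Test-NetGroupMember {
    # Hypothetical helper: exact, case-insensitive match on a whole member name.
    param([string[]]$Line, [string]$UserName)
    @(ConvertFrom-NetGroupOutput -Line $Line) -contains $UserName
}

$members = @(ConvertFrom-NetGroupOutput -Line $sample)
$members -join ', '
# 'bob' is only a substring of the constructed member 'bobby'.
Test-NetGroupMember -Line $sample -UserName 'bob'
Test-NetGroupMember -Line $sample -UserName 'BOBBY'
```

Against a live domain, pass the command's output lines in place of $sample, for example -Line (net group "Domain Admins" /domain).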
9

Using PowerShell and Quest Software's Free ActiveRoles Management Shell for Active Directory, you can use:

(Get-QADGroup "GroupName").Members

http://www.quest.com/powershell/activeroles-server.aspx

7

The answers here using dsget and dsquery will only work on server versions of Windows, as those commands aren't shipped on other versions of Windows (e.g. Windows 7). On machines without those commands you can get the information you want using the AdFind command.

Here's an example query for getting group membership:

AdFind.exe -default -f name="Domain Admins" member -list
markshep
  • 218
4

To display the members of UserGroup1, try:

dsquery group -name UserGroup1 | dsget group -members | dsget user -display
jscott
  • 25,114
vadim
  • 51
4

How to list local groups and users?

Use the following PowerShell script to list the local groups and members of those groups.

$server = "YourServerName"
$computer = [ADSI]"WinNT://$server,computer"

# Walk the computer's child objects and keep only the local groups
$computer.psbase.children | where { $_.psbase.schemaClassName -eq 'group' } | foreach {
    write-host $_.name
    write-host "------"
    $group = [ADSI]$_.psbase.Path
    # Members() returns COM objects; read each member's Name property via reflection
    $group.psbase.Invoke("Members") | foreach {
        $_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)
    }
    write-host
}

Copy the text above into Notepad and save as filename.ps1. Then run the file. It should display the Groups and Users in each group, or you can just run this from PowerShell.

peterh
  • 5,017