How to Export User Group Membership from Active Directory
AD admins often ask how to export user group membership from Active Directory using PowerShell or other methods. This is because knowing which users are in a group helps in permission assignment and resource distribution in the active directory.
Table of Contents
Whether you need to create a new group or put users in an existing group. Broadly speaking, administrators end up searching for user group relations in two ways
The first option: check the Groups for Members.
The second is looking at the User and getting all the Groups in which they present.
Both of these methods are possible via PowerShell.
How to Export User Group Membership from Active Directory With PowerShell
Similar to when users had to bulk add users to Active Directory. Open a PowerShell Module on your AD workstation and type.
Get-ADUser -Filter * -Properties memberOf | Select-Object Name, MemberOf
To view a group-side version of this type.
Clear-Host # To reset the screen Get-ADGroup -Filter * -Properties Members | Select-Object Name, Members
Apart from these cmdlets, you can try out the following script as well
# Get all groups in the Active Directory
$groups = Get-ADGroup -Filter *
foreach ($group in $groups) {
# Get all members of the current group
$members = Get-ADGroupMember -Identity $group
# Output the group name
Write-Output "Group: $($group.Name)"
# Output each member of the group, but only if it is a user
foreach ($member in $members) {
if ($member.objectClass -eq 'user') {
Write-Output " - Member: $($member.Name)"
}
}
Write-Output "--------------------------------------"
}
Another Script to Get the User’s Group List you can add additional lines of code and export all AD groups and members to CSV:
# Get all users in the Active Directory
$users = Get-ADUser -Filter * -Properties MemberOf
foreach ($user in $users) {
# Output the user's distinguished name
Write-Output "User: $($user.SamAccountName)"
# Check if the user is a member of any groups
if ($user.MemberOf.Count -gt 0) {
# Loop through each group the user is a member of
foreach ($group in $user.MemberOf) {
# Get the group object to get the group name
$groupObj = Get-ADGroup -Identity $group
Write-Output " - Group: $($groupObj.Name)"
}
} else {
Write-Output " - No group memberships found."
}
Write-Output "--------------------------------------"
}
Use Windows PowerShell ISE to save and run the script. PowerShell is not the only code-based Group membership finder there are a series of Command line tools available as well.
Command line Code to Methods to View Active Directory Group Membership
In the same way we used to disable multiple users in AD press Windows Key + R.
Put cmd in the Open dialog box Press Enter
Type
net user %username% | findstr /C:”Group”
This will list all the groups that the current user is part of
To see the group of any other user on the domain. Replace the “%username%” variable with that particular username.
If you do not want to repeat the process again and again use the dsquery method instead. However, neither of the command line methods can export all AD groups and members to CSV or otherwise.
Type cls on the command line instance to clear the screen. Then enter
dsquery group domainroot | dsget group -members -expand | findstr /C:”CN”
You can run the query without the findstr parameter, it will then show you all the Groups even the ones that have no users.
Your active directory has some prebuilt graphical interfaces that you may very well use to see user groups in AD.
Native way to Check AD Group Membership GUI
First up we have the well-known Active Directory Users and Computers portal. To use it.
- Open ADUC
- Go to Users whose Group list you want to view
- Right Click on User > Select Properties
- Select Member Of
- Every group that this user is part of will appear on your screen.
You can also check the groups themselves to see the member list. However, unlike the Users Container, the Groups don’t have a specific location so for finding the members, we employ the following approach:
- In the ADUC
- Click on your domain
- From the tool ribbon, open the Search Box
- Toggle Advanced
- Click on Field
- Hover on Group
- Select Members
- Click on Add > Find Now
- The entire member list of the Group can be seen.
ADUC is not the only GUI portal in your Active Directory. Moreover, in case the Users and Computer Snap-In is not available, admins have no choice but to use the AD Admin Center.
- In the Server Manager, Click on Tools
- Select Active Directory Admin Center
- Inside ADAC go to Users > Select One > Click on Properties.
- Toggle the Members Of tab.
In ADAC, you also you get the option to view members directly inside a particular group.
Use the Global Search to find the Group > Toggle Properties > Select Members.
But the problem is in both the traditional Active Directory GUI options, you are stuck on view only portal. Don’t worry, as there is a way to export user group membership results into a sharable format.
You just have to choose a professional solution that bypasses all the limitations of previously discussed traditional methods.
Best Way to Export User Group Membership from Active Directory
Use SysTools Active Directory Reporting Software. It combines the exporting ability of PowerShell with the ease of a GUI. Not only that but is faster and easier to setup too.
You can run the tool on any workstation, even if it does not host your AD. It can do so by making use of the admin permissions and IP address so you can track the Group membership status remotely in real-time.
Simple Steps to List User Groups in AD
- Launch the tool and press the login button.
- Click on Register Domain Controller
- Type the Domain Friendly name and IP then press Save & Continue
- Type your Admin credentials in the Domain Details page and Validate.
- Go to the Reports Tab and Select the Group Users option.
- Choose a default duration or set a custom date range.
- Click on Preview to see the results directly inside the tool’s dashboard.
- Press the Download button and select CSV.
- Save the output in an appropriate location.
Conclusion
With this tutorial, admins no longer have to worry about how to export user group membership from Active Directory. Moreover, if the native PowerShell commands feel overwhelming, we have included a bunch of other methods to get a list of ad groups a user is a member of. Out of all the available methods, the professional tool that is prescribed is the most optimal choice.
Frequently Asked Questions
Why would I export a group membership report from the Active Directory?
There are a multitude of reasons that seem to fit the cause. Like finding shared folders in AD. Resolving user access/policy control issues. Performing security checks to identify attack surfaces.
Why is it better to check the user’s group directly than to scan through the group member list?
Depending on the situation, any one of the approaches can be preferred. However, the user-side option has a slight edge as it can natively ignore all user-less groups while listing orphan users.
Can I Apply Filters to make the Group report more specific?
Most methods allow for filtering. However, for PowerShell, and command line methods, admins need to have a thorough understanding of the scripts. If they lack technical know-how, they can always switch to the automated utility.
Can I schedule to export the AD group membership report regularly?
Yes if you want you can combine the task scheduler application with the default script provided here it is possible to self-automate the reporting process. However, it requires a deep understanding of PowerShell scripts and the Windows operating system.
What is the maximum number of Groups that can exist inside a domain at any given time?
There isn’t a specific limit for the number of groups, it is bound by the overall maximum number of objects within a domain. That is 2.15 billion. This limit is shared among all object types (i.e. users, computers, and OU).
What is the membership threshold limit for AD Groups and how many groups can a user be part of?
For security groups, the membership count caps at 5000, while distributed groups can have up to 100,000 members. A single user cannot be part of more than 1015 groups (both security and distributed combined).
