It can get very complex to figure out just who has access to a particular group or folder once security groups become nested. One security group has other security groups as members, each of those may contain still more groups, and the picture gets messy fast.
To list all the members of an Active Directory group, including nested groups, you can use the Get-ADGroupMember cmdlet in PowerShell. This command retrieves users, groups, and computers that are part of the specified group.
Get-ADGroupMember -Identity "YourGroupName" -Recursive | ft
and if you want to output it to a text file, so you can open it in Excel to sort and filter it, use
Get-ADGroupMember -Identity "YourGroupName" -Recursive | ft | Out-File c:\temp\Group.txt
Replace “YourGroupName” with the actual name of the Active Directory group you want to query.
The -Recursive parameter ensures that the members of nested groups are included in the results (the output is a flattened list of the accounts found, not the intermediate groups), and
| ft tells PowerShell to format the output as a table (ft is the alias for Format-Table).
This command will display a table with the members’ details, including their names, distinguished names, and object classes.
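The flattened list answers "who is in the group" but not "through which nested group did they get there", which is the question that matters when auditing access. The following script is an added example, not part of the original post: it walks the membership tree with a non-recursive Get-ADGroupMember call at each level, records the nesting path for every member, guards against circular nesting, and exports to CSV for Excel. It assumes the ActiveDirectory module (RSAT) is installed and a domain controller is reachable; "YourGroupName" and the output path are placeholders.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory
# module is available and you can query a domain controller.
Import-Module ActiveDirectory

function Get-NestedGroupMembership {
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        [string] $Path = $GroupName,
        [System.Collections.Generic.HashSet[string]] $Visited =
            [System.Collections.Generic.HashSet[string]]::new()
    )

    # Resolve the group once so the DN can be used as an unambiguous key.
    $group = Get-ADGroup -Identity $GroupName

    # Guard against circular nesting (A contains B, B contains A), which
    # would otherwise recurse forever. Add() returns $false if already seen.
    if (-not $Visited.Add($group.DistinguishedName)) { return }

    # Deliberately NOT using -Recursive here: nested groups must come back
    # as group objects so we can descend into them and keep the path.
    foreach ($m in Get-ADGroupMember -Identity $group.DistinguishedName) {
        $memberPath = "$Path > $($m.SamAccountName)"
        [PSCustomObject]@{
            Member       = $m.SamAccountName
            ObjectClass  = $m.objectClass
            DirectParent = $group.Name
            Depth        = ($Path -split ' > ').Count
            NestingPath  = $memberPath
        }
        if ($m.objectClass -eq 'group') {
            Get-NestedGroupMembership -GroupName $m.DistinguishedName `
                                      -Path $memberPath `
                                      -Visited $Visited
        }
    }
}

# Placeholder group name; replace with the group you are auditing.
$results = Get-NestedGroupMembership -GroupName "YourGroupName"

# On screen, sorted so each nested group's members sit under it.
$results | Sort-Object NestingPath |
    Format-Table Member, ObjectClass, Depth, NestingPath -AutoSize

# For Excel: Export-Csv keeps real columns, unlike Format-Table | Out-File.
$results | Export-Csv -Path C:\temp\Group.csv -NoTypeInformation

# Check worth doing on any sensitive group: accounts that reach it through
# more than one nesting path (removing them from one group is not enough).
$results | Where-Object ObjectClass -ne 'group' |
    Group-Object Member | Where-Object Count -gt 1 |
    Select-Object Name, Count
```

Two caveats a practitioner will run into: Get-ADGroupMember fails with a "size limit" error on groups larger than the ADWS default of 5000 members, in which case querying the group's member attribute with Get-ADGroup -Properties member is the usual workaround; and the Depth column counts hops from the top-level group, so Depth 1 rows are the direct members that the plain command on its own already shows.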
Here are some other details you may find useful if you are trying to export group names:
The basic syntax for Get-ADGroupMember is as follows:
Get-ADGroupMember [-Identity] [-Properties ] [-Server ] [-ShowMemberTimeToLive]
- Identity: Specifies the Active Directory group to retrieve. You can use the group’s DN, GUID, SID, or SAM account name.
- Properties: Allows you to specify additional properties to retrieve for each member.
- Server: Specifies the domain controller to query.
- ShowMemberTimeToLive: Displays the time-to-live (TTL) for group membership.