Learn how to use PowerShell to export information about the default groups in Active Directory, such as name, description, members, and member of.
Active Directory (AD) is a directory service that stores information about users, computers, groups, and other objects in a network. AD uses groups to organize objects and assign permissions and roles. Some groups are created automatically when you install a domain controller, and they are called default groups. These groups are located in the Builtin and Users containers, and they have predefined functions and privileges.
In this article, you will learn how to use PowerShell to export information about the default groups in AD, such as name, description, members, and member of. You will also learn how to use the Get-ADGroup cmdlet and the Filter, LDAPFilter, SearchBase, and SearchScope parameters to query and retrieve the groups. Finally, you will learn how to export the results to a CSV file for further analysis or reporting.
Using the Get-ADGroup cmdlet
The Get-ADGroup cmdlet is a PowerShell command that allows you to get one or more AD groups or perform a search to retrieve multiple groups. You can use the Identity parameter to specify the group by its name, distinguished name (DN), GUID, security identifier (SID), or Security Accounts Manager (SAM) account name. For example, to get the Administrators group, you can use the following command:
Get-ADGroup -Identity Administrators
This command will return the basic properties of the group, such as name, group category, group scope, object class, object GUID, SAM account name, and SID. To get additional properties, such as description, members, and member of, you can use the Properties parameter and specify the attributes you want to see. For example, to get the description, members, and member of properties of the Administrators group, you can use the following command:
Get-ADGroup -Identity Administrators -Properties Description, Members, MemberOf
Using the Filter and LDAPFilter parameters
If you want to get more than one group, you can use the Filter or LDAPFilter parameters to specify a query string that matches the groups you want to retrieve. The Filter parameter uses the PowerShell Expression Language to write query strings for AD, while the LDAPFilter parameter uses the Lightweight Directory Access Protocol (LDAP) query syntax. For example, to get all the groups that have the word “Admin” in their name, you can use the following command:
Get-ADGroup -Filter {Name -like "*Admin*"}
To get the same result using the LDAPFilter parameter, you can use the following command:
Get-ADGroup -LDAPFilter "(name=*Admin*)"
Using the SearchBase and SearchScope parameters
By default, the Get-ADGroup cmdlet searches for groups in the entire domain. However, you can use the SearchBase and SearchScope parameters to limit the search to a specific container or organizational unit (OU) and to specify the depth of the search. The SearchBase parameter takes a DN of the container or OU where you want to start the search, while the SearchScope parameter takes one of the following values:
- Base: Searches only the specified container or OU object itself, not its children.
- OneLevel: Searches the immediate children of the specified container or OU.
- Subtree: Searches the specified container or OU and all its descendants.
For example, to get all the groups in the Builtin container, you can use the following command:
Get-ADGroup -Filter * -SearchBase "CN=Builtin,DC=contoso,DC=com" -SearchScope OneLevel
To get all the groups in the Users container and its subcontainers, you can use the following command:
Get-ADGroup -Filter * -SearchBase "CN=Users,DC=contoso,DC=com" -SearchScope Subtree
Exporting the results to a CSV file
After you get the groups you want, you can export the results to a CSV file for further analysis or reporting. To do this, you can use the Export-Csv cmdlet and specify the path and name of the CSV file. For example, to export all the groups in the domain and their properties to a file named ADGroups.csv, you can use the following command:
Get-ADGroup -Filter * -Properties * | Export-Csv -Path "C:\Temp\ADGroups.csv" -NoTypeInformation
The -NoTypeInformation parameter is used to omit the type information from the CSV file. You can open the CSV file with Excel or any other application that can read CSV files.
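The following script is an added example, not part of the original article: it combines the steps above into one export of the groups in the Builtin and Users containers and joins the multi-valued Members and MemberOf properties into text, because Export-Csv otherwise writes the collection's type name instead of its contents. It assumes the ActiveDirectory module is installed; the output path and the column names are hypothetical.

```powershell
# Added example. Assumes the ActiveDirectory (RSAT) module and read access to the domain.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$outFile  = 'C:\Temp\DefaultADGroups.csv'   # hypothetical output path

# The two containers the article names as the location of the default groups.
$containers = "CN=Builtin,$domainDN", "CN=Users,$domainDN"

$report = foreach ($container in $containers) {
    $query = @{
        Filter      = '*'
        SearchBase  = $container
        # OneLevel returns the groups directly inside the container.
        # Base would match only the container object itself, which is not a group.
        SearchScope = 'OneLevel'
        Properties  = 'Description', 'Members', 'MemberOf', 'isCriticalSystemObject'
    }

    Get-ADGroup @query | ForEach-Object {
        [pscustomobject]@{
            Name        = $_.Name
            Container   = $container
            GroupScope  = $_.GroupScope
            SID         = $_.SID.Value
            Description = $_.Description
            # The directory's own flag for system-critical objects.
            Critical    = $_.isCriticalSystemObject
            # Direct members only: nested membership and primary-group
            # membership (for example Domain Users) are not stored here.
            MemberCount = @($_.Members).Count
            # Join the distinguished names so each CSV cell holds readable text.
            Members     = ($_.Members  | Sort-Object) -join '; '
            MemberOf    = ($_.MemberOf | Sort-Object) -join '; '
        }
    }
}

$report |
    Sort-Object Container, Name |
    Export-Csv -Path $outFile -NoTypeInformation -Encoding UTF8
```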
Frequently Asked Questions (FAQs)
Question: How can I get the group membership of a user or a computer?
Answer: You can use the Get-ADPrincipalGroupMembership cmdlet to get the groups that a user or a computer is a member of. For example, to get the groups that the user Alice is a member of, you can use the following command:
Get-ADPrincipalGroupMembership -Identity Alice
Question: How can I add or remove members from a group?
Answer: You can use the Add-ADGroupMember and Remove-ADGroupMember cmdlets to add or remove members from a group. For example, to add the user Bob to the Administrators group, you can use the following command:
Add-ADGroupMember -Identity Administrators -Members Bob
To remove the user Bob from the Administrators group, you can use the following command:
Remove-ADGroupMember -Identity Administrators -Members Bob -Confirm:$false
The -Confirm:$false parameter is used to suppress the confirmation prompt.
Question: How can I create or delete a group?
Answer: You can use the New-ADGroup and Remove-ADGroup cmdlets to create or delete a group. For example, to create a new group named TestGroup in the Users container, you can use the following command:
New-ADGroup -Name TestGroup -Path "CN=Users,DC=contoso,DC=com" -GroupScope Global -GroupCategory Security
To delete the group TestGroup, you can use the following command:
Remove-ADGroup -Identity TestGroup -Confirm:$false
Summary
In this article, you learned how to use PowerShell to export information about the default groups in AD, such as name, description, members, and member of. You also learned how to use the Get-ADGroup cmdlet and the Filter, LDAPFilter, SearchBase, and SearchScope parameters to query and retrieve the groups. Finally, you learned how to export the results to a CSV file for further analysis or reporting.
Disclaimer: The information in this article is provided “as is” without warranty of any kind. The author does not assume any liability or responsibility for the accuracy, completeness, or usefulness of the information. The author is not affiliated with Microsoft or any other company mentioned in this article. The commands and examples in this article are for illustration purposes only and should be tested and modified according to your environment and needs. Always back up your data and configuration before making any changes to your system.