Get AD Group Members Recursively

Many of us use PowerShell Active Directory Module and have been stumbled upon this issue as this module does not have option to get indirect membership.

I have utilized Quest Active Directory module a lot and that has nice option to get nested group membership with -indirect parameter.

Get-QADGroupMember -Identity “Test Nested Group members” -Indirect

How to achieve the same behavior with inbuilt Active Directory module without relying on Third-party?

You can use Get-ADGroupMember -Identity “Test Nested Group” but it will not extract the members recursively.

I have written a function to extract the members recursively from any group that has nested groups.

Get-ADGroupMembersRecursive -Groups “Test Nested Group”

You can even extract different properties apart from default by using below example cmdlet

Get-ADGroupMembersRecursive -Groups “Test Nested Group” -Properties employeeid

You can also extract members from multiple groups recursively at the same time.

Get-ADGroupMembersRecursive -Groups “Test Nested Group1″ ,”Test Nested Group2”

I have updated this function in the new version of vsadmin module

Here is the function code:

Function Get-ADGroupMembersRecursive{
Param(
[Parameter(Mandatory = $true,ValueFromPipeline=$true)]
[ValidateNotNullOrEmpty()]
[String[]]$Groups,
[ValidateNotNullOrEmpty()]
[String[]]$Properties
)
Begin{
$Results = @()
[String[]]$defaultproperties = "distinguishedName","name","objectClass","objectGUID","SamAccountName","SID"
$Properties+=$defaultproperties
$Properties = $Properties | Sort-Object -Unique
}
Process{
ForEach($adobj in $Groups){
$getgroupdn = (Get-ADGroup -identity $adobj).DistinguishedName
$findallgroups = Get-ADGroup -identity $getgroupdn -Properties members| Select-Object -ExpandProperty members | get-adobject | Where-Object{$_.objectClass -eq "Group"} |Select DistinguishedName
$Results+=$getgroupdn
ForEach($Object in $findallgroups){
Get-ADGroupMembersRecursive $Object.DistinguishedName -Properties $Properties
}
}
}
End{
$Results = $Results | Select-Object -Unique
$collgroupmembers=@()
foreach($item in $Results){
$arrgroupmembers =@()
$arrgroupmembers = Get-ADGroup -id $item -Properties members | Select-Object -ExpandProperty members |get-adobject | Where-Object{$_.objectClass -eq "user"} | Get-ADUser -properties $Properties | Select-Object $Properties
$collgroupmembers+=$arrgroupmembers
}
$collgroupmembers
}
} #Get-ADGroupMembersRecursive

Thanks for reading and utilizing it..

Tech Wizard

https://techwizard.cloud

https://syscloudpro.com/

8 thoughts on “Get AD Group Members Recursively”

Pingback: PowerShell System Admin Module | Tech Wizard

Pingback: Check If AD User Is Member Of Group | Tech Wizard

Can you please add group name into the result. If we are retrieving recursively then we want know member’s group also.

Tech Wizard (Sukhija Vikas) says:

January 24, 2021 at 5:42 pm

I may add in next version if many people want it..

Reply

Pingback: Get AD Group Members Recursively V2 | Tech Wizard

As far as I know this does nothing more than Get-ADGroupMember groupname -Recursive

I am hoping to find what subgroup they are in. We have large, nested groups and it gets to be tedious to figure out how they get access to items assigned with this large group.

Tech Wizard (Sukhija Vikas) says:

June 25, 2024 at 9:16 pm

It does more than that you can add user properties required to be exported and also you can know groups as well for users, check its parameters..

Reply
- Tech Wizard (Sukhija Vikas) says:
  
  June 25, 2024 at 9:18 pm
  
  Use vsadmin module for updated function