Get the Members of all Security Groups in AD with PowerShell

Update 4 May 2017:

I’ve been contacted by a few people that were having trouble running the code in the Get-GroupMember function. I have replicated the error on one of my DCs but another DC in a different domain the Get-GroupMember function works fine. I’m still not entirely sure why the code works for some but not other. Anyway, I’ve posted an alternate solution below. If anyone knows why the Get-GroupMember function doesn’t always work please let me know.

 1$Groups = Get-ADGroup -Filter {GroupScope -eq 'Global' -and Members -ne "NULL"}
 2$Users = foreach( $Group in $Groups ){
 3    Get-ADGroupMember -Identity $Group | foreach {
 4        [PSCustomObject]@{
 5            Group = $Group.Name
 6            UserName = $_.SamAccountName
 7        }
 8    }
 9}
10$Users | Export-CSV C:\scripts\groups.csv -NoTypeInformation

Have you ever taken over Active Directory Administration duties at an organization that has a fully functional AD architecture? In some cases this is great, just set down in the seat and watch it all work as normal. However, at some point in time, you will need to know what users have what access to what resources, what users are Domain Admins etc…

In a smaller organizational this may not be such a daunting task, simply clicking through ADUC might suffice. In larger organizational with 100’s and users and maybe 100’s of groups, clicking through ADUC is not going to cut it.

Using some PowerShell magic this task is pretty easy no matter what the size of Active Directory, the code and video below will walk you through the process.

Caution: In a large Active Directory environment this script could put a significant workload on Servers. USE AT YOUR OWN RISK.