Command line to list users in a Windows Active Directory group?
Solution 1:
Here's another way from the command prompt; not sure how automatable it is, though, since you would have to parse the output:
If group is "global security group":
net group <your_groupname> /domain
If you are looking for "domain local security group":
net localgroup <your_groupname> /domain
Solution 2:
Here's a version of the ds command I found more typically useful, especially if you have a complex OU structure and don't necessarily know the full distinguished name of the group.
dsquery group -samid "Group_SAM_Account_Name" | dsget group -members -expand
or if you know the CN of the group, usually the same as the SAM ID, quoted in case there are spaces in the name:
dsquery group -name "Group Account Name" | dsget group -members -expand
As stated in the comments, by default the ds* commands (dsquery, dsget, dsadd, dsrm) are only available on a Domain Controller. However, you can install the Admin Tools pack from the Support Tools on the Windows Server installation media or download it from the Microsoft Download site.
You can also perform these queries using PowerShell. PowerShell is already available as an installable feature for Server 2008, 2008 R2, and Windows 7, but you'll need to download the WinRM Framework to install it on XP or Vista.
To get access to any AD-specific cmdlets in PowerShell you will ALSO need to perform at least one of the following installs:
- For Win 7 and 2008 R2 clients, you can install the Remote Server Admin Tools. The RSAT also requires that you have installed the Active Directory Web Services feature on your Server 2008 R2 Domain Controllers, or the Active Directory Management Gateway Service for any Server 2003/2008 DCs.
- For any XP or higher client, download and install the Quest ActiveRoles Management Shell for Active Directory. The Quest tools do not require any additional changes to your DCs.
Solution 3:
Try:
dsget group "CN=GroupName,DC=domain,DC=name,DC=com" -members
Solution 4:
For a PowerShell solution that doesn't require the Quest AD add-in, try the following:
Import-Module ActiveDirectory
Get-ADGroupMember "Domain Admins" -recursive | Select-Object name
This will enumerate the nested groups as well. If you don't wish to do so, remove the -recursive switch.
Solution 5:
A very easy way which works on servers and clients:
NET GROUP "YOURGROUPNAME" /DOMAIN | find /I /C "%USERNAME%"
Returns 1 if the user is in group YOURGROUPNAME, otherwise returns 0.
You can then use the %ERRORLEVEL% value (0 if the user is in the group, 1 if not) like:
IF %ERRORLEVEL%==0 NET USE %LOGONSERVER%\YOURGROUPSHARE
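An added example, not from any of the answers above: the same two tasks (listing a group's members including nested groups, as in Solution 4, and testing whether the current user is in a group for a logon script, as in Solution 5) done with only .NET's System.DirectoryServices, which is present on every domain-joined Windows machine, so it needs no ds* tools, no RSAT and no Quest snap-in. It assumes Windows PowerShell 5.1 or later, a domain-joined machine whose current credentials can read the directory, and groups referred to by sAMAccountName; the function names and the YOURGROUPNAME/YOURGROUPSHARE placeholders are mine.

```powershell
# Added example, not code from the answers above. Assumes PowerShell 5.1+, a
# domain-joined host, and read access to the directory. Function names are mine.

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping: a name or DN containing \ * ( ) or NUL must not be able
    # to change the meaning of the filter we build around it.
    param([string]$Value)
    $Value = $Value.Replace('\', '\5c')                 # backslash first, or it gets double-escaped
    $Value = $Value.Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
    return $Value.Replace("`0", '\00')
}

function Get-GroupObject {
    # Look a group up by sAMAccountName in the current domain; returns DN and SID.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $sam = ConvertTo-LdapFilterValue $SamAccountName
    $searcher = [adsisearcher]"(&(objectCategory=group)(sAMAccountName=$sam))"
    [void]$searcher.PropertiesToLoad.AddRange([string[]]('distinguishedName', 'objectSid'))
    $r = $searcher.FindOne()
    if (-not $r) { throw "Group '$SamAccountName' not found in the current domain" }
    [pscustomobject]@{
        SamAccountName    = $SamAccountName
        DistinguishedName = [string]$r.Properties['distinguishedname'][0]
        Sid               = [System.Security.Principal.SecurityIdentifier]::new([byte[]]$r.Properties['objectsid'][0], 0)
    }
}

function Get-GroupMemberRecursive {
    # Every user object that is a member directly or through any depth of nesting.
    # 1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN: the DC walks the
    # nesting server-side, so there is no client-side recursion to get wrong.
    # objectCategory=person excludes computer accounts (which are objectClass=user too).
    param([Parameter(Mandatory)][string]$SamAccountName)
    $dn = ConvertTo-LdapFilterValue (Get-GroupObject $SamAccountName).DistinguishedName
    $searcher = [adsisearcher]"(&(objectCategory=person)(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=$dn))"
    $searcher.PageSize = 1000      # paged search; without it results stop at the server's size limit
    [void]$searcher.PropertiesToLoad.AddRange([string[]]('sAMAccountName', 'distinguishedName', 'userAccountControl'))
    foreach ($r in $searcher.FindAll()) {
        [pscustomobject]@{
            SamAccountName    = [string]$r.Properties['samaccountname'][0]
            DistinguishedName = [string]$r.Properties['distinguishedname'][0]
            # userAccountControl bit 0x2 = ACCOUNTDISABLE; disabled members still count as members
            Disabled          = ([int]$r.Properties['useraccountcontrol'][0] -band 0x2) -ne 0
        }
    }
}

function Test-CurrentUserInGroup {
    # Membership check for logon scripts. Compares the group's SID against the
    # group SIDs in the current access token: an exact match that already includes
    # nested groups, instead of a substring search over "net group" output, where
    # "bob" also matches "bobby" and long names are truncated to the column width.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $groupSid = (Get-GroupObject $SamAccountName).Sid
    $token = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    return $token.Groups.Contains($groupSid)
}

# Usage: the equivalents of Solution 4 and Solution 5 above.
Get-GroupMemberRecursive 'Domain Admins' | Format-Table SamAccountName, Disabled, DistinguishedName -AutoSize
if (Test-CurrentUserInGroup 'YOURGROUPNAME') { net use "$env:LOGONSERVER\YOURGROUPSHARE" }
```

Two caveats a practitioner should know. First, the memberOf-based query (like dsget group -members and Get-ADGroupMember) only sees membership recorded in the group's member attribute; users whose primaryGroupID points at the group (the usual case for Domain Users) are not returned. Second, the token check reflects the groups at logon time, so a membership change only shows up after the user logs on again, whereas the directory queries show the current state.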