  • File Get-ADGroupMembers.ps1 — part of check-in [8b366a7556] at 2018-06-10 13:13:49 on branch trunk — This function returns an object that contains all the properties of a user object. This function works for small groups as well as groups in excess of 1000. (user: Jeff Patton size: 4586)

# encoding: ascii
# api: powershell
# title: Get-ADGroupMembers
# description: This function returns an object that contains all the properties of a user object. This function works for small groups as well as groups in excess of 1000.
# version: 0.1
# type: function
# author: Jeff Patton
# license: CC0
# function: Get-ADGroupMembers
# x-poshcode-id: 2658
# x-derived-from-id: 3746
# x-archived: 2015-06-22T16:56:34
# x-published: 2011-05-06T07:45:00
Function Get-ADGroupMembers
{
    <#
        .SYNOPSIS
            Return a collection of users in an ActiveDirectory group.
        .DESCRIPTION
            This function returns an object that contains all the properties of a user object. This function
            works for small groups as well as groups in excess of 1000.
        .PARAMETER UserGroup
            The name of the group to get membership from.
        .PARAMETER UserDomain
            The LDAP URL of the domain that the group resides in.
        .EXAMPLE
            Get-ADGroupMembers -UserGroup Managers |Format-Table -Property name, distinguishedName, cn

            name                             distinguishedName                cn
            ----                             -----------------                --
            {Steve Roberts}                  {CN=Steve Roberts,CN=Users,DC... {Steve Roberts}
            {S-1-5-21-57989841-1078081533... {CN=S-1-5-21-57989841-1078081... {S-1-5-21-57989841-1078081533...
            {S-1-5-21-57989841-1078081533... {CN=S-1-5-21-57989841-1078081... {S-1-5-21-57989841-1078081533...
            {Matt Temple}                    {CN=Matt Temple,CN=Users,DC=c... {Matt Temple}

            This example shows passing in a group name, but leaving the default domain name in place.
        .NOTES
            The context under which this script is run must have rights to pull information from ActiveDirectory.
    #>
    Param
    (
        $UserGroup = "Domain Users",
        [ADSI]$UserDomain = ("LDAP://DC=company,DC=com")
    )

    # Bind to the domain and prepare a searcher rooted there.
    $DirectoryEntry = New-Object System.DirectoryServices.DirectoryEntry($UserDomain.Path)
    $DirectorySearcher = New-Object System.DirectoryServices.DirectorySearcher

    # Match group objects by name. $UserGroup is inserted into the filter as-is.
    $LDAPFilter = "(&(objectCategory=Group)(name=$($UserGroup)))"

    $DirectorySearcher.SearchRoot = $DirectoryEntry
    $DirectorySearcher.PageSize = 1000
    $DirectorySearcher.Filter = $LDAPFilter
    $DirectorySearcher.SearchScope = "Subtree"

    $SearchResult = $DirectorySearcher.FindAll()
    $UserAccounts = @()

    foreach ($Item in $SearchResult)
    {
        $Group = $Item.GetDirectoryEntry()
        $Members = $Group.member
        If ($Members -ne $Null)
        {
            foreach ($User in $Members)
            {
                $UserObject = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$($User)")
                # Nested groups are skipped; every other member is returned, as in the sample output.
                If (-not $UserObject.objectCategory.Value.Contains("Group"))
                {
                    $ThisUser = New-Object -TypeName PSObject -Property @{
                        cn = $UserObject.cn
                        distinguishedName = $UserObject.distinguishedName
                        name = $UserObject.name
                        nTSecurityDescriptor = $UserObject.nTSecurityDescriptor
                        objectCategory = $UserObject.objectCategory
                        objectClass = $UserObject.objectClass
                        objectGUID = $UserObject.objectGUID
                        objectSID = $UserObject.objectSID
                        showInAdvancedViewOnly = $UserObject.showInAdvancedViewOnly
                    }
                    $UserAccounts += $ThisUser
                }
            }
        }
    }

    Return $UserAccounts
}
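
The function places `$UserGroup` into the LDAP filter unchanged, so a group name containing `(`, `)`, `*` or `\` yields an invalid filter or one that matches more than the named group. The following is an added example, not part of Jeff Patton's script: it escapes the value per RFC 4515 before building the same filter. `ConvertTo-LdapFilterValue`, `Get-GroupLdapFilter` and the sample group names are hypothetical.

```powershell
# Added example (not from the original script): RFC 4515 escaping for LDAP filter values.
Function ConvertTo-LdapFilterValue
{
    Param
    (
        [Parameter(Mandatory = $true)]
        [AllowEmptyString()]
        [string]$Value
    )

    # Replace each filter metacharacter (\ * ( ) and NUL) with a backslash
    # followed by its two-digit hex code, e.g. "(" becomes "\28".
    Return [regex]::Replace($Value, '[\\*()\x00]', {
        param($Match)
        '\{0:x2}' -f [int][char]$Match.Value
    })
}

# Hypothetical helper: builds the same filter Get-ADGroupMembers uses, with the name escaped.
Function Get-GroupLdapFilter
{
    Param
    (
        [Parameter(Mandatory = $true)]
        [string]$UserGroup
    )

    $SafeName = ConvertTo-LdapFilterValue -Value $UserGroup
    Return "(&(objectCategory=Group)(name=$SafeName))"
}

# Constructed sample names: a plain name, a name with parentheses (which would
# unbalance an unescaped filter), and a name with an asterisk (which would
# otherwise act as a wildcard and match several groups).
foreach ($Name in 'Domain Users', 'Sales (EMEA)', 'Ops*')
{
    '{0,-14} -> {1}' -f $Name, (Get-GroupLdapFilter -UserGroup $Name)
}
```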