How to Export Active Directory Group Members Using PowerShell


Introduction

If you manage Active Directory (AD), you’ve probably been asked more than once: “Which groups is this user a part of?” or “Can you give me a list of everyone in this group?” While GUI tools exist, nothing beats the power and precision of PowerShell. In this guide, we’ll walk through practical scripts to fetch group memberships and user details—perfect for IT admins and helpdesk teams.

Why Group Membership Information Matters

Group memberships in AD directly control access to resources—files, folders, applications, and even cloud services via Azure AD sync. Understanding and documenting this information is key for:

  • Security audits
  • User onboarding/offboarding
  • Compliance requirements
  • Troubleshooting access issues

PowerShell to the Rescue

PowerShell offers native cmdlets like Get-ADGroupMember, Get-ADUser, and Get-ADPrincipalGroupMembership that allow easy and powerful querying of group data.

Before using these scripts, make sure you have the ActiveDirectory module imported:

PowerShell
Import-Module ActiveDirectory

Script 1: Export All Members of a Specific AD Group

PowerShell
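# Direct members of the group: users, computers, and any nested groups
Get-ADGroupMember -Identity "ADGroupName" |
Select-Object Name, ObjectClass, DistinguishedName |
# -NoTypeInformation keeps the "#TYPE" header line out of the CSV on Windows PowerShell 5.1
Export-Csv -Path "C:\Users\Desktop\ADGroupMembers.csv" -NoTypeInformation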

Explanation:

  • Get-ADGroupMember: Gets members of the specified group.
  • Select-Object: Filters to only include name, type (user/computer), and full AD path.
  • Export-CSV: Saves the result as a .CSV file.

Output Example:

Name          ObjectClass  DistinguishedName
John Smith    user         CN=John Smith,OU=Sales,DC=domain
AdminServer1  computer     CN=AdminServer1,OU=Servers,DC=domain
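
Script 1 returns direct members only, so a group nested inside ADGroupName appears as one row with ObjectClass group and the accounts inside it stay hidden. The following added example (not from the original post) exports the effective membership and marks how each account got there; the output path and the Membership column are assumptions made for the example.

```powershell
Import-Module ActiveDirectory

# Assumed values for illustration: set a real group name and output folder.
$GroupName = 'ADGroupName'
$OutFile   = Join-Path -Path $env:USERPROFILE -ChildPath "$GroupName-effective-members.csv"

# Direct members: users, computers, and groups listed on the group itself.
$direct    = @(Get-ADGroupMember -Identity $GroupName)
$directDns = @($direct | ForEach-Object DistinguishedName)

# -Recursive walks nested groups and returns only the non-group members.
$effective = @(Get-ADGroupMember -Identity $GroupName -Recursive)

$rows = @(foreach ($m in $effective) {
    [PSCustomObject]@{
        Name              = $m.Name
        SamAccountName    = $m.SamAccountName
        ObjectClass       = $m.ObjectClass
        # An account that is both direct and nested is reported as Direct.
        Membership        = if ($m.DistinguishedName -in $directDns) { 'Direct' } else { 'Nested' }
        DistinguishedName = $m.DistinguishedName
    }
})

# Keep the nested groups as rows too, so a reviewer can see where nested access comes from.
$rows += $direct | Where-Object ObjectClass -eq 'group' | ForEach-Object {
    [PSCustomObject]@{
        Name              = $_.Name
        SamAccountName    = $_.SamAccountName
        ObjectClass       = $_.ObjectClass
        Membership        = 'NestedGroup'
        DistinguishedName = $_.DistinguishedName
    }
}

$rows | Sort-Object Membership, Name | Export-Csv -Path $OutFile -NoTypeInformation

# Quick summary on screen: how many rows of each kind were exported.
$rows | Group-Object Membership | Select-Object Name, Count
```

Rows marked Nested are the ones a direct-members export misses, which is usually where unexpected access shows up during a review.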

Script 2: Export All Groups a User Belongs To

Explanation:

  • Get-ADPrincipalGroupMembership: Lists all groups (including nested) a user belongs to.
  • GroupScope: Shows whether the group is Global, DomainLocal, or Universal.

Output Example:

Name                    GroupScope
Domain Admins           Global
HR Shared Folder Users  DomainLocal
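
The script itself does not appear under this heading. As an added example (not the original author's script), the following produces the Name and GroupScope columns described above and adds a Membership column that separates groups the account is listed in directly from groups it reaches only through nesting. The account name, output path, Membership column, and the ConvertTo-LdapFilterValue helper are assumptions made for the example.

```powershell
Import-Module ActiveDirectory

# Assumed values for illustration: set a real account name and output folder.
$Username = 'username'
$OutFile  = Join-Path -Path $env:USERPROFILE -ChildPath "$Username-groups.csv"

# Hypothetical helper: escape characters that are special inside an LDAP filter value.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

$user = Get-ADUser -Identity $Username

# Groups that list the account as a direct member, plus its primary group.
$direct    = @(Get-ADPrincipalGroupMembership -Identity $user)
$directDns = @($direct | ForEach-Object DistinguishedName)

# Every group the account reaches through the member attribute at any depth,
# resolved server-side with LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941).
$dn         = ConvertTo-LdapFilterValue -Value $user.DistinguishedName
$transitive = @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)")

$rows = ($direct + $transitive) |
    Sort-Object -Property DistinguishedName -Unique |
    ForEach-Object {
        [PSCustomObject]@{
            Name              = $_.Name
            GroupScope        = $_.GroupScope
            Membership        = if ($_.DistinguishedName -in $directDns) { 'Direct' } else { 'Nested' }
            DistinguishedName = $_.DistinguishedName
        }
    }

$rows | Sort-Object Membership, Name | Export-Csv -Path $OutFile -NoTypeInformation

# Quick summary on screen: number of direct and nested groups.
$rows | Group-Object Membership | Select-Object Name, Count
```

Comparing the Direct and Nested counts for an account is a quick way to confirm how much of its access comes through group nesting.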

Script 3: Detailed Member Info of an AD Group

PowerShell
Get-ADGroup "ADGroupName" -Properties * |
Select-Object -ExpandProperty Member |
Get-ADUser -Properties * |
Select-Object SamAccountName, Name, UserPrincipalName, Mail |
Export-Csv -NoTypeInformation -Append "C:\Users\Desktop\ADGroupMembersWithAdditionalDetails.csv"

Explanation:

  • Expands group members and fetches user properties in depth.
  • SamAccountName: Login ID.
  • UserPrincipalName: Usually the email-style login.

Output Example:

SamAccountName  Name        UserPrincipalName  Mail
jsmith          John Smith  jsmith@domain.com  jsmith@domain.com

Script 4: User’s Groups with ManagedBy, Description, Notes & OU

PowerShell
# Look up each of the user's groups again to read the extra attributes
Get-ADPrincipalGroupMembership "username" |
Get-ADGroup -Properties Info, Description, ManagedBy, DistinguishedName |
Select-Object Name, Info, Description, ManagedBy, DistinguishedName |
Export-Csv -Path "C:\Users\Desktop\ADGroupMembersWithAdditionalDetails.csv" -NoTypeInformation

Explanation:

  • Adds extra metadata: Notes (Info), Description, ManagedBy, and the DistinguishedName, which shows the Organizational Unit (OU).
  • Good for audits and clarity on ownership.

Output Example:

Name               Info     Description   ManagedBy        DistinguishedName
FinanceUsersGroup  Payroll  Finance Team  CN=Manager Name  CN=FinanceUsersGroup,OU=Groups,DC=…

Script 5: Enhanced Script with Error Handling & Formatted Output

PowerShell
$Username = "username"

$user = Get-ADUser -Filter "SamAccountName -eq '$Username'" -ErrorAction SilentlyContinue

if ($user) {
    $user | Get-ADPrincipalGroupMembership |
    Get-ADGroup -Properties Info, Description, ManagedBy, DistinguishedName |
    ForEach-Object {
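        # ManagedBy holds a distinguished name that may point to a user, group, or contact,
        # so resolve it with Get-ADObject rather than Get-ADUser
        $manager = if ($_.ManagedBy) {
            (Get-ADObject -Identity $_.ManagedBy).Name
        } else {
            'Not set'
        }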

        [PsCustomObject]@{
            Name        = $_.Name
            Description = $_.Description
            ManagedBy   = $manager
            Notes       = $_.Info
            DistinguishedName = $_.DistinguishedName
        }
    } | Export-Csv -Path (Join-Path -Path 'C:\Users\Desktop\' -ChildPath ("{0:yyyy-MM-dd}-{1}.csv" -f (Get-Date), $user.Name)) -NoTypeInformation
} else {
    Write-Warning "User '$Username' not found."
}

Why this version is better:

  • Checks if the user exists before proceeding.
  • Fetches the human-readable name of the ManagedBy property.
  • Adds the export date to the file name for clarity.

Sample Output File Name

2025-06-24-JohnSmith.csv

Output Preview:

Name          Description   ManagedBy      Notes    DistinguishedName
FinanceGroup  Finance Team  Alice Johnson  Finance  CN=FinanceGroup,OU=Groups,DC=domain,DC=com

Final Thoughts

These PowerShell scripts not only simplify your AD group management tasks but also improve visibility and traceability across your organization. Whether you’re a system admin, security analyst, or auditor, exporting accurate AD group data is crucial.

Stay tuned for more advanced PowerShell automation tips and feel free to bookmark this blog if you found it helpful.

Don’t forget to share or comment below if these scripts saved you time!
