PowershellHow-ToBeginner · 2 min read

PowerShell Script to Get Users in Group

Use Get-ADGroupMember -Identity 'GroupName' -Recursive | Where-Object { $_.objectClass -eq 'user' } to get all users in a group in PowerShell.

📋

Examples

InputGroupName = 'HRTeam'

OutputDistinguishedName : CN=John Doe,OU=Users,DC=domain,DC=com Name : John Doe ObjectClass : user

InputGroupName = 'ITSupport'

OutputDistinguishedName : CN=Jane Smith,OU=Users,DC=domain,DC=com Name : Jane Smith ObjectClass : user DistinguishedName : CN=Mark Lee,OU=Users,DC=domain,DC=com Name : Mark Lee ObjectClass : user

InputGroupName = 'EmptyGroup'

Output

🧠

How to Think About It

To get users in a group, first find all members of the group. Then filter only those members whose type is 'user' because groups can contain other groups or computers. This ensures you list only actual user accounts.

📐

Algorithm

Get the group name as input.

Retrieve all members of the group including nested members.

Filter the members to keep only those with object class 'user'.

Return the filtered list of users.

💻

Code

powershell

Import-Module ActiveDirectory
$groupName = 'YourGroupName'
$users = Get-ADGroupMember -Identity $groupName -Recursive | Where-Object { $_.objectClass -eq 'user' }
$users | ForEach-Object { Write-Output $_.Name }

Output

John Doe Jane Smith Mark Lee

🔍

Dry Run

Let's trace getting users from group 'ITSupport' through the code

Set group name

$groupName = 'ITSupport'

Get all group members

Get-ADGroupMember returns 3 members: Jane Smith (user), Mark Lee (user), SupportGroup (group)

Filter only users

Keep Jane Smith and Mark Lee, remove SupportGroup

Member Name	ObjectClass	Included?
Jane Smith	user	Yes
Mark Lee	user	Yes
SupportGroup	group	No

💡

Why This Works

Step 1: Import Active Directory module

The Import-Module ActiveDirectory command loads the tools needed to query AD groups.

Step 2: Get group members recursively

Get-ADGroupMember -Recursive fetches all members including those in nested groups.

Step 3: Filter users only

Using Where-Object { $_.objectClass -eq 'user' } keeps only user accounts, excluding groups or computers.

🔄

Alternative Approaches

Using Get-ADGroupMember without recursion

powershell

Import-Module ActiveDirectory
$groupName = 'YourGroupName'
$users = Get-ADGroupMember -Identity $groupName | Where-Object { $_.objectClass -eq 'user' }
$users | ForEach-Object { Write-Output $_.Name }

This method does not include users in nested groups, so it may miss some users.

Using [ADSI] to query group members

powershell

$group = [ADSI]("LDAP://CN=YourGroupName,OU=Groups,DC=domain,DC=com")
$members = $group.member | ForEach-Object { [ADSI]"LDAP://$_" }
$users = $members | Where-Object { $_.objectClass -eq 'user' }
$users | ForEach-Object { $_.Name }

This method works without Active Directory module but requires full LDAP path and is more complex.

⚡

Complexity: O(n) time, O(n) space

Time Complexity

The script queries all members of the group, so time grows linearly with the number of members (n). Filtering is also linear.

Space Complexity

The script stores all group members in memory, so space grows linearly with n.

Which Approach is Fastest?

Using Get-ADGroupMember -Recursive is efficient and simple. ADSI method is slower and more complex.

Approach	Time	Space	Best For
Get-ADGroupMember -Recursive	O(n)	O(n)	Complete user list including nested groups
Get-ADGroupMember (no recursion)	O(n)	O(n)	Simple groups without nested members
ADSI Query	O(n)	O(n)	Environments without Active Directory module

💡

Use -Recursive with Get-ADGroupMember to include users in nested groups.

⚠️

Forgetting to filter by objectClass -eq 'user' and getting groups or computers in the output.