Get one or more Active Directory groups.

      Get-ADGroup [-Identity] ADGroup
                [-AuthType {Negotiate | Basic}] [-Credential PSCredential]
                   [-Partition string] [-Properties string[]]
                      [-Server string] [CommonParameters]

      Get-ADGroup -Filter string [-ResultPageSize int]
         [-ResultSetSize Int32] [-SearchBase string]
            [-SearchScope {Base | OneLevel | Subtree}] 
                [-AuthType {Negotiate | Basic}] [-Credential PSCredential]
                   [-Partition string] [-Properties string[]]
                      [-Server string] [CommonParameters]

      Get-ADGroup -LDAPFilter string [-ResultPageSize int]
         [-ResultSetSize Int32] [-SearchBase string]
            [-SearchScope {Base | OneLevel | Subtree}]
                [-AuthType {Negotiate | Basic}] [-Credential PSCredential]
                   [-Partition string] [-Properties string[]]
                      [-Server string] [CommonParameters]

   -AuthType {Negotiate | Basic}
       The authentication method to use: Negotiate (or 0) or Basic (or 1).
       A Secure Sockets Layer (SSL) connection is required for Basic authentication.

   -Credential PSCredential
       The user account credentials to use to perform this task.
       The default credentials are those of the currently logged on user unless the
       cmdlet is run from an Active Directory PowerShell provider drive.
       If the cmdlet is run from such a provider drive, the account associated with the drive is the default.

       Type a user name, such as "User64" or "Domain64\User64", or specify a
       PSCredential object such as one generated by Get-Credential.

       If a user name is specified, the cmdlet will prompt for a password.

   -Filter string
       A query string that retrieves Active Directory objects.
       This string uses the PowerShell Expression Language syntax:

       filter ::= "{" FilterComponentList"}"
       FilterComponentList ::= FilterComponent | FilterComponent JoinOperator FilterComponent | NotOperator FilterComponent
       FilterComponent ::= attr FilterOperator value | "(" FilterComponent")"
       FilterOperator ::= "-eq" | "-le" | "-ge" | "-ne" | "-lt" | "-gt"| "-approx" | "-bor" | "-band" | "-recursivematch" | "-like" | "-notlike"
       JoinOperator ::= "-and" | "-or"
       NotOperator ::= "-not"
       attr ::= PropertyName | LDAP_Name_of_the_attribute
       value::= <compare this value with an attr by using the specified FilterOperator>

   -Identity ADGroup
       An AD group object. Most often this will be a Distinguished Name (e.g. CN=demogroup,OU=demo,DC=SS64,DC=com)
       The identity may also be given as a GUID, Security Identifier or sAMAccountName.

       The cmdlet searches the default naming context or partition to find the object.
       If two or more objects are found, the cmdlet returns a non-terminating error.

       The ADGroup object may also be passed through the pipeline or set via a variable.

   -LDAPFilter string
       An LDAP query string that is used to filter AD objects.
       Use this parameter to run existing LDAP queries. 
       See also Help about_ActiveDirectory_Filter.

       For example to search an OU for names beginning with "sara".
       -LDAPFilter "(name=sara*)" -SearchScope Subtree -SearchBase "DC=demo,DC=SS64,DC=com"

   -Partition string
       The distinguished name of an AD partition.
       string must be one of the naming contexts on the current directory server.
       The cmdlet searches this partition to find the object defined by the -Identity parameter.
         -Partition "CN=Configuration,DC=Europe,DC=Test,DC=SS64,DC=com"
         -Partition "CN=Schema,CN=Configuration,DC=Europe,DC=Test,DC=SS64,DC=com"

       In many cases, a default value will be used for -Partition if no value is specified.

   -Properties string[]
       The properties of the output object to retrieve from the server (comma-separated list).
       Use this parameter to retrieve properties that are not included in the default set.

       To discover the properties available, use Get-Member
       To display all of the attributes that are set on the object, specify * (asterisk).

       Specify the property name or, for non-default/extended properties, the LDAP display name of the attribute.

   -ResultPageSize int
       The number of objects to include in each page for an AD Domain Services query.
       default = 256

   -ResultSetSize Int32
       The maximum number of objects to return for an AD Domain Services query.
       To receive all objects, set this to $null. Ctrl+c will stop the query and return of objects.
       default = $null.

   -SearchBase string
       An Active Directory path to search under.
       -SearchBase "ou=training,dc=demo,dc=ss64,dc=com"

   -SearchScope {Base | OneLevel | Subtree}
       The scope of an AD search.
       Possible values for this parameter are:
       Base or 0        Search only the current path or object.
       OneLevel or 1    Search the immediate children
       Subtree or 2     Search the current path/object and all children

   -Server string
       The AD Domain Services instance to connect to. This may be a fully qualified domain name,
       a NetBIOS name, or a fully qualified directory server name (with or without a port number).

Get-ADGroup gets a group or performs a search to retrieve multiple groups from an Active Directory.

The -Identity parameter specifies the Active Directory group to get. Identify a group by its distinguished name (DN), GUID, security identifier (SID), Security Accounts Manager (SAM) account name, or canonical name. Alternatively specify a group object variable.
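Because -Identity accepts a SID, privileged groups can be resolved by their well-known SIDs rather than by display name, which matters in a review because built-in groups can be renamed and their names differ between language packs. The following is an added example, not code from the original page. The domain-relative RIDs (512, 518, 519, 520) and the fixed Builtin SIDs are the documented well-known values (see Q243330 in the related links); the Import-Module call, the English "expected" names and the function name Resolve-PrivilegedGroup are assumptions about how the script is run.

```powershell
# Added example, not from the original page: resolve privileged groups by
# well-known SID instead of display name. Requires the ActiveDirectory module
# and a reachable domain controller (assumed).
Import-Module ActiveDirectory

# Domain SID prefix, e.g. S-1-5-21-xxxx-yyyy-zzzz
$domainSid = (Get-ADDomain).DomainSID.Value

# Domain-relative RIDs of groups commonly in scope for a privilege review.
# 518 and 519 exist only in the forest root domain.
$wellKnownRids = @{
    512 = 'Domain Admins'
    518 = 'Schema Admins'
    519 = 'Enterprise Admins'
    520 = 'Group Policy Creator Owners'
}

# Builtin groups have fixed SIDs that are not domain-relative.
$builtinSids = @{
    'S-1-5-32-544' = 'Administrators'
    'S-1-5-32-548' = 'Account Operators'
    'S-1-5-32-549' = 'Server Operators'
    'S-1-5-32-551' = 'Backup Operators'
}

function Resolve-PrivilegedGroup {
    param([string]$Sid, [string]$ExpectedName)
    try {
        $g = Get-ADGroup -Identity $Sid -Properties adminCount, whenChanged, member -ErrorAction Stop
        [pscustomobject]@{
            SID           = $Sid
            ExpectedName  = $ExpectedName
            ActualName    = $g.Name
            Renamed       = ($g.Name -ne $ExpectedName)   # true if someone renamed the group
            AdminCount    = $g.adminCount                 # 1 = protected by AdminSDHolder
            DirectMembers = @($g.member).Count
            LastChanged   = $g.whenChanged
        }
    }
    catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        # Normal for RIDs 518/519 when run against a child domain
        Write-Verbose "No group with SID $Sid in this domain"
    }
}

# Build one SID -> expected-name table and resolve every entry
$targets = @{}
foreach ($rid in $wellKnownRids.Keys) { $targets["$domainSid-$rid"] = $wellKnownRids[$rid] }
foreach ($sid in $builtinSids.Keys)   { $targets[$sid] = $builtinSids[$sid] }

$results = foreach ($sid in $targets.Keys) {
    Resolve-PrivilegedGroup -Sid $sid -ExpectedName $targets[$sid]
}
$results | Sort-Object SID | Format-Table -AutoSize
```

Run it with -Verbose to see which SIDs were not found. A Renamed value of True, or a DirectMembers count that does not match your records, is the finding; the SID lookup itself cannot be fooled by a look-alike group created with the same display name, because that group gets a fresh RID from the RID pool.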

To search for and retrieve more than one group, use the -Filter or -LDAPFilter parameters. The -Filter parameter uses the PowerShell Expression Language to write query strings for Active Directory. For more information about the Filter parameter syntax, see help about_ActiveDirectory_Filter.
If you have existing LDAP query strings, you can use them with the -LDAPFilter parameter.
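Three review queries written against -Filter and -LDAPFilter, as an added example (not code from the original page). adminCount, sIDHistory and Description are real schema attributes; the Import-Module call and the OU path 'OU=Groups,DC=SS64,DC=com' are assumptions.

```powershell
# Added example, not from the original page. Requires the ActiveDirectory module
# and a reachable DC (assumed); the OU path below is an assumption.
Import-Module ActiveDirectory

# 1. Groups protected by AdminSDHolder (adminCount=1). Anything here that is not
#    a known privileged group, or that was changed recently, deserves a look.
$protected = Get-ADGroup -Filter { adminCount -eq 1 } -Properties adminCount, whenChanged, ManagedBy |
    Select-Object Name, GroupScope, GroupCategory, whenChanged, ManagedBy

# 2. Groups carrying sIDHistory. Expected after a domain migration; otherwise a
#    possible privilege-escalation or persistence artifact that needs explaining.
#    The presence test "(attr=*)" is easiest to write as a raw LDAP filter.
$withHistory = Get-ADGroup -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory |
    Select-Object Name, SID, @{ n = 'SIDHistory'; e = { ($_.sIDHistory | ForEach-Object { $_.Value }) -join ';' } }

# 3. Security groups under one OU with no description, i.e. undocumented access
#    grants. "-not (attr -like '*')" is the -Filter way to test for an empty attribute.
$undocumented = Get-ADGroup -Filter { GroupCategory -eq 'Security' -and -not (Description -like '*') } `
    -SearchBase 'OU=Groups,DC=SS64,DC=com' -SearchScope Subtree -Properties Description |
    Select-Object Name, DistinguishedName

$protected    | Format-Table -AutoSize
$withHistory  | Format-Table -AutoSize
$undocumented | Format-Table -AutoSize
```

Note that -Filter accepts both friendly property names (GroupCategory, Description) and raw LDAP attribute names (adminCount), so the two styles can be mixed; the raw LDAP filter is preferable when you already have a query from ldp.exe or a SIEM rule and want to run it unchanged.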

Recursive Membership:

The LDAP extensible match rule 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN, often just "the 1941 filter") walks the member/memberOf chain on the server, so nested memberships are found with a single query. It can be processor intensive on the domain controller in large or complex directories, and it only follows member/memberOf links: membership held through a user's primaryGroupID (typically Domain Users) is not returned. See examples below.
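The member/memberOf examples further down the page resolve the 1941 results with Get-ADUser, which silently leaves out any member that is not a user object. The function below is an added example (not code from the original page) that returns every object class holding the group's rights, including nested groups, computers and foreign security principals from trusted domains, which is what a privilege review needs. The function name, the Import-Module call and the group name 'Domain Admins' in the usage lines are assumptions.

```powershell
# Added example, not from the original page: enumerate the complete nested
# membership of a group with LDAP_MATCHING_RULE_IN_CHAIN. Get-ADObject is used
# instead of Get-ADUser so nested groups, computers and foreign security
# principals (members from trusted domains) are returned as well.
# Requires the ActiveDirectory module and a reachable DC (assumed).
Import-Module ActiveDirectory

function Get-NestedGroupMembership {
    param(
        [Parameter(Mandatory)][string]$GroupIdentity,   # DN, GUID, SID or sAMAccountName
        [string]$Server
    )
    $common = @{}
    if ($Server) { $common.Server = $Server }

    $group = Get-ADGroup -Identity $GroupIdentity @common

    # The DN is embedded in a filter string, so escape the characters that are
    # special in LDAP filter values (RFC 4515); the backslash must be done first.
    $dn = $group.DistinguishedName -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'

    Get-ADObject -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$dn)" `
                 -Properties sAMAccountName, userAccountControl, adminCount @common |
        Select-Object Name, ObjectClass, sAMAccountName, DistinguishedName,
            @{ n = 'Disabled'; e = { $null -ne $_.userAccountControl -and ($_.userAccountControl -band 2) -ne 0 } }
}

# Usage (group name is an assumption)
$nested = Get-NestedGroupMembership -GroupIdentity 'Domain Admins'

# Which kinds of object end up with this group's rights?
$nested | Group-Object ObjectClass | Select-Object Name, Count

# Enabled user accounts only, the list most reviews actually want
$nested | Where-Object { $_.ObjectClass -eq 'user' -and -not $_.Disabled } | Sort-Object Name |
    Format-Table Name, sAMAccountName, DistinguishedName -AutoSize
```

Objects of class foreignSecurityPrincipal in the output are SIDs from another forest; resolve them against that forest's directory, as Get-ADGroupMember -Recursive is known to have trouble with groups containing such members. A user whose primaryGroupID points at the group (rather than being listed in member) will not appear in this output, so for the default Domain Users and Domain Computers groups compare the result with a primaryGroupID query.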


The Get-ADGroup cmdlet gets a default set of group object properties. To get additional properties use the -Properties parameter.

Default properties:
DistinguishedName, GroupCategory, GroupScope, Name, ObjectClass, ObjectGUID, SamAccountName, SID.

Additional properties:
CanonicalName, CN, Created, Deleted, Description, DisplayName, HomePage, LastKnownParent, ManagedBy, MemberOf, Members, Modified, ObjectCategory, ProtectedFromAccidentalDeletion, SIDHistory.


Retrieve the default properties for the Administrators group:

PS C:\> Get-ADGroup -Identity Administrators | Get-Member

Retrieve ALL properties for the Administrators group:

PS C:\> Get-ADGroup -Identity Administrators -Properties * | Get-Member

Retrieve the name and description for all groups:

PS C:\> Get-ADGroup -filter * -Properties name,description | export-csv C:\demo\adgroups.csv

Retrieve the name and notes/info for all groups which have a note entered:

PS C:\> Get-ADGroup -Filter {info -like '*'} -Properties name,info | Select name,info

Retrieve all the groups with a name starting with G-Sales:

PS C:\> Get-ADGroup -filter {name -like 'G-Sales*'} | Select name

Retrieve groups with a name starting with G-Sales, where the name also does not match the SAM Account Name (or pre-Windows 2000 name):

PS C:\> Get-ADGroup -filter {name -like 'G-Sales*'} | Select name,samaccountname | where {$_.name -ne $_.samaccountname}

Retrieve all direct members of the group "HugeGroup". This returns one group object whose Members property holds the members' distinguished names, rather than the collection of member objects you would get from Get-ADGroupMember:

PS C:\> $mygroup = Get-ADGroup -Identity "HugeGroup" -properties members
PS C:\> $mygroup.members
PS C:\> $mygroup.members.count

Retrieve the extended properties "OfficePhone" and "Organization" and the default properties for the user: TomJones:

PS C:\> Get-ADUser -Identity TomJones -Properties OfficePhone,Organization

Retrieve the properties with LDAP provider names of "otherTelephone" and "otherMobile", for the user: TomJones:

PS C:\> Get-ADUser -Identity TomJones -Properties otherTelephone,otherMobile | Get-Member

Find the age of the domain, by checking the creation date of the built in group 'Domain Admins':

PS C:\> Get-ADGroup "domain admins" -Properties * | select whencreated

Count the members of the AD group 'Group64':

PS C:\> (Get-ADgroup Group64 -properties *).Member.Count

List all members of the AD group 'Group64':

$DN = 'CN=Group64,OU=groupsOU,DC=SS64,DC=COM'
# The 1941 matching rule follows nested groups, so this returns indirect members too
$members = Get-ADUser -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$DN)"
ForEach ($Member In $members) {
   $Member.SamAccountName
}

Find all the groups that "User64" is a member of:

$DN = 'CN=User64,CN=Users,DC=ss64,DC=com'
# Includes groups User64 belongs to only through nesting
$groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$DN)"
ForEach ($group In $groups) {
   $group.Name
}

Find all the users who are members of both 'group64' and 'group65'. This enumerates each group's Member property and resolves every entry with Get-ADUser, so a member that is not a user object (a nested group or a computer) will raise an error for that entry:

$first = Get-ADGroup "group64" -Properties Member | Select-Object -ExpandProperty Member | Get-ADUser
$second = Get-ADGroup "group65" -Properties Member | Select-Object -ExpandProperty Member | Get-ADUser
compare-object ($first) ($second) -Property 'SamAccountName' -IncludeEqual -ExcludeDifferent >c:\batch\both.txt

List all the empty groups (no members) in the domain and export to a csv file:

PS C:\> Get-ADGroup -Filter * -Properties Members | where {-not $_.members} | select Name | Export-csv C:\demo\empty.csv -NoTypeInformation

"There is no off position on the genius switch” ~ David Letterman

Related PowerShell Cmdlets

New-ADGroup - Create an AD group.
Remove-ADGroup - Remove an AD group.
Set-ADGroup - Modify an AD group.
Get-Circular.ps1 - Find circular nested AD groups.
How-to: Built-In Groups - Built-In Users and Security Groups.
Q243330 - Well-known security identifiers (sids) in Windows operating systems.
Active Directory: LDAP Syntax Filters - TechNet (Richard Mueller).

Copyright © 1999-2024
Some rights reserved