PowerShell scripts for Active Directory group and membership management, including queries, auditing, nested group analysis, and member additions and removals.
These scripts cover day-to-day group administration: querying membership, modifying members, analyzing nested groups, and generating audit reports. All examples use the standard ActiveDirectory module and are compatible with PowerShell 5.1 and later.
```powershell
# Find a group by name
Get-ADGroup -Identity "Help Desk"

# Search for groups matching a pattern
Get-ADGroup -Filter "Name -like 'Nursing*'"

# Get all security groups in an OU
Get-ADGroup -Filter "GroupCategory -eq 'Security'" `
    -SearchBase "OU=Groups,DC=domain,DC=com"

# Get group details including description and managed-by
Get-ADGroup -Identity "Help Desk" -Properties Description, ManagedBy, GroupScope, GroupCategory
```
Use the -Recursive switch with Get-ADGroupMember to resolve nested group membership. Without it, you only see direct members — nested group members are not included.
```powershell
# List all direct members of a group
Get-ADGroupMember -Identity "Help Desk"

# List all members, including nested group members
Get-ADGroupMember -Identity "Help Desk" -Recursive

# List only user members (exclude computers and groups)
Get-ADGroupMember -Identity "Help Desk" | Where-Object { $_.objectClass -eq "user" }

# Export group membership to CSV
# -Recursive returns computers as well as users, so filter before piping to Get-ADUser
Get-ADGroupMember -Identity "Help Desk" -Recursive |
    Where-Object { $_.objectClass -eq "user" } |
    Get-ADUser -Properties Department, Title |
    Select-Object Name, SamAccountName, Department, Title |
    Export-Csv -Path "C:\Reports\HelpDesk_Members.csv" -NoTypeInformation

# Find which groups a user belongs to (direct memberships only)
Get-ADUser -Identity jdoe -Properties MemberOf | Select-Object -ExpandProperty MemberOf

# One level up: the groups that the user's direct groups belong to
# (for the fully expanded set, use TokenGroups as shown in the FAQ below)
(Get-ADUser -Identity jdoe -Properties MemberOf).MemberOf | ForEach-Object {
    Get-ADGroup -Identity $_ -Properties MemberOf
}
```
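The -Recursive switch flattens nesting and hides how a member got in, and it never tells you that two groups are nested in each other. The function below is an added example, not part of the original page: it walks a group's nested groups downward, reporting each one with its depth and the path it is nested through, and flags cycles. Group names are illustrative.

```powershell
# Added example: downward nested-group report with depth, path and cycle detection.
function Get-ADNestedGroupTree {
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [string]    $Path = '',            # readable chain of group names
        [string[]]  $AncestorDns = @(),    # DNs on the current chain, for cycle checks
        [hashtable] $Expanded = @{}        # DNs already walked in any branch (diamonds)
    )
    $group = Get-ADGroup -Identity $Identity
    if (-not $Path) { $Path = $group.Name }
    $AncestorDns += $group.DistinguishedName
    $Expanded[$group.DistinguishedName] = $true

    # Direct members only; the groups among them are what we descend into
    $children = Get-ADGroupMember -Identity $group | Where-Object { $_.objectClass -eq 'group' }
    foreach ($child in $children) {
        $dn = $child.DistinguishedName
        $isCycle = $AncestorDns -contains $dn       # child is already on the chain above it
        $childPath = "$Path > $($child.Name)"
        [pscustomobject]@{
            Group = $child.Name
            Depth = $AncestorDns.Count
            Path  = $childPath
            Cycle = $isCycle
        }
        # Descend unless this closes a cycle or the branch was expanded elsewhere
        if (-not $isCycle -and -not $Expanded.ContainsKey($dn)) {
            Get-ADNestedGroupTree -Identity $dn -Path $childPath `
                -AncestorDns $AncestorDns -Expanded $Expanded
        }
    }
}

# Usage: full nesting report for one group; any row with Cycle = True needs attention
Get-ADNestedGroupTree -Identity 'Help Desk' | Sort-Object Depth, Path | Format-Table -AutoSize
```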
```powershell
# Add a user to a group
Add-ADGroupMember -Identity "Help Desk" -Members jdoe

# Remove a user from a group
Remove-ADGroupMember -Identity "Help Desk" -Members jdoe -Confirm:$false

# Add a computer to a group
Add-ADGroupMember -Identity "Workstations" -Members (Get-ADComputer -Identity "PC01")
```
Export current group membership before making bulk changes. This lets you restore the original state if needed.
```powershell
# Export current membership before changes
Get-ADGroupMember -Identity "Help Desk" |
    Select-Object Name, SamAccountName, objectClass |
    Export-Csv -Path "C:\Reports\HelpDesk_Before.csv" -NoTypeInformation

# Add multiple users from a CSV
$members = Import-Csv -Path "C:\Imports\new_members.csv"   # Column: SamAccountName
foreach ($member in $members) {
    Add-ADGroupMember -Identity "Help Desk" -Members $member.SamAccountName
}

# Add all users from one OU to a group
Get-ADUser -Filter * -SearchBase "OU=Nursing,DC=domain,DC=com" | ForEach-Object {
    Add-ADGroupMember -Identity "Clinical Staff" -Members $_
}

# Remove all members from a group
Get-ADGroupMember -Identity "Temp Contractors" | ForEach-Object {
    Remove-ADGroupMember -Identity "Temp Contractors" -Members $_ -Confirm:$false
}
```
How do I find all groups a user belongs to, including nested groups?
The MemberOf attribute on a user only shows direct group memberships, and Get-ADPrincipalGroupMembership returns the same direct list. For the fully expanded set, read the user's TokenGroups attribute, which the domain controller computes by expanding every nested group:
```powershell
# Direct memberships
Get-ADPrincipalGroupMembership -Identity jdoe | Select-Object Name, GroupScope

# All groups (direct and nested via token expansion)
# TokenGroups holds SIDs; well-known SIDs such as Everyone or Authenticated Users
# are not AD group objects, which is why lookup errors are silenced
Get-ADUser -Identity jdoe -Properties TokenGroups |
    Select-Object -ExpandProperty TokenGroups |
    ForEach-Object {
        Get-ADGroup -Identity $_ -ErrorAction SilentlyContinue
    } | Select-Object Name, GroupScope, GroupCategory
```
How do I compare membership between two groups?
Export both groups’ membership and use Compare-Object:
```powershell
$group1 = Get-ADGroupMember -Identity "Group A" | Select-Object -ExpandProperty SamAccountName
$group2 = Get-ADGroupMember -Identity "Group B" | Select-Object -ExpandProperty SamAccountName

Compare-Object -ReferenceObject $group1 -DifferenceObject $group2 |
    Select-Object InputObject, @{
        Name       = "Status"
        Expression = { if ($_.SideIndicator -eq "<=") { "Only in Group A" } else { "Only in Group B" } }
    }
```
How do I remove a user from all groups at once?
Retrieve all of a user’s group memberships and loop through them. Be careful not to remove the user from their primary group or domain-required groups.
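One way to do this safely, as an added example rather than the page's own script: snapshot the user's groups first, skip the primary group and any groups you name in -Keep, and support -WhatIf so the run can be previewed. The report path and the "Domain Users" example are illustrative.

```powershell
# Added example: remove a user from every group except the primary group and a keep-list.
function Remove-ADUserFromAllGroups {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]   $Identity,
        [string[]] $Keep = @()   # domain-required groups to leave in place, by name
    )
    $user = Get-ADUser -Identity $Identity -Properties MemberOf, PrimaryGroup

    # Snapshot the current memberships so the change can be reversed
    $groups = @($user.MemberOf | ForEach-Object { Get-ADGroup -Identity $_ })
    $groups | Select-Object Name, SamAccountName, DistinguishedName |
        Export-Csv -Path "C:\Reports\$($user.SamAccountName)_Groups_Before.csv" -NoTypeInformation

    foreach ($group in $groups) {
        # MemberOf normally omits the primary group, but guard anyway
        if ($group.DistinguishedName -eq $user.PrimaryGroup -or $Keep -contains $group.Name) {
            Write-Verbose "Keeping $($group.Name)"
            continue
        }
        if ($PSCmdlet.ShouldProcess($group.Name, "Remove $($user.SamAccountName)")) {
            Remove-ADGroupMember -Identity $group -Members $user -Confirm:$false
        }
    }
}

# Preview first, then run for real, keeping a group the domain requires
Remove-ADUserFromAllGroups -Identity jdoe -WhatIf
Remove-ADUserFromAllGroups -Identity jdoe -Keep 'Domain Users' -Verbose
```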
How do I find groups that haven't been used recently?
AD groups do not have a built-in last-used timestamp, but you can audit based on when membership last changed or whether any members have logged in recently:
```powershell
# Groups modified more than 1 year ago
$cutoff = (Get-Date).AddDays(-365)
Get-ADGroup -Filter * -Properties WhenChanged |
    Where-Object { $_.WhenChanged -lt $cutoff } |
    Select-Object Name, WhenChanged, DistinguishedName |
    Sort-Object WhenChanged |
    Export-Csv -Path "C:\Reports\StaleGroups.csv" -NoTypeInformation
```
How do I sync group membership from a CSV file?
To make a group’s membership exactly match a list of users (adding missing members and removing unlisted ones):
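The function below is an added example (not the page's own code) that computes the add and remove sets from a CSV with a SamAccountName column and applies them to the group's direct membership. Because it reconciles toward whatever the CSV contains, the same function restores a membership export taken before a bulk change, such as the HelpDesk_Before.csv produced earlier. File paths are illustrative.

```powershell
# Added example: make a group's direct membership exactly match a CSV (SamAccountName column).
function Sync-ADGroupMembership {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [Parameter(Mandatory)] [string] $CsvPath
    )
    # Desired state: resolve every name up front so a typo is reported, not applied
    $desired = @(foreach ($row in Import-Csv -Path $CsvPath) {
        $sam = $row.SamAccountName.Trim().Replace("'", "''")
        $obj = Get-ADObject -Filter "SamAccountName -eq '$sam'" -Properties SamAccountName
        if ($obj) { $obj } else { Write-Warning "Not found in AD, skipping: $sam" }
    })
    # Current state: direct members only; nested groups stay as they are
    $current = @(Get-ADGroupMember -Identity $Identity)

    $desiredNames = @($desired.SamAccountName)
    $currentNames = @($current.SamAccountName)
    $toAdd    = @($desired | Where-Object { $currentNames -notcontains $_.SamAccountName })
    $toRemove = @($current | Where-Object { $desiredNames -notcontains $_.SamAccountName })

    if ($toAdd.Count -gt 0 -and $PSCmdlet.ShouldProcess($Identity, "Add $($toAdd.Count) member(s)")) {
        Add-ADGroupMember -Identity $Identity -Members $toAdd.DistinguishedName -Confirm:$false
    }
    if ($toRemove.Count -gt 0 -and $PSCmdlet.ShouldProcess($Identity, "Remove $($toRemove.Count) member(s)")) {
        Remove-ADGroupMember -Identity $Identity -Members $toRemove.DistinguishedName -Confirm:$false
    }
    # Return what changed so the run can be logged or reviewed
    [pscustomobject]@{
        Group   = $Identity
        Added   = $toAdd.SamAccountName
        Removed = $toRemove.SamAccountName
    }
}

# Preview the changes, then apply them
Sync-ADGroupMembership -Identity 'Help Desk' -CsvPath 'C:\Imports\helpdesk_members.csv' -WhatIf
Sync-ADGroupMembership -Identity 'Help Desk' -CsvPath 'C:\Imports\helpdesk_members.csv'
```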