Hi,
I am trying to export group members using below Command :
$group = get-adgroup “distinguishedname of group” -members
$group.members |get-aduser|select samaccountname, enabled| ft
Now I also intend to get other attributes for each member like mail, whencreated.
Ummm…There is no -members parameter for Get-ADGroup. Anyway, I think this is what you’re trying to do. When you run Get-ADUser, it only returns a subset of properties for the user. In order to get others that aren’t included in that default subset, you have to use the -Properties parameter.
Get-ADGroupMember "DN of group" | Get-ADUser -Properties Mail,WhenCreated
Thanks Kevyn, but is it possible to get all the required information in one command?
Get-adgroupmember would not fetch more than 1000 members in one go if I am not wrong.
I’m still trying to get it done as group contains more than 10K users.
Required information : samaccountname, mail, enabled, whencreated
No. I’m basically doing what you’re doing in your code (You were using two commands: Get-ADGroup & Get-ADUser), but Get-ADGroup was not the right cmdlet to get the group members of the AD Group…Get-ADGroupMember was. What I provided is the most efficient way to do it. As for the required information, SamAccountName is one of the attributes returned in the original subset that AD returns. So, to have all of them, you just need to do the following:
Get-ADGroupMember "DN of group" | Get-ADUser -Properties Mail,Enabled,WhenCreated
If you just want the 4 properties shown on the screen, you can select them.
Get-ADGroupMember "DN of group" | Get-ADUser -Properties Mail,Enabled,WhenCreated | Select-Object -Property SamAccountName,Mail,Enabled,WhenCreated
Since there are only 4 properties, it will automatically display as a table.
Thanks Kevyn,
I will try the command and share the results with you.
But I doubt if get-adgroupmember will be able to fetch group members more than 1000 which is the reason I took the output in $group.
I know with Exchange commands (Ex: Get-Mailbox), the default number of objects returned is 1000. For that, you have the -ResultSize parameter that allows you to specify more (up to unlimited), or less. I don’t see anything like that for Get-ADGroupMember. In doing some research, I found the following which says that the default limit for the Get-ADGroupMember cmdlet is 5000 and that if you need to be able to have more items returned you have to add a value called MaxGroupOrMemberEntries in the c:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe.config file. To state the obvious, this would have to be done on all DCs/GCs. There is a warning mentioned in the article, you’ll want to make sure to read. Hope this helps.
http://mctexpert.blogspot.com/2013/07/how-to-exceed-maximum-number-of-allowed.html
You can get the member DNs from Get-ADGroup, and it may not suffer from the limit problem.
Get-ADGroup groupname -Properties members|select -expand members