How can I list all members from AD group showing enable and disabled users?

active-directory windows-server-2012-r2 powershell-5.0

28,625

Solution 1

Did this way:

$groupname = "Domain Admins"
$users = Get-ADGroupMember -Identity $groupname | ? {$_.objectclass -eq "user"}
foreach ($activeusers in $users) { Get-ADUser -Identity $activeusers | ? {$_.enabled -eq $true} | select Name, SamAccountName, UserPrincipalName, Enabled }

If you want disabled just replace last cmdlet:

foreach ($activeusers in $users) { Get-ADUser -Identity $activeusers | ? {$_.enabled -eq $false} | select Name, SamAccountName, UserPrincipalName, Enabled }

Solution 2

using Marlon's answer above. if you want to output it as a list to text or CSV you can do this:

$groupname = "Domain Admins"
$users = Get-ADGroupMember -Identity $groupname | ? {$_.objectclass -eq "user"}
$result = @()
foreach ($activeusers in $users) { $result += (Get-ADUser -Identity $activeusers | ? {$_.enabled -eq $true} | select Name, SamAccountName, UserPrincipalName, Enabled) }
$result | Export-CSV  -NoTypeInformation .\active_domain_admins.csv

you can switch the last line to this, if you just want output to a text file:

$result | Out-File .\active_domain_admins.txt

28,625

Marlon

Enthusiastic about Devops tools, infrastructure and multicloud.

Updated on September 18, 2022

Comments

Marlon over 1 year
I'm trying get a list of all members from a AD Group showing active \ inactive users. The purpose is get all the members on the groups and list the ones with Admin privileges.

I did the following commands:
```
$GROUPNAME = "Domain Admins" 
Get-ADGroupMember -identity $GROUPNAME -Recursive | Select name, SamAccountName, objectclass | Sort-Object Name
```
Tried to combine with Get-ADUser -Filter {Enabled -eq $false} but I need the first cmdlet to output for me Users, so I can filter with Get-ADuser.

Tks in advance
- Ravindra Bawane over 6 years
  
  What about pulling the output from Get-ADGroupMember to a variable $USERS and then running a ForEach loop that pulls them through Get-ADUser to check for Enabled? I'm playing with this now modifying a script that is similar-ish, but haven't worked out the kinks yet.
- Marlon over 6 years
  
  @music2myear Seems that worked! Did the following: $GROUPNAME = 'Domain Admins' Get-ADGroupMember -identity $GROUPNAME -Recursive | Select name, SamAccountName, objectclass | Sort-Object Name foreach ($USERS in $USERS) { Get-ADUser -Filter {Enabled -eq $false } | Select Name, Enabled, SamAccountName, UserPrincipalName }
- Ravindra Bawane over 6 years
  
  Sweet, write that up as the answer. I may have pointed you in the right direction, but you solved it.
- Ravindra Bawane over 6 years
  
  Though, I'd personally leave off the Select and Sort-object off of the first line. Get-ADGroupMember is outputting objects which Get-ADUser should be able to handle just fine, and the Select command on the last line should be sufficient.
- Marlon over 6 years
  
  Did some tests here but seems that statement: Get-ADGroupMember -identity $GROUPNAME -Recursive is not getting all the members from Domain Admins group or whatever group on the cmdlet. With last cmdlet filtering results just show disabled users at general on AD.
- Ravindra Bawane over 6 years
  
  In the code you've posted it doesn't look as though you writing the contents of Domain Admins to a variable, and then you're just looping through every user account in the domain with Get-ADUser.
- Marlon over 6 years
  
  It seems that you doing the command Get-ADGroupMember -identity $GROUPNAME without recursive option shows the members. Just does not show a group inserted into the Domain Admins members.
- Marlon over 6 years
  
  @music2myear I tested these cmdlets and seems to be working now! Unfortunatelly I can't vote for my own reply, if you could do will be appreciate.
choudhury smrutiranjan parida over 5 years

How to add the export csv portion here?