
How to Find Active Directory Group Membership

Groups in Active Directory are essential for managing resource permissions and facilitating email communication. However, unauthorized access to these groups can pose security risks, like deletion of shared folders, unrestricted access to the domain, exposure to confidential emails, etc. This guide helps mitigate these risks by enabling you to track and manage AD group members and protect your organization’s assets.

Check AD Group Membership Using Active Directory Users and Computers

Active Directory permission required: Domain Users (least privilege), Administrators (most privilege)
  • Open the Server Manager and navigate to Tools»Active Directory Users and Computers.
  • Click the Filter icon and select 'Show only the following types of objects'. Then choose Groups and click OK.
  • After filtering, locate and right-click on the group whose members you wish to view.
  • Navigate to Properties»Members to list the respective group members.

List All Group Members Using Active Directory PowerShell

Active Directory permission required: Domain Users (least privilege), Administrators (most privilege)
  • Open the Windows PowerShell with an administrator account.
  • Ensure the Active Directory PowerShell module is imported in your environment. If not, import the AD module using the cmdlet below.
     Import-Module ActiveDirectory
  • Get the list of group members in AD using the following cmdlet.
     Get-ADGroupMember -Identity '<GroupName>'
  • Replace the <GroupName> with the targeted group name while running the cmdlet.
  • Note: This cmdlet lists all group members in Active Directory, including users, computers, service principal accounts, and other groups, but excludes contacts in your organization.
You can retrieve the membership of contacts along with other group members using the PowerShell cmdlet below.
 (Get-ADGroup "<GroupName>" -Properties members).members
Replace the <GroupName> with the targeted group name while running the cmdlet.
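The difference between the two cmdlets above matters when a group holds contacts or nested groups. The following is an added example, not code from the original page or from AdminDroid: it resolves every entry of the `member` attribute to its object class and walks nested groups so the path by which each object gets in is visible. The function name `Get-GroupMemberTree` is hypothetical, and it assumes all members can be resolved in the current domain.

```powershell
Import-Module ActiveDirectory

function Get-GroupMemberTree {   # hypothetical helper name, not a built-in cmdlet
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [string] $Path = '',
        [System.Collections.Generic.HashSet[string]] $Seen
    )
    if ($null -eq $Seen) { $Seen = [System.Collections.Generic.HashSet[string]]::new() }

    $group = Get-ADGroup -Identity $Identity -Properties member
    # Stop if this group was already expanded (circular nesting).
    if (-not $Seen.Add($group.DistinguishedName)) { return }
    $via = if ($Path) { "$Path > $($group.Name)" } else { $group.Name }

    foreach ($dn in $group.member) {
        try {
            # Get-ADObject resolves any object class, contacts included.
            $obj = Get-ADObject -Identity $dn -ErrorAction Stop
        } catch {
            # For example, a member that lives in another domain of the forest.
            [pscustomobject]@{ Via = $via; Name = $dn; ObjectClass = 'unresolved' }
            continue
        }
        [pscustomobject]@{ Via = $via; Name = $obj.Name; ObjectClass = $obj.ObjectClass }
        if ($obj.ObjectClass -eq 'group') {
            # Recurse into the nested group and record the path that led here.
            Get-GroupMemberTree -Identity $obj.DistinguishedName -Path $via -Seen $Seen
        }
    }
}

# '<GroupName>' is the same placeholder the page uses.
$members = @(Get-GroupMemberTree -Identity '<GroupName>')
$members | Sort-Object Via, ObjectClass, Name | Format-Table -AutoSize
# Counts per object class make contacts and nested groups stand out.
$members | Group-Object ObjectClass | Select-Object Name, Count | Format-Table -AutoSize
```

Accounts that have the group set as their primary group are not stored in the `member` attribute, so they do not appear in this output.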

Seamless Group Membership Tracking with AdminDroid’s Advanced AD Reports!

Enhance your group membership management with AdminDroid’s Active Directory reporting tool. It offers detailed reports on AD group membership changes and provides dedicated reports for groups protected from accidental deletions, SID history, etc. By maintaining an audit trail of these reports, you can detect unauthorized changes and secure your Active Directory.

Track Groups Without Managers in AdminDroid to Prevent Permission Gaps

Identify AD groups without managers to facilitate timely assignment of administrative roles and prevent gaps in permission & communication.

Monitor Group Membership of Guests for Proper Access Management

Audit domain guest group membership changes using AdminDroid to ensure AD guest users are removed from the group once their access is no longer needed.

Manage Empty Groups using AdminDroid to Minimize Security Risks

Identify empty AD groups and remove their permissions or delete them entirely, which helps reduce exposure to unauthorized actions and enhance security.

Fine-Tune Reports to Highlight Inactive User Memberships

Use the inactive users report in AdminDroid to identify their group memberships and remove them from sensitive groups to restrict improper access.

Guard Against Nesting in Sensitive Active Directory Groups

Use AdminDroid to monitor nested group memberships and prevent unauthorized nesting, as users in nested groups inherit access levels from parent groups and receive emails sent to them.

Stay Updated on AD User Membership Reports for Easy Access

Schedule AdminDroid’s users group membership summary report and have it delivered directly to your inbox to highlight the most recent data for effective group management.

Say goodbye to complex PowerShell scripts with AdminDroid's AD management tool. Its user-friendly interface allows you to access all AD group reports in just a few clicks. This makes report retrieval effortless and frees up time for more strategic tasks.


Important Tips

Regularly review security group memberships in AD to ensure that only trusted members have extensive access to the domain.

Monitor Active Directory groups with managers to ensure the right user holds this responsibility, as they can manage the group members.

Enable the "Protect object from accidental deletion" option for sensitive groups in Active Directory to prevent accidental removal.
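One way to make the regular review in the first tip repeatable is to snapshot sensitive group membership and compare it with a saved baseline. This is an added example, not code from the original page or from AdminDroid; the group list, the baseline path and the function names are assumptions to adapt to your environment.

```powershell
Import-Module ActiveDirectory

# Assumptions: placeholder group list and baseline location.
$SensitiveGroups = 'Domain Admins', 'Administrators'
$BaselinePath    = 'C:\Audit\sensitive-groups-baseline.csv'

function Get-MembershipSnapshot {
    param([Parameter(Mandatory)] [string[]] $Groups)
    foreach ($g in $Groups) {
        # -Recursive expands nested groups and returns only the leaf members.
        Get-ADGroupMember -Identity $g -Recursive | ForEach-Object {
            [pscustomobject]@{
                Group  = $g
                Member = $_.SamAccountName
                Class  = $_.objectClass
                Sid    = $_.SID.Value
            }
        }
    }
}

function Compare-MembershipSnapshot {
    param([object[]] $Baseline, [object[]] $Current)
    # Key on group + SID so a renamed account is not reported as a new member.
    $old = @{}; foreach ($r in $Baseline) { $old["$($r.Group)|$($r.Sid)"] = $r }
    $new = @{}; foreach ($r in $Current)  { $new["$($r.Group)|$($r.Sid)"] = $r }
    foreach ($k in $new.Keys) {
        if (-not $old.ContainsKey($k)) {
            $new[$k] | Select-Object @{n='Change';e={'Added'}}, Group, Member, Class, Sid
        }
    }
    foreach ($k in $old.Keys) {
        if (-not $new.ContainsKey($k)) {
            $old[$k] | Select-Object @{n='Change';e={'Removed'}}, Group, Member, Class, Sid
        }
    }
}

$current = @(Get-MembershipSnapshot -Groups $SensitiveGroups)

if (-not (Test-Path $BaselinePath)) {
    # First run: record the current state as the baseline.
    $current | Export-Csv -Path $BaselinePath -NoTypeInformation
    'Baseline created; run again later to see changes.'
} else {
    $baseline = @(Import-Csv -Path $BaselinePath)
    $changes  = @(Compare-MembershipSnapshot -Baseline $baseline -Current $current)
    if ($changes.Count) { $changes | Sort-Object Group, Change | Format-Table -AutoSize }
    else { 'No membership changes since the baseline.' }
}
```

The baseline is left untouched on later runs; re-export it only after the reported additions and removals have been reviewed and accepted.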

Common Errors and Resolution Steps

The following are possible errors and troubleshooting hints while finding the group membership of Active Directory objects.

Error Import-Module : The specified module 'ActiveDirectory' was not loaded because no valid module file was found in any module directory.

This error occurs in PowerShell when attempting to import the Active Directory module, but the module cannot be found in the specified directories.

Fix
  • If you are using a domain controller, the Active Directory module is included by default.
  • However, if you are on a domain-joined computer, the module is not installed by default and needs to be added manually.
  • To check if a module is available on your system, you can run the following command.
Get-Module -ListAvailable | Where-Object {$_.Name -eq "ActiveDirectory"}
If the module is not listed, you will need to install the RSAT (Remote Server Administration Tools) for Active Directory.

Error Get-ADPrincipalGroupMembership : Cannot find an object with identity: 'Will Jacks' under: 'DC=o365droid,DC=onmicrosoft,DC=com'.

This error may occur in PowerShell when the username provided does not match any names in Active Directory.

Fix Verify the provided sAMAccountName of the user. To check whether the name is correct, you can execute the following cmdlet:
Get-ADUser -Filter * | Select-Object sAMAccountName

Error Get-ADGroupMember : The term 'Get-ADGroupMember' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

This error may occur in PowerShell, which indicates that the Active Directory module is not loaded in your system.

Fix Import the Active Directory module using the following PowerShell command.
Import-Module ActiveDirectory
Frequently Asked Questions

Manage Active Directory Groups Effectively for Seamless Access Control

1. What kind of objects can be added as Active Directory group members?

When we think of an Active Directory group, the first thing that often comes to mind is a collection of users. However, groups in Active Directory are much more versatile than that. They can encompass not just user accounts but also computers and other objects. This broader understanding is essential, as it allows for more effective management of access and resources within the organization.

The various types of objects that can be added as a member of Active Directory groups

  • Users: Individual users within the organization are the most common AD group members. Adding users to AD groups allows you to manage access permissions for Active Directory users collectively. This makes it easier to control access to shared resources.
  • Computers: These are objects representing computers (workstations or servers) that are part of the Active Directory domain. Grouping computers makes it easier to manage policies for those systems, such as granting access to shared files and network printers.
  • Services: Service accounts in Active Directory are special accounts used by applications or services to interact with the network. Adding these accounts to groups ensures that specific services have the necessary permissions to access resources without exposing sensitive admin accounts.
  • Groups: Active Directory allows for groups to be members of other groups. This is known as group nesting. By nesting groups, you can manage permissions for multiple groups in a single place which reduces the need to assign permissions individually.
  • inetOrgPerson Objects: This object type is primarily used in directory services that follow the Lightweight Directory Access Protocol (LDAP) standard and can represent a user with specific attributes. Including this object in groups helps manage access for users with extended attributes or those outside the standard user account structure.
  • Contacts: Although not commonly used for access control, contacts are objects representing external people (e.g., vendors, partners) who may need to be part of AD distribution lists. They are often added to email-enabled groups to facilitate communication.
  • Printers: Network printers can be added to Active Directory groups, allowing you to control which users or departments have access to specific printing devices.

By understanding the types of objects that can be added to AD groups, organizations can streamline access management and maintain better control over their resources.

2. How to manage members in the Active Directory group?

Adding new employees to the appropriate Active Directory groups is vital for granting access to resources and facilitating effective email communication with their teams. Conversely, when an employee leaves, it’s equally important to remove them from these groups to prevent unauthorized access to sensitive information. Thus, effectively managing AD group memberships is essential for both onboarding and offboarding processes.

To add members to an Active Directory group

  • Open the Server Manager and navigate to Tools»Active Directory Users and Computers.
  • Double-click on the group to which you wish to add users and go to the Members tab.
  • Click Add and enter the object’s name. Click Check Names to verify or search for the name.
  • After entering the name, click OK and then select Apply to save the changes.

Note: Objects such as users, groups, computers, contacts, and service accounts can be added to the group in the same manner.

To remove members from an Active Directory group

  • Select the group from which you want to remove a member in ADUC.
  • Navigate to the Members tab and select the member.
  • Click Remove and confirm the removal by clicking Yes in the prompt.
  • Click Apply to save the changes.

Get a Clear Picture of All Membership Changes in Active Directory Groups with AdminDroid!

  • The group membership changes report provides a comprehensive audit of all membership changes across all Active Directory groups.
  • It details who made changes, members added or removed, group type, group scope, etc.

3. How to get an Active Directory user group membership?

To ensure users have the access they need, it’s vital to check whether they belong to all necessary groups. Instead of manually reviewing the membership of each group, you can streamline this process by directly identifying the groups they are a member of. This approach simplifies access management and helps to maintain security by preventing unnecessary permissions.

Get AD user group membership using ADUC

  • Open Active Directory Users and Computers by navigating to Server Manager»Tools.
  • Double-click on the user's name and go to the Member Of tab.
  • Here, you can find out all the Active Directory groups a user is a member of.

Check the Active Directory group membership of a user using PowerShell

  • Open the Windows PowerShell with an administrator account.
  • Import the Active Directory Module using the cmdlet below if it is not already imported.
    Import-Module ActiveDirectory
  • Run the following cmdlet to get the group membership of a user.
    Get-ADPrincipalGroupMembership -Identity <Username>

Replace the <Username> with the sAMAccountName or the DistinguishedName of the Active Directory user for whom you want to retrieve group membership.

You can retrieve the sAMAccountName and DistinguishedName of the user using the cmdlet below.

Get-ADUser -filter * | Select name, sAMAccountName, DistinguishedName

Identify Access Gaps with AdminDroid’s Insightful AD User’s Group Membership Report!

  • With the detailed users’ group membership report from AdminDroid, you can identify the group membership of all AD users in one centralized location.
  • This report details every group a user is a member of, along with relevant information such as group type, scope, and more.

Handy tip: AdminDroid empowers you to seamlessly export the report in various formats such as CSV, HTML, XLS, PDF, etc.

4. How to check the domain local group membership in the Active Directory?

Domain local groups are used to include users from any domain within the forest, making it essential to monitor their memberships. Managing external users who belong to these groups can be challenging without access to their home domains. Thus, regularly checking the membership of domain local groups ensures that all users in the groups are authorized, thereby maintaining secure access between domains.

Get the group membership of domain local groups using Active Directory PowerShell

You can use this method to list all the users who are members of the domain local groups in your Active Directory environment.

  • Open the Windows PowerShell with an Active Directory administrator account.
  • Execute the below cmdlet to retrieve the domain local group membership in AD.
 Get-ADGroup -Filter {GroupScope -eq "DomainLocal" -and GroupCategory -eq "<GroupType>"} | Get-ADGroupMember

Replace <GroupType> with the desired group type, such as ‘Security’ or ‘Distribution’. This will list the security domain local groups and distribution domain local groups respectively.

Pro tip: You can replace the "DomainLocal" with other group scopes such as Universal or Global in the PowerShell cmdlet to get the membership of a specified group scope.

Surpass Native Solutions with AdminDroid's Dedicated Group Reports!

  • AdminDroid provides group membership reports for each group type and scope, such as security groups, domain local groups, global groups, and more. This offers clear insights into user memberships in Active Directory groups.
  • Unlike PowerShell, these reports include details like the specific group names each user belongs to within the respective group type or scope. It also lists details such as member type, distinguished name, and more.

5. How to find the group membership of contacts in Active Directory?

Contacts in Active Directory represent external users whose contact information is stored solely in the directory for communication purposes, distinguishing them from guest users. Contacts are typically added to distribution groups, enabling effective communication within the organization. To prevent the unintentional sharing of confidential emails, it is essential to regularly monitor the group memberships of these contacts in Active Directory.

Note: The usual method for retrieving object memberships (Get-ADPrincipalGroupMembership) does not return the group memberships of contacts in Active Directory, as they are considered a separate object class from users, groups, and computers.

Retrieve the group memberships of all contacts using PowerShell

  • Open the Active Directory PowerShell with an administrator account.
  • Run the below cmdlet to get the group membership of Active Directory contacts in your environment.
# List each contact with the names of the groups in its MemberOf attribute.
Get-ADObject -Filter {objectClass -eq "contact"} -Properties MemberOf | Select-Object Name, @{Name="Groups"; Expression={ ($_.MemberOf | ForEach-Object { (Get-ADGroup $_).Name }) -join "," }}

Instantly List the Group Memberships of Contacts in a Single Click with AdminDroid!

  • Utilize the contacts group membership report from AdminDroid to effectively monitor and manage the groups to which your contacts belong.
  • This report provides comprehensive details, including the group name, contact name, email address, department, and more.
