How to Get Security Group Members List in Active Directory

A small mistake, like adding a regular employee to a high-privilege security group, can expose your Active Directory to threats and attacks. That’s why monitoring security group memberships is essential to prevent unauthorized access, catch misconfigurations early, and reduce security risks. In this guide, we’ll show you how to get all security groups and members in Active Directory to maintain proper access control!

List Security Group Members Using ADUC

Active Directory permission required:
  • Account Operators (least privilege)
  • Administrators (most privilege)
  • Open the Active Directory Users and Computers console and click the Find icon.
  • In the ‘Find’ drop-down menu, select Custom Search, and in the 'In' field, choose the domain you want to search.
  • Navigate to the Advanced tab, enter the following LDAP query, and click Find Now to list all security groups.
     (&(objectCategory=Group)(groupType:1.2.840.113556.1.4.803:=2147483648))
  • To view a security group’s members, double-click it and go to the Members tab.

Export the List of Security Group Members Using PowerShell

Active Directory permission required:
  • Account Operators (least privilege)
  • Administrators (most privilege)
  • To find the members of a specific security group, run the following PowerShell cmdlet after replacing <SecurityGroupName> with the group’s name.
     Get-ADGroupMember -Identity '<SecurityGroupName>' | Select-Object Name, DistinguishedName, ObjectClass, SamAccountName, ObjectGUID | Format-Table
  • To export all security group members to a CSV file in Active Directory, run the following cmdlet, replacing <FilePath> with the desired output path.
     Get-ADGroup -Filter {GroupCategory -eq "Security"} | ForEach-Object {
         $groupName = $_.Name
         Get-ADGroupMember -Identity $_.DistinguishedName | Select-Object @{Name="GroupName";Expression={$groupName}}, Name, SamAccountName, ObjectClass, ObjectGUID, DistinguishedName
     } | Export-Csv -Path "<FilePath>" -NoTypeInformation
This exports all AD security group members to a CSV file along with details such as group name, username, SAMAccountName, object class, object ID, and distinguished name.
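The export above lists only direct members. For an access review you usually also want nested members (a user who is in Domain Admins through an intermediate group still holds the privilege) and the group scope, and you want a group that cannot be enumerated to be reported rather than to abort the whole run. The following script is an added example, not code from the original article or from AdminDroid; it assumes the ActiveDirectory module on a domain-joined host, and the output path is a placeholder. It reuses the same LDAP filter the ADUC step uses (the security-enabled bit 0x80000000 in groupType), so both methods select the same set of groups.

```powershell
# Added example: export every AD security group's membership, including nested
# members, with group scope, to a CSV file. Not part of the original article.
Import-Module ActiveDirectory

$OutputPath = 'C:\Temp\SecurityGroupMembers.csv'   # placeholder path

# Same LDAP filter as the ADUC custom search: objectCategory=group with the
# ADS_GROUP_TYPE_SECURITY_ENABLED bit (0x80000000 = 2147483648) set in groupType.
$ldapFilter = '(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483648))'

$rows = foreach ($group in Get-ADGroup -LDAPFilter $ldapFilter -Properties GroupScope, whenChanged) {
    try {
        # -Recursive expands nested groups so indirect members are not missed.
        $members = Get-ADGroupMember -Identity $group.DistinguishedName -Recursive -ErrorAction Stop
    }
    catch {
        # Get-ADGroupMember fails when a member cannot be resolved (for example a
        # foreign security principal from a trust that is currently unreachable).
        # Report it and continue so one bad group does not hide the rest.
        Write-Warning ("Could not enumerate '{0}': {1}" -f $group.Name, $_.Exception.Message)
        continue
    }

    foreach ($m in $members) {
        [pscustomobject]@{
            GroupName         = $group.Name
            GroupScope        = $group.GroupScope      # Global, DomainLocal or Universal
            GroupChanged      = $group.whenChanged
            MemberName        = $m.Name
            SamAccountName    = $m.SamAccountName
            ObjectClass       = $m.objectClass
            ObjectGUID        = $m.ObjectGUID
            DistinguishedName = $m.DistinguishedName
        }
    }
}

$rows | Export-Csv -Path $OutputPath -NoTypeInformation -Encoding UTF8
Write-Host ("Exported {0} membership rows to {1}" -f @($rows).Count, $OutputPath)
```

One caveat worth knowing: Active Directory Web Services returns at most 5000 entries per Get-ADGroupMember call by default (the MaxGroupOrMemberEntries setting), so for very large groups read the group's member attribute directly with Get-ADGroup -Properties member instead.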

Monitor Security Group Membership Changes to Identify Privilege Escalation

AdminDroid's Active Directory reporting tool allows you to track members in security groups, built-in groups, domain guest groups, distribution groups, and more. It also provides visibility into security group members across different scopes with dedicated reports on universal, domain local, and global group members. This helps ensure compliance, detect unauthorized changes, and maintain better control over your AD environment.

Get Alerts on Privileged Group Membership Changes

Stay informed about security group membership additions with the AdminDroid default alert template to track new admin inclusions and prevent excessive privileges.

Identify Users Not Members of Any Group to Prevent Access Gaps

Find users not in any Active Directory group to identify those who may have lost access by mistake and assign them the necessary permissions.

Manage Inactive Users in Security Groups Using AdminDroid

Identify inactive users who are members of security groups in Active Directory using AdminDroid’s easy filters to revoke unnecessary rights and enhance security.

Track Security Group Types for Better Membership Control

Monitor all security group types, such as global, universal, and domain local, to manage memberships effectively and ensure optimal security group management.

Find Disabled User Accounts in Security Groups to Enhance Security

Use AdminDroid's advanced filters to find and remove disabled users from the security group to maintain a clean directory.

Manage Empty Security Groups to Maximize Resource Utilization

Analyze empty security groups in Active Directory, review their permissions, add members, and optimize resource usage to boost organizational efficiency.

In conclusion, the AdminDroid Active Directory management tool simplifies group membership management with its intuitive interface and advanced capabilities. Admins can easily monitor and control access, improve workflow, and boost overall security.

Explore a full range of reporting options

Important Tips

Avoid changing a user's primary group from Domain Users unless required, as it may impact permissions and security.

Implement role-based access control (RBAC) in Active Directory using security groups to streamline the onboarding/offboarding process and access management.

Use nested groups to inherit specific permissions instead of creating separate security groups, thereby simplifying permission management and ensuring consistent access control.

Common Errors and Resolution Steps

The following are possible errors and troubleshooting hints while exporting and managing security group members in Active Directory.

Error: Get-ADGroup : Invalid value: 'Global Security' specified for extended attribute: 'GroupCategory'

The error occurs when an invalid value is passed to the GroupCategory attribute in Active Directory PowerShell.

Fix: The GroupCategory parameter only accepts the values 'Security' and 'Distribution'. To retrieve security groups, set the GroupCategory value to 'Security'.

Error: Get-ADGroupMember : Cannot find an object with identity: 'security' under: 'DC=contoso,DC=com'.

The error occurs when the Get-ADGroupMember cmdlet is executed with a group name that doesn't exist in your directory.

Fix: Verify the group name and spelling before execution. You can also check its existence using the cmdlet below.
Get-ADGroup -Filter * -Properties *

Error: Built in groups cannot be added to other groups.

This error occurs when you try to add built-in security groups in Active Directory (found under the Built-in container) as members of other groups.

Fix: Since system rules prevent nesting built-in security groups to avoid privilege escalation, create custom security groups with the needed permissions for group nesting instead.

Frequently Asked Questions

Manage and Monitor Active Directory Group Membership Changes to Minimize Unauthorized Access

1. How to add members to a security group in Active Directory?

Managing membership in Active Directory security groups is crucial for ensuring that users have the appropriate level of access to resources and services. By adding users to security groups, admins can simplify access management and eliminate the need to assign permissions individually.

Add users to a security group in ADUC

  • Open the Active Directory Users and Computers console.
  • Right-click on the desired security group and select Properties.
  • Navigate to the Members tab and click Add.
  • Click Object Types to specify the type of object you want to add.
  • Use the Locations button to select the desired location.
  • Enter a username in the Enter the object names to select field, click Check Names, and choose the user. If you want to add more than one user, repeat this step to add all the required users.
  • After selecting the appropriate members, click OK.
  • Finally, click Apply and then OK to save your changes.

Managing security group members through ADUC is tedious and inefficient for bulk operations. PowerShell provides a faster and more reliable way to handle these tasks efficiently.

Add members to a security group with PowerShell in bulk

To add a member to a security group using PowerShell, run the following command. Replace <SecurityGroupName> with the name of the security group and <UserSAMAccountName> with the SAMAccountName of the user or object you're adding.

Add-ADGroupMember -Identity '<SecurityGroupName>' -Members '<UserSAMAccountName>'

To add multiple users to a group, pass a list of usernames directly into the -Members parameter. For added convenience, especially when working with a CSV file containing user data, use the Import-Csv cmdlet to add dozens or even hundreds of users at once.

$users = Import-Csv "<FilePath>" 
Add-ADGroupMember -Identity "<SecurityGroupName>" -Members $users.<RespectiveColumnName>

Note: In addition to users, you can also add other objects such as groups, contacts, computers, and more as members of a security group in Active Directory.

2. How to remove members from a security group in Active Directory?

When an employee undergoes a role change, department transition, or project shift, it is crucial to promptly remove them from any security groups no longer relevant. Timely removal from security groups is vital to prevent unauthorized access to resources that are no longer within their new scope of work.

Here is how to remove members from an Active Directory security group:

Remove a member from a security group in Active Directory

  • In the Active Directory Users and Computers console, right-click on the desired security group and select Properties.
  • In the Members tab, select the member you wish to remove.
  • Click Remove, then Yes in the confirmation dialog box to proceed, and finally OK to save the changes.

Remove a security group member Using PowerShell

Execute the following command to remove a member from a security group using PowerShell.

Remove-ADGroupMember -Identity '<SecurityGroupName>' -Members '<MemberName>'

Replace <SecurityGroupName> with the security group’s name and <MemberName> with the name of the member you want to remove. When executing the cmdlet, a confirmation prompt will appear for the delete action. To bypass this prompt, append the -Confirm:$false flag to the cmdlet.

In scenarios where multiple users have departed, you can pass their usernames as comma-separated values in the -Members parameter to remove them all at once. Alternatively, you can use a CSV file with user data to simplify bulk removal.
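Bulk adds and bulk removals from a CSV, as described in the two answers above, are safer when treated as one reconciliation: the CSV is the desired membership, and the script computes what to add and what to remove, validates every name before touching the group, and runs in report-only mode until you flip a switch. The script below is an added example, not code from the original article or from AdminDroid. It assumes the ActiveDirectory module, a CSV with a SamAccountName column, and placeholder values for the group name and file path; it manages direct members only, so nested groups are left to be managed on their own.

```powershell
# Added example: reconcile a security group's direct membership against a CSV
# "desired state" list. Not part of the original article.
Import-Module ActiveDirectory

$GroupName = 'Finance-Share-RW'               # placeholder group name
$CsvPath   = 'C:\Temp\finance-members.csv'    # placeholder; expects a SamAccountName column
$DryRun    = $true                            # $true = report only; set to $false to apply

$group = Get-ADGroup -Identity $GroupName

# Resolve the desired members to distinguished names. Rows that do not resolve are
# reported and skipped rather than silently dropped, so a typo in the CSV is visible.
$desired = @{}
foreach ($row in Import-Csv -Path $CsvPath) {
    $sam = ([string]$row.SamAccountName).Trim()
    # Only allow characters valid in a sAMAccountName so the value is safe inside the filter.
    if ($sam -notmatch '^[\w.\-$]+$') { Write-Warning "Skipping invalid entry '$sam'"; continue }
    $obj = Get-ADObject -Filter "sAMAccountName -eq '$sam'"
    if (-not $obj) { Write-Warning "No AD object found for '$sam'"; continue }
    $desired[$obj.DistinguishedName] = $obj
}

# Refuse to act on an empty desired list: applying it would strip every member.
if ($desired.Count -eq 0) { throw "Desired member list is empty; refusing to reconcile '$GroupName'." }

# Current direct members (no -Recursive: nested groups are managed on the nested group itself).
$current = @{}
foreach ($m in Get-ADGroupMember -Identity $group) { $current[$m.DistinguishedName] = $m }

$toAdd    = @($desired.Keys | Where-Object { -not $current.ContainsKey($_) })
$toRemove = @($current.Keys | Where-Object { -not $desired.ContainsKey($_) })

"Group: $($group.Name)  add: $($toAdd.Count)  remove: $($toRemove.Count)"
$toAdd    | ForEach-Object { "  + $_" }
$toRemove | ForEach-Object { "  - $_" }

# -WhatIf:$DryRun prints the intended change without applying it while $DryRun is $true.
if ($toAdd.Count)    { Add-ADGroupMember    -Identity $group -Members $toAdd    -WhatIf:$DryRun }
if ($toRemove.Count) { Remove-ADGroupMember -Identity $group -Members $toRemove -Confirm:$false -WhatIf:$DryRun }
```

Run it once with $DryRun left at $true, review the printed plan, and only then set it to $false. The empty-list guard matters: a CSV saved with the wrong column header would otherwise resolve to nothing and remove every member of the group.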

Effortlessly manage security group members in AdminDroid 365 with instant add or remove actions—no complex navigation needed.

  • In addition to the robust reports on security groups, AdminDroid's management capabilities help you manage group membership directly from the report.
  • Just select More Actions in the security group members report to add or remove users, modify roles, and track changes—all in one place.

3. How to enable audit policies for tracking security group membership changes in AD?

To effectively monitor security group membership changes in Active Directory, it's crucial to enable the appropriate audit policies. This ensures you can track who is making changes, when they occur, and which groups are affected, providing better visibility into unauthorized modifications. Here’s how to enable the security group management audit policies in Active Directory.

Enable the Audit Security Group Management policy using GPMC:

  • Open the Group Policy Management Console by running gpmc.msc.
  • Right-click the target domain under Domains and select Create a GPO in this domain, and Link it here.
  • Name the GPO and click OK. Next, select the newly created GPO, right-click on it, and choose Edit to configure the policy.
  • Alternatively, you can edit an existing Group Policy Object linked to the domain controllers instead of creating a new one, based on your organization's needs.
  • Navigate to Computer Configuration»Policies»Windows Settings»Security Settings»Advanced Audit Policy Configuration.
  • Under Advanced Audit Policy Configuration, select Audit Policies»Account Management.
  • Ensure ‘Audit Security Group Management’ is configured with both the 'Success' and 'Failure' checkboxes selected.
  • Click OK to save the changes and run gpupdate /force in PowerShell to apply the changes immediately.
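Linking the GPO is only half the job: the events in the next section are written by the domain controller that processes the change, so the subcategory has to be effective on every DC, and a DC that missed the policy refresh will simply never log 4728/4732/4756. The check below is an added example, not code from the original article or from AdminDroid. It assumes the ActiveDirectory module and that PowerShell remoting (WinRM) to the domain controllers is permitted; it reads the effective setting with auditpol, whose /r switch emits CSV.

```powershell
# Added example: confirm "Audit Security Group Management" is effective on every
# domain controller after the GPO has been applied. Not part of the original article.
Import-Module ActiveDirectory

$dcs = (Get-ADDomainController -Filter *).HostName

$results = Invoke-Command -ComputerName $dcs -ScriptBlock {
    # auditpol /r prints CSV with the columns:
    # Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
    $csv = auditpol /get /subcategory:"Security Group Management" /r |
        Where-Object { $_ -match '\S' } |   # drop blank lines before parsing
        ConvertFrom-Csv
    $setting = [string]$csv.'Inclusion Setting'
    [pscustomobject]@{
        DomainController = $env:COMPUTERNAME
        Setting          = $setting
        Compliant        = ($setting -eq 'Success and Failure')
    }
}

$results | Select-Object DomainController, Setting, Compliant | Format-Table -AutoSize

$gaps = @($results | Where-Object { -not $_.Compliant })
if ($gaps.Count) {
    Write-Warning ("{0} DC(s) are not auditing Security Group Management for both Success and Failure: {1}" -f
        $gaps.Count, ($gaps.DomainController -join ', '))
}
```

If a DC reports 'No Auditing' or only 'Success', run gpupdate /force on that DC and re-check; a local legacy audit policy can also override the advanced setting unless the "Force audit policy subcategory settings" security option is enabled.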

4. How to audit security group membership changes in Active Directory?

Auditing security group membership changes is essential to maintain secure access control and prevent unauthorized actions that could compromise sensitive systems. For example, unexpected user removal from security groups in role-based access management can disrupt operations and create security risks. By monitoring such changes, admins can identify who is altering group memberships.

Track security group membership changes via Event Viewer

  • Open Event Viewer»Windows Logs»Security.
  • Right-click on Security and select Filter Current Log.
  • Replace <All Event IDs> with the following Event IDs, separated by commas, and click OK to accurately track specific group membership changes.

Event ID   Description
4728       A member was added to a security-enabled global group
4729       A member was removed from a security-enabled global group
4732       A member was added to a security-enabled local group
4733       A member was removed from a security-enabled local group
4756       A member was added to a security-enabled universal group
4757       A member was removed from a security-enabled universal group

After applying the filter, you can view the respective action along with details such as the group name, group domain, member name, member domain, the person who performed the action, their logon ID, and more.


It is difficult to determine who modified security group membership and when, as you need to investigate each log separately in the Event Viewer. The audit becomes even harder in directories with multiple domain controllers since you must check each one separately.
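The per-DC problem described above can be handled in a script: query each domain controller for the six event IDs from the table, pull the structured fields out of the event XML, and merge the results into one timeline. The script below is an added example, not code from the original article or from AdminDroid. It assumes the ActiveDirectory module and that the account running it can read the Security log on the DCs; the list of privileged group names used for the Privileged flag is an assumption you should adjust to your environment. The field names (MemberName, MemberSid, TargetUserName, SubjectUserName, SubjectLogonId and so on) are the EventData names used by events 4728 through 4757.

```powershell
# Added example: collect security group membership changes from all domain
# controllers for the last 24 hours into one table. Not part of the original article.
Import-Module ActiveDirectory

$eventIds = 4728, 4729, 4732, 4733, 4756, 4757   # the IDs from the table above
$since    = (Get-Date).AddHours(-24)
$dcs      = (Get-ADDomainController -Filter *).HostName

# Assumed watch list; extend with the groups that matter in your environment.
$privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators'

$changes = foreach ($dc in $dcs) {
    try {
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
            LogName = 'Security'; Id = $eventIds; StartTime = $since
        } -ErrorAction Stop
    }
    catch {
        # Get-WinEvent raises an error both when no events match and when the DC
        # cannot be reached; report it and carry on with the remaining DCs.
        Write-Warning ("{0}: {1}" -f $dc, $_.Exception.Message)
        continue
    }

    foreach ($e in $events) {
        # The structured fields live in EventData/Data elements keyed by their Name attribute.
        $xml = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        [pscustomobject]@{
            Time       = $e.TimeCreated
            DC         = $dc
            EventId    = $e.Id
            Action     = if ($e.Id -in 4728, 4732, 4756) { 'Added' } else { 'Removed' }
            Group      = "$($d.TargetDomainName)\$($d.TargetUserName)"
            Privileged = $privileged -contains $d.TargetUserName
            Member     = $d.MemberName          # DN of the member; '-' when not resolved
            MemberSid  = $d.MemberSid
            ChangedBy  = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            LogonId    = $d.SubjectLogonId      # correlate with 4624 to find the session
        }
    }
}

$changes | Sort-Object Time |
    Format-Table Time, DC, Action, Group, Privileged, Member, ChangedBy -AutoSize
```

Pipe $changes to Export-Csv to keep an audit trail, or filter on Privileged -eq $true to review only changes to the watch-listed groups. If the Security log on a DC has already wrapped, the change is gone from that DC, which is the practical reason to forward these events to a central collector or SIEM rather than querying the DCs after the fact.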

Auditing security group membership changes is simplified with AdminDroid—no more querying across multiple domain controllers!

  • AdminDroid helps you bypass the complexities of tracking events across different DCs as it collects audit data from all your computers in one place.
  • Applying the filter 'GroupType = Security' in the 'Members Added' and 'Members Removed' reports helps you track these events separately for all security groups.
