In my SharePoint environment I like to use the security model where each SharePoint Group contains an AD Group and each AD group contains AD users.

The main issue I have with that model is that from within SharePoint  I can’t figure out which user is a member of which AD group. This makes the security difficult to control.

I now looked into a solution to get the members of an AD group by using PowerShell. I’m not querying AD directly as I want to know what SharerPoint thinks the members of an AD group are.

First I’m getting my list

$webUrl =”

$web = Get-SPWeb $webUrl

$list = $web.Lists[“MyList”]

then the role assignments

$roleAssignment = $list.RoleAssignments

For simplicity sake I’m looking at the second role assignment and I’m only picking up my first User ( this is actually a AD Group)

$ADGroupName = $roleAssignment[1].Member.Users[0].Name

Getting the AD Group using the EnsureUser method. The same way you would do this with user accounts.

$ADGroup = $web.EnsureUser($ADGroupName)

Then now the magic commands:

$reachedMax = $false

$users = [Microsoft.SharePoint.Utilities.SPUtility]::GetPrincipalsInGroup($web, $ADGroup, 10, [ref]$reachedMax)

All my users in my AD group is in the $users variable.