SharePoint 2013 – Get AD Group members using PowerShell

In my SharePoint environment I like to use the security model where each SharePoint Group contains an AD Group and each AD group contains AD users.

The main issue I have with that model is that from within SharePoint  I can’t figure out which user is a member of which AD group. This makes the security difficult to control.

I now looked into a solution to get the members of an AD group by using PowerShell. I’m not querying AD directly as I want to know what SharerPoint thinks the members of an AD group are.

First I’m getting my list

$webUrl =”

$web = Get-SPWeb $webUrl

$list = $web.Lists[“MyList”]

then the role assignments

$roleAssignment = $list.RoleAssignments

For simplicity sake I’m looking at the second role assignment and I’m only picking up my first User ( this is actually a AD Group)

$ADGroupName = $roleAssignment[1].Member.Users[0].Name

Getting the AD Group using the EnsureUser method. The same way you would do this with user accounts.

$ADGroup = $web.EnsureUser($ADGroupName)

Then now the magic commands:

$reachedMax = $false

$users = [Microsoft.SharePoint.Utilities.SPUtility]::GetPrincipalsInGroup($web, $ADGroup, 10, [ref]$reachedMax)

All my users in my AD group is in the $users variable.



Please leave a comment or feedback

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.