To get AD Group Members from a SharePoint group can be quite a task.

In my SharePoint environment I like to use the security model where each SharePoint Group contains an AD Group and each AD group contains AD users.

The main issue I have with that model is that from within SharePoint  I can’t figure out which user is a member of which AD group. This makes the security difficult to control.

I now looked into a solution to get the members of an AD group by using PowerShell. I’m not querying AD directly as I want to know what SharerPoint thinks the members of an AD group are.

Get a list

Table of Contents

First I’m getting my list

$webUrl =”

$web = Get-SPWeb $webUrl

$list = $web.Lists[“MyList”]

then the role assignments

$roleAssignment = $list.RoleAssignments

For simplicity sake I’m looking at the second role assignment and I’m only picking up my first User ( this is actually a AD Group)

$ADGroupName = $roleAssignment[1].Member.Users[0].Name

Get AD Group members

Getting the AD Group using the EnsureUser method. The same way you would do this with user accounts.

$ADGroup = $web.EnsureUser($ADGroupName)

Then now the magic commands:

$reachedMax = $false

$users = [Microsoft.SharePoint.Utilities.SPUtility]::GetPrincipalsInGroup($web, $ADGroup, 10, [ref]$reachedMax)

All my users in my AD group is in the $users variable.

Avatar for Pieter Veenstra

By Pieter Veenstra

Business Applications Microsoft MVP working as a Principal Architect at HybrIT Services Ltd. You can contact me using

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Discover more from SharePains by Microsoft MVP Pieter Veenstra

Subscribe now to keep reading and get access to the full archive.

Continue Reading

%d bloggers like this: