To get AD Group Members from a SharePoint group can be quite a task.

In my SharePoint environment I like to use the security model where each SharePoint Group contains an AD Group and each AD group contains AD users.

The main issue I have with that model is that from within SharePoint  I can’t figure out which user is a member of which AD group. This makes the security difficult to control.

I now looked into a solution to get the members of an AD group by using PowerShell. I’m not querying AD directly as I want to know what SharerPoint thinks the members of an AD group are.

Get a list

First I’m getting my list

$webUrl =”

$web = Get-SPWeb $webUrl

$list = $web.Lists[“MyList”]

then the role assignments

$roleAssignment = $list.RoleAssignments

For simplicity sake I’m looking at the second role assignment and I’m only picking up my first User ( this is actually a AD Group)

$ADGroupName = $roleAssignment[1].Member.Users[0].Name

Get AD Group members

Getting the AD Group using the EnsureUser method. The same way you would do this with user accounts.

$ADGroup = $web.EnsureUser($ADGroupName)

Then now the magic commands:

$reachedMax = $false

$users = [Microsoft.SharePoint.Utilities.SPUtility]::GetPrincipalsInGroup($web, $ADGroup, 10, [ref]$reachedMax)

All my users in my AD group is in the $users variable.

By Pieter Veenstra

Business Applications and Office Apps & Services Microsoft MVP working as a Microsoft Productivity Principal Consultant at HybrIT Services. You can contact me using

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: