Get AD Group members in SharePoint using PowerShell

Getting the members of an AD group from a SharePoint group can be quite a task.

In my SharePoint environment I like to use the security model where each SharePoint Group contains an AD Group and each AD group contains AD users.

The main issue I have with that model is that from within SharePoint I can’t figure out which user is a member of which AD group. This makes the security difficult to control.

I now looked into a solution to get the members of an AD group by using PowerShell. I’m not querying AD directly as I want to know what SharePoint thinks the members of an AD group are.

Get a list

First I’m getting my list:

$webUrl = "<your site URL>"   # placeholder: the URL of the site that holds the list

$web = Get-SPWeb $webUrl

$list = $web.Lists["MyList"]

Then the role assignments:

$roleAssignment = $list.RoleAssignments

For simplicity’s sake I’m looking at the second role assignment and I’m only picking up my first user (this is actually an AD group):

$ADGroupName = $roleAssignment[1].Member.Users[0].Name

Get AD Group members

Get the AD group using the EnsureUser method, the same way you would do this with user accounts.

$ADGroup = $web.EnsureUser($ADGroupName)

Now the magic commands:

$reachedMax = $false

$users = [Microsoft.SharePoint.Utilities.SPUtility]::GetPrincipalsInGroup($web, $ADGroup, 10, [ref]$reachedMax)

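All the users in my AD group are now in the $users variable. Because the third argument is 10, at most 10 principals are returned; $reachedMax is set to $true when that limit is hit, so raise the number if the group is larger.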
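The same calls, extended into a permissions audit over every role assignment on the list instead of just the second one. This is an added example, not code from the original post. It assumes the SharePoint Management Shell on a farm server with PowerShell 3 or later; the site URL placeholder, the "MyList" name, the $maxCount value and the report column names are assumptions, and it passes the AD group's LoginName as the string input to GetPrincipalsInGroup.

```powershell
# Added example: report which accounts SharePoint resolves behind each AD group on a list.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webUrl   = "<your site URL>"   # placeholder
$maxCount = 500                 # assumed cap; raise it if Truncated comes back True

$web = Get-SPWeb $webUrl
try {
    $list = $web.Lists["MyList"]

    $report = foreach ($ra in $list.RoleAssignments) {
        # Permission levels granted by this role assignment (e.g. Read, Contribute)
        $levels = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "

        # The member is either a SharePoint group or a directly assigned user / AD group
        if ($ra.Member -is [Microsoft.SharePoint.SPGroup]) {
            $principals = @($ra.Member.Users)
        } else {
            $principals = @($ra.Member)
        }

        # Only AD groups need expanding; individual users are already visible in SharePoint
        foreach ($p in $principals | Where-Object { $_.IsDomainGroup }) {
            $reachedMax = $false
            $members = [Microsoft.SharePoint.Utilities.SPUtility]::GetPrincipalsInGroup($web, $p.LoginName, $maxCount, [ref]$reachedMax)

            foreach ($m in $members) {
                [pscustomobject]@{
                    AssignedTo  = $ra.Member.Name
                    Permissions = $levels
                    ADGroup     = $p.Name
                    Member      = $m.LoginName
                    DisplayName = $m.DisplayName
                    Truncated   = $reachedMax   # True means the member list was cut off at $maxCount
                }
            }
        }
    }

    $report | Sort-Object AssignedTo, ADGroup, Member | Format-Table -AutoSize
}
finally {
    $web.Dispose()   # SPWeb objects from Get-SPWeb should be disposed
}
```

Any row with Truncated set to True means the member list for that AD group is incomplete and the audit should be rerun with a higher $maxCount.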
