How to View Active Directory Groups Using DSGet Group?

You can use the dsget tool to get information about Active Directory directory objects. In this article, we'll show you how to use the dsget group command to get information about different groups in the AD domain.

The Microsoft Windows Administration Tools Pack – Adminpak.msi (for Windows XP/Windows Server 2003 and earlier) or the Active Directory Domain Services (AD DS) Tools from the Remote Server Administration Tools (RSAT) package (in modern versions of Windows) must be installed on your computer before you can use the dsget command.

Without any parameters, the dsget group command returns a list of all groups in the Active Directory domain (if there are a large number of groups in the domain, the command will run for a rather long time). Run the following command to acquire the attributes of a certain AD group:

dsget group "CN=Domain Admins,CN=Users,DC=solutionviews,DC=com"

The DistinguishedName (DN) format must be used to specify the group name.

The group DN and its description are displayed by default.

The dsget group command has the following syntax and attributes:

dsget group [-dn] [-samid] [-sid] [-desc] [-secgrp] [-scope] [{-s <Server> | -d <Domain>}] [-u <UserName>] [-p {<Password> | *}] [-c] [-q] [-l] [{-uc | -uco | -uci}] [-part <PartitionDN> [-qlimit] [-qused]]

For example, to find out the group SID, run:

dsget group "CN=Domain Admins,CN=Users,DC=solutionviews,DC=com" -sid

To check the group type: Security (yes) or Distribution (no), run:

dsget group "CN=Domain Admins,CN=Users,DC=solutionviews,DC=com" -secgrp

Two optional dsget group parameters show group membership: -members and -memberof. The -members parameter lists the users and groups that are included in this group, and the -memberof parameter lists the groups this group belongs to. Suppose you want to list the current members of the Domain Admins group. Run the command:

dsget group "CN=Domain Admins,CN=Users,DC=solutionviews,DC=com" -members

To display a complete list of users, including nested groups (recursively), run:

dsget group "CN=Domain Admins,CN=Users,DC=solutionviews,DC=com" -members -expand

Similarly, you can get a list of the groups of which this group is a member:

dsget group "CN=Domain Admins,CN=Users,DC=solutionviews,DC=com" -memberof

As you can see, these commands display the list of users/groups in DN format, which is inconvenient. To get usernames (or other fields), pipe the output to dsget user:

dsget group "CN=Domain Admins,CN=Users,DC=solutionviews,DC=com" -members | dsget user -samid -upn -desc

Remember that the distinguishedName format must be used to specify the group name for the dsget group command. You can use the dsget group command in conjunction with the dsquery command to avoid having to specify the group’s DN. Run the following command to retrieve a list of people in the ‘Domain Admins’ group and export it to a text file:

dsquery group -samid "Domain Admins" | dsget group -members > c:\ps\exportgoupmembers.txt

As you can see, now you do not need to specify the group DN.
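
An added example, not part of the original article: the PowerShell below compares the DNs returned by dsget group -members with an approved list and reports additions and removals, which is a common use for such an export when reviewing privileged groups. The function names, the approved list and the sample DNs are constructed for illustration, and it assumes dsget prints one DN per line, optionally wrapped in double quotes.

```powershell
# Added example: compare dsget group -members output with an approved baseline.
# Function names, baseline and sample DNs are constructed for illustration.

function ConvertFrom-DsgetDnList {
    param([string[]]$Lines)
    # Assumption: one DN per line, optionally in double quotes.
    # Blank lines and anything that does not look like a DN are skipped.
    foreach ($line in $Lines) {
        $dn = $line.Trim().Trim('"')
        if ($dn -match '^CN=.+,DC=') { $dn }
    }
}

function Compare-GroupBaseline {
    param([string[]]$Approved, [string[]]$Current)
    # An empty result usually means the query failed, not that the group
    # is empty, so stop instead of reporting every member as removed.
    if (-not $Current) { throw 'No member DNs parsed from dsget output.' }
    # Compare-Object is case-insensitive by default, which suits DNs.
    Compare-Object -ReferenceObject $Approved -DifferenceObject $Current |
        ForEach-Object {
            [pscustomobject]@{
                Change = $(if ($_.SideIndicator -eq '=>') { 'ADDED' } else { 'REMOVED' })
                Member = $_.InputObject
            }
        }
}

# Constructed sample data: approved members and a captured export.
$approved = @(
    'CN=Administrator,CN=Users,DC=solutionviews,DC=com'
    'CN=Alice Admin,OU=IT,DC=solutionviews,DC=com'
)
$export = @(
    '"CN=Administrator,CN=Users,DC=solutionviews,DC=com"'
    ''
    '"CN=svc-backup,OU=Service Accounts,DC=solutionviews,DC=com"'
)

$current = ConvertFrom-DsgetDnList -Lines $export
Compare-GroupBaseline -Approved $approved -Current $current | Format-Table -AutoSize

# Live use on a domain-joined host with RSAT, using the article's pipeline:
# $export = dsquery group -samid "Domain Admins" | dsget group -members -expand
```
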

If you do not know the exact name of the group, you can specify only part of the name using the wildcard character *. For example, to find all the groups whose names begin with NY:

dsquery group -name NY* | dsget group -dn -scope -secgrp

You can list, for example, all email addresses of people in a group and save the list to a CSV file in a similar way:

dsquery group -samid "Domain Admins" | dsget group -members | dsget user -email >admin_emails.csv
