Command line to list users in a Windows Active Directory group?

Here's another way from the command prompt, not sure how automatable though since you would have to parse the output:

If group is "global security group":

net group <your_groupname> /domain

If you are looking for "domain local security group":

net localgroup <your_groupname> /domain

Here's a version of the ds command I found more typically useful, especially if you have a complex OU structure and don't necessarily know the full distinguished name of the group.

dsquery group -samid "Group_SAM_Account_Name" | dsget group -members -expand

or if you know the CN of the group, usually the same as the SAM ID, quoted in case there are spaces in the name:

dsquery group -name "Group Account Name" | dsget group -members -expand

As stated in the comments, by default the ds* commands (dsquery, dsget, dsadd, dsrm) are only available on a Domain Controller. However, you can install the Admin Tools pack from the Support Tools on the Windows Server installation media or download it from the Microsoft Download site.

You can also perform these queries using PowerShell. PowerShell is already available as an installable feature for Server 2008, 2008 R2, and Windows 7, but you'll need to download the WinRM Framework to install it on XP or Vista.

To get access to any AD-specific cmdlets in PowerShell you will ALSO need to perform at least one of the following installs:

• For Win 7 and 2008 R2 clients, you can install the Remote Server Admin Tools. The RSAT also requires that you have installed the Active Directory Web Services feature on your Server 2008 R2 Domain Controllers, or the Active Directory Management Gateway Service for any Server 2003/2008 DCs.
• For any XP or higher client, download and install the Quest ActiveRoles Management Shell for Active Directory. The Quest tools do not require any additional changes to your DCs.

try

dsget group "CN=GroupName,DC=domain,DC=name,DC=com" -members

For a PowerShell solution that doesn't require the Quest AD add-in, try the following

Import-Module ActiveDirectory

Get-ADGroupMember "Domain Admins" -recursive | Select-Object name

This will enumerate the nested groups as well. If you don't wish to do so, remove the -recursive switch.

A very easy way which works on servers and clients:

NET GROUP "YOURGROUPNAME" /DOMAIN | find /I /C "%USERNAME%"

Returns 1 if user is in group YOURGROUPNAME, else will return 0

You can then use the %ERRORLEVEL% value (0 if user in group, 1 if not) like

IF %ERRORLEVEL%==0 NET USE %LOGONSERVER%\YOURGROUPSHARE

Using PowerShell and Quest Software's Free ActiveRoles Management Shell for Active Directory, you can use:

(Get-QADGroup "GroupName").Members

http://www.quest.com/powershell/activeroles-server.aspx

The answers here using dsget and dsquery will only work on server versions of Windows as those command's aren't shipped on other versions of Windows (e.g. Windows 7). On machines without those commands you can get the information you want using the AdFind command.

Here's an example query for getting group membership:

AdFind.exe -default -f name="Domain Admins" member -list

For display members of the UserGroup1 try:

dsquery group -name UserGroup1 | dsget group -members | dsget user -display

How to list local groups and users?

Use the following powershell script to list the local groups and members of those groups.

$server="YourServerName"
$computer = [ADSI]"WinNT://$server,computer"

$computer.psbase.children | where { 

$_.psbase.schemaClassName -eq 'group' } | foreach {
    write-host $_.name
    write-host "------"
    $group =[ADSI]$_.psbase.Path
    $group.psbase.Invoke("Members") | foreach {
$_.GetType().InvokeMember("Name", 'GetProperty', 

$null, $_, $null)}
    write-host
}

Copy the text above in to notepad and save as filename.ps1. Then run the file. I should display the Groups and Users in each group, or you can just run this from powershell.