How can I use a command to list all the members of an Active Directory (AD) group?

A. The Windows Server 2003 Dsget command is useful for getting information about objects stored in AD, including groups. (See also, "Listing Members of an AD Group" and "How can I use a script to display members of an Active Directory (AD) group?").

When you use Dsget with the -members switch, it will output the distinguished names (DNs) of all the members of a group, as the following command and output shows:

dsget group "cn=Members,ou=Justice League,dc=savilltech,dc=com" -members"CN=Barry Allen,OU=Justice League,DC=savilltech,DC=com""CN=Kara Zor-El,OU=Justice League,DC=savilltech,DC=com""CN=Helena Bertinelli,OU=Justice League,DC=savilltech,DC=com""CN=Ted Kord,OU=Justice League,DC=savilltech,DC=com""CN=Jason Todd,OU=Justice League,DC=savilltech,DC=com""CN=Dick Grayson,OU=Justice League,DC=savilltech,DC=com"

If you want to display information other than the DN, you can use the piping ability of Windows, which is denoted by the pipe (|) character. This functionality lets you pass the output of one command as the input to another command. In this case, you can pipe the output of Dsget to another Dsget query to gather the desired user information. For example, if you want the SAM ID, User Principal Name (UPN), and description, you would use this command:

dsget group "cn=Members,ou=Justice League,dc=savilltech,dc=com" -members | dsget user -samid -upn -desc

Notice that the text after the pipe character in the command is the second Dsget command, which gathers the account detail displayed in the output:

desc        samid         upn            barry         [email protected]   Kara          [email protected]    Helena        [email protected] Beetle Ted           [email protected]            jason         [email protected]            dick          [email protected]