Get GroupMembers of nested Groups with PowerShell
Hi All,
I was recently tasked to figure out the GroupMembers of a nested Group.
It looks something like this:
- DemoGroupA has three Members
  - DemoGroupB (Group)
  - Simple Contact (Contact)
  - UserA (User)
- DemoGroupB has one Member
  - Email Contact (Mail Contact)
  - UserB (User)
The Get-ADGroupMember cmdlet does not return the Contact Object. But you can get it with the Members Property:
Get-ADGroupMember -Identity DemoGroupA
Get-ADGroup -Identity DemoGroupA -Property Members
(Get-ADGroup -Identity DemoGroupA -Property Members).Members
Same applies for DemoGroupB
Get-ADGroupMember -Identity DemoGroupB
(Get-ADGroup -Identity DemoGroupB -Property Members).Members
The only Objects that are returned are either Users or Groups
Get-ADGroupMember -Identity DemoGroupA
Get-ADGroupMember -Identity DemoGroupB
Let’s use the -Recursive Parameter, which resolves the Members of nested Groups. This only returns User Objects, but no Contacts
Get-ADGroupMember -Identity DemoGroupA -Recursive
If we look into the documentation, everything becomes clearer
MS Learn Get-ADGroupMember
The Get-ADGroupMember cmdlet gets the members of an Active Directory group. Members can be users, groups, and computers
MS Learn ADPrincipal Class
Only Accounts and Groups are returned. As a Contact Object is not an Account (you can’t log in with it), it is not returned.
Let’s check if we can use the Exchange cmdlets to figure it out
Enable-DistributionGroup -Identity DemoGroupA
Enable-DistributionGroup -Identity DemoGroupB
Note: Enable-DistributionGroup can only be used on Groups with Group Scope = Universal
Get-DistributionGroupMember returns even a Contact with no email address. But sadly there is no -Recursive Parameter available
Get-DistributionGroup DemoGroupA
Get-DistributionGroup DemoGroupB
Get-DistributionGroupMember DemoGroupA
Get-DistributionGroupMember DemoGroupB
Summary:
The best approach is to use Get-ADGroup with the Members Property (if you need the Contact Objects). Otherwise just use Get-ADGroupMember -Recursive.
Regards
Andres Bohren
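
The two approaches from the summary can be combined: walking the Members Property recursively resolves nested Groups and still keeps the Contact Objects. The following is an added example, not part of the original post; the function name Get-NestedGroupMember and the ViaGroup column are hypothetical, and it assumes the ActiveDirectory module and that all members live in the same domain.

```powershell
#Requires -Modules ActiveDirectory

# Hypothetical helper (not from the original post): resolves nested group
# members through the Members property, so contacts are included.
function Get-NestedGroupMember {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Identity,

        # DNs of groups already expanded; guards against circular nesting
        [System.Collections.Generic.HashSet[string]]$Visited
    )

    if ($null -eq $Visited) {
        $Visited = [System.Collections.Generic.HashSet[string]]::new(
            [System.StringComparer]::OrdinalIgnoreCase)
    }

    $group = Get-ADGroup -Identity $Identity -Properties Members
    # Add() returns $false if this group was already expanded
    if (-not $Visited.Add($group.DistinguishedName)) { return }

    foreach ($dn in $group.Members) {
        try {
            # Get-ADObject returns any object class, including contacts
            $member = Get-ADObject -Identity $dn -ErrorAction Stop
        }
        catch {
            Write-Warning "Could not resolve '$dn': $($_.Exception.Message)"
            continue
        }

        if ($member.ObjectClass -eq 'group') {
            # Expand the nested group instead of returning it
            Get-NestedGroupMember -Identity $member.DistinguishedName -Visited $Visited
        }
        else {
            [pscustomobject]@{
                Name              = $member.Name
                ObjectClass       = $member.ObjectClass
                DistinguishedName = $member.DistinguishedName
                ViaGroup          = $group.Name
            }
        }
    }
}

Get-NestedGroupMember -Identity DemoGroupA
```

A member that is reachable through more than one group is returned once per group, so the ViaGroup column shows every path that grants the membership.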