Export Active Directory Security Groups with PowerShell

Table of Contents

Estimated reading time: 4 minutes

Managing Active Directory (AD) security groups is a core task for administrators. This PowerShell script provides a user-friendly way to browse AD security groups, display additional options, and export group details to a file. Before using the script, make sure you have the necessary prerequisites in place.

Prerequisites

To successfully run this script, ensure the following prerequisites are met:

Active Directory Module for Windows PowerShell:
- The Get-ADGroup cmdlet is part of the Active Directory module. Install it by:
  - Windows Server: Install the Active Directory Domain Services (AD DS) role to automatically include the PowerShell module.
  - Windows 10/11 or other client OS: Install the Remote Server Administration Tools (RSAT) for Active Directory. On recent versions, you can install RSAT with PowerShell by running:

Add-WindowsFeature -Name RSAT-AD-PowerShell

Ensure you have network access to the Active Directory domain.

Permissions:
- You need to have read access to the Active Directory domain to view groups. Typically, standard user accounts can read AD objects, but limited-access environments may require elevated privileges.
PowerShell Version:
- The script requires PowerShell 5.1 or later for compatibility with the Out-GridView cmdlet, which displays a graphical dialog to select groups. Note that Out-GridView is only available on Windows with the full GUI version of PowerShell.
Graphical User Interface:
- The script uses Out-GridView, which requires a graphical user interface (GUI) environment. It will not work on Windows Server Core installations or non-GUI Windows environments.

PowerShell Script for Browsing and Exporting AD Security Groups

Below is the full PowerShell script. Copy and paste it into PowerShell to run it.

# Function to browse for an Active Directory security group
function Browse-ADSecurityGroup {
    param (
        [string]$Domain
    )

    # Set the default domain if not provided
    if (-not $Domain) {
        $Domain = $env:USERDNSDOMAIN
    }

    # Display a dialog box to select an Active Directory group
    $selectedGroup = Get-ADGroup -Filter * -Server $Domain | Out-GridView -Title "Select an AD Security Group" -PassThru

    # Check if a group is selected
    if ($selectedGroup) {
        $selectedGroup | Format-Table -AutoSize

        # Display a menu for additional actions
        $menuOptions = @{
            '1' = 'Export selected data'
            '2' = 'Exit'
        }

        $choice = Show-Menu -Title 'Menu' -Options $menuOptions

        # Perform action based on the user's choice
        switch ($choice) {
            '1' {
                Export-SelectedData -Data $selectedGroup
            }
            '2' {
                Write-Host "Exiting..."
            }
        }
    } else {
        Write-Host "No group selected."
    }
}

# Function to display a menu
function Show-Menu {
    param (
        [string]$Title,
        [hashtable]$Options
    )

    Write-Host "`n$Title`n"

    foreach ($key in $Options.Keys) {
        Write-Host "$key. $($Options[$key])"
    }

    do {
        $choice = Read-Host "Enter choice"
    } while (-not $Options.ContainsKey($choice))

    return $choice
}

# Function to export selected data
function Export-SelectedData {
    param (
        [object]$Data
    )

    $exportPath = Join-Path -Path $env:TEMP -ChildPath "SelectedADGroup.txt"
    $Data | Select-Object Name, DistinguishedName | Out-File -FilePath $exportPath -Force

    Write-Host "Selected data exported to: $exportPath"
}

# Prompt for the domain to search
$selectedDomain = Read-Host -Prompt "Enter the domain to search (press Enter for the current domain)"

# Call the function with the selected domain
Browse-ADSecurityGroup -Domain $selectedDomain

Script Explanation

Browse-ADSecurityGroup: This function allows you to browse for an AD security group by displaying a list of groups in a graphical dialog box. Once you select a group, it presents options for additional actions.
Show-Menu: This function displays a simple menu with options, such as exporting the selected group’s data or exiting the script.

Export-SelectedData: This function exports the selected group’s information (like Name and DistinguishedName) to a text file in the temp folder.
Domain Selection: The script prompts you to specify the domain. If left blank, it defaults to the current domain.

How to Use This Script

Run PowerShell as Administrator (if necessary for AD access).

Copy and paste the script into your PowerShell console.
Specify the domain you wish to search (or press Enter to use the default).
Select a group from the dialog box.

Choose an action from the menu to either export the selected data or exit.

Exported Data Location

The selected data is saved to a file called SelectedADGroup.txt in the temporary directory (usually C:\Users\YourUsername\AppData\Local\Temp). The file includes the Name and DistinguishedName of the selected group.

Conclusion

This script is a useful tool for AD administrators who need a quick way to browse, view, and export security group information from Active Directory. With simple adjustments, you can modify the functions to include more group attributes or additional actions.

Let us know if you have any questions or if you’d like further customization!

Click to rate this post!

[Total: 1 Average: 5]

Share this content: