How to return the users in a domain local group in Powershell

Question

When I run the following command on a domain local group:

Get-ADGroupMember "Name of Group"

I get the following output:

Get-ADGroupMember : The operation completed successfully
At line:1 char:1
+ Get-ADGroupMember "Name of Group"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (Name of Group:ADGroup) [Get-ADGroupMember], ADException
    + FullyQualifiedErrorId : The operation completed successfully,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember

When I run the command on a global group, I get the output of the users in the group. Is there a way to get the users from a domain local group?

Answer 1

If this doesn't work:

Get-ADGroup "Name of Group" | Get-ADGroupMember

Try the following:

$s = "LDAP://" + (Get-ADGroup "Name of Group").DistinguishedName
([ADSI]$s).member

Answer 2

if you want to export the users from a domain local group use this code:

$s = "LDAP://" + (Get-ADGroup "Name of Group").DistinguishedName

([ADSI]$s) | select -ExpandProperty member| select @{Name=’members‘;Expression={[string]::join(“;”, ($_))}} | export-csv C:\Path\File.csv -NoTypeInformation

Warning: if you have users from another domain in the domain local group they will appear as SIDs.

Answer 3

I ran into this error when looking at distribution groups. - I got no error, but the 4 members of the group were not listed. I was convinced it was because it was a domain local group.

I had set the recipient scope to the entire forest (Set-AdServerSettings -ViewEntireForest $true). For whatever reason, if you do that, you should use the DN (rather than alias or name) to get the members, and also include the switch -ReadFromDomainController. So, I had to use

Get-DistributionGroupMember -Identity DistinguishedName -ReadFromDomainController