How to List SAMIDs of Users in Sub Groups of a Group in Active Directory

I was looking for a script to list all the users in subgroups of a group in Active Directory. The directory structure is like this:

          |           |
          |            -User2

There are about 10 subgroups in the main group. Each subgroup has 10 to 20 user accounts. I just wanted to get a list of these user accounts’ SAMIDs. There are some articles about how to accomplish something similar to this using PowerShell or other programming languages. Those examples are often complicated, and they are not exactly what I want.

I tried to do this at the command prompt using the Directory Service command-line tools on Windows Server 2008. After some trial and error, I came up with this one-liner.

dsquery group -name MainGroup | dsget group -members | dsget group -members | dsget user -samid

If it suits your preference, you can also redirect the output to a file for further processing by adding " > samid-list.txt" to the end of the command. The results will be saved in a text file called samid-list.txt. The command-line tools (dsquery, dsget) are also available on Windows Server 2003 and Windows 7.

  • This may be easier if you don’t know how many groups there are or what level of nesting:

    dsget group "" -members -expand

    will give a full list of all members, subgroups and their members. For what I wanted, I had to output to a file and manually delete out the group names, but it does the trick.

    You can pipe the output to another dsget to display -upn or -samid as required.
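The one-liner in the post assumes exactly two levels, with users only in the subgroups, and the -expand variant in the comment mixes group names into the output. The PowerShell below is an added example (not code from the post or the comment) that generalizes both to any nesting depth: it returns only user accounts and records the group path that grants each membership. The function name Get-NestedGroupUser, its -GetMembers parameter and the sample directory are hypothetical; the default lookup assumes the ActiveDirectory module is installed.

```powershell
# Added example: walk nested groups to any depth and list user sAMAccountNames.
function Get-NestedGroupUser {
    param(
        [Parameter(Mandatory = $true)] [string] $Group,
        # Returns the direct members of one group. The default queries AD
        # (assumes the ActiveDirectory module); hypothetical parameter.
        [scriptblock] $GetMembers = { param($g) Get-ADGroupMember -Identity $g }
    )
    $seen  = @{}    # groups already expanded; stops circular nesting from looping
    $stack = New-Object System.Collections.Stack
    $stack.Push(@{ Name = $Group; Path = $Group })
    while ($stack.Count -gt 0) {
        $cur = $stack.Pop()
        if ($seen.ContainsKey($cur.Name)) { continue }
        $seen[$cur.Name] = $true
        foreach ($m in (& $GetMembers $cur.Name)) {
            if ($m.objectClass -eq 'group') {
                # Queue the subgroup and remember how we reached it.
                $stack.Push(@{ Name = $m.SamAccountName
                               Path = "$($cur.Path) > $($m.SamAccountName)" })
            } elseif ($m.objectClass -eq 'user') {
                # Emit users only, so no group names need deleting afterwards.
                New-Object psobject -Property @{
                    SamAccountName = $m.SamAccountName
                    Via            = $cur.Path
                }
            }
        }
    }
}

# Constructed sample directory (not real data): a user directly in the main
# group, a third nesting level, and a circular reference back to MainGroup.
$sample = @{
    'MainGroup' = @(@{ objectClass = 'group'; SamAccountName = 'SubGroup1' },
                    @{ objectClass = 'group'; SamAccountName = 'SubGroup2' },
                    @{ objectClass = 'user';  SamAccountName = 'user0' })
    'SubGroup1' = @(@{ objectClass = 'user';  SamAccountName = 'user1' },
                    @{ objectClass = 'group'; SamAccountName = 'SubSubGroup' })
    'SubGroup2' = @(@{ objectClass = 'user';  SamAccountName = 'user1' },
                    @{ objectClass = 'group'; SamAccountName = 'MainGroup' })
    'SubSubGroup' = @(@{ objectClass = 'user'; SamAccountName = 'user2' })
}

$report = Get-NestedGroupUser -Group 'MainGroup' -GetMembers { param($g) $sample[$g] }
$report | Sort-Object SamAccountName, Via | Format-Table SamAccountName, Via -AutoSize
# Unique sAMAccountName list, the equivalent of the post's samid-list.txt:
$report | Select-Object -ExpandProperty SamAccountName | Sort-Object -Unique
```

Against a live domain, omit -GetMembers so the default Get-ADGroupMember lookup is used. A user who appears under more than one path (user1 in the sample) is reported once per path, which is useful when reviewing which subgroup grants the access.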