PowerShell Script to Find All Active Directory Groups in SharePoint

Requirement: Get a list of all AD security groups used in SharePoint sites. We need to generate a report on the AD groups that are being used in a SharePoint web application.

PowerShell script to find AD Groups in SharePoint:

Here is my PowerShell script to find and export Active Directory groups on all SharePoint sites within the given web application.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

#Change to your web application
$WebAppURL = "http://intranet.crescent.com" 

#Get Web Application
$WebApp = Get-SPWebApplication $WebAppURL

#variable for data collection
$ADGroupCollection= @()
$ReportPath ="C:\ADGroups.csv" 

foreach ($Site in $WebApp.Sites)
{
    Write-host -foregroundcolor green "Processing Site Collection: "$site.RootWeb.URL
    
    #Get all AD Security Groups from the site collection
    $ADGroups = Get-SPUser -Web $Site.Url -Limit ALL | Where { $_.IsDomainGroup -and $_.displayName -ne "Everyone" }

    #Iterate through each AD Group
    ForEach($Group in $ADGroups)
    {
            Write-host "Found AD Group:" $Group.DisplayName

            #Get Direct Permissions
            $Permissions = $Group.Roles | Where { $_.Name -ne "Limited Access" } | Select -ExpandProperty Name

            #Get SharePoint User Groups where the AD group is a member
            $SiteGroups = $Group.Groups | Select -ExpandProperty Name

            #Send Data to an object array
            $ADGroup = new-object psobject
            $ADGroup | add-member noteproperty -name "Site Collection" -value $Site.RootWeb.Title
            $ADGroup | add-member noteproperty -name "URL" -value $Site.Url
            $ADGroup | add-member noteproperty -name "Group Name" -value $Group.DisplayName
            $ADGroup | add-member noteproperty -name "Direct Permissions" -value ($Permissions -join ",")
            $ADGroup | add-member noteproperty -name "SharePoint Groups" -value ($SiteGroups -join ",")
            #Add to Array
            $ADGroupCollection+=$ADGroup           
    }

    #Release the site collection object to avoid leaking memory
    $Site.Dispose()
}
#Export Data to CSV
$ADGroupCollection | export-csv $ReportPath -notypeinformation
Write-host "SharePoint Security Groups data exported to a CSV file at:"$ReportPath -ForegroundColor Cyan  

This script generates a CSV report with the following output:

  • Site collection Name and URL
  • Active Directory group name
  • Permissions applied to the AD group either by direct permission level or via SharePoint groups.
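
Once the report exists, it can be triaged for an access review. The following is an added example, not part of the original script: it reads rows in the report's column layout and labels each AD group entry. The sample rows, the CRESCENT\ group names, the Get-ADGroupFinding helper and the finding labels are constructed assumptions.

```powershell
# Added example (not from the original script). Requires PowerShell 3.0 or later.
# Constructed sample rows in the column layout the report script exports.
$SampleCsv = @'
"Site Collection","URL","Group Name","Direct Permissions","SharePoint Groups"
"Intranet","http://intranet.crescent.com","CRESCENT\Domain Users","Read","Intranet Visitors"
"HR","http://intranet.crescent.com/sites/hr","CRESCENT\HR Admins","Full Control",""
"HR","http://intranet.crescent.com/sites/hr","CRESCENT\Domain Users","","HR Members"
"Projects","http://intranet.crescent.com/sites/projects","CRESCENT\Contractors","",""
'@

# Hypothetical helper: labels each report row for an access review
function Get-ADGroupFinding {
    param(
        [Parameter(Mandatory = $true)][object[]]$Rows,
        [string[]]$HighPrivilege = @("Full Control")   # assumed list; adjust to your permission levels
    )
    foreach ($Row in $Rows) {
        # The report joins multiple values with commas, so split them back out
        $Direct = @($Row.'Direct Permissions' -split ',' | Where-Object { $_ })
        $Groups = @($Row.'SharePoint Groups' -split ',' | Where-Object { $_ })

        $Finding = if ($Direct | Where-Object { $HighPrivilege -contains $_ }) {
            "High privilege granted directly to the AD group"
        } elseif ($Direct.Count -gt 0) {
            "Direct permission (not only via a SharePoint group)"
        } elseif ($Groups.Count -eq 0) {
            "No permission on the root web: check subsites or stale entry"
        } else {
            "Via SharePoint groups only"
        }

        [pscustomobject]@{
            Group   = $Row.'Group Name'
            URL     = $Row.URL
            Finding = $Finding
        }
    }
}

# For the real report use: $Rows = Import-Csv "C:\ADGroups.csv"
$Rows = $SampleCsv | ConvertFrom-Csv
Get-ADGroupFinding -Rows $Rows |
    Where-Object { $_.Finding -ne "Via SharePoint groups only" } |
    Format-Table -AutoSize

# Footprint: how many site collections each AD group appears in
$Rows | Group-Object 'Group Name' | Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize
```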

Salaudeen Rajack

Salaudeen Rajack is a SharePoint Architect with two decades of SharePoint experience. He loves sharing his knowledge and experiences with the SharePoint community through his real-world articles!

17 thoughts on “PowerShell Script to Find All Active Directory Groups in SharePoint”

  • August 16, 2021 at 9:59 PM

    I keep getting an error “Get-SPWebapplication : The term ‘Get-SPWebapplication’ is not recognized as the name of a cmdlet”.

  • June 4, 2021 at 7:23 AM

    Thanks! Saved me a lot of time!

  • September 10, 2020 at 3:48 PM

    Can anyone help me with a PowerShell script to get a specific security group from all site collections in SharePoint Online?

  • June 26, 2020 at 12:03 PM

    What should be the script for MOSS 2007?

  • March 5, 2020 at 10:59 PM

    I am getting only limited groups alphabetically till C. How can I get all the groups?

  • October 2, 2019 at 5:36 AM

    Hi, is it possible to have a version of this for SharePoint Online?

  • November 24, 2018 at 5:09 AM

    How to get the list with AD login name and not display name? I tried with login name property but there is no property as such. Please help.

  • September 19, 2018 at 9:25 AM

    Hey, thanks mate, this script really helped me out.

  • September 18, 2018 at 11:55 AM

    Hi

    I have an issue with check permissions in SharePoint 2013 and I am unable to see user-added AD groups.

    Can you please help me on this?

    Thanks
    Abdul

  • September 24, 2015 at 10:15 PM

    Hello, this script does not seem to loop a site collection that has subsites.

    How do I do that?

    • September 26, 2015 at 7:43 AM

      No need to loop into subsites, because user accounts are stored at the site collection level, even though a subsite uses unique permissions.

    • September 30, 2015 at 5:55 PM

      We have a site called /home/Dev and two subsites, /home/dev/prop and /home/dev/health.

      We give additional permissions to subsites that are different than the main site. The script is able to pull the AD groups that I am using of the subsites but somehow says that the permissions are for the main site and does not pull the permissions. The direct permissions stay blank.
