How to List Active Directory Groups in a Batch Script
In a Windows Active Directory environment, groups are the cornerstone of security and resource management. Administrators need to audit group memberships, find groups with specific names or purposes, and generate reports on who has access to what. While this can be done through the "Active Directory Users and Computers" GUI, automating this process from a script is essential for efficiency and regular reporting.
This guide will teach you how to use the powerful, built-in dsquery command-line utility to find and list groups in your Active Directory domain. You will learn how to perform basic queries, how to filter your results, and how to combine it with the dsget command to retrieve detailed information like group members.
CRITICAL NOTE: These commands are designed to be run on a domain-joined computer. To use them, you must either be on a Domain Controller or have the Remote Server Administration Tools (RSAT) for Active Directory installed. You must also run the script as a domain user with at least read permissions to Active Directory.
The Core Command: dsquery
The dsquery.exe (Directory Service Query) utility is the standard command-line tool for finding objects (like users, computers, or groups) in Active Directory. We specify that we are looking for groups by using the group object type.
Basic Syntax: dsquery group
Basic Example: Listing All Groups in the Domain
Running the command with no arguments lists the groups in the current domain, up to the default cap of 100 results (see Common Pitfalls below).
C:\> dsquery group
The command returns the Distinguished Name (DN) for each group it finds. The DN is the full, unique path to the object in the Active Directory tree.
"CN=Domain Admins,CN=Users,DC=corp,DC=example,DC=com"
"CN=Domain Computers,CN=Users,DC=corp,DC=example,DC=com"
"CN=Administrators,CN=Builtin,DC=corp,DC=example,DC=com"
...
The Key to Power: Filtering Your Search
A list of all groups is rarely useful. The real power of dsquery comes from its ability to filter the results.
Find a Group by Name
The -name switch matches on the group's name (the CN that appears in the DN), and it supports wildcards (*). To match the pre-Windows 2000 logon name instead, use -samid.
This script finds all groups whose names start with "Admin".
@ECHO OFF
ECHO --- Finding all groups starting with "Admin" ---
dsquery group -name "Admin*"
Output:
"CN=Administrators,CN=Builtin,DC=corp,DC=example,DC=com"
"CN=Domain Admins,CN=Users,DC=corp,DC=example,DC=com"
"CN=Enterprise Admins,CN=Users,DC=corp,DC=example,DC=com"
Find Groups in a Specific OU
By default, dsquery searches the entire domain. To limit your search to a specific Organizational Unit (OU), you provide the OU's Distinguished Name as the start node. The search still covers the whole subtree beneath that OU, child OUs included; add -scope onelevel to search only the OU itself.
This script lists all groups that exist within the "Sales" OU.
@ECHO OFF
SET "SalesOU=OU=Sales,DC=corp,DC=example,DC=com"
ECHO --- Finding all groups in the Sales OU ---
dsquery group "%SalesOU%"
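The following batch script, added here as an illustration and not taken from the original page, puts the filters described above side by side with a few more of dsquery group's own switches (-scope, -desc, -samid, -o, the domainroot start node and -limit). The Sales OU, the description text "file share" and the "-Admins" naming pattern are placeholders for your own domain.

```batch
@ECHO OFF
REM Added example: the dsquery group filters side by side. The OU, description
REM text and naming pattern below are placeholders; substitute your own values.
SET "SalesOU=OU=Sales,DC=corp,DC=example,DC=com"

ECHO --- Groups directly inside the Sales OU only ---
REM A start node searches its whole subtree by default, so groups in OUs nested
REM under Sales are included. -scope onelevel limits the search to Sales itself.
dsquery group "%SalesOU%" -scope onelevel

ECHO --- Groups anywhere under Sales whose description mentions "file share" ---
REM -desc filters on the description attribute and accepts wildcards like -name.
REM -o samid prints the sAMAccountName instead of the DN, which reads better
REM in a report and is what NET GROUP and DOMAIN\Name references use.
dsquery group "%SalesOU%" -desc "*file share*" -o samid

ECHO --- The group whose SAM account name is exactly "Sales-FS-Admins" ---
REM -name matches the CN; -samid matches the pre-Windows 2000 logon name,
REM which can differ from the CN on renamed groups.
dsquery group "%SalesOU%" -samid "Sales-FS-Admins"

ECHO --- Every group in the domain ending in "-Admins", 100-result cap removed ---
REM domainroot is the start node keyword for the domain the machine is joined to.
dsquery group domainroot -name "*-Admins" -limit 0
```

Each query prints one DN (or, with -o samid, one SAM name) per line, so any of them can be fed to a FOR /F loop or piped to dsget exactly as the plain dsquery group output is later in this guide.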
Getting More Details: Piping to dsget
The dsquery command only finds objects and prints their DNs. The dsget.exe (Directory Service Get) command does the opposite: it reads DNs, one per line, from standard input and prints the requested properties, such as a group's members. Because dsquery writes exactly that format, the two commands chain together with a pipe.
The most common use case is getting group members: find a specific group, then list everything in it.
@ECHO OFF
ECHO --- Listing members of the "Domain Admins" group ---
dsquery group -name "Domain Admins" | dsget group -members
Output:
"CN=Administrator,CN=Users,DC=corp,DC=example,DC=com"
"CN=Enterprise Admins,CN=Users,DC=corp,DC=example,DC=com"
Note that dsget group -members lists direct members only. The second entry above is itself a group; the accounts inside it do not appear unless you add -expand (dsget group -members -expand), so an audit of who effectively holds Domain Admins rights must expand nesting. dsget also prints a trailing "dsget succeeded" status line after the list, which you may want to filter out of reports.
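Here is an added example (not from the original page) of the other dsget group switches that matter for an access review: direct versus expanded membership, the reverse lookup with -memberof, and the group's type and scope. It assumes a group named "Helpdesk" exists in corp.example.com; both names are placeholders.

```batch
@ECHO OFF
REM Added example, not from the original page. "Helpdesk" is a placeholder group
REM and corp.example.com a placeholder domain; adjust both before running.
SET "DomainDN=DC=corp,DC=example,DC=com"
SET "AdminsDN=CN=Administrators,CN=Builtin,%DomainDN%"

ECHO --- Direct members of Administrators ---
REM Nested groups show up here as group DNs, not as the users inside them.
dsget group "%AdminsDN%" -members

ECHO --- Effective members of Administrators, nesting expanded ---
REM -expand follows group-in-group membership, so an account that is an
REM administrator only through Domain Admins is listed too. This is the list
REM a privileged-access review actually needs.
dsget group "%AdminsDN%" -members -expand

ECHO --- Every group that Helpdesk is nested in, directly or indirectly ---
REM -memberof walks the other direction: which groups pass their rights down
REM to Helpdesk. A service-desk group quietly nested in Account Operators or
REM Administrators is a classic finding.
dsquery group -name "Helpdesk" | dsget group -memberof -expand

ECHO --- Group type and scope for Helpdesk ---
REM -secgrp reports yes for a security group and no for a distribution group;
REM -scope reports whether it is domain local, global or universal.
dsquery group -name "Helpdesk" | dsget group -dn -samid -secgrp -scope
```

The -secgrp check is worth keeping in audits: a distribution group cannot be granted permissions, so a "Finance-Admins" distribution group is noise, while a security group by the same name is not.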
Common Pitfalls and How to Solve Them
- "dsquery is not recognized...": This is the most common error. It means the Active Directory command-line tools are not installed on the client machine you are using.
  - Solution: Run the script from a Domain Controller, or install the Remote Server Administration Tools (RSAT) for Active Directory Domain Services on your Windows 10/11 client.
- Output limit of 100: By default, dsquery returns only the first 100 objects that match. A report that stops at exactly 100 groups is almost certainly truncated, not complete.
  - Solution: Add the -limit switch; -limit 0 removes the cap: dsquery group -limit 0
- Permissions: By default, any authenticated domain user can read group objects and their member attribute, so a standard account is enough for most audits. Some OUs or attributes may carry tighter ACLs, and objects you cannot read are simply absent from the output rather than producing an obvious error.
  - Solution: Sanity-check the number of groups reported against what you expect. If an OU is denied, grant the audit account read access to that OU rather than running the whole script as a Domain Admin: a reporting script needs no write rights, and running it with a privileged token on a workstation exposes that token. dsquery and dsget also accept -u and -p for alternate credentials, but -p puts a password on the command line and in the batch file, so prefer running the script as the read-only audit account in the first place.
Practical Example: A Group Membership Report Script
This script automates a common audit task. It finds all groups within a specific OU, and for each group, it lists its members, creating a clean report.
@ECHO OFF
SETLOCAL
SET "TargetOU=OU=Departments,DC=corp,DC=example,DC=com"
SET "ReportFile=Group_Membership_Report.txt"
ECHO --- Generating Group Membership Report ---
ECHO Report will be saved to: %ReportFile%
ECHO.
(
ECHO Group Membership Report for OU: %TargetOU%
ECHO Generated on %DATE% at %TIME%
ECHO =======================================================
) > "%ReportFile%"
REM --- The main loop ---
REM Use FOR /F to process the list of groups from dsquery. "delims=" keeps each
REM whole line, i.e. the quoted DN, in %%G. -limit 0 avoids the 100-result cap,
REM and the default subtree scope also picks up groups in OUs nested under
REM %TargetOU%. %%G keeps the quotes dsquery printed, so DNs with spaces pass
REM to dsget intact; %%~G strips them for the heading. dsget writes a trailing
REM "dsget succeeded" status line, which is filtered out of the report. Add
REM -expand after -members if nested group membership should be resolved.
FOR /F "delims=" %%G IN ('dsquery group "%TargetOU%" -limit 0') DO (
(
ECHO.
ECHO --- Group: %%~G ---
ECHO Members:
REM Pipe the found group to dsget to list its direct members.
dsget group %%G -members | find /V "dsget succeeded"
) >> "%ReportFile%"
)
ECHO [SUCCESS] Report generated.
ENDLOCAL
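As an added example that goes one step beyond the report above (it is not part of the original page), the script below audits the built-in high-privilege groups rather than an OU, expands nested membership, and counts the effective members so that a group which has grown past an expected size is flagged on the console. The domain DN corp.example.com and the threshold of 5 are placeholders to adjust for your environment.

```batch
@ECHO OFF
SETLOCAL
REM Added example, not from the original page. corp.example.com and the member
REM threshold are placeholders; set both for your environment.
SET "DomainDN=DC=corp,DC=example,DC=com"
SET "MaxMembers=5"
SET "ReportFile=Privileged_Group_Audit.txt"

> "%ReportFile%" ECHO Privileged group audit for %DomainDN%, generated on %DATE% at %TIME%

REM Domain Admins, Enterprise Admins and Schema Admins are created in CN=Users;
REM Administrators and Account Operators live in CN=Builtin. Enterprise Admins
REM and Schema Admins exist only in the forest root domain, so drop them when
REM auditing a child domain. Quoted items in a FOR set keep their embedded
REM commas, so each DN arrives in %%G as a single token.
FOR %%G IN (
    "CN=Domain Admins,CN=Users,%DomainDN%"
    "CN=Enterprise Admins,CN=Users,%DomainDN%"
    "CN=Schema Admins,CN=Users,%DomainDN%"
    "CN=Administrators,CN=Builtin,%DomainDN%"
    "CN=Account Operators,CN=Builtin,%DomainDN%"
) DO CALL :AuditGroup %%G

ECHO [SUCCESS] Audit written to %ReportFile%
ENDLOCAL
EXIT /B 0

:AuditGroup
REM %1 is the quoted DN passed from the loop; %~1 strips the quotes.
SET "GroupDN=%~1"
SET "Count=0"
REM -expand resolves nested groups, so accounts that are privileged only through
REM group-in-group membership are counted. Every member line contains "CN=" and
REM the trailing "dsget succeeded" status line does not, so find /C "CN=" counts
REM members only. The pipe has to be escaped inside the FOR /F command string.
FOR /F %%C IN ('dsget group "%GroupDN%" -members -expand ^| find /I /C "CN="') DO SET "Count=%%C"

>> "%ReportFile%" ECHO.
>> "%ReportFile%" ECHO --- %GroupDN% : %Count% effective members ---
dsget group "%GroupDN%" -members -expand | find /V "dsget succeeded" >> "%ReportFile%"

IF %Count% GTR %MaxMembers% ECHO [WARN] %GroupDN% has %Count% members, above the threshold of %MaxMembers%
EXIT /B 0
```

The subroutine form (CALL :AuditGroup) is used instead of putting the count and comparison inside the FOR block so that %Count% is expanded fresh on every call; inside a parenthesized block it would be expanded once when the block is parsed, and delayed expansion would in turn mangle any "!" in a DN. Scheduling this script and diffing successive reports turns it into a cheap detection for unexpected additions to privileged groups.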
Conclusion
The dsquery and dsget commands are the essential, built-in tools for listing and inspecting Active Directory groups from a batch script.
For effective scripting:
- Ensure your machine is a Domain Controller or has RSAT for Active Directory installed.
- Use dsquery group to find groups, and use its filtering switches (-name, -desc, -samid, or an OU path as the start node) to narrow your search.
- Use the -limit 0 switch to get more than 100 results.
- Pipe the output of dsquery to dsget group -members to retrieve the membership list for the found groups, adding -expand when nested groups matter.