Identity Management
Automating Active Directory: Export All AD Groups and Members to CSV
Auditing Active Directory groups is a fundamental part of identity management. Whether you are performing a quarterly security review or preparing for a domain migration, knowing exactly who is in which group—and what the scope of those groups is—is essential.
This PowerShell script does more than just list group names; it iterates through every group in your domain, identifies the members (skipping disabled users to keep your data clean), and exports everything into a dated CSV file.
The PowerShell Script
Save this script as ADGroupsExport.ps1 in C:\Temp\ExportADgroups. Ensure you are running this from a machine with the RSAT (Remote Server Administration Tools) installed and logged in with a domain account that has read permissions.
# Get year and month for the filename$DateTime = Get-Date -f "yyyy-MM"# Set CSV file destination$CSVFile = "C:\Temp\ExportADgroups\AD_Groups_"+$DateTime+".csv"if (!(Test-Path "C:\Temp\ExportADgroups")) { New-Item -ItemType Directory -Path "C:\Temp\ExportADgroups" }$CSVOutput = @()# Fetch all AD groups$ADGroups = Get-ADGroup -Filter *$i = 0$tot = $ADGroups.countforeach ($ADGroup in $ADGroups) { $i++ $status = "{0:N0}" -f ($i / $tot * 100) Write-Progress -Activity "Exporting AD Groups" -status "Processing Group $i of $tot : $status% Completed" -PercentComplete ($i / $tot * 100) $Members = "" # Fetch members and filter for enabled objects $MembersArr = Get-ADGroup $ADGroup.DistinguishedName -Properties Member | Select-Object -ExpandProperty Member if ($MembersArr) { foreach ($Member in $MembersArr) { $ADObj = Get-ADObject -Filter "DistinguishedName -eq '$Member'" -Properties Enabled # Skip disabled users to keep the report relevant if ($ADObj.ObjectClass -eq "user" -and $ADObj.Enabled -eq $false) { continue } $Members = $Members + "," + $ADObj.Name } if ($Members) { $Members = $Members.Substring(1) } } # Create ordered hash table for clean CSV columns $HashTab = [ordered]@{ "Name" = $ADGroup.Name "Category" = $ADGroup.GroupCategory "Scope" = $ADGroup.GroupScope "Members" = $Members } $CSVOutput += New-Object PSObject -Property $HashTab}# Sort by name and export$CSVOutput | Sort-Object Name | Export-Csv $CSVFile -NoTypeInformationWrite-Host "Export Complete: $CSVFile" -ForegroundColor GreenKey Features of this Script
- Progress Bar: Since large domains can take a long time to process, the
Write-Progressbar gives you a real-time percentage of the completion. - Clean Membership Lists: The script concatenates all members into a single “Members” column, separated by commas, making it easy to read in Excel.
- Disabled User Filtering: It intelligently checks the
Enabledstatus of user objects. If a user is disabled, they are omitted from the report to focus on active security risks. - Scope & Category: Clearly identifies if a group is Security vs. Distribution and Global vs. Universal.
#ActiveDirectory #PowerShell #SysAdmin #ITAutomation #WindowsServer #IdentityManagement #LazyAdmin #TechTips #Reporting #CyberSecurity
Guide to the Entra ID Passkey Rollout (March 2026) | Lazy Admin Blog
How to avoid 500 helpdesk tickets by spending 10 minutes in the Admin Center today.
If you woke up this morning to find a new “Default Passkey Profile” in your Entra tenant, don’t panic. Microsoft is officially “encouraging” (read: forcing) the world toward phishing-resistant auth. As a Lazy Admin, your goal isn’t to fight the change—it’s to control it so it doesn’t control your weekend.
1. The Big Change: Passkey Profiles
Previously, FIDO2 was a simple “On/Off” switch. Now, we have Passkey Profiles.
- The Default Behavior: If you didn’t opt-in, Microsoft has created a “Default Profile” for you.
- The Trap: If you had “Enforce Attestation” set to No, Microsoft is now allowing Synced Passkeys (iCloud Keychain, Google Password Manager). This means users can put corporate credentials on their personal iPhones.
2. The “Lazy” Strategy: Tiered Security
Don’t treat your CEO and your Summer Intern the same way. Use the new Group-Based Profiles to save yourself the headache of “One Size Fits None.”
| User Group | Recommended Profile | Why? |
| IT Admins | Device-Bound Only | Requires a physical YubiKey or Windows Hello. No syncing to the cloud. |
| Standard Users | Synced & Device-Bound | Maximum convenience. If they lose their phone, iCloud/Google restores the key. Zero helpdesk calls. |
| Contractors | AAGUID Restricted | Only allow specific hardware models you’ve issued to them. |
3. Avoid the “Registration Deadlock”
Many admins are seeing “Helpdesk Hell” because their Conditional Access (CA) policies are too strict.
The Problem: You have a policy requiring “Phishing-Resistant MFA” to access “All Apps.” A user tries to register a passkey, but they can’t log in to the registration page because… they don’t have a passkey yet.
The Lazy Fix: Exclude the “Register security information” user action from your strictest CA policies, or better yet, issue a Temporary Access Pass (TAP) for 24 hours. A TAP satisfies the MFA requirement and lets them onboard themselves without calling you.
🛠️ The 5-Minute “Lazy Admin” Checklist
- [ ] Check your Attestation: Go to Security > Authentication Methods > Passkey (FIDO2). If you want to block personal iPhones, set Enforce Attestation to Yes.
- [ ] Kill the Nudges: If you aren’t ready for the rollout, disable the “Microsoft-managed” registration campaigns before they start bugging your users on Monday.
- [ ] Review AAGUIDs: If you only use YubiKeys, make sure their AAGUIDs are explicitly whitelisted in your Admin profile.
Bottom Line: Spend 10 minutes setting up your profiles today, or spend 10 hours resetting MFA sessions next week. Choose wisely.