I recently needed to generate a report of all Domain Users which brought up a few interesting issues, the first is that members aren’t actually listed as members of the group which removes the ability to use a lot of the standard PowerShell commands to produce a report on it, plus the group had well over 5000 users which again limits the commands available to run.

The Solution

I won’t drag on about why this works but the commands below will generate a report of all active users of the Domain Users group regardless of how many users there are and will then show a count and save an CSV file to C:\temp\export.csv.

$group = Get-ADGroup -Identity 'Domain Users'

$users = Get-ADUser -Filter "PrimaryGroup -eq '$($group.DistinguishedName)'" | where {$_.enabled -eq "True"}

$users.count

$users | export-csv "c:\temp\export.csv"

Explanation

The explanation below is taken from a great answer by Ryan Bolger on StackExchange answering why the Domain Users group didn’t appear in a report ran by another user –

As silly as it sounds, it’s because Domain Users is not actually in the memberOf attribute. You can verify in ADUC by turning on View – Advanced Features, going to the Attributes tab on your object and opening the memberOf attribute (not the “Member Of” tab).

The “Member Of” tab you see on an object’s properties in ADUC is actually a conglomeration of the memberOf attribute and the primaryGroupID attribute. By default, users in AD get their Domain Users membership via this primaryGroupID attribute rather than an entry in memberOf. Though it’s possible to change the primaryGroupID, most people don’t.

Ryan Bolger – https://serverfault.com/questions/955721/why-is-the-domain-users-group-missing-from-this-powershell-ad-query