Finding AD Groups with PowerShell Wildcards


Managing a new app means documenting who has access. Let’s start with Active Directory groups, assuming the previous SysAdmin(s) consistently named AD groups for applications.

Get-ADGroup -filter {name -like "*foo*"}

This PowerShell command will return all the details for any AD groups containing the string “foo”. Replace foo with your app name.

Let’s break down the command:

Get-ADGroup

This is the cmdlet, from the ActiveDirectory module, that queries the current user’s domain controller.

-filter

Only return results matching the expression in the braces after this parameter.

{name -like "*foo*"}

Return only AD groups whose name property matches the wildcard pattern “*foo*”; each asterisk matches any run of characters, so “foo” can appear anywhere in the group name.

Assuming your security team (or your SysAdmin predecessor) has applied some level of common sense to naming their AD groups and are using RBAC standards, you should find some preliminary results to dig into further.

You’ll probably find more than one result with almost identical members. Maybe one is a retired group; maybe it’s for a different environment. These sorts of questions lead to helpful discussions with security and business SMEs in your organization.

Use the results to begin creating documentation on your application’s security. Auditors will love you for this. And the boss always wants to know about the security of your app at the worst possible moment. Having these groups documented will make you the hero of your team at one point or another. I’ve included a sample table to get started.

| Group | Description | Members | Last Certified |
|---|---|---|---|
| app_x_admins | Administrators for app “X” | domain\larry, domain\curly, domain\moe | 2020-01-02 |
| app_x_group_a_users | Users for feature “A” | domain\tom, | |
| app_x_group_b_users | Users for feature “B” | domain\jane, | |

Use the table above to document AD groups for your organization.
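As an added example (not code from the original post), the script below runs the same wildcard search and turns the results into the documentation table above, one row per group with its description and effective members. It assumes the ActiveDirectory module is installed, that you can read group membership, and that the function name and the Last Certified placeholder are ours.

```powershell
# Added example: build the documentation table for every AD group whose name
# contains an application name. Assumes the ActiveDirectory module is available.
Import-Module ActiveDirectory

function Get-AppGroupReport {
    param(
        [Parameter(Mandatory)][string]$AppName
    )

    # -Filter takes a string. '*' matches any run of characters, so "*foo*"
    # matches "app_foo_admins" as well as "foo_readers". The -like match is
    # case-insensitive, like the rest of AD name matching.
    $pattern = "*$AppName*"

    # Description is not part of the default property set, so request it.
    $groups = Get-ADGroup -Filter "Name -like '$pattern'" -Properties Description

    foreach ($group in $groups) {
        # -Recursive expands nested groups, so Members reflects who can
        # actually use the access the group grants, not just direct members.
        $members = Get-ADGroupMember -Identity $group -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            Select-Object -ExpandProperty SamAccountName |
            Sort-Object

        [pscustomobject]@{
            Group         = $group.Name
            Description   = $group.Description
            Members       = ($members -join ', ')
            LastCertified = ''   # placeholder: fill in when an owner reviews the list
        }
    }
}

# Usage: one row per matching group, ready to paste into your documentation
# or hand to an auditor.
Get-AppGroupReport -AppName 'foo' |
    Export-Csv -Path ".\foo-ad-groups.csv" -NoTypeInformation
```

Get-ADGroupMember -Recursive can be slow, and Active Directory Web Services refuses to enumerate very large groups by default (the limit is 5000 members), so for those read the group's Member attribute with Get-ADGroup -Properties Member instead.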

Find more details on using this PowerShell module in Microsoft’s official documentation.

Also published on Medium.
