How to report all security group members of an Active Directory organizational unit
Recently, a customer required a weekly report on security groups within a specific Active Directory organizational unit (OU) and their associated members. Oh, and they did NOT want to use PowerShell!
That got me thinking: How might admins report on an OU using Microsoft’s native tools versus a stress-free tool like sapio365? This article covers hybrid Active Directory + Entra scenarios, nested membership, and export/scheduling needs.
Solution 1: Using Microsoft Office 365 Built-in Tools
Managing security groups in an Active Directory organizational unit is pretty straightforward with built-in tools, but each has its limitations and a learning curve. Whether you use ADUC, the Microsoft 365 admin centers, or PowerShell, each gives you a different mix of control, ease, and complexity.
Active Directory Users and Computers (ADUC)
In Active Directory Users and Computers (ADUC), you can filter groups and export their names, but not their members. You must open groups one by one, there is no nested-group resolution, and there is no export schema of the kind auditors want.
Just head to your Active Directory organizational unit and:
- Apply a filter to list only groups in that OU.
- Look up each group’s properties manually to get its members.
This process can become tedious if your organizational unit includes many groups or nested structures.
Note that you can only export the list from the left-side panel.
Another caveat is that you won’t be able to export the list of members for each group. You’ll need PowerShell for that (see next section).
Microsoft 365 Admin Centers
If you’re just tracking security groups that sync to Entra from your Active Directory organizational unit, the Microsoft 365 admin centers can help.
However, expect a few caveats:
- Both the general Microsoft 365 admin center (A) and the Entra admin center (B) show a list of security groups, but do not include OU information.
- Only the Entra admin center lets you filter to show syncing security groups—but these filters skip mail-enabled security groups.
- In both admin centers, you must open a group to view its members.
PowerShell
Here are simple PowerShell cmdlets for listing security groups in the OU “Accounts” and each group’s members, with results shown in the image that follows:
- List all groups in the OU: `Get-ADGroup -Filter * -SearchBase "OU=Accounts,DC=company,DC=com"`
- List a group’s members: `Get-ADGroupMember -Identity "<group name>"`
For nested groups, see more parameter examples on Microsoft’s docs page.
Not everyone is comfortable using PowerShell, and some simply don’t have the time to script. Lucky for them, sapio365 is an excellent alternative tool, as you’ll see in the next section.
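The two cmdlets above can be combined into a single export for membership review. The script below is an added example, not code from the original article: it reports only security groups under the “Accounts” OU, resolves nested membership, and writes one CSV row per group/member pair. It assumes the ActiveDirectory module (RSAT) is installed; the output path and the `New-ReportRow` helper are assumptions made for illustration.

```powershell
# Added example (not from the article). Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$SearchBase = 'OU=Accounts,DC=company,DC=com'   # OU used in the article
$OutFile    = Join-Path $env:TEMP ('OU-SecurityGroups-{0:yyyyMMdd}.csv' -f (Get-Date))  # assumed path

# Hypothetical helper: every row has the same columns so Export-Csv keeps a stable schema.
function New-ReportRow($Group, $Member, $Note) {
    [pscustomobject]@{
        GroupName  = $Group.Name
        GroupScope = $Group.GroupScope
        GroupDN    = $Group.DistinguishedName
        MemberName = $Member.Name
        MemberSam  = $Member.SamAccountName
        MemberType = $Member.objectClass
        MemberDN   = $Member.distinguishedName
        Note       = $Note
    }
}

# Security groups only (no distribution groups), including child OUs.
$groups = Get-ADGroup -Filter 'GroupCategory -eq "Security"' `
    -SearchBase $SearchBase -SearchScope Subtree

$report = foreach ($group in $groups) {
    try {
        # -Recursive flattens nested groups and returns only non-group members.
        $members = @(Get-ADGroupMember -Identity $group.DistinguishedName -Recursive -ErrorAction Stop)
    }
    catch {
        # Keep the group in the report instead of silently dropping it.
        New-ReportRow $group $null "ERROR: $($_.Exception.Message)"
        continue
    }
    if ($members.Count -eq 0) {
        # Empty groups still get a row so reviewers can see them.
        New-ReportRow $group $null 'No members'
        continue
    }
    foreach ($member in $members) { New-ReportRow $group $member '' }
}

$report | Sort-Object GroupName, MemberName |
    Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
"Wrote $(@($report).Count) rows to $OutFile"
```

Groups that `Get-ADGroupMember` cannot enumerate, such as those exceeding the AD Web Services result limit (5,000 members by default), appear with an error in the `Note` column rather than disappearing from the report.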
Solution 2: Try sapio365 for Quick Reports
Let’s explore how sapio365 makes reporting on your Active Directory organizational unit completely painless. Gain a comprehensive view of all cloud and on-premises groups within your Active Directory organizational unit, including their associated properties. Filter just what you need and export member information in a snap.
See a global picture of all groups and their properties
sapio365 displays both cloud and on-premises groups in a unique way by reconciling 100 group properties in Entra and ALL group properties in Active Directory for each synced group. This comprehensive view enables you to quickly locate the information you’re looking for, including the sync status of groups, group type, OU, and other relevant details.
Isolate security groups and customize the view
sapio365’s filters make it easy to zoom in on security groups from your chosen OU. Save the perfect view for next time.
Here are 3 easy steps in sapio365 to list all the security groups in the OU ‘Accounts.’
The screenshot illustrates these steps in action:
- Filter security groups on the group type.
- Filter for the specific OU.
- Save this custom view to use for recurrent reporting on that OU.
List and export security group members
Once you’ve filtered the right OU groups in sapio365, simply:
- Select all groups and get the list of each group’s on-prem members.
- You can even expand any nested groups there to get the complete picture of all group members.
- (optional) Save the view or export it to an Excel file for a ready-to-send report.
I’ll show you shortcuts later to the views you’ve saved and how to use them in automated reports.
Fix, preview and save membership changes
Finally, if your group memberships need fixing along the way, you can remove or add members across various groups in Active Directory in just one click, and you can preview everything before saving (highlighted in green in the image below).
Set up security group weekly reports in sapio365
If you want regular reports for your Active Directory organizational unit, sapio365 lets you automate emails and scheduled reports based on your saved views.
The following image demonstrates sapio365’s reporting options:
- Generate or email real-time group membership data with one click.
- Schedule sapio365 to email the report every week.
As you can see, sapio365 makes group reporting (and fixing!) much easier. Here’s a quick comparison table between Microsoft native tools and sapio365.
Feature | ADUC | Admin Centers | PowerShell | sapio365 |
---|---|---|---|---|
Filter by OU | Yes | Limited | Yes | Yes |
Export Group List | Yes | Yes | Yes | Yes |
Export Group Members | No | No | Yes | Yes |
Handle Nested Groups | No | No | Yes (recursive) | Yes |
Bulk Actions (Add/Remove Members) | No | No | Scripted | Yes |
Custom Views with User Properties | No | No | Scripted | Yes |
Scheduled/Automated Reports | No | No | Scripted | Yes |
Ease of Use | Moderate | Easy | Advanced | Easy |
In summary, reporting on security groups within an Active Directory organizational unit is challenging with built-in tools, especially for large or complex setups. sapio365 makes life a lot easier. Take a few minutes to set up automated reports, and you’ll always have the info you need when you need it.
Ready to keep your environment secure and up-to-date? Try out sapio365 and see how quickly you can stay on top of your security group memberships.