Using the DSGET Active Directory command-line tool, I have scripted SAMIDGrpMbrs.bat to retrieve the members of a domain group.

The syntax for using SAMIDGrpMbrs.bat is:

\[call\] SAMIDGrpMbrs GroupID

Where GroupID is the sAMAccountName (SAMID) of the group.

To process the output in a script:

for /f "Tokens=1* Delims=;" %%a in ('SAMIDGrpMbrs GroupID') do (
 set UserDN=%%a
 set UserSAMID=%%b
 ...
 ...
)
NOTE: Imbedded domain groups are recursively expanded to arrive at a complete set of domain members.

NOTE: SAMIDGrpMbrs.bat usesĀ  DNGrpMbrs.bat.

SAMIDGrpMbrs.bat contains:

@echo off
if \{%1\}==\{\} @echo Syntax: SAMIDGrpMbrs GroupID&goto :EOF
setlocal enabledelayedexpansion
set samid=%1
set samid=%samid:"=%
set qry=dsquery * domainroot -filter "(&(objectCategory=Group)(objectClass=group)(sAMAccountName=%samid%))" -attr distinguishedName -Limit 0
for /f "Skip=1 Tokens=*" %%g in ('%qry%') do (
 set grp="%%g"
 set grp=!grp:  =!
 call DNGrpMbrs !grp!
)
endlocal