So I have a question about strange PowerShell behavior with Get-ADGroup. If I use it on a group I created, I can get members just fine. But on some (not all) built in groups, including Domain Users, it returns nothing. See:
PS C:\> Get-ADGroup -Filter * -Properties * | Where {$_.name -eq "Iron Throne"} | Select -ExpandProperty members
CN=robert,OU=Baratheons,DC=seven-kingdoms,DC=local
CN=daenerys,OU=Targaryens,DC=seven-kingdoms,DC=local
CN=margaery,OU=Tyrells,DC=seven-kingdoms,DC=local
CN=joffrey,OU=Baratheons,DC=seven-kingdoms,DC=local
CN=Cersei Lannister,OU=Lannisters,DC=seven-kingdoms,DC=local
PS C:\> Get-ADGroup -Filter * -Properties * | Where {$_.name -eq "Domain Users"} | Select -ExpandProperty members
PS C:\>
They show up fine in Active Directory Users and Computers. This is on a Win2012R2 DC as Administrator. Anyone knows why?
Best Answer
A user's primary group will not be listed when querying
memberormemberOfwith many utilities. As "Domain Users" is the default primary group for domain users, often this group will appear empty to queries. You may consider querying theprimaryGroupIdattribute as well.See: Setting Primary Group Excludes the User from the Group Membership in Active Directory