PowerShell – Domain Users Group Missing from PowerShell AD Query

active-directorygroupspowershell

I ran the following PowerShell script to compare a list of groups….

$dasMem = Get-ADUser -Server "<some-srv>" -Identity "<some-usr>" -Properties MemberOf | Select MemberOf
$blahx = $dasMem.MemberOf | % { $_ -replace "^CN=", "" } | % { $_ -replace ",.*$", "" } | sort
$blahx

When I got the list, I ended up with a missing group, Domain users which I believe is a standard default group. Is there any reason why it's missing when I pull the script?

To be clear I was able to see the group in Active Directory Users and Computers, but not from my script above.

Best Answer

As silly as it sounds, it's because Domain Users is not actually in the memberOf attribute. You can verify in ADUC by turning on View - Advanced Features, going to the Attributes tab on your object and opening the memberOf attribute (not the "Member Of" tab).

The "Member Of" tab you see on an object's properties in ADUC is actually a conglomeration of the memberOf attribute and the primaryGroupID attribute. By default, users in AD get their Domain Users membership via this primaryGroupID attribute rather than an entry in memberOf. Though it's possible to change the primaryGroupID, most people don't.

Related Solutions

Active Directory – How to List All Active Directory Users and Their Group Membership

Install the Quest CMDlets and then run this code:

Add-PSSnapin Quest.ActiveRoles.ADManagement
$memberships = @()

Get-QADGroup -SizeLimit 0 | Foreach-Object {
        $NameGroup = $_.Name
        Write-Host "Working with $NameGroup"
        $membership = Get-QADGroupMember $_.DN -Enabled -SizeLimit 0
        if ($membership -ne $null ) {
        $membership | Add-Member -type NoteProperty -name AuditGroupUserIsMemberOf -value $_.Name
        $memberships += $membership
        }
    }

$memberships | Select-Object AuditGroupUserIsMemberOf, NTAccountname | Export-Csv "GroupsWithUsers.csv"

This will give you a 1 record per group-user connection so expect multiple occurrences of users and groups. If you wan't other fields, you can just edit the Select-Object statement. Use $memberships | gm to see all the possibilities for the users. If you want more fields for the groups, use Get-QADGroup | gm, you will then need to add these by adding a new NoteProperty.

If you don't really care about more options, here is a one-liner you can just mash in the terminal:

Get-QADGroup -sizeLimit 0 | select @{name="Group";expression={$_.name}} -expand members | select Group,@{n='User';e={ (Get-QADObject $_).NTAccountName}} | Export-Csv "MyUsersAndGroups.csv"

Powershell query lastlogondate (lastlogontimestamp) returning mostly blank values (not matching the ADSIedit value for corresponding user attribute)

Adi was right, it is some sort of permissions issue. I actually resolved this just now when a coworker ran the query and got proper results, however he used his own login account. Im addition he "ran as administrator" to elevate the PS console. When I did this it worked correctly. I have no idea how I never had to do this in the past, and also I am a domain admin and therefore local admin on the DCs, but whatever. It now works using elevated PS prompt. For the record I went into ADSIedit with my regular using account and did not launch elevated session.....Strange but I'll take it.

Best Answer

Related Solutions

Active Directory – How to List All Active Directory Users and Their Group Membership

Powershell query lastlogondate (lastlogontimestamp) returning mostly blank values (not matching the ADSIedit value for corresponding user attribute)

Related Topic