Thank you for the net user suggestion - I have found that when running against everyone in the domain (or at least all I've tried) *except* those in the domain admins group, I get "System error 5 - access is denied" even though the account I'm running it from is a member of domain admins / enterprise admins. So now I'm really fascinated as to what is going on and how this domain is set up. The mystery deepens...
On Tue, Apr 25, 2017 at 4:46 AM, Melvin Backus <melvin.bac...@byers.com> wrote: > I’ve never had a problem with net user /domain or net group /domain > althought output format isn’t particularly handy if you’re trying to > manipulate the results. > > > > That said, are you sure you’re using the correct syntax? > > > > This will return the user info with no membership info > > Get-aduser –identity testuser –properties memberof > > > > But this will return the membership info as expected. > > $info = Get-aduser –identity testuser –properties memberof > > $info.memberOf > > > > > > -- > There are 10 kinds of people in the world... > those who understand binary and those who don't. > > > > *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists. > myitforum.com] *On Behalf Of *Russ > *Sent:* Tuesday, April 25, 2017 1:55 AM > *To:* ntsysadm@lists.myitforum.com > *Subject:* Re: [NTSysADM] Get group membership through powershell > > > > OK - is there a way that you know of to use a command line tool to pull > that information accurately? It seems like if a cmdlet is inaccurate, it > is pretty useless. > > > > On Mon, Apr 24, 2017 at 3:02 PM, Brian Desmond <br...@briandesmond.com> > wrote: > > MemberOf is a constructed attribute which the cmdlets may not be > requesting correctly or at all. ADUC makes specific calls to AD to get that > data. > > > > Thanks, > > Brian Desmond > > > > w – 312.625.1438 <(312)%20625-1438> | c – 312.731.3132 <(312)%20731-3132> > > > > *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists. > myitforum.com] *On Behalf Of *Russ > *Sent:* Monday, April 24, 2017 4:32 PM > *To:* ntsysadm@lists.myitforum.com > *Subject:* [NTSysADM] Get group membership through powershell > > > > I've often used powershell to get the groups that a user is a member of > by using get-adprincipalgroupmembership. It's always worked to my > knowledge. > > > > However, I've found one group which doesn't show up for anyone - so I was > curious if anyone has run into this before. If I run get-adgroupmember > for the group, everyone shows up who should be there, but if I try to run > the reverse on any of the users who are a member of the group, it doesn't > show up - it just returns "domain users". > > > > If I try get-aduser with -properties "memberof", nothing shows up for > that property at all. (not even domain users, but I think that's normal?). > > > > If you go into ADUC and look up the user, the two groups (this one, and > domain users) show up just fine. > > > > Does anyone know of a circumstance why this wouldn't return a value? > > >