Re: [NTSysADM] Get group membership through powershell

2017-04-25 Thread Russ 
Thank you for the net user suggestion - I have found that when running
against everyone in the domain (or at least all I've tried) *except* those
in the domain admins group, I get "System error 5 - access is denied" even
though the account I'm running it from is a member of domain admins /
enterprise admins.  So now I'm really fascinated as to what is going on and
how this domain is set up.  The mystery deepens...

On Tue, Apr 25, 2017 at 4:46 AM, Melvin Backus <melvin.bac...@byers.com>
wrote:

> I’ve never had a problem with net user /domain or net group /domain
> althought output format isn’t particularly handy if you’re trying to
> manipulate the results.
>
>
>
> That said, are you sure you’re using the correct syntax?
>
>
>
> This will return the user info with no membership info
>
> Get-aduser –identity testuser –properties memberof
>
>
>
> But this will return the membership info as expected.
>
> $info = Get-aduser –identity testuser –properties memberof
>
> $info.memberOf
>
>
>
>
>
> --
> There are 10 kinds of people in the world...
>  those who understand binary and those who don't.
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] *On Behalf Of *Russ
> *Sent:* Tuesday, April 25, 2017 1:55 AM
> *To:* ntsysadm@lists.myitforum.com
> *Subject:* Re: [NTSysADM] Get group membership through powershell
>
>
>
> OK - is there a way that you know of to use a command line tool to pull
> that information accurately?  It seems like if a cmdlet is inaccurate, it
> is pretty useless.
>
>
>
> On Mon, Apr 24, 2017 at 3:02 PM, Brian Desmond <br...@briandesmond.com>
> wrote:
>
> MemberOf is a constructed attribute which the cmdlets may not be
> requesting correctly or at all. ADUC makes specific calls to AD to get that
> data.
>
>
>
> Thanks,
>
> Brian Desmond
>
>
>
> w – 312.625.1438 <(312)%20625-1438> | c – 312.731.3132 <(312)%20731-3132>
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] *On Behalf Of *Russ
> *Sent:* Monday, April 24, 2017 4:32 PM
> *To:* ntsysadm@lists.myitforum.com
> *Subject:* [NTSysADM] Get group membership through powershell
>
>
>
> I've often used powershell to get the groups that a user is a member of
> by using get-adprincipalgroupmembership.  It's always worked to my
> knowledge.
>
>
>
> However, I've found one group which doesn't show up for anyone - so I was
> curious if anyone has run into this before.  If I run get-adgroupmember
> for the group, everyone shows up who should be there, but if I try to run
> the reverse on any of the users who are a member of the group, it doesn't
> show up - it just returns "domain users".
>
>
>
> If I try get-aduser with -properties "memberof", nothing shows up for
> that property at all.  (not even domain users, but I think that's normal?).
>
>
>
> If you go into ADUC and look up the user, the two groups (this one, and
> domain users) show up just fine.
>
>
>
> Does anyone know of a circumstance why this wouldn't return a value?
>
>
>

RE: [NTSysADM] Get group membership through powershell

2017-04-25 Thread Michael B. Smith 
Did you supply a group name, Ed?

.\Get-GroupMember.ps1 ‘domain admins’

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Ed Ziots
Sent: Monday, April 24, 2017 7:44 PM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] Get group membership through powershell

Michael just looked at that script looks like line 49 the (throw "group must be 
specified"), is throwing an error in pshell. Maybe syntax maybe something 
else.. any ideas?

Ed

On Apr 24, 2017 6:15 PM, "Michael B. Smith" 
<mich...@smithcons.com<mailto:mich...@smithcons.com>> wrote:
Try this out:

http://theessentialexchange.com/blogs/michael/archive/2012/05/04/processing-large-and-embedded-groups-in-powershell.aspx


From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com>] 
On Behalf Of Russ
Sent: Monday, April 24, 2017 5:32 PM
To: ntsysadm@lists.myitforum.com<mailto:ntsysadm@lists.myitforum.com>
Subject: [NTSysADM] Get group membership through powershell

I've often used powershell to get the groups that a user is a member of by 
using get-adprincipalgroupmembership.  It's always worked to my knowledge.

However, I've found one group which doesn't show up for anyone - so I was 
curious if anyone has run into this before.  If I run get-adgroupmember for the 
group, everyone shows up who should be there, but if I try to run the reverse 
on any of the users who are a member of the group, it doesn't show up - it just 
returns "domain users".

If I try get-aduser with -properties "memberof", nothing shows up for that 
property at all.  (not even domain users, but I think that's normal?).

If you go into ADUC and look up the user, the two groups (this one, and domain 
users) show up just fine.

Does anyone know of a circumstance why this wouldn't return a value?

Re: [NTSysADM] Get group membership through powershell

2017-04-25 Thread Russ 
I was trying to avoid to dump the membership of all my groups - I already
know that works.

I just have a subset of users who I need to know which groups they are in.
 (And only groups they are directly in - I don't care about nested groups
and that sort of thing)

I'll play with a few of these suggestions.  Thanks!

On Tue, Apr 25, 2017 at 3:59 AM, Ed Ziots  wrote:

> I think dsquery group "fqdn of group" -expand>>name_of_txt will dump the
> group members inside a group u might need to also put a -limit 5000 switch
> also.
>
> On Apr 25, 2017 2:07 AM, "Russ"  wrote:
>
>> OK - is there a way that you know of to use a command line tool to pull
>> that information accurately?  It seems like if a cmdlet is inaccurate, it
>> is pretty useless.
>>
>> On Mon, Apr 24, 2017 at 3:02 PM, Brian Desmond 
>> wrote:
>>
>>> MemberOf is a constructed attribute which the cmdlets may not be
>>> requesting correctly or at all. ADUC makes specific calls to AD to get that
>>> data.
>>>
>>>
>>>
>>> Thanks,
>>>
>>> Brian Desmond
>>>
>>>
>>>
>>> w – 312.625.1438 <(312)%20625-1438> | c – 312.731.3132
>>> <(312)%20731-3132>
>>>
>>>
>>>
>>> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.myitf
>>> orum.com] *On Behalf Of *Russ
>>> *Sent:* Monday, April 24, 2017 4:32 PM
>>> *To:* ntsysadm@lists.myitforum.com
>>> *Subject:* [NTSysADM] Get group membership through powershell
>>>
>>>
>>>
>>> I've often used powershell to get the groups that a user is a member of
>>> by using get-adprincipalgroupmembership.  It's always worked to my
>>> knowledge.
>>>
>>>
>>>
>>> However, I've found one group which doesn't show up for anyone - so I
>>> was curious if anyone has run into this before.  If I run get-adgroupmember
>>> for the group, everyone shows up who should be there, but if I try to run
>>> the reverse on any of the users who are a member of the group, it doesn't
>>> show up - it just returns "domain users".
>>>
>>>
>>>
>>> If I try get-aduser with -properties "memberof", nothing shows up for
>>> that property at all.  (not even domain users, but I think that's normal?).
>>>
>>>
>>>
>>> If you go into ADUC and look up the user, the two groups (this one, and
>>> domain users) show up just fine.
>>>
>>>
>>>
>>> Does anyone know of a circumstance why this wouldn't return a value?
>>>
>>
>>

RE: [NTSysADM] Get group membership through powershell

2017-04-25 Thread Melvin Backus 
OK, I’m blind. The first option does report data, albeit truncated so I missed 
it. The second dumps it as a list which in my test case was too big for even me 
to miss. J


--
There are 10 kinds of people in the world...
 those who understand binary and those who don't.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Melvin Backus
Sent: Tuesday, April 25, 2017 7:46 AM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] Get group membership through powershell

I’ve never had a problem with net user /domain or net group /domain althought 
output format isn’t particularly handy if you’re trying to manipulate the 
results.

That said, are you sure you’re using the correct syntax?

This will return the user info with no membership info
Get-aduser –identity testuser –properties memberof

But this will return the membership info as expected.
$info = Get-aduser –identity testuser –properties memberof
$info.memberOf


--
There are 10 kinds of people in the world...
 those who understand binary and those who don't.

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Russ
Sent: Tuesday, April 25, 2017 1:55 AM
To: ntsysadm@lists.myitforum.com<mailto:ntsysadm@lists.myitforum.com>
Subject: Re: [NTSysADM] Get group membership through powershell

OK - is there a way that you know of to use a command line tool to pull that 
information accurately?  It seems like if a cmdlet is inaccurate, it is pretty 
useless.

On Mon, Apr 24, 2017 at 3:02 PM, Brian Desmond 
<br...@briandesmond.com<mailto:br...@briandesmond.com>> wrote:
MemberOf is a constructed attribute which the cmdlets may not be requesting 
correctly or at all. ADUC makes specific calls to AD to get that data.

Thanks,
Brian Desmond

w – 312.625.1438<tel:(312)%20625-1438> | c – 312.731.3132<tel:(312)%20731-3132>

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com>] 
On Behalf Of Russ
Sent: Monday, April 24, 2017 4:32 PM
To: ntsysadm@lists.myitforum.com<mailto:ntsysadm@lists.myitforum.com>
Subject: [NTSysADM] Get group membership through powershell

I've often used powershell to get the groups that a user is a member of by 
using get-adprincipalgroupmembership.  It's always worked to my knowledge.

However, I've found one group which doesn't show up for anyone - so I was 
curious if anyone has run into this before.  If I run get-adgroupmember for the 
group, everyone shows up who should be there, but if I try to run the reverse 
on any of the users who are a member of the group, it doesn't show up - it just 
returns "domain users".

If I try get-aduser with -properties "memberof", nothing shows up for that 
property at all.  (not even domain users, but I think that's normal?).

If you go into ADUC and look up the user, the two groups (this one, and domain 
users) show up just fine.

Does anyone know of a circumstance why this wouldn't return a value?

Re: [NTSysADM] Get group membership through powershell

2017-04-25 Thread Ed Ziots 
I think dsquery group "fqdn of group" -expand>>name_of_txt will dump the
group members inside a group u might need to also put a -limit 5000 switch
also.

On Apr 25, 2017 2:07 AM, "Russ"  wrote:

> OK - is there a way that you know of to use a command line tool to pull
> that information accurately?  It seems like if a cmdlet is inaccurate, it
> is pretty useless.
>
> On Mon, Apr 24, 2017 at 3:02 PM, Brian Desmond 
> wrote:
>
>> MemberOf is a constructed attribute which the cmdlets may not be
>> requesting correctly or at all. ADUC makes specific calls to AD to get that
>> data.
>>
>>
>>
>> Thanks,
>>
>> Brian Desmond
>>
>>
>>
>> w – 312.625.1438 <(312)%20625-1438> | c – 312.731.3132 <(312)%20731-3132>
>>
>>
>>
>> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.myitf
>> orum.com] *On Behalf Of *Russ
>> *Sent:* Monday, April 24, 2017 4:32 PM
>> *To:* ntsysadm@lists.myitforum.com
>> *Subject:* [NTSysADM] Get group membership through powershell
>>
>>
>>
>> I've often used powershell to get the groups that a user is a member of
>> by using get-adprincipalgroupmembership.  It's always worked to my
>> knowledge.
>>
>>
>>
>> However, I've found one group which doesn't show up for anyone - so I was
>> curious if anyone has run into this before.  If I run get-adgroupmember for
>> the group, everyone shows up who should be there, but if I try to run the
>> reverse on any of the users who are a member of the group, it doesn't show
>> up - it just returns "domain users".
>>
>>
>>
>> If I try get-aduser with -properties "memberof", nothing shows up for
>> that property at all.  (not even domain users, but I think that's normal?).
>>
>>
>>
>> If you go into ADUC and look up the user, the two groups (this one, and
>> domain users) show up just fine.
>>
>>
>>
>> Does anyone know of a circumstance why this wouldn't return a value?
>>
>
>

Re: [NTSysADM] Get group membership through powershell

2017-04-25 Thread Russ 
OK - is there a way that you know of to use a command line tool to pull
that information accurately?  It seems like if a cmdlet is inaccurate, it
is pretty useless.

On Mon, Apr 24, 2017 at 3:02 PM, Brian Desmond 
wrote:

> MemberOf is a constructed attribute which the cmdlets may not be
> requesting correctly or at all. ADUC makes specific calls to AD to get that
> data.
>
>
>
> Thanks,
>
> Brian Desmond
>
>
>
> w – 312.625.1438 <(312)%20625-1438> | c – 312.731.3132 <(312)%20731-3132>
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] *On Behalf Of *Russ
> *Sent:* Monday, April 24, 2017 4:32 PM
> *To:* ntsysadm@lists.myitforum.com
> *Subject:* [NTSysADM] Get group membership through powershell
>
>
>
> I've often used powershell to get the groups that a user is a member of by
> using get-adprincipalgroupmembership.  It's always worked to my
> knowledge.
>
>
>
> However, I've found one group which doesn't show up for anyone - so I was
> curious if anyone has run into this before.  If I run get-adgroupmember for
> the group, everyone shows up who should be there, but if I try to run the
> reverse on any of the users who are a member of the group, it doesn't show
> up - it just returns "domain users".
>
>
>
> If I try get-aduser with -properties "memberof", nothing shows up for that
> property at all.  (not even domain users, but I think that's normal?).
>
>
>
> If you go into ADUC and look up the user, the two groups (this one, and
> domain users) show up just fine.
>
>
>
> Does anyone know of a circumstance why this wouldn't return a value?
>

RE: [NTSysADM] Get group membership through powershell

2017-04-24 Thread Brian Desmond 
MemberOf is a constructed attribute which the cmdlets may not be requesting 
correctly or at all. ADUC makes specific calls to AD to get that data.

Thanks,
Brian Desmond

w – 312.625.1438 | c – 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Russ
Sent: Monday, April 24, 2017 4:32 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] Get group membership through powershell

I've often used powershell to get the groups that a user is a member of by 
using get-adprincipalgroupmembership.  It's always worked to my knowledge.

However, I've found one group which doesn't show up for anyone - so I was 
curious if anyone has run into this before.  If I run get-adgroupmember for the 
group, everyone shows up who should be there, but if I try to run the reverse 
on any of the users who are a member of the group, it doesn't show up - it just 
returns "domain users".

If I try get-aduser with -properties "memberof", nothing shows up for that 
property at all.  (not even domain users, but I think that's normal?).

If you go into ADUC and look up the user, the two groups (this one, and domain 
users) show up just fine.

Does anyone know of a circumstance why this wouldn't return a value?

Re: [NTSysADM] Get group membership through powershell

2017-04-24 Thread Russ 
It's weird - I don't see that we have tons and tons of nested groups.  I've
found out that in this domain most users I've tried aren't returning any
groups except for domain users, even though they are in other groups.  But
I've tried against other user objects (domain administrator accounts) and
they do return groups.  But those are all built-in groups - I'm going to
have to try to add one of those users to a different group and see if it
shows up.

On Mon, Apr 24, 2017 at 3:12 PM, Michael B. Smith 
wrote:

> Try this out:
>
>
>
> http://theessentialexchange.com/blogs/michael/archive/
> 2012/05/04/processing-large-and-embedded-groups-in-powershell.aspx
>
>
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] *On Behalf Of *Russ
> *Sent:* Monday, April 24, 2017 5:32 PM
> *To:* ntsysadm@lists.myitforum.com
> *Subject:* [NTSysADM] Get group membership through powershell
>
>
>
> I've often used powershell to get the groups that a user is a member of by
> using get-adprincipalgroupmembership.  It's always worked to my
> knowledge.
>
>
>
> However, I've found one group which doesn't show up for anyone - so I was
> curious if anyone has run into this before.  If I run get-adgroupmember for
> the group, everyone shows up who should be there, but if I try to run the
> reverse on any of the users who are a member of the group, it doesn't show
> up - it just returns "domain users".
>
>
>
> If I try get-aduser with -properties "memberof", nothing shows up for that
> property at all.  (not even domain users, but I think that's normal?).
>
>
>
> If you go into ADUC and look up the user, the two groups (this one, and
> domain users) show up just fine.
>
>
>
> Does anyone know of a circumstance why this wouldn't return a value?
>

RE: [NTSysADM] Get group membership through powershell

2017-04-24 Thread Ed Ziots 
Michael just looked at that script looks like line 49 the (throw "group
must be specified"), is throwing an error in pshell. Maybe syntax maybe
something else.. any ideas?

Ed

On Apr 24, 2017 6:15 PM, "Michael B. Smith"  wrote:

> Try this out:
>
>
>
> http://theessentialexchange.com/blogs/michael/archive/
> 2012/05/04/processing-large-and-embedded-groups-in-powershell.aspx
>
>
>
>
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.
> myitforum.com] *On Behalf Of *Russ
> *Sent:* Monday, April 24, 2017 5:32 PM
> *To:* ntsysadm@lists.myitforum.com
> *Subject:* [NTSysADM] Get group membership through powershell
>
>
>
> I've often used powershell to get the groups that a user is a member of by
> using get-adprincipalgroupmembership.  It's always worked to my
> knowledge.
>
>
>
> However, I've found one group which doesn't show up for anyone - so I was
> curious if anyone has run into this before.  If I run get-adgroupmember for
> the group, everyone shows up who should be there, but if I try to run the
> reverse on any of the users who are a member of the group, it doesn't show
> up - it just returns "domain users".
>
>
>
> If I try get-aduser with -properties "memberof", nothing shows up for that
> property at all.  (not even domain users, but I think that's normal?).
>
>
>
> If you go into ADUC and look up the user, the two groups (this one, and
> domain users) show up just fine.
>
>
>
> Does anyone know of a circumstance why this wouldn't return a value?
>

RE: [NTSysADM] Get group membership through powershell

2017-04-24 Thread Michael B. Smith 
Try this out:

http://theessentialexchange.com/blogs/michael/archive/2012/05/04/processing-large-and-embedded-groups-in-powershell.aspx


From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Russ
Sent: Monday, April 24, 2017 5:32 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] Get group membership through powershell

I've often used powershell to get the groups that a user is a member of by 
using get-adprincipalgroupmembership.  It's always worked to my knowledge.

However, I've found one group which doesn't show up for anyone - so I was 
curious if anyone has run into this before.  If I run get-adgroupmember for the 
group, everyone shows up who should be there, but if I try to run the reverse 
on any of the users who are a member of the group, it doesn't show up - it just 
returns "domain users".

If I try get-aduser with -properties "memberof", nothing shows up for that 
property at all.  (not even domain users, but I think that's normal?).

If you go into ADUC and look up the user, the two groups (this one, and domain 
users) show up just fine.

Does anyone know of a circumstance why this wouldn't return a value?