Re: [NTSysADM] Get group membership through powershell
Thank you for the net user suggestion - I have found that when running against everyone in the domain (or at least all I've tried) *except* those in the domain admins group, I get "System error 5 - access is denied" even though the account I'm running it from is a member of domain admins / enterprise admins.

So now I'm really fascinated as to what is going on and how this domain is set up. The mystery deepens...

On Tue, Apr 25, 2017 at 4:46 AM, Melvin Backus <melvin.bac...@byers.com> wrote:

> I’ve never had a problem with net user /domain or net group /domain although output format isn’t particularly handy if you’re trying to manipulate the results.
>
> That said, are you sure you’re using the correct syntax?
>
> This will return the user info with no membership info
>
>     Get-aduser -identity testuser -properties memberof
>
> But this will return the membership info as expected.
>
>     $info = Get-aduser -identity testuser -properties memberof
>     $info.memberOf
>
> --
> There are 10 kinds of people in the world...
> those who understand binary and those who don't.
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] *On Behalf Of *Russ
> *Sent:* Tuesday, April 25, 2017 1:55 AM
> *To:* ntsysadm@lists.myitforum.com
> *Subject:* Re: [NTSysADM] Get group membership through powershell
>
> OK - is there a way that you know of to use a command line tool to pull that information accurately? It seems like if a cmdlet is inaccurate, it is pretty useless.
>
> On Mon, Apr 24, 2017 at 3:02 PM, Brian Desmond <br...@briandesmond.com> wrote:
>
> > MemberOf is a constructed attribute which the cmdlets may not be requesting correctly or at all. ADUC makes specific calls to AD to get that data.
> >
> > Thanks,
> > Brian Desmond
> >
> > w – 312.625.1438 | c – 312.731.3132
> >
> > *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] *On Behalf Of *Russ
> > *Sent:* Monday, April 24, 2017 4:32 PM
> > *To:* ntsysadm@lists.myitforum.com
> > *Subject:* [NTSysADM] Get group membership through powershell
> >
> > I've often used powershell to get the groups that a user is a member of by using get-adprincipalgroupmembership. It's always worked to my knowledge.
> >
> > However, I've found one group which doesn't show up for anyone - so I was curious if anyone has run into this before. If I run get-adgroupmember for the group, everyone shows up who should be there, but if I try to run the reverse on any of the users who are a member of the group, it doesn't show up - it just returns "domain users".
> >
> > If I try get-aduser with -properties "memberof", nothing shows up for that property at all. (not even domain users, but I think that's normal?).
> >
> > If you go into ADUC and look up the user, the two groups (this one, and domain users) show up just fine.
> >
> > Does anyone know of a circumstance why this wouldn't return a value?
RE: [NTSysADM] Get group membership through powershell
Did you supply a group name, Ed?

    .\Get-GroupMember.ps1 'domain admins'

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Ed Ziots
Sent: Monday, April 24, 2017 7:44 PM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] Get group membership through powershell

Michael just looked at that script looks like line 49 the (throw "group must be specified"), is throwing an error in pshell. Maybe syntax maybe something else.. any ideas?

Ed

On Apr 24, 2017 6:15 PM, "Michael B. Smith" <mich...@smithcons.com> wrote:

Try this out:

http://theessentialexchange.com/blogs/michael/archive/2012/05/04/processing-large-and-embedded-groups-in-powershell.aspx

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Russ
Sent: Monday, April 24, 2017 5:32 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] Get group membership through powershell

I've often used powershell to get the groups that a user is a member of by using get-adprincipalgroupmembership. It's always worked to my knowledge.

However, I've found one group which doesn't show up for anyone - so I was curious if anyone has run into this before. If I run get-adgroupmember for the group, everyone shows up who should be there, but if I try to run the reverse on any of the users who are a member of the group, it doesn't show up - it just returns "domain users".

If I try get-aduser with -properties "memberof", nothing shows up for that property at all. (not even domain users, but I think that's normal?).

If you go into ADUC and look up the user, the two groups (this one, and domain users) show up just fine.

Does anyone know of a circumstance why this wouldn't return a value?
Re: [NTSysADM] Get group membership through powershell
I was trying to avoid dumping the membership of all my groups - I already know that works. I just have a subset of users who I need to know which groups they are in. (And only groups they are directly in - I don't care about nested groups and that sort of thing)

I'll play with a few of these suggestions. Thanks!

On Tue, Apr 25, 2017 at 3:59 AM, Ed Ziots wrote:

> I think dsquery group "fqdn of group" -expand>>name_of_txt will dump the group members inside a group u might need to also put a -limit 5000 switch also.
>
> On Apr 25, 2017 2:07 AM, "Russ" wrote:
>
>> OK - is there a way that you know of to use a command line tool to pull that information accurately? It seems like if a cmdlet is inaccurate, it is pretty useless.
>>
>> On Mon, Apr 24, 2017 at 3:02 PM, Brian Desmond wrote:
>>
>>> MemberOf is a constructed attribute which the cmdlets may not be requesting correctly or at all. ADUC makes specific calls to AD to get that data.
>>>
>>> Thanks,
>>> Brian Desmond
>>>
>>> w – 312.625.1438 | c – 312.731.3132
>>>
>>> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] *On Behalf Of *Russ
>>> *Sent:* Monday, April 24, 2017 4:32 PM
>>> *To:* ntsysadm@lists.myitforum.com
>>> *Subject:* [NTSysADM] Get group membership through powershell
>>>
>>> I've often used powershell to get the groups that a user is a member of by using get-adprincipalgroupmembership. It's always worked to my knowledge.
>>>
>>> However, I've found one group which doesn't show up for anyone - so I was curious if anyone has run into this before. If I run get-adgroupmember for the group, everyone shows up who should be there, but if I try to run the reverse on any of the users who are a member of the group, it doesn't show up - it just returns "domain users".
>>>
>>> If I try get-aduser with -properties "memberof", nothing shows up for that property at all. (not even domain users, but I think that's normal?).
>>>
>>> If you go into ADUC and look up the user, the two groups (this one, and domain users) show up just fine.
>>>
>>> Does anyone know of a circumstance why this wouldn't return a value?
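
Added example, not part of the original thread: one way to list only the groups a user is directly in, by searching the `member` attribute on the group objects (the direction get-adgroupmember reads, which works in this domain) and comparing the result with the user's own `memberOf`. The function names and the sample account names are assumptions; it needs the ActiveDirectory module and searches only the current domain.

```powershell
# Added example: direct group membership without relying on the user's memberOf.
# Requires the ActiveDirectory module (RSAT). Function names are hypothetical.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    # Escape the characters RFC 4515 reserves inside a filter value.
    # Backslash goes first so the escapes added afterwards are not re-escaped.
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Get-DirectGroupMembership {
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string]$Identity
    )
    process {
        $user = Get-ADUser -Identity $Identity -Properties memberOf, primaryGroupID
        $dn   = ConvertTo-LdapFilterValue $user.DistinguishedName

        # Forward link: every group in this domain whose member attribute names the user.
        # Nested groups are not expanded, so this is direct membership only.
        $viaMember = @(Get-ADGroup -LDAPFilter "(member=$dn)" |
            Select-Object -ExpandProperty DistinguishedName)

        # Back link as returned on the user object; empty if it cannot be read.
        $viaMemberOf = @($user.memberOf)

        # The primary group (normally Domain Users) is stored as a RID in
        # primaryGroupID, not as a member link, so resolve it through its SID.
        $primarySid = '{0}-{1}' -f $user.SID.AccountDomainSid.Value, $user.primaryGroupID
        $primary    = Get-ADGroup -Identity $primarySid

        [pscustomobject]@{
            User                = $user.SamAccountName
            PrimaryGroup        = $primary.DistinguishedName
            DirectGroups        = @($viaMember | Sort-Object)
            # Groups that list the user as a member but are absent from memberOf.
            MissingFromMemberOf = @($viaMember | Where-Object { $viaMemberOf -notcontains $_ })
        }
    }
}

# Sample account names (constructed); replace with the subset of users to check.
'testuser', 'jdoe' | Get-DirectGroupMembership | Format-List
```

A non-empty MissingFromMemberOf for a user reproduces the symptom described in the thread and narrows it to the read of `memberOf` on that user object rather than to the group itself.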
RE: [NTSysADM] Get group membership through powershell
OK, I’m blind. The first option does report data, albeit truncated so I missed it. The second dumps it as a list which in my test case was too big for even me to miss. :)

--
There are 10 kinds of people in the world...
those who understand binary and those who don't.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Melvin Backus
Sent: Tuesday, April 25, 2017 7:46 AM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] Get group membership through powershell

I’ve never had a problem with net user /domain or net group /domain although output format isn’t particularly handy if you’re trying to manipulate the results.

That said, are you sure you’re using the correct syntax?

This will return the user info with no membership info

    Get-aduser -identity testuser -properties memberof

But this will return the membership info as expected.

    $info = Get-aduser -identity testuser -properties memberof
    $info.memberOf

--
There are 10 kinds of people in the world...
those who understand binary and those who don't.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Russ
Sent: Tuesday, April 25, 2017 1:55 AM
To: ntsysadm@lists.myitforum.com
Subject: Re: [NTSysADM] Get group membership through powershell

OK - is there a way that you know of to use a command line tool to pull that information accurately? It seems like if a cmdlet is inaccurate, it is pretty useless.

On Mon, Apr 24, 2017 at 3:02 PM, Brian Desmond <br...@briandesmond.com> wrote:

MemberOf is a constructed attribute which the cmdlets may not be requesting correctly or at all. ADUC makes specific calls to AD to get that data.

Thanks,
Brian Desmond

w – 312.625.1438 | c – 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Russ
Sent: Monday, April 24, 2017 4:32 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] Get group membership through powershell

I've often used powershell to get the groups that a user is a member of by using get-adprincipalgroupmembership. It's always worked to my knowledge.

However, I've found one group which doesn't show up for anyone - so I was curious if anyone has run into this before. If I run get-adgroupmember for the group, everyone shows up who should be there, but if I try to run the reverse on any of the users who are a member of the group, it doesn't show up - it just returns "domain users".

If I try get-aduser with -properties "memberof", nothing shows up for that property at all. (not even domain users, but I think that's normal?).

If you go into ADUC and look up the user, the two groups (this one, and domain users) show up just fine.

Does anyone know of a circumstance why this wouldn't return a value?
Re: [NTSysADM] Get group membership through powershell
I think dsquery group "fqdn of group" -expand>>name_of_txt will dump the group members inside a group u might need to also put a -limit 5000 switch also.

On Apr 25, 2017 2:07 AM, "Russ" wrote:

> OK - is there a way that you know of to use a command line tool to pull that information accurately? It seems like if a cmdlet is inaccurate, it is pretty useless.
>
> On Mon, Apr 24, 2017 at 3:02 PM, Brian Desmond wrote:
>
>> MemberOf is a constructed attribute which the cmdlets may not be requesting correctly or at all. ADUC makes specific calls to AD to get that data.
>>
>> Thanks,
>> Brian Desmond
>>
>> w – 312.625.1438 | c – 312.731.3132
>>
>> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] *On Behalf Of *Russ
>> *Sent:* Monday, April 24, 2017 4:32 PM
>> *To:* ntsysadm@lists.myitforum.com
>> *Subject:* [NTSysADM] Get group membership through powershell
>>
>> I've often used powershell to get the groups that a user is a member of by using get-adprincipalgroupmembership. It's always worked to my knowledge.
>>
>> However, I've found one group which doesn't show up for anyone - so I was curious if anyone has run into this before. If I run get-adgroupmember for the group, everyone shows up who should be there, but if I try to run the reverse on any of the users who are a member of the group, it doesn't show up - it just returns "domain users".
>>
>> If I try get-aduser with -properties "memberof", nothing shows up for that property at all. (not even domain users, but I think that's normal?).
>>
>> If you go into ADUC and look up the user, the two groups (this one, and domain users) show up just fine.
>>
>> Does anyone know of a circumstance why this wouldn't return a value?
Re: [NTSysADM] Get group membership through powershell
OK - is there a way that you know of to use a command line tool to pull that information accurately? It seems like if a cmdlet is inaccurate, it is pretty useless.

On Mon, Apr 24, 2017 at 3:02 PM, Brian Desmond wrote:

> MemberOf is a constructed attribute which the cmdlets may not be requesting correctly or at all. ADUC makes specific calls to AD to get that data.
>
> Thanks,
> Brian Desmond
>
> w – 312.625.1438 | c – 312.731.3132
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] *On Behalf Of *Russ
> *Sent:* Monday, April 24, 2017 4:32 PM
> *To:* ntsysadm@lists.myitforum.com
> *Subject:* [NTSysADM] Get group membership through powershell
>
> I've often used powershell to get the groups that a user is a member of by using get-adprincipalgroupmembership. It's always worked to my knowledge.
>
> However, I've found one group which doesn't show up for anyone - so I was curious if anyone has run into this before. If I run get-adgroupmember for the group, everyone shows up who should be there, but if I try to run the reverse on any of the users who are a member of the group, it doesn't show up - it just returns "domain users".
>
> If I try get-aduser with -properties "memberof", nothing shows up for that property at all. (not even domain users, but I think that's normal?).
>
> If you go into ADUC and look up the user, the two groups (this one, and domain users) show up just fine.
>
> Does anyone know of a circumstance why this wouldn't return a value?
RE: [NTSysADM] Get group membership through powershell
MemberOf is a constructed attribute which the cmdlets may not be requesting correctly or at all. ADUC makes specific calls to AD to get that data.

Thanks,
Brian Desmond

w – 312.625.1438 | c – 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Russ
Sent: Monday, April 24, 2017 4:32 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] Get group membership through powershell

I've often used powershell to get the groups that a user is a member of by using get-adprincipalgroupmembership. It's always worked to my knowledge.

However, I've found one group which doesn't show up for anyone - so I was curious if anyone has run into this before. If I run get-adgroupmember for the group, everyone shows up who should be there, but if I try to run the reverse on any of the users who are a member of the group, it doesn't show up - it just returns "domain users".

If I try get-aduser with -properties "memberof", nothing shows up for that property at all. (not even domain users, but I think that's normal?).

If you go into ADUC and look up the user, the two groups (this one, and domain users) show up just fine.

Does anyone know of a circumstance why this wouldn't return a value?
Re: [NTSysADM] Get group membership through powershell
It's weird - I don't see that we have tons and tons of nested groups. I've found out that in this domain most users I've tried aren't returning any groups except for domain users, even though they are in other groups.

But I've tried against other user objects (domain administrator accounts) and they do return groups. But those are all built-in groups - I'm going to have to try to add one of those users to a different group and see if it shows up.

On Mon, Apr 24, 2017 at 3:12 PM, Michael B. Smith wrote:

> Try this out:
>
> http://theessentialexchange.com/blogs/michael/archive/2012/05/04/processing-large-and-embedded-groups-in-powershell.aspx
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] *On Behalf Of *Russ
> *Sent:* Monday, April 24, 2017 5:32 PM
> *To:* ntsysadm@lists.myitforum.com
> *Subject:* [NTSysADM] Get group membership through powershell
>
> I've often used powershell to get the groups that a user is a member of by using get-adprincipalgroupmembership. It's always worked to my knowledge.
>
> However, I've found one group which doesn't show up for anyone - so I was curious if anyone has run into this before. If I run get-adgroupmember for the group, everyone shows up who should be there, but if I try to run the reverse on any of the users who are a member of the group, it doesn't show up - it just returns "domain users".
>
> If I try get-aduser with -properties "memberof", nothing shows up for that property at all. (not even domain users, but I think that's normal?).
>
> If you go into ADUC and look up the user, the two groups (this one, and domain users) show up just fine.
>
> Does anyone know of a circumstance why this wouldn't return a value?
RE: [NTSysADM] Get group membership through powershell
Michael just looked at that script looks like line 49 the (throw "group must be specified"), is throwing an error in pshell. Maybe syntax maybe something else.. any ideas?

Ed

On Apr 24, 2017 6:15 PM, "Michael B. Smith" wrote:

> Try this out:
>
> http://theessentialexchange.com/blogs/michael/archive/2012/05/04/processing-large-and-embedded-groups-in-powershell.aspx
>
> *From:* listsad...@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] *On Behalf Of *Russ
> *Sent:* Monday, April 24, 2017 5:32 PM
> *To:* ntsysadm@lists.myitforum.com
> *Subject:* [NTSysADM] Get group membership through powershell
>
> I've often used powershell to get the groups that a user is a member of by using get-adprincipalgroupmembership. It's always worked to my knowledge.
>
> However, I've found one group which doesn't show up for anyone - so I was curious if anyone has run into this before. If I run get-adgroupmember for the group, everyone shows up who should be there, but if I try to run the reverse on any of the users who are a member of the group, it doesn't show up - it just returns "domain users".
>
> If I try get-aduser with -properties "memberof", nothing shows up for that property at all. (not even domain users, but I think that's normal?).
>
> If you go into ADUC and look up the user, the two groups (this one, and domain users) show up just fine.
>
> Does anyone know of a circumstance why this wouldn't return a value?
RE: [NTSysADM] Get group membership through powershell
Try this out:

http://theessentialexchange.com/blogs/michael/archive/2012/05/04/processing-large-and-embedded-groups-in-powershell.aspx

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Russ
Sent: Monday, April 24, 2017 5:32 PM
To: ntsysadm@lists.myitforum.com
Subject: [NTSysADM] Get group membership through powershell

I've often used powershell to get the groups that a user is a member of by using get-adprincipalgroupmembership. It's always worked to my knowledge.

However, I've found one group which doesn't show up for anyone - so I was curious if anyone has run into this before. If I run get-adgroupmember for the group, everyone shows up who should be there, but if I try to run the reverse on any of the users who are a member of the group, it doesn't show up - it just returns "domain users".

If I try get-aduser with -properties "memberof", nothing shows up for that property at all. (not even domain users, but I think that's normal?).

If you go into ADUC and look up the user, the two groups (this one, and domain users) show up just fine.

Does anyone know of a circumstance why this wouldn't return a value?