RE: [NTSysADM] Get group membership through powershell

[Melvin Backus]

I’ve never had a problem with net user /domain or net group /domain althought 
output format isn’t particularly handy if you’re trying to manipulate the 
results.

That said, are you sure you’re using the correct syntax?

This will return the user info with no membership info
Get-aduser –identity testuser –properties memberof

But this will return the membership info as expected.
$info = Get-aduser –identity testuser –properties memberof
$info.memberOf


--
There are 10 kinds of people in the world...
         those who understand binary and those who don't.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Russ
Sent: Tuesday, April 25, 2017 1:55 AM
To: ntsysadm@lists.myitforum.com
Subject: Re: [NTSysADM] Get group membership through powershell

OK - is there a way that you know of to use a command line tool to pull that 
information accurately?  It seems like if a cmdlet is inaccurate, it is pretty 
useless.

On Mon, Apr 24, 2017 at 3:02 PM, Brian Desmond 
<br...@briandesmond.com<mailto:br...@briandesmond.com>> wrote:
MemberOf is a constructed attribute which the cmdlets may not be requesting 
correctly or at all. ADUC makes specific calls to AD to get that data.

Thanks,
Brian Desmond

w – 312.625.1438<tel:(312)%20625-1438> | c – 312.731.3132<tel:(312)%20731-3132>

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com>] 
On Behalf Of Russ
Sent: Monday, April 24, 2017 4:32 PM
To: ntsysadm@lists.myitforum.com<mailto:ntsysadm@lists.myitforum.com>
Subject: [NTSysADM] Get group membership through powershell

I've often used powershell to get the groups that a user is a member of by 
using get-adprincipalgroupmembership.  It's always worked to my knowledge.

However, I've found one group which doesn't show up for anyone - so I was 
curious if anyone has run into this before.  If I run get-adgroupmember for the 
group, everyone shows up who should be there, but if I try to run the reverse 
on any of the users who are a member of the group, it doesn't show up - it just 
returns "domain users".

If I try get-aduser with -properties "memberof", nothing shows up for that 
property at all.  (not even domain users, but I think that's normal?).

If you go into ADUC and look up the user, the two groups (this one, and domain 
users) show up just fine.

Does anyone know of a circumstance why this wouldn't return a value?