AD cmdlets functionality

  • #77235

    Participant

    So I noticed something peculiar today while doing some AD filtering in a PS console.

    Get-ADComputer $Env:ComputerName | Select *
    
    DistinguishedName  : 
    DNSHostName        : 
    Enabled            : 
    Name               : 
    ObjectClass        : 
    ObjectGUID         : 
    SamAccountName     : 
    SID                : 
    UserPrincipalName  :
    PropertyNames      : 
    AddedProperties    : 
    RemovedProperties  : 
    ModifiedProperties : 
    PropertyCount      : 
    

    ^^^ This should supposedly return all of the properties for that AD computer (removed all values for confidentiality). But this next command returns a much larger set of properties (see below):

    Get-ADComputer $Env:ComputerName -Properties *
    
    AccountExpirationDate                :
    accountExpires                       : 
    AccountLockoutTime                   :
    AccountNotDelegated                  : 
    AllowReversiblePasswordEncryption    : 
    AuthenticationPolicy                 : 
    AuthenticationPolicySilo             : 
    BadLogonCount                        : 
    badPasswordTime                      : 
    badPwdCount                          : 
    CannotChangePassword                 : 
    CanonicalName                        : 
    Certificates                         : 
    CN                                   : 
    codePage                             : 
    CompoundIdentitySupported            :
    countryCode                          : 
    Created                              : 
    createTimeStamp                      : 
    Deleted                              :
    Description                          : Cory Etmund Laptop
    DisplayName                          : 
    DistinguishedName                    : 
    DNSHostName                          : 
    DoesNotRequirePreAuth                : 
    dSCorePropagationData                : 
    Enabled                              : 
    HomedirRequired                      : 
    HomePage                             :
    instanceType                         : 
    IPv4Address                          : 
    IPv6Address                          :
    isCriticalSystemObject               : 
    isDeleted                            :
    KerberosEncryptionType               : 
    LastBadPasswordAttempt               :
    LastKnownParent                      :
    lastLogoff                           : 
    lastLogon                            : 
    LastLogonDate                        : 
    lastLogonTimestamp                   : 
    localPolicyFlags                     : 
    Location                             :
    LockedOut                            : 
    logonCount                           : 
    ManagedBy                            :
    MemberOf                             : 
    MNSLogonAccount                      : 
    Modified                             : 
    modifyTimeStamp                      : 
    msDS-SupportedEncryptionTypes        : 
    msDS-User-Account-Control-Computed   : 
    Name                                 : 
    nTSecurityDescriptor                 : 
    ObjectCategory                       : 
    ObjectClass                          : computer
    ObjectGUID                           : 
    objectSid                            : 
    OperatingSystem                      : Windows 10 Enterprise
    OperatingSystemHotfix                :
    OperatingSystemServicePack           :
    OperatingSystemVersion               : 
    PasswordExpired                      : 
    PasswordLastSet                      : 
    PasswordNeverExpires                 : 
    PasswordNotRequired                  : 
    PrimaryGroup                         : 
    primaryGroupID                       : 
    PrincipalsAllowedToDelegateToAccount : 
    ProtectedFromAccidentalDeletion      : 
    pwdLastSet                           : 
    SamAccountName                       : 
    sAMAccountType                       : 
    sDRightsEffective                    : 
    ServiceAccount                       : 
    servicePrincipalName                 : 
    ServicePrincipalNames                : 
    SID                                  : 
    SIDHistory                           : 
    TrustedForDelegation                 : 
    TrustedToAuthForDelegation           : 
    UseDESKeyOnly                        : 
    userAccountControl                   : 
    userCertificate                      : 
    UserPrincipalName                    :
    uSNChanged                           : 
    uSNCreated                           : 
    whenChanged                          : 
    whenCreated                          :
    

    Why won't the first command return all of the properties? Is this (for some weird reason) by design? Sorry for the long code, just wanted to make sure my question is being specific enough and the results of the commands were clear. Thanks in advance! I like to learn the 'How' and 'Why' of things in PS 🙂

  • #77238

    Keymaster

    Because the first command defaults to a subset of properties that are easier for the domain controller to retrieve. All of the AD commands work like this. You're meant to ask for the specific properties you want, not *, to help avoid unnecessarily loading the domain controller.

    This behavior is also in the help file for the command. From Get-ADUser, for example:

    "This cmdlet retrieves a default set of user object properties. To retrieve additional properties use the Properties parameter. For more information about the how to determine the properties for user objects, see the Properties parameter description."

  • #77242

    Keymaster

    Further clarification: In your first instance, the Select command is only able to select from the properties passed to it by the previous command. It can't go back and tell the previous command to grab more. In your second instance, you told the command to return more from the domain controller, and so that's what you got. You could have (unnecessarily) added "Select *" in the second instance as well, and you'd have gotten the same extensive list.

    Get-Member is perhaps a better way to see that happening, as it's showing you the breakdown of the object itself, rather than just a property list.
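
The behavior described in the two replies above, as an added example that is not part of the original thread. It assumes the ActiveDirectory module (RSAT) is installed and the console runs on a domain-joined machine; the property names in `$wanted` are picked from the output listed in the question.

```powershell
# Added example, not from the thread. Assumes RSAT's ActiveDirectory module
# and a domain-joined host whose computer account you can read.
Import-Module ActiveDirectory

$name = $env:COMPUTERNAME

# 1. Default property set: the small subset the cmdlet requests from the DC.
$default = Get-ADComputer -Identity $name

# 2. Name only the extra attributes you need (here: a few that matter when
#    reviewing a computer account) instead of asking for '*'.
$wanted = 'OperatingSystem', 'LastLogonDate', 'PasswordLastSet',
          'TrustedForDelegation', 'TrustedToAuthForDelegation'
$scoped = Get-ADComputer -Identity $name -Properties $wanted

# 3. Everything, for comparison only; this is the expensive query.
$all = Get-ADComputer -Identity $name -Properties *

# How many properties each returned object actually carries.
[pscustomobject]@{
    Default = $default.PropertyCount
    Scoped  = $scoped.PropertyCount
    All     = $all.PropertyCount
}

# Select-Object can only pick from what is already on the object:
# OperatingSystem is blank for $default and filled in for $scoped.
$default | Select-Object Name, OperatingSystem
$scoped  | Select-Object Name, OperatingSystem

# The properties that exist only because -Properties asked for them.
Compare-Object -ReferenceObject @($default.PropertyNames) `
               -DifferenceObject @($scoped.PropertyNames) |
    Where-Object SideIndicator -eq '=>' |
    Select-Object -ExpandProperty InputObject

# Get-Member shows the same difference as members of the object itself.
$default | Get-Member -MemberType Property
$scoped  | Get-Member -MemberType Property
```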

  • #77244

    Participant

    So it's done this way to make the Domain Controller's job a little easier? Interesting.
