AD cmdlets functionality

This topic contains 3 replies, has 2 voices, and was last updated by  Cory Etmund 2 months, 1 week ago.

  • Author
    Posts
  • #77235

    Cory Etmund
    Participant

    So I noticed something peculiar today while doing some AD filtering in a PS console.

    Get-ADComputer $Env:ComputerName | Select *
    
    DistinguishedName  : 
    DNSHostName        : 
    Enabled            : 
    Name               : 
    ObjectClass        : 
    ObjectGUID         : 
    SamAccountName     : 
    SID                : 
    UserPrincipalName  :
    PropertyNames      : 
    AddedProperties    : 
    RemovedProperties  : 
    ModifiedProperties : 
    PropertyCount      : 
    

    ^^^ This should supposedly return all of the properties for that AD computer (removed all values for confidentiality). But, this next command returns a much larger set of properties (see below)

    Get-ADComputer $Env:ComputerName -Properties *
    
    AccountExpirationDate                :
    accountExpires                       : 
    AccountLockoutTime                   :
    AccountNotDelegated                  : 
    AllowReversiblePasswordEncryption    : 
    AuthenticationPolicy                 : 
    AuthenticationPolicySilo             : 
    BadLogonCount                        : 
    badPasswordTime                      : 
    badPwdCount                          : 
    CannotChangePassword                 : 
    CanonicalName                        : 
    Certificates                         : 
    CN                                   : 
    codePage                             : 
    CompoundIdentitySupported            :
    countryCode                          : 
    Created                              : 
    createTimeStamp                      : 
    Deleted                              :
    Description                          : Cory Etmund Laptop
    DisplayName                          : 
    DistinguishedName                    : 
    DNSHostName                          : 
    DoesNotRequirePreAuth                : 
    dSCorePropagationData                : 
    Enabled                              : 
    HomedirRequired                      : 
    HomePage                             :
    instanceType                         : 
    IPv4Address                          : 
    IPv6Address                          :
    isCriticalSystemObject               : 
    isDeleted                            :
    KerberosEncryptionType               : 
    LastBadPasswordAttempt               :
    LastKnownParent                      :
    lastLogoff                           : 
    lastLogon                            : 
    LastLogonDate                        : 
    lastLogonTimestamp                   : 
    localPolicyFlags                     : 
    Location                             :
    LockedOut                            : 
    logonCount                           : 
    ManagedBy                            :
    MemberOf                             : 
    MNSLogonAccount                      : 
    Modified                             : 
    modifyTimeStamp                      : 
    msDS-SupportedEncryptionTypes        : 
    msDS-User-Account-Control-Computed   : 
    Name                                 : 
    nTSecurityDescriptor                 : 
    ObjectCategory                       : 
    ObjectClass                          : computer
    ObjectGUID                           : 
    objectSid                            : 
    OperatingSystem                      : Windows 10 Enterprise
    OperatingSystemHotfix                :
    OperatingSystemServicePack           :
    OperatingSystemVersion               : 
    PasswordExpired                      : 
    PasswordLastSet                      : 
    PasswordNeverExpires                 : 
    PasswordNotRequired                  : 
    PrimaryGroup                         : 
    primaryGroupID                       : 
    PrincipalsAllowedToDelegateToAccount : 
    ProtectedFromAccidentalDeletion      : 
    pwdLastSet                           : 
    SamAccountName                       : 
    sAMAccountType                       : 
    sDRightsEffective                    : 
    ServiceAccount                       : 
    servicePrincipalName                 : 
    ServicePrincipalNames                : 
    SID                                  : 
    SIDHistory                           : 
    TrustedForDelegation                 : 
    TrustedToAuthForDelegation           : 
    UseDESKeyOnly                        : 
    userAccountControl                   : 
    userCertificate                      : 
    UserPrincipalName                    :
    uSNChanged                           : 
    uSNCreated                           : 
    whenChanged                          : 
    whenCreated                          :
    

    Why won't the first command return all of the properties? Is this (for some weird reason) by design? Sorry for the long code, just wanted to make sure my question is being specific enough and the results of the commands were clear. Thanks in advance! I like to learn the 'How' and 'Why' of things in PS 🙂

  • #77238

    Don Jones
    Keymaster

    Because the first command defaults to a subset of properties that are easier for the domain controller to retrieve. All of the AD commands work like this. You're meant to ask for the specific properties you want, not *, to help avoid unnecessarily loading the domain controller.

    This behavior is also in the help file for the command. From Get-ADUser, for example:

    "This cmdlet retrieves a default set of user object properties. To retrieve additional properties use the Properties parameter. For more information about the how to determine the properties for user objects, see the Properties parameter description."

  • #77242

    Don Jones
    Keymaster

    Further clarification: In your first instance, the Select command is only able to select from the properties passed to it by the previous command. It can't go back and tell the previous command to grab more. In your second instance, you told the command to return more from the domain controller, and so that's what you got. You could have (unnecessarily) added "Select *" in the second instance as well, and you'd have gotten the same extensive list.

    Get-Member is perhaps a better way to see that happening, as it's showing you the breakdown of the object itself, rather than just a property list.

  • #77244

    Cory Etmund
    Participant

    So it's done this way to make the Domain Controller's job a little easier? interesting.

You must be logged in to reply to this topic.