August 11, 2017 at 7:12 pm

So I noticed something peculiar today while doing some AD filtering in a PS console.

Get-ADComputer $Env:ComputerName | Select *

DistinguishedName  : 
DNSHostName        : 
Enabled            : 
Name               : 
ObjectClass        : 
ObjectGUID         : 
SamAccountName     : 
SID                : 
UserPrincipalName  :
PropertyNames      : 
AddedProperties    : 
RemovedProperties  : 
ModifiedProperties : 
PropertyCount      : 

^^^ This should supposedly return all of the properties for that AD computer (I removed all values for confidentiality). But this next command returns a much larger set of properties (see below):

Get-ADComputer $Env:ComputerName -Properties *

AccountExpirationDate                :
accountExpires                       : 
AccountLockoutTime                   :
AccountNotDelegated                  : 
AllowReversiblePasswordEncryption    : 
AuthenticationPolicy                 : 
AuthenticationPolicySilo             : 
BadLogonCount                        : 
badPasswordTime                      : 
badPwdCount                          : 
CannotChangePassword                 : 
CanonicalName                        : 
Certificates                         : 
CN                                   : 
codePage                             : 
CompoundIdentitySupported            :
countryCode                          : 
Created                              : 
createTimeStamp                      : 
Deleted                              :
Description                          : Cory Etmund Laptop
DisplayName                          : 
DistinguishedName                    : 
DNSHostName                          : 
DoesNotRequirePreAuth                : 
dSCorePropagationData                : 
Enabled                              : 
HomedirRequired                      : 
HomePage                             :
instanceType                         : 
IPv4Address                          : 
IPv6Address                          :
isCriticalSystemObject               : 
isDeleted                            :
KerberosEncryptionType               : 
LastBadPasswordAttempt               :
LastKnownParent                      :
lastLogoff                           : 
lastLogon                            : 
LastLogonDate                        : 
lastLogonTimestamp                   : 
localPolicyFlags                     : 
Location                             :
LockedOut                            : 
logonCount                           : 
ManagedBy                            :
MemberOf                             : 
MNSLogonAccount                      : 
Modified                             : 
modifyTimeStamp                      : 
msDS-SupportedEncryptionTypes        : 
msDS-User-Account-Control-Computed   : 
Name                                 : 
nTSecurityDescriptor                 : 
ObjectCategory                       : 
ObjectClass                          : computer
ObjectGUID                           : 
objectSid                            : 
OperatingSystem                      : Windows 10 Enterprise
OperatingSystemHotfix                :
OperatingSystemServicePack           :
OperatingSystemVersion               : 
PasswordExpired                      : 
PasswordLastSet                      : 
PasswordNeverExpires                 : 
PasswordNotRequired                  : 
PrimaryGroup                         : 
primaryGroupID                       : 
PrincipalsAllowedToDelegateToAccount : 
ProtectedFromAccidentalDeletion      : 
pwdLastSet                           : 
SamAccountName                       : 
sAMAccountType                       : 
sDRightsEffective                    : 
ServiceAccount                       : 
servicePrincipalName                 : 
ServicePrincipalNames                : 
SID                                  : 
SIDHistory                           : 
TrustedForDelegation                 : 
TrustedToAuthForDelegation           : 
UseDESKeyOnly                        : 
userAccountControl                   : 
userCertificate                      : 
UserPrincipalName                    :
uSNChanged                           : 
uSNCreated                           : 
whenChanged                          : 
whenCreated                          :

Why won't the first command return all of the properties? Is this (for some weird reason) by design? Sorry for the long code; I just wanted to make sure my question is specific enough and the results of the commands are clear. Thanks in advance! I like to learn the 'how' and 'why' of things in PS 🙂

August 11, 2017 at 7:14 pm

Because the first command defaults to a subset of properties that are easier for the domain controller to retrieve. All of the AD commands work like this. You're meant to ask for the specific properties you want, not *, to help avoid unnecessarily loading the domain controller.

This behavior is also in the help file for the command. From Get-ADUser, for example:

"This cmdlet retrieves a default set of user object properties. To retrieve additional properties use the Properties parameter. For more information about how to determine the properties for user objects, see the Properties parameter description."

August 11, 2017 at 7:16 pm

Further clarification: In your first instance, the Select command is only able to select from the properties passed to it by the previous command. It can't go back and tell the previous command to grab more. In your second instance, you told the command to return more from the domain controller, and so that's what you got. You could have (unnecessarily) added "Select *" in the second instance as well, and you'd have gotten the same extensive list.

Get-Member is perhaps a better way to see that happening, as it's showing you the breakdown of the object itself, rather than just a property list.
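A worked version of the advice in this reply, added here rather than taken from the thread. It assumes the RSAT ActiveDirectory module is installed and the session runs as a domain user with read access; it compares the default property set against -Properties * with Get-Member, then shows a targeted query that names only the attributes it needs.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory RSAT module
# is installed and the current session can read computer objects in the domain.
Import-Module ActiveDirectory

# 1. Default property set: what the DC returns when nothing extra is requested.
$defaultObj = Get-ADComputer -Identity $Env:ComputerName
$defaultNames = ($defaultObj | Get-Member -MemberType Property).Name

# 2. Full set: only present because -Properties * asked the DC for everything.
$fullObj = Get-ADComputer -Identity $Env:ComputerName -Properties *
$fullNames = ($fullObj | Get-Member -MemberType Property).Name

# Properties that exist only on the second object. Select-Object could never
# add these to $defaultObj, because they were never retrieved from the DC.
$extra = Compare-Object -ReferenceObject $defaultNames -DifferenceObject $fullNames |
    Where-Object SideIndicator -eq '=>' |
    Select-Object -ExpandProperty InputObject
"Attributes only returned with -Properties *: $($extra.Count)"

# 3. The recommended pattern: ask for the few attributes the task needs, by name.
#    These names come from the poster's -Properties * output above.
$wanted = 'OperatingSystem', 'LastLogonDate', 'PasswordLastSet', 'TrustedForDelegation'
Get-ADComputer -Identity $Env:ComputerName -Properties $wanted |
    Select-Object -Property (@('Name') + $wanted)

# 4. Same idea across the domain: a cheap hygiene check that requests only the
#    attributes it filters on (machine password not rotated in 90 days, or
#    unconstrained delegation enabled) instead of pulling every attribute.
$cutoff = (Get-Date).AddDays(-90)
Get-ADComputer -Filter { Enabled -eq $true } -Properties PasswordLastSet, TrustedForDelegation |
    Where-Object { $_.PasswordLastSet -lt $cutoff -or $_.TrustedForDelegation } |
    Select-Object Name, PasswordLastSet, TrustedForDelegation
```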

August 11, 2017 at 7:16 pm

So it's done this way to make the Domain Controller's job a little easier? Interesting.