ADSI Group Membership Different than Get-ADGroupMembership

This topic contains 3 replies, has 2 voices, and was last updated by Keymaster 9 months ago.

  • #94104

    Participant

    For some reason, ADSI is returning different membership results than Get-ADGroupMembership for "Domain Admins." Any idea why? It is a standard (enabled) admin account that is in the Get-ADGroupMembership results, but not in ADSI results.

    ([adsi]'LDAP://CN=Domain Admins,OU=Admin and Service Accounts,DC=domain,DC=com' | select -ExpandProperty member).count
    6
    
    (get-adgroupmember 'domain admins' | select distinguishedname).count
    7
    

    I just want to make sure I am getting accurate results when expanding group members. Thanks!!!

  • #94110

    Keymaster

    The LDAP provider is lower-level and has a couple of known quirks, like that. The commands "fix" some of those internally.

    • #94113

      Participant

      That's too bad – the performance is a LOT better than the ones that come with the ActiveDirectory module, and it doesn't require any AD features to be installed. Do you suggest I just use Get-ADGroupMembership or is there a better way that I am not aware of?

  • #94114

    Keymaster

    Yup, LDAP is tons faster. It's what the old Quest cmdlets used, for that reason. And it's pretty much the only alternative to the .NET classes. Use LDAP, if you want – just get used to its quirks and be able to adjust.
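
One quirk that produces this kind of count mismatch, shown as an added example that is not code from the thread: the `member` attribute does not list accounts whose primary group is the group, while Get-ADGroupMember does return them. Whether that is the cause in the poster's domain is an assumption; `Get-AdsiGroupMember` is a hypothetical helper name, and the group is assumed to have fewer than 1,500 direct members, so no ranged retrieval of `member` is needed.

```powershell
# Added example. Enumerates direct members of a group over ADSI, combining the
# 'member' attribute with accounts that reference the group via primaryGroupID.
function Get-AdsiGroupMember {
    param(
        [Parameter(Mandatory)]
        [string]$GroupDN
    )

    $group = [adsi]"LDAP://$GroupDN"

    # 1. Explicit members: what the one-liner in the question counts.
    foreach ($dn in $group.psbase.Properties['member']) {
        [pscustomobject]@{ DistinguishedName = [string]$dn; Via = 'member' }
    }

    # 2. Primary-group members: objects whose primaryGroupID equals the
    #    group's RID (the last sub-authority of its objectSid).
    $sidBytes = [byte[]]$group.psbase.Properties['objectSid'][0]
    $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
    $rid = $sid.Value.Split('-')[-1]

    $searcher = [adsisearcher]"(primaryGroupID=$rid)"   # searches the current domain
    $searcher.PageSize = 1000                           # enable paged results
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')

    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            [pscustomobject]@{
                DistinguishedName = [string]$r.Properties['distinguishedname'][0]
                Via               = 'primaryGroupID'
            }
        }
    }
    finally {
        $results.Dispose()   # release the unmanaged search handle
    }
}

# Group DN taken from the question above.
$dn = 'CN=Domain Admins,OU=Admin and Service Accounts,DC=domain,DC=com'
$all = @(Get-AdsiGroupMember -GroupDN $dn | Sort-Object DistinguishedName -Unique)
$all.Count
$all | Where-Object Via -eq 'primaryGroupID'   # accounts the 'member' count misses
```

Any account listed with `Via = primaryGroupID` holds the group's privileges without appearing in `member`, so a privileged-group audit should include both sources.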