ADSI Group Membership Different than Get-ADGroupMembership

This topic contains 3 replies, has 2 voices, and was last updated by Don Jones 3 months, 1 week ago.

  • #94104

    Jeff
    Participant

    For some reason, ADSI is returning different membership results than Get-ADGroupMembership for "Domain Admins." Any idea why? It is a standard (enabled) admin account that is in the Get-ADGroupMembership results, but not in ADSI results.

    ([adsi]'LDAP://CN=Domain Admins,OU=Admin and Service Accounts,DC=domain,DC=com' | select -ExpandProperty member).count
    6
    
    (get-adgroupmember 'domain admins' | select distinguishedname).count
    7
    

    I just want to make sure I am getting accurate results when expanding group members. Thanks!!!

  • #94110

    Don Jones
    Keymaster

    The LDAP provider is lower-level and has a couple of known quirks, like that. The commands "fix" some of those internally.

    • #94113

      Jeff
      Participant

      That's too bad – The performance is a LOT better than ones that come with the ActiveDirectory module and don't require any AD features to be installed. Do you suggest I just use Get-ADGroupMembership or is there a better way that I am not aware of?

  • #94114

    Don Jones
    Keymaster

    Yup, LDAP is tons faster. It's what the old Quest cmdlets used, for that reason. And it's pretty much the only alternative to the .NET classes. Use LDAP, if you want – just get used to its quirks and be able to adjust.
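
One well-known quirk of this kind: the `member` attribute does not list accounts whose primary group is the group (those are linked through `primaryGroupID` instead), while `Get-ADGroupMember` includes them. The function below is an added example, not code from the thread; the function name is hypothetical, it assumes the group lives in the current domain, and whether this explains the 6-versus-7 count above is an assumption.

```powershell
# Added example: enumerate a group's direct members over ADSI, including
# accounts that belong to it only through primaryGroupID.
# Get-AdsiGroupMemberDN is a hypothetical name, not a built-in cmdlet.
function Get-AdsiGroupMemberDN {
    param(
        [Parameter(Mandatory)]
        [string]$GroupDN
    )

    $group = [adsi]"LDAP://$GroupDN"

    # 1. Values of the 'member' attribute (what the one-liner in the question counts).
    #    Caveat: very large groups need ranged retrieval, which is not handled here.
    $dns = @($group.Properties['member'] | ForEach-Object { [string]$_ })

    # 2. The group's RID is the last sub-authority of its objectSid.
    $sidBytes = [byte[]]$group.Properties['objectSid'][0]
    $sid      = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
    $rid      = $sid.Value.Split('-')[-1]

    # 3. Accounts whose primary group is this group never appear in 'member';
    #    find them by primaryGroupID. [adsisearcher] searches the current domain
    #    by default (assumption: the group is in that domain).
    $searcher = [adsisearcher]"(primaryGroupID=$rid)"
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    foreach ($result in $searcher.FindAll()) {
        $dns += [string]$result.Properties['distinguishedname'][0]
    }

    # Return each distinguished name once.
    $dns | Sort-Object -Unique
}

# Usage, with the group DN from the question:
# (Get-AdsiGroupMemberDN 'CN=Domain Admins,OU=Admin and Service Accounts,DC=domain,DC=com').Count
```

When auditing a privileged group this way, compare the combined count against `Get-ADGroupMember` once and investigate any account that shows up only through `primaryGroupID`.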
