Author Posts

February 19, 2018 at 10:18 pm

For some reason, ADSI is returning different membership results than Get-ADGroupMembership for "Domain Admins." Any idea why? It is a standard (enabled) admin account that is in the Get-ADGroupMembership results, but not in ADSI results.

([adsi]'LDAP://CN=Domain Admins,OU=Admin and Service Accounts,DC=domain,DC=com' | select -ExpandProperty member).count
6

(get-adgroupmember 'domain admins' | select distinguishedname).count
7

I just want to make sure I am getting accurate results when expanding group members. Thanks!!!

February 19, 2018 at 10:20 pm

The LDAP provider is lower-level and has a couple of known quirks about, like that. The commands "fix" some of those internally.

February 19, 2018 at 10:23 pm

That's too bad – The performance is a LOT better than ones that come with the ActiveDirectory module and don't require any AD features to be installed. Do you suggest I just use Get-ADGroupMembership or is there a better way that I am not aware of?

February 19, 2018 at 10:31 pm

Yup, LDAP is tons faster. It's what the old Quest cmdlets used, for that reason. And it's pretty much the only alternative to the .NET classes. Use LDAP, if you want – just get used to its quirks and be able to adjust.