
January 29, 2015 at 8:37 am

We are using some additional AD Object attributes to track object ownership. For example when I use ADSIEdit to view the properties for an AD group I see the attribute names:


However, when I issue the PowerShell command:

get-adgroup "groupA" -prop *

I do not see these attributes listed. In fact there are many attributes that I see in ADSIEdit that I don't see when I run the PowerShell command listed above.

Using ADSIEdit I added a value to the attribute 'MIISGroupSecondaryOwnerName'. Now when I run the PowerShell command the attribute is displayed (with the value I added).

So it seems to be that get-adgroup "groupA" -prop * only shows attributes populated with values.

Is that a correct statement? Is there a way using PowerShell to show all the attributes (populated or not) that I see when using ADSIEdit?

Thanks in advance for any help you can provide.

January 29, 2015 at 8:41 am

Yeah, so, AD isn't like SQL Server in that way. When you add a property to a class, you make it available for use – but the directory doesn't automatically "attach" the property, with an empty value, to all existing objects. So until the value is there, the property doesn't exist. Some tools will fake it out to make it look more consistent, but the AD cmdlets don't.

You could try using the older [ADSI] interface, or the Quest AD cmdlets, instead of the MS AD cmdlets.
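Added example, not part of the original thread: one way to list every attribute the schema allows on the group next to the ones that actually hold a value, using the MS AD cmdlets and the constructed `allowedAttributes` attribute. The function name `Get-ADGroupAttributeReport` is hypothetical; `groupA` and `MIISGroupSecondaryOwnerName` are the names from the question, and the ActiveDirectory (RSAT) module is assumed to be installed.

```powershell
# Added example: compare schema-allowed attributes with populated ones.
# Assumes the ActiveDirectory module and read access to the directory.
Import-Module ActiveDirectory

function Get-ADGroupAttributeReport {   # hypothetical helper name
    param(
        [Parameter(Mandatory)]
        [string]$Identity
    )

    # allowedAttributes is a constructed attribute: the DC computes it from
    # the schema on request, so it must be asked for by name.
    $schemaView = Get-ADGroup -Identity $Identity -Properties allowedAttributes

    # -Properties * returns only the attributes that currently hold a value.
    $populated = Get-ADGroup -Identity $Identity -Properties *

    foreach ($name in ($schemaView.allowedAttributes | Sort-Object)) {
        # -contains is case-insensitive, which matches LDAP attribute naming.
        $isSet = $populated.PropertyNames -contains $name

        [pscustomobject]@{
            Attribute = $name
            Populated = $isSet
            Value     = if ($isSet) { $populated.$name -join '; ' } else { $null }
        }
    }
}

# Every attribute ADSIEdit would list, with empty ones flagged.
$report = Get-ADGroupAttributeReport -Identity 'groupA'
$report | Format-Table -AutoSize

# Only the ownership-tracking attributes from the question, set or not.
$report | Where-Object { $_.Attribute -like 'MIIS*' }

# Audit view: attributes that exist in the schema but carry no value yet.
$report | Where-Object { -not $_.Populated } | Select-Object -ExpandProperty Attribute
```

Rows with `Populated` set to `False` are the attributes ADSIEdit shows as `<not set>`; they are available to the class but not stored on the object until a value is written.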

January 30, 2015 at 7:15 am

Thank you Don. 🙂