We are using some additional AD Object attributes to track object ownership. For example when I use ADSIEdit to view the properties for an AD group I see the attribute names:
However, when I issue the PowerShell command:
get-adgroup "groupA" -prop *
I do not see these attributes listed. In fact there are many attributes that I see in ADSIEdit that I don't see when I run the PowerShell command listed above.
Using ADSIEdit I added a value to the attribute 'MIISGroupSecondaryOwnerName'. Now when I run the PowerShell command the attribute is displayed (with the value I added).
So it seems that get-adgroup "groupA" -prop * only shows attributes populated with values.
Is that a correct statement? Is there a way using PowerShell to show all the attributes (populated or not) that I see when using ADSIEdit?
Thanks in advance for any help you can provide.
Yeah, so, AD isn't like SQL Server in that way. When you add a property to a class, you make it available for use – but the directory doesn't automatically "attach" the property, with an empty value, to all existing objects. So until the value is there, the property doesn't exist. Some tools will fake it out to make it look more consistent, but the AD cmdlets don't.
You could try using the older [ADSI] interface, or the Quest AD cmdlets, instead of the MS AD cmdlets.
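As an added example (not part of the original thread or either poster's code): one way to get the ADSIEdit-style view with the Microsoft AD cmdlets is to request the constructed `allowedAttributes` attribute, which lists every attribute the schema permits on the object, and merge it with the attributes that actually hold values. The function name `Get-ADObjectAllAttributes` is hypothetical, and the sketch assumes the ActiveDirectory module is installed and the caller can read the object.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT) and read access.
Import-Module ActiveDirectory

# Hypothetical helper name, chosen for this example.
function Get-ADObjectAllAttributes {
    param(
        [Parameter(Mandatory)]
        [string]$DistinguishedName
    )

    # allowedAttributes is a constructed attribute: the domain controller
    # computes it from the object's schema classes, and it is only returned
    # when requested by name (it is not part of "-Properties *").
    $schemaView = Get-ADObject -Identity $DistinguishedName -Properties allowedAttributes

    # "-Properties *" returns only the attributes that currently hold a value.
    $populated = Get-ADObject -Identity $DistinguishedName -Properties *

    foreach ($name in ($schemaView.allowedAttributes | Sort-Object)) {
        # -contains is case-insensitive, which matches LDAP attribute naming.
        $isSet = $populated.PropertyNames -contains $name
        [pscustomobject]@{
            Attribute = $name
            IsSet     = $isSet
            Value     = $(if ($isSet) { $populated.$name } else { $null })
        }
    }
}

# 'groupA' is the group name used in the question.
$group = Get-ADGroup -Identity 'groupA'
Get-ADObjectAllAttributes -DistinguishedName $group.DistinguishedName |
    Format-Table -AutoSize
```

Filtering the output on `IsSet -eq $false` shows which attributes, such as the ownership-tracking ones, are still unpopulated on a given group.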
Thank you Don. 🙂