Help with get-aduser filter

This topic contains 14 replies, has 4 voices, and was last updated by Tony Pagliaro 1 year, 8 months ago.

  • #26960
    Tony Pagliaro
    Participant

    I used online resources to piece together this working script, but it isn't perfect yet. My goal is to enumerate password history info on all domain admin members.

    Get-ADUser -filter 'PrimaryGroupID -eq "512"' -properties PasswordLastSet, PasswordNeverExpires | 
    select-object Name, PasswordLastSet, PasswordNeverExpires | 
    sort-object Name
    

    The problem is that a user account could be a member of domain admins but not have it set as the Primary Group. So it may yield incomplete results.

    I've tried replacing the [-filter 'PrimaryGroupID -eq "512"'] with [-filter 'MemberOf -like "*Domain Admins*"'] and it gives no output; other things I tried give errors.

    If I run this:

    Get-ADUser -Identity administrator -properties * 
    

    I do not see "Domain Admins" listed under MemberOf, but I see it in the AD GUI.

  • #26961
    Don Jones
    Keymaster

    Unfortunately, group membership is tracked as a property of the group, not the user, so there's no way to construct the kind of query you're after. You'll have to start by recursively getting the members of the group you want, and then retrieving those accounts. It isn't as efficient as you're wanting, but it's the way AD works.

    What you're seeing in the GUI is it performing multiple queries to unwind the group memberships.

  • #26963
    Tony Pagliaro
    Participant

    OK thanks.
    So I have this to get me the list of members:

    get-adgroupmember  -Identity "domain admins" |select samaccountname
    

    It outputs a nice list to the console, but if I assign a $,

    $admins = get-adgroupmember  -Identity "domain admins" |select samaccountname
    

    ...the resultant call for that $ is null.

  • #26964
    Don Jones
    Keymaster

    I don't have a DC I can test against right now, but all things being equal the variable should contain whatever the command output. Can you show me a snippet of what the first command outputs?

  • #26965
    Tony Pagliaro
    Participant
    PS C:\Users\admin123> get-adgroupmember  -Identity "domain admins" |select samaccountname
    
    samaccountname
    --------------
    Administrator
    EvltExch
    MWService
    kenadmin2
    JaeAdmin
    nocadmin
    backupexec
    
    PS C:\Users\admin123> $admins = get-adgroupmember  -Identity "domain admins" |select samaccountname
    
    PS C:\Users\admin123>$admins
    
    
    

    that last line is blank.

  • #26966
    Don Jones
    Keymaster

    That is weird. I'm gonna have to fuss with that on a DC.

  • #26967
    Don Jones
    Keymaster

    Cannot replicate. For me, the variable populates as expected.

    Reboot. Reinstall. Reconsider career options. 🙂

  • #26968
    Richard Siddaway
    Moderator

    This will give you the data you need

    Get-ADGroupMember -Identity 'Domain Admins' |
    foreach {
        Get-ADUser -Identity $psitem.samAccountName -Properties PasswordLastSet, PasswordNeverExpires |
        select Name, PasswordLastSet, PasswordNeverExpires
    }

    BTW

    $admins = Get-ADGroupMember -Identity 'Domain Admins' | select -ExpandProperty samaccountname

    will give you the list of just the samaccountnames.

    I tried your
    $admins = get-adgroupmember -Identity "domain admins" |select samaccountname

    and it worked in my Windows 2012 R2 domain

  • #26972
    Rob Simmers
    Participant

    Not sure what's going on, but the same query worked for me. Additionally, if there are any nested groups in Domain Admins, you will want to specify -Recursive:

    $da = Get-ADGroupMember -Identity "Domain Admins" -Recursive | Select Name, SamAccountName
    
  • #26974
    Tony Pagliaro
    Participant

    OK so I tried it on a different DC and it works fine.
    Guess I don't have to reconsider my career options after all.

    So now I plan to use a foreach loop to create a table of the desired properties for these accounts... sound like a good plan?

  • #26975
    Tony Pagliaro
    Participant

    Thanks Richard, didn't see your example.
    And thanks Don.. and everyone who replied.

    import-module activedirectory
    $admins = get-adgroupmember -Identity "domain admins" | select samaccountname
    foreach ($admin in $admins)
    {
        Get-aduser -Identity $admin.samAccountName -Properties PasswordLastSet, PasswordNeverExpires |
            select Name, PasswordLastSet, PasswordNeverExpires |
            sort-object Name
    }

    This works well.

  • #26976
    Richard Siddaway
    Moderator

    Get-ADGroupMember and Get-AdUser work together on the pipeline so you can also do this:

    Get-ADGroupMember -Identity 'Domain Admins' |
    Get-ADUser -Properties PasswordLastSet, PasswordNeverExpires |
    select Name, PasswordLastSet, PasswordNeverExpires
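    Building on Richard's pipeline and Rob's -Recursive note, here is an added example (not code from the thread) that turns the one-liner into a small audit script: it unwinds nested groups, skips non-user members so Get-ADUser does not fail on computers or foreign security principals, computes password age, and flags the hygiene problems a defender cares about. It assumes the ActiveDirectory RSAT module and a domain-joined session; the group name, 90-day threshold and report path are placeholders.

    ```powershell
    # Added example: audit password hygiene of every transitive member of a
    # privileged group. Group name, threshold and report path are assumptions.
    param(
        [string]$GroupName = 'Domain Admins',
        [int]$MaxPasswordAgeDays = 90,
        [string]$ReportPath = "$env:TEMP\privileged-password-audit.csv"
    )

    Import-Module ActiveDirectory
    $now = Get-Date

    $report = Get-ADGroupMember -Identity $GroupName -Recursive |
        # -Recursive unwinds nested groups; keep only user objects, because a
        # computer or foreign security principal would make Get-ADUser error out
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties PasswordLastSet, PasswordNeverExpires, Enabled, LastLogonDate |
        ForEach-Object {
            # PasswordLastSet is null when the account must change its password
            # at next logon (or has never had one set)
            $ageDays = if ($_.PasswordLastSet) {
                [int]($now - $_.PasswordLastSet).TotalDays
            } else {
                $null
            }

            $findings = @()
            if ($_.PasswordNeverExpires) { $findings += 'PasswordNeverExpires' }
            if ($null -eq $ageDays) { $findings += 'PasswordNotSet' }
            elseif ($ageDays -gt $MaxPasswordAgeDays) { $findings += "PasswordOlderThan${MaxPasswordAgeDays}Days" }
            if (-not $_.Enabled) { $findings += 'DisabledButStillPrivileged' }

            [pscustomobject]@{
                SamAccountName       = $_.SamAccountName
                Name                 = $_.Name
                Enabled              = $_.Enabled
                PasswordLastSet      = $_.PasswordLastSet
                PasswordAgeDays      = $ageDays
                PasswordNeverExpires = $_.PasswordNeverExpires
                LastLogonDate        = $_.LastLogonDate
                Findings             = ($findings -join ';')
            }
        } | Sort-Object Name

    $report | Format-Table -AutoSize
    $report | Export-Csv -Path $ReportPath -NoTypeInformation
    ```

    Rows with a non-empty Findings column are the accounts to follow up on; the CSV makes it easy to diff runs over time.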

  • #26979
    Tony Pagliaro
    Participant

    Much cleaner, thx Richard

  • #26980
    Tony Pagliaro
    Participant

    This is awesome... maybe others can use it as well, will work on any Windows DC.
    I have the cmdlet version too, if anyone is interested.

    ***Cannot post the code, there are carets getting dropped. If someone is interested, I can give you a Dropbox link.

  • #27172
    Tony Pagliaro
    Participant

    html code tag doesn't work either... 🙁
    oh well
