
June 30, 2015 at 8:13 am

I used online resources to piece together this working script, but it isn't perfect yet. My goal is to enumerate password history info on all domain admin members.

Get-ADUser -filter 'PrimaryGroupID -eq "512"' -properties PasswordLastSet, PasswordNeverExpires | 
select-object Name, PasswordLastSet, PasswordNeverExpires | 
sort-object Name

The problem is that a user account could be a member of domain admins but not have it set as the Primary Group. So it may yield incomplete results.

I've tried replacing the [-filter 'PrimaryGroupID -eq "512"'] with [-filter 'MemberOf -like "*Domain Admins*"'] and it gives no output; other things I tried give errors.

If I run this:

Get-ADUser -Identity administrator -properties * 

I do not see "Domain Admins" listed under MemberOf, but I see it in the AD GUI.

June 30, 2015 at 8:16 am

Unfortunately, group membership is tracked as a property of the group, not the user, so there's no way to construct the kind of query you're after. You'll have to start by recursively getting the members of the group you want, and then retrieving those accounts. It isn't as efficient as you're wanting, but it's the way AD works.

What you're seeing in the GUI is it performing multiple queries to unwind the group memberships.

June 30, 2015 at 8:34 am

OK thanks.
So I have this to get me the list of members:

get-adgroupmember  -Identity "domain admins" |select samaccountname

It outputs a nice list to the console, but if I assign a $,

$admins = get-adgroupmember  -Identity "domain admins" |select samaccountname

...the resultant call for that $ is null.

June 30, 2015 at 8:42 am

I don't have a DC I can test against right now, but all things being equal the variable should contain whatever the command output. Can you show me a snippet of what the first command outputs?

June 30, 2015 at 8:46 am

PS C:\Users\admin123> get-adgroupmember  -Identity "domain admins" |select samaccountname

samaccountname
--------------
Administrator
EvltExch
MWService
kenadmin2
JaeAdmin
nocadmin
backupexec

PS C:\Users\admin123> $admins = get-adgroupmember  -Identity "domain admins" |select samaccountname

PS C:\Users\admin123>$admins


that last line is blank.

June 30, 2015 at 9:40 am

That is weird. I'm gonna have to fuss with that on a DC.

June 30, 2015 at 9:42 am

Cannot replicate. For me, the variable populates as expected.

Reboot. Reinstall. Reconsider career options. 🙂

June 30, 2015 at 9:42 am

This will give you the data you need:

Get-ADGroupMember -Identity 'Domain Admins' |
foreach {
Get-ADUser -Identity $psitem.samAccountName -Properties PasswordLastSet, PasswordNeverExpires |
select Name, PasswordLastSet, PasswordNeverExpires
}

BTW

$admins = Get-ADGroupMember -Identity 'Domain Admins' | select -ExpandProperty samaccountname

will give you the list of just the samaccountnames.

I tried your
$admins = get-adgroupmember -Identity "domain admins" |select samaccountname

and it worked in my Windows 2012 R2 domain.

June 30, 2015 at 9:47 am

Not sure what's going on, but the same query worked for me. Additionally, if there are any nested groups in Domain Admins, you will want to specify -Recursive:

$da = Get-ADGroupMember -Identity "Domain Admins" -Recursive | Select Name, SamAccountName

June 30, 2015 at 10:31 am

OK so I tried it on a different DC and it works fine.
Guess I don't have to reconsider my career options after all...

So now I plan to use a foreach loop to create a table of the desired properties for these accounts... sound like a good plan?

June 30, 2015 at 10:48 am

Thanks Richard, didn't see your example.
And thanks Don.. and everyone who replied.

Import-Module ActiveDirectory
$admins = Get-ADGroupMember -Identity "domain admins" | Select-Object samaccountname
# Collect the loop output so the whole list can be sorted once at the end
# (sorting inside the loop only "sorts" one object at a time)
$results = foreach ($admin in $admins)
{
  Get-ADUser -Identity $admin.samAccountName -Properties PasswordLastSet, PasswordNeverExpires |
    Select-Object Name, PasswordLastSet, PasswordNeverExpires
}
$results | Sort-Object Name

This works well.

June 30, 2015 at 11:01 am

Get-ADGroupMember and Get-AdUser work together on the pipeline so you can also do this:

Get-ADGroupMember -Identity 'Domain Admins' |
Get-ADUser -Properties PasswordLastSet, PasswordNeverExpires |
select Name, PasswordLastSet, PasswordNeverExpires
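A fuller audit version of this pipeline combined with the -Recursive point from the earlier post, added here as an example and not code from any poster in the thread (the 90-day threshold and CSV file name are assumed):

```powershell
# Added example (not from any poster in this thread): audit Domain Admins, including
# nested groups, and flag accounts whose password is old or set to never expire.
# Assumes the ActiveDirectory module and read access to the group and user objects.
Import-Module ActiveDirectory

$maxPasswordAgeDays = 90   # assumed threshold; adjust to your domain's password policy

# -Recursive unwinds nested groups. The recursive output can contain objects that are
# not users (computer accounts, foreign security principals), which would make
# Get-ADUser throw, so keep only user objects before piping on.
$members = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

$report = $members |
    Get-ADUser -Properties PasswordLastSet, PasswordNeverExpires |
    Select-Object Name, SamAccountName, Enabled, PasswordLastSet, PasswordNeverExpires,
        @{ Name = 'PasswordAgeDays'; Expression = {
            # PasswordLastSet is $null when pwdLastSet is 0 ("must change at next logon")
            if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays }
            else { $null }
        } },
        @{ Name = 'Finding'; Expression = {
            if ($_.PasswordNeverExpires) { 'PasswordNeverExpires is set' }
            elseif (-not $_.PasswordLastSet) { 'Password never set / must change at logon' }
            elseif (((Get-Date) - $_.PasswordLastSet).TotalDays -gt $maxPasswordAgeDays) {
                "Older than $maxPasswordAgeDays days"
            }
            else { 'OK' }
        } } |
    Sort-Object Name

$report | Format-Table -AutoSize

# Keep a dated CSV so each run can be diffed against the previous one
$csv = 'DomainAdmins-PasswordAudit-{0:yyyyMMdd}.csv' -f (Get-Date)
$report | Export-Csv -Path $csv -NoTypeInformation
```

Members that are not user objects are dropped silently here; if you want to know about nested groups or computer accounts in Domain Admins, report the non-user objects separately rather than filtering them out.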

June 30, 2015 at 1:38 pm

Much cleaner, thx Richard

June 30, 2015 at 2:31 pm

This is awesome... maybe others can use it as well; it will work on any Windows DC.
I have the cmdlet version too, if anyone is interested.

***Cannot post the code, there are carets getting dropped. If someone is interested, I can give you a Dropbox link.

July 5, 2015 at 5:18 pm

html code tag doesn't work either... 🙁
oh well