MemberOf for Get-ADObject Deleted Objects

This topic contains 6 replies, has 2 voices, and was last updated by Tom Kemp 3 years, 10 months ago.

  • #10569

    Tom Kemp
    Participant

    I am writing a script to get details of AD Objects. This shows a Treeview, similar to that in AD Users & Computers, but shows Deleted Objects as well.

    I am trying to make it as versatile as possible, so using Get-ADObject, rather than including separate searches for Users, Groups, etc.

    I have used the -IncludeDeletedObjects option so I can cope with these as well as existing objects.

    Then I use the LastKnownParent to show where the Deleted Object was (since once deleted it is in DeletedObjects of course).

    However, when I try to use the MemberOf switch, this includes Group Memberships for other Objects (such as Users, Workstations and other Groups), but does not include any information for Group Memberships for Deleted Objects.

    I have tested this with a User object. When Deleted the object is found in DeletedObjects and does not appear to be in any Groups. Admittedly, it is not showing in any of the relevant Groups either. Once the User Object has been restored, it is back in the Groups as before it was Deleted.

    Is there any way to show the Groups of which an object was a member before deletion whilst it is 'deleted' – in the same way that LastKnownParent indicates where the object was before it was deleted? As the object reappears in the correct Groups once it is Restored, AD must be storing that information somewhere.

    Maybe it works by GUIDs, as for File Access Rights for Deleted Objects?

    The basic command I am using is:


    # Look the object up by identity, including tombstoned / recycled objects
    $ObjectDetail = @(Get-ADObject -Identity "$SelectedObject" -IncludeDeletedObjects -Properties * | select *)

    # Group DNs from the memberOf back-link
    $GroupList = @($ObjectDetail.MemberOf)

    Then I write out the various Properties to a RichTextBox:


    $GroupList | %{
        # Strip the leading "CN=" and keep the first RDN (assumes no escaped commas in the group name)
        $richtextbox.AppendText($_.substring(3).split(",")[0])
        $richtextbox.AppendText("`r")   # one group per line
    }

    The last part just shows the name of the Object rather than the complete DN and then writes each one on a new line.

    (Incidentally, as I am using the 'Identity' switch the first search probably doesn't actually need to produce an array)

  • #10575

    Richard Siddaway
    Moderator

    I've been playing around with this a bit.

    If you have a deleted group then you can see the members before deletion:


    # All groups including deleted ones; take the first deleted one and list its former members
    Get-ADObject -IncludeDeletedObjects -LDAPFilter "(objectclass=group)" -Properties * |
        where deleted -eq $true | select -f 1 |
        select -ExpandProperty member

    If you have a deleted user life gets a bit more awkward because you have to filter out computer accounts:

    # objectclass 'user' also matches computer accounts, so exclude those explicitly
    Get-ADObject -IncludeDeletedObjects -Filter {objectclass -eq 'user'} -Properties * |
        where deleted -eq $true |
        where objectclass -ne 'computer' |
        select name, memberof

    So I did see that group memberships were preserved on the deleted objects.

    What version of PowerShell and what version of windows on your domain controllers?

  • #10581

    Tom Kemp
    Participant

    Our servers are Windows 2008 R2

    I am using Powershell 3

  • #10582

    Richard Siddaway
    Moderator

    I don't think anything on the AD recycle bin changed between 2008 R2 and 2012 which is what I was testing on.

    Try looking at the objects directly.

  • #10583

    Tom Kemp
    Participant

    I have tried the same code when selecting Deleted and Normal Objects. With Normal ones I get a list of Groups, but Deleted ones return no groups. I have tested and I know the Deleted Object is in some groups (by restoring it and then checking MemberOf).

    This is a small part of the code:


    # Selected object (normal or deleted), with the properties shown in the details pane
    $ObjectDetail = Get-ADObject -Identity "$SelectedObject" -IncludeDeletedObjects -Properties * | select Name, DisplayName, Description, LastKnownParent, MemberOf

    $GroupList = @($ObjectDetail.MemberOf)

    $GroupList | %{
        # Group name only: drop "CN=" and everything after the first comma
        Write-Host $_.substring(3).split(",")[0]
    }

    $SelectedObject is selected by clicking on an Object in the Treelist, which shows both Normal and Deleted Objects.
    The code also includes writing to a RichTextBox, with a line break between each one.

    I have tried Users and Non-Users (such as Workstations and Groups), both Deleted and Normal. In each case, I get a list of Groups for all Normal Objects but none for any Deleted Objects. We use Groups to apply SCCM Packages, so Workstations can be in groups as well. Groups are also in other Groups. These also give the same results.

  • #10588

    Richard Siddaway
    Moderator

    This line makes me suspicious:
    $GroupList = @($ObjectDetail.MemberOf)

    Try examining the data directly:

    Get-ADObject -Identity "$SelectedObject" -IncludeDeletedObjects -Properties * | select Name, DisplayName, Description, LastKnownParent, MemberOf

    That's effectively what I was doing and I saw the groups in MemberOf.

  • #10596

    Tom Kemp
    Participant

    I tried the above, with a Write-Host for each parameter, followed by the breakdown of the Groupnames.

    I used the same object – once whilst Deleted and then again after restoring it. A further test with an object which has never been deleted gave similar results to those for the Restored object.


    Deleted Object
    --------------
    Name: TTes74
    DEL:ed04fa7c-4d85-41ec-a765-75cb9c9c0224
    DisplayName: Test Test
    Description: test for Sham
    LastKnownParent: OU=Datacentre-CA,OU=RE,OU=Users,OU=WCC,DC=wcc-corp,DC=ad
    MemberOf:
    ---
    List of Groups from MemberOf
    ----------------------------
    ...
    ( None )
    ...
    ==============================================
    Same Object as above after being Restored
    -----------------------------------------
    Name: TTes74
    DisplayName: Test Test
    Description: test for Sham
    LastKnownParent: OU=Datacentre-CA,OU=RE,OU=Users,OU=WCC,DC=wcc-corp,DC=ad
    MemberOf: CN=Cit-GGR-Admin,OU=Citrix Groups,OU=Security,...................
    CN=BUFA-GGR-RE-SHIREHALL-NETWAREADMIN,OU=Business Unit Groups,OU=Security,...........
    CN=Netmon Users,OU=Users,OU=Unallocated,OU=WCC,DC=wcc-corp,DC=ad
    ---
    List of Groups from MemberOf
    ----------------------------
    Cit-GGR-Admin
    BUFA-GGR-RE-SHIREHALL-NETWAREADMIN
    Netmon Users

    I truncated the names of the Groups to shorten the DN. The original output did include the full DN.
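One way to read the memberships of a deleted object directly, as an added example that is not code from this thread or from the AD module: it queries the object over plain LDAP with both the Show Deleted Objects and Show Deactivated Links controls, which is what makes the deactivated link values on a Recycle Bin deleted object visible. It assumes the AD Recycle Bin is enabled in the forest, and the server name and DN are placeholder values.

```powershell
# Added example, not code from this thread or from the AD module. It reads a deleted
# object's memberOf over plain LDAP (System.DirectoryServices.Protocols), sending the
# Show Deleted Objects and Show Deactivated Links controls together.
# Assumes the AD Recycle Bin is enabled (deletion then deactivates linked values rather
# than stripping them); $Server and $DeletedDn are placeholder inputs.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Get-DeletedObjectMemberOf {
    param(
        [Parameter(Mandatory)][string]$Server,    # placeholder: a DC, e.g. dc01.example.local
        [Parameter(Mandatory)][string]$DeletedDn  # placeholder: DN of an object under CN=Deleted Objects
    )
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.Bind()   # current credentials (Negotiate)

    $req = New-Object System.DirectoryServices.Protocols.SearchRequest
    $req.DistinguishedName = $DeletedDn
    $req.Filter = '(objectClass=*)'
    $req.Scope  = [System.DirectoryServices.Protocols.SearchScope]::Base
    $req.Attributes.AddRange([string[]]@('name', 'lastKnownParent', 'memberOf'))
    # LDAP_SERVER_SHOW_DELETED_OID and LDAP_SERVER_SHOW_DEACTIVATED_LINK_OID, both marked critical
    # so a DC that does not support them fails the search instead of silently returning nothing
    foreach ($oid in '1.2.840.113556.1.4.417', '1.2.840.113556.1.4.2065') {
        [void]$req.Controls.Add((New-Object System.DirectoryServices.Protocols.DirectoryControl($oid, $null, $true, $true)))
    }

    try {
        foreach ($entry in $conn.SendRequest($req).Entries) {
            # A deleted object's name is "<old RDN>" + 0x0A + "DEL:<objectGUID>"; split on that separator
            $nameParts = $entry.Attributes['name'].GetValues([string])[0] -split "`n", 2
            $groups = @()
            if ($entry.Attributes.Contains('memberOf')) {
                $groups = @($entry.Attributes['memberOf'].GetValues([string]))
            }
            [pscustomobject]@{
                OriginalName    = $nameParts[0]
                DeletedGuid     = $(if ($nameParts.Count -gt 1) { $nameParts[1] -replace '^DEL:', '' } else { $null })
                LastKnownParent = $entry.Attributes['lastKnownParent'].GetValues([string])[0]
                # First RDN value of each group DN; the regex tolerates escaped commas, unlike split(",")
                MemberOf        = @($groups | ForEach-Object { [regex]::Match($_, '^CN=((?:\\.|[^,])+)').Groups[1].Value })
                MemberOfDn      = $groups
            }
        }
    } finally { $conn.Dispose() }
}

# Usage with placeholder values (the DEL GUID is the one from the output above):
# Get-DeletedObjectMemberOf -Server 'dc01.example.local' `
#     -DeletedDn 'CN=TTes74\0ADEL:ed04fa7c-4d85-41ec-a765-75cb9c9c0224,CN=Deleted Objects,DC=wcc-corp,DC=ad'
```

If MemberOf still comes back empty with both controls accepted, the link values were not retained at deletion, which is the behaviour of a forest without the Recycle Bin enabled rather than a display problem in the script.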
