For some reason, ADSI is returning different membership results than Get-ADGroupMembership for “Domain Admins.” Any idea why? It is a standard (enabled) admin account that is in the Get-ADGroupMembership results, but not in ADSI results.
([adsi]'LDAP://CN=Domain Admins,OU=Admin and Service Accounts,DC=domain,DC=com' | select -ExpandProperty member).count
(get-adgroupmember 'domain admins' | select distinguishedname).count
I just want to make sure I am getting accurate results when expanding group members. Thanks!!!
The LDAP provider is lower-level and has a couple of known quirks, like that. The commands “fix” some of those internally.
That’s too bad - the performance is a LOT better than the ones that come with the ActiveDirectory module, and it doesn’t require any AD features to be installed. Do you suggest I just use Get-ADGroupMembership or is there a better way that I am not aware of?
Yup, LDAP is tons faster. It’s what the old Quest cmdlets used, for that reason. And it’s pretty much the only alternative to the .NET classes. Use LDAP, if you want - just get used to its quirks and be able to adjust.
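Added example, not code from anyone in this thread: one way to adjust for two documented LDAP behaviours when auditing a group over ADSI. The `member` attribute is returned in ranges (1500 values by default), and accounts that have the group as their primary group are recorded through `primaryGroupID`, not in `member`. The function name `Get-LdapGroupMember` is hypothetical, and deriving the domain root from the group DN is an assumption.

```powershell
# Added example: list a group's direct members over LDAP without the ActiveDirectory module.
function Get-LdapGroupMember {
    param(
        [Parameter(Mandatory)][string]$GroupDN   # distinguished name of the group to audit
    )
    $group   = [adsi]"LDAP://$GroupDN"
    $members = New-Object System.Collections.Generic.List[string]

    # 1. Ranged retrieval: ask for 'member' in explicit ranges until the server
    #    answers with a range ending in '*', which marks the last chunk.
    $start = 0
    $step  = 1500
    do {
        $searcher = New-Object System.DirectoryServices.DirectorySearcher($group)
        $searcher.SearchScope = 'Base'
        $searcher.Filter      = '(objectClass=group)'
        [void]$searcher.PropertiesToLoad.Add("member;range=$start-$($start + $step - 1)")
        $result = $searcher.FindOne()
        $key = $result.Properties.PropertyNames |
            Where-Object { $_ -like 'member;range=*' } | Select-Object -First 1
        if (-not $key) { break }                 # group has no 'member' values at all
        foreach ($dn in $result.Properties[$key]) { $members.Add([string]$dn) }
        $start += $step
    } while ($key -notlike '*-[*]')

    # 2. Primary-group members: these accounts point at the group's RID through
    #    primaryGroupID and never appear in the group's 'member' attribute.
    $sid = New-Object System.Security.Principal.SecurityIdentifier([byte[]]$group.objectSid[0], 0)
    $rid = $sid.Value.Split('-')[-1]

    # Assumption: the domain root is the DC=... suffix of the group's DN.
    $domainRoot = [adsi]"LDAP://$($GroupDN -replace '^.*?,(?=DC=)', '')"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($domainRoot)
    $searcher.Filter   = "(primaryGroupID=$rid)"
    $searcher.PageSize = 1000                    # page results past the server's size limit
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    foreach ($r in $searcher.FindAll()) {
        $members.Add([string]$r.Properties['distinguishedname'][0])
    }

    # Direct members only; nested groups are returned as group DNs, not expanded.
    $members | Sort-Object -Unique
}

# Usage with the DN from the question:
# (Get-LdapGroupMember 'CN=Domain Admins,OU=Admin and Service Accounts,DC=domain,DC=com').Count
```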