I used online resources to piece together this working script, but it isn’t perfect yet. My goal is to enumerate password history info on all domain admin members.
The problem is that a user account could be a member of domain admins but not have it set as the Primary Group. So it may yield incomplete results.
I’ve tried replacing the [-filter 'PrimaryGroupID -eq "512"'] with [-filter 'MemberOf -like "Domain Admins"'] and it gives no output; other things I tried give errors.
If I run this:
Get-ADUser -Identity administrator -properties *
I do not see “Domain Admins” listed under MemberOf, but I see it in the AD GUI.
Unfortunately, group membership is tracked as a property of the group, not the user, so there’s no way to construct the kind of query you’re after. You’ll have to start by recursively getting the members of the group you want, and then retrieving those accounts. It isn’t as efficient as you’re wanting, but it’s the way AD works.
What you’re seeing in the GUI is it performing multiple queries to unwind the group memberships.
I don’t have a DC I can test against right now, but all things being equal the variable should contain whatever the command output. Can you show me a snippet of what the first command outputs?
Not sure what’s going on, but the same query worked for me. Additionally, if there are any nested groups in Domain Admins, you will want to specify -Recursive:
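The approach described in the replies above (expand the group's members recursively, then fetch each account), as an added example that is not code from any poster in this thread. It assumes the ActiveDirectory module and a reachable domain controller; the group name comes from the question, and the 90-day password-age threshold is an assumed value for the stale-password check.

```powershell
# Added example, not from the thread. Assumes RSAT ActiveDirectory module is available.
Import-Module ActiveDirectory

$groupName = 'Domain Admins'

# 1. Expand the group's member attribute recursively so nested groups are unwound,
#    and keep only user objects (nested groups and computers are dropped).
$memberUsers = Get-ADGroupMember -Identity $groupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

# 2. An account whose *primary* group is Domain Admins (RID 512) is not stored in
#    the group's member attribute, which is the gap the question describes.
#    Query those accounts separately and union the two sets.
$primaryGroupUsers = Get-ADUser -Filter 'PrimaryGroupID -eq 512'

# 3. De-duplicate by DistinguishedName, then pull the password-related attributes
#    for each account (Get-ADGroupMember returns only a principal stub).
$admins = @($memberUsers) + @($primaryGroupUsers) |
    Sort-Object -Property DistinguishedName -Unique |
    ForEach-Object {
        Get-ADUser -Identity $_.DistinguishedName -Properties `
            PasswordLastSet, PasswordNeverExpires, PasswordNotRequired,
            PasswordExpired, LastLogonDate, Enabled
    }

# Full listing, oldest password first.
$admins |
    Select-Object SamAccountName, Enabled, PasswordLastSet, PasswordNeverExpires,
                  PasswordNotRequired, PasswordExpired, LastLogonDate |
    Sort-Object PasswordLastSet |
    Format-Table -AutoSize

# Defender check: privileged accounts whose password never expires, is not
# required, or has not been changed in 90 days (assumed threshold).
$maxAge = (Get-Date).AddDays(-90)
$admins |
    Where-Object {
        $_.PasswordNeverExpires -or $_.PasswordNotRequired -or
        (-not $_.PasswordLastSet) -or ($_.PasswordLastSet -lt $maxAge)
    } |
    Select-Object SamAccountName, Enabled, PasswordLastSet, PasswordNeverExpires, PasswordNotRequired |
    Format-Table -AutoSize
```

Get-ADGroupMember queries the domain controller once per nesting level, which is the multi-query unwinding the GUI does behind the scenes; run it with an account that can read the group and user objects.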