I used online resources to piece together this working script, but it isn’t perfect yet. My goal is to enumerate password history info on all domain admin members.
Get-ADUser -filter 'PrimaryGroupID -eq "512"' -properties PasswordLastSet, PasswordNeverExpires | select-object Name, PasswordLastSet, PasswordNeverExpires | sort-object Name
The problem is that a user account could be a member of domain admins but not have it set as the Primary Group. So it may yield incomplete results.
I’ve tried replacing the [-filter ‘PrimaryGroupID -eq “512”’] with [-filter ‘MemberOf -like “Domain Admins”’] and it gives no output, other things I tried give errors.
If I run this:
Get-ADUser -Identity administrator -properties *
I do not see “Domain Admins” listed under MemberOf, but I see it in the AD GUI.