Help with get-aduser filter

tony-pagliaro · June 30, 2015, 2:43am

I used online resources to piece together this working script, but it isn’t perfect yet. My goal is to enumerate password history info on all domain admin members.

Get-ADUser -filter 'PrimaryGroupID -eq "512"' -properties PasswordLastSet, PasswordNeverExpires | 
select-object Name, PasswordLastSet, PasswordNeverExpires | 
sort-object Name

The problem is that a user account could be a member of domain admins but not have it set as the Primary Group. So it may yield incomplete results.

I’ve tried replacing the [-filter ‘PrimaryGroupID -eq “512”’] with [-filter ‘MemberOf -like “Domain Admins”’] and it gives no output, other things I tried give errors.

If I run this:

Get-ADUser -Identity administrator -properties *

I do not see “Domain Admins” listed under MemberOf, but I see it in the AD GUI.

donj · June 30, 2015, 2:46am

Unfortunately, group membership is tracked as a property of the group, not the user, so there’s no way to construct the kind of query you’re after. You’ll have to start by recursively getting the members of the group you want, and then retrieving those accounts. It isn’t as efficient as you’re wanting, but it’s the way AD works.

What you’re seeing in the GUI is it performing multiple queries to unwind the group memberships.

tony-pagliaro · June 30, 2015, 3:04am

OK thanks.
So I have this to get me the list of members:

get-adgroupmember  -Identity "domain admins" |select samaccountname

It outputs a nice list to the console, but if I assign a $,

$admins = get-adgroupmember  -Identity "domain admins" |select samaccountname

…the resultant call for that $ is null.

donj · June 30, 2015, 3:12am

I don’t have a DC I can test against right now, but all things being equal the variable should contain whatever the command output. Can you show me a snippet of what the first command outputs?

tony-pagliaro · June 30, 2015, 3:16am

PS C:\Users\admin123> get-adgroupmember  -Identity "domain admins" |select samaccountname

samaccountname
--------------
Administrator
EvltExch
MWService
kenadmin2
JaeAdmin
nocadmin
backupexec

PS C:\Users\admin123> $admins = get-adgroupmember  -Identity "domain admins" |select samaccountname

PS C:\Users\admin123>$admins

that last line is blank.

donj · June 30, 2015, 4:10am

That is weird. I’m gonna have to fuss with that on a DC.

donj · June 30, 2015, 4:12am

Cannot replicate. For me, the variable populates as expected.

Reboot. Reinstall. Reconsider career options.

richard-siddaway · June 30, 2015, 4:12am

This will give you the data you need

Get-ADGroupMember -Identity ‘Domain Admins’ |
foreach {
Get-ADUser -Identity $psitem.samAccountName -Properties PasswordLastSet, PasswordNeverExpires |
select Name, PasswordLastSet, PasswordNeverExpires
}

BTW

$admins = Get-ADGroupMember -Identity ‘Domain Admins’ | select -ExpandProperty samaccountname

will give you the list of just the samaccountnames.

I tried your
$admins = get-adgroupmember -Identity “domain admins” |select samaccountname

and it worked in my Windows 2012 R2 domain

rob-simmers · June 30, 2015, 4:17am

Not sure what’s going on, but the same query worked for me. Additionally, if there are any nested groups in Domain Admins, you will want to specify -Recursive:

$da = Get-ADGroupMember -Identity "Domain Admins" -Recursive | Select Name, SamAccountName

tony-pagliaro · June 30, 2015, 5:01am

OK so I tried it on a different DC and it works fine.
Guess I don’t have to reconsider my career options afterall…

So now I plan to use a foreach loop to create a table of the desired properties for these accounts… sound like a good plan?

tony-pagliaro · June 30, 2015, 5:18am

Thanks Richard, didn’t see your example.
And thanks Don… and everyone who replied.

import-module activedirectory 
$admins = get-adgroupmember  -Identity "domain admins" |select samaccountname
foreach ($admin in $admins)
{
  Get-aduser -Identity $admin.samAccountName -Properties PasswordLastSet, PasswordNeverExpires |
    select Name, PasswordLastSet, PasswordNeverExpires |
    sort-object Name

This works well.

richard-siddaway · June 30, 2015, 5:31am

Get-ADGroupMember and Get-AdUser work together on the pipeline so you can also do this:

Get-ADGroupMember -Identity ‘Domain Admins’ |
Get-ADUser -Properties PasswordLastSet, PasswordNeverExpires |
select Name, PasswordLastSet, PasswordNeverExpires

tony-pagliaro · June 30, 2015, 8:08am

Much cleaner, thx Richard

tony-pagliaro · June 30, 2015, 9:01am

This is awesome… maybe others can use it as well, will work on any Windows DC.
I have the cmdlet version too, if anyone is interested.

***Cannot post the code, there are carrots getting dropped. if someone is interested, i can give you a dropbox link.

tony-pagliaro · July 5, 2015, 11:48am

html code tag doesn’t work either…
oh well

Topic		Replies	Views
Get-ADUser selected properties for get-ADGroupMember PowerShell Help	6	220	February 26, 2016
query admincount for security groups in all domain for a User PowerShell Help	3	153	May 9, 2016
How to list out multiple ADUsers with ADPrincipalGroupMembership? PowerShell Help	10	201	January 11, 2023
Modifying a Get-ADGroup cmdlet PowerShell Help	5	227	October 9, 2021
Exclude security groups from Get-ADUser PowerShell Help	3	160	December 11, 2013

Help with get-aduser filter

Related Topics