Help with what the shell thinks are objects and strings

Hi all

I’m finally taking the time to sit myself down and learn PowerShell properly and I’m trying to wrap my head around the logic of what I’ve described below. It probably comes down to my head not grasping what the shell thinks is an object or a string.

I’m sure there are blogs and guides that explain what is going on, however if someone could autopsy my thinking process here that would be just grand.

Using Get-ADUser and Get-ADGroupMember cmdlets as my example. What I’m trying to do is to output a simple list of human names that are members of an Active Directory group. And for reference the ‘Name’ property of my ADUser object is an alphanumeric User ID, not an actual person’s name.

help get-aduser -Parameter Identity

-Identity <ADUser>
    Specifies an Active Directory user object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the
    attribute.

    Required?                    true
    Position?                    1
    Default value
    Accept pipeline input?       True (ByValue)
    Accept wildcard characters?  false

help Get-ADGroupMember -Parameter Identity

-Identity <ADGroup>
    Specifies an Active Directory group object by providing one of the following values. The identifier in parentheses is the LDAP display name for the attribute.

    Required?                    true
    Position?                    1
    Default value
    Accept pipeline input?       True (ByValue)
    Accept wildcard characters?  false

OK, so the Identity parameter for these cmdlets accepts <ADUser> and <ADGroup> objects and accepts pipeline input ByValue.

Get-ADUser -Identity xxxxx <===sidenote: surely by typing here I’m feeding in a string, not an <ADUser> object?

DistinguishedName : xxxxx
Enabled           : xxxxx
GivenName         : xxxxx
Name              : xxxxx
ObjectClass       : xxxxx
ObjectGUID        : xxxxx
SamAccountName    : xxxxx
SID               : xxxxx
Surname           : xxxxx
UserPrincipalName : xxxxx

Get-ADGroupMember -Identity xxxxx <===sidenote: surely by typing here I’m feeding in a string, not an <ADGroup> object?

distinguishedName : xxxxx
name              : xxxxx
objectClass       : xxxxx
objectGUID        : xxxxx
SamAccountName    : xxxxx
SID               : xxxxx

Piping these to Get-Member reveals Microsoft.ActiveDirectory.Management.ADUser and Microsoft.ActiveDirectory.Management.ADPrincipal objects. Both have a ‘Name’ System.String property.

To get the actual human name for an <ADUser> object I need the ‘DisplayName’ property, and I want a simple list of names with no other clutter.

I can find the alphanumeric User ID of the ADGroup members by examining the properties by running:

Get-ADGroupMember -Identity xxxxx | Select-Object -Property *

No human names in here. But I do have a ‘Name’ System.String property that corresponds to the alphanumeric User ID. I know I can type in that alphanumeric User ID from the shell and get a human name from the ‘DisplayName’ property:

Get-ADUser -Identity xxxxx -Property DisplayName | Select-Object DisplayName

I can use -ExpandProperty to get the User ID as a System.String object:

Get-ADGroupMember -Identity xxxxx | Select-Object -ExpandProperty Name

I know from help that Get-ADUser wants an <ADUser> object (which I’m not providing) but I also know I can manually type in an alphanumeric User ID string for the Identity parameter of Get-ADUser, so I figure that a parenthetical way of doing this will work, ergo:

Get-ADUser -Identity (Get-ADGroupMember -Identity xxxxx | Select-Object -ExpandProperty Name) -Property DisplayName | Select-Object -Property DisplayName

Get-ADUser : Cannot convert 'System.Object[]' to the type 'Microsoft.ActiveDirectory.Management.ADUser' required by parameter 'Identity'. Specified method is
not supported.
At line:1 char:22
+ ... r -Identity (Get-ADGroupMember -Identity xxxxx ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [Get-ADUser], ParameterBindingException
    + FullyQualifiedErrorId : CannotConvertArgument,Microsoft.ActiveDirectory.Management.Commands.GetADUser

No worky and the ParameterBindingException gives it away (I guess). However the following does do exactly what I want:

Get-ADGroupMember -Identity xxxxx | Select-Object -ExpandProperty Name | Get-ADUser -Properties Displayname | Select-Object DisplayName

DisplayName
-----------
xxxxx

From my interpretation of things, Get-ADUser is getting a piped in System.String object fed to its Identity parameter - where help declares it requires a piped in <ADUser> object ByValue. This works though. I am going through the

Trace-Command -Name ParameterBinding {}

output of both of these at the moment and I may get my lightbulb moment from that. But it would be great to get some direct feedback on this. It’s clear to me that something fundamental has not sunk in yet.

Thanks

CS,
G’day and Welcome to the forum.

You actually did not ask any question. But to explain why this …

… is not working …

The parameter -Identity can take ONE value at a time and you try to feed it more than that. The difference would be between System.Object[] and System.Object. If you use a loop to separate the individual elements returned by the cmdlet Get-ADGroupMember you could feed it to Get-ADUser.

Hi, couple of notes.

  1. You generally don’t want to destroy your rich objects with Select-Object -Property or -ExpandProperty until you are outputting.
  2. You can pipe the output of Get-ADGroupMember straight into Get-ADUser, you don’t have to use a loop. There may be plenty of reasons to use a loop, but for your example it’s not required.
Get-ADGroupMember -Identity xxxxx | Get-ADUser -Properties DisplayName | Select-Object -Property DisplayName
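The binding behaviour discussed in this thread can be reproduced without the ActiveDirectory module. The following is an added example, not code from any of the posts: `DemoUser`, `DemoPrincipal` and `Get-DemoUser` are hypothetical stand-ins, and the assumption is that the AD types are convertible from a single string in the same way, through PowerShell's general single-argument constructor conversion.

```powershell
# DemoUser is a hypothetical stand-in for an identity type such as ADUser.
# Its single-argument constructors are what let PowerShell convert ONE
# string (or one DemoPrincipal) into a DemoUser during parameter binding.
class DemoPrincipal {
    [string] $Name
    DemoPrincipal([string] $name) { $this.Name = $name }
}

class DemoUser {
    [string] $Name
    [string] $DisplayName
    DemoUser([string] $name) { $this.Init($name) }
    DemoUser([DemoPrincipal] $p) { $this.Init($p.Name) }
    hidden [void] Init([string] $name) {
        $this.Name = $name
        $this.DisplayName = "Display name for $name"   # constructed data
    }
}

function Get-DemoUser {
    [CmdletBinding()]
    param(
        # Same shape as the help text: typed, positional, pipeline ByValue.
        [Parameter(Mandatory, Position = 0, ValueFromPipeline)]
        [DemoUser] $Identity
    )
    process { $Identity }   # runs once per pipeline item
}

$ids = 'u1001', 'u1002'     # constructed sample IDs (an Object[] of strings)

# 1. One string: converted to DemoUser through DemoUser([string]).
(Get-DemoUser -Identity 'u1001').DisplayName

# 2. An array as the argument: the whole Object[] must become ONE DemoUser,
#    no constructor takes an array, so binding fails before the body runs.
try { Get-DemoUser -Identity $ids }
catch { "Binding failed: $($_.Exception.GetType().Name)" }

# 3. The same array through the pipeline: items are unrolled and bound one
#    at a time, so each string is converted separately.
$ids | Get-DemoUser | Select-Object -ExpandProperty DisplayName

# 4. An explicit loop does the same one-value-at-a-time binding.
foreach ($id in $ids) { (Get-DemoUser -Identity $id).DisplayName }

# 5. Rich objects can be piped without flattening them to strings first.
$ids | ForEach-Object { [DemoPrincipal]::new($_) } | Get-DemoUser |
    Select-Object -Property Name, DisplayName
```

Wrapping any of these calls in `Trace-Command -Name ParameterBinding -Expression { ... } -PSHost` shows the coercion attempt for each bound value.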