Hi all
I’m finally taking the time to sit myself down and learn PowerShell properly and I’m trying to wrap my head around the logic of what I’ve described below. It probably comes down to my head not grasping what the shell thinks is an object or a string.
I’m sure there are blogs and guides that explain what is going on, however if someone could autopsy my thinking process here that would be just grand.
Using Get-ADUser and Get-ADGroupMember cmdlets as my example. What I’m trying to do is to output a simple list of human names that are members of an Active Directory group. And for reference the ‘Name’ property of my ADUser object is an alphanumeric User ID, not an actual person’s name.
help get-aduser -Parameter Identity
-Identity <ADUser>
Specifies an Active Directory user object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the
attribute.
Required? true
Position? 1
Default value
Accept pipeline input? True (ByValue)
Accept wildcard characters? false
help Get-ADGroupMember -Parameter Identity
-Identity <ADGroup>
Specifies an Active Directory group object by providing one of the following values. The identifier in parentheses is the LDAP display name for the attribute.
Required? true
Position? 1
Default value
Accept pipeline input? True (ByValue)
Accept wildcard characters? false
OK, so the Identity parameter for these cmdlets accepts <ADUser> and <ADGroup> objects and accepts pipeline input ByValue.
Get-ADUser -Identity xxxxx <===sidenote: surely by typing here I’m feeding in a string, not an <ADUser> object?
DistinguishedName : xxxxx
Enabled : xxxxx
GivenName : xxxxx
Name : xxxxx
ObjectClass : xxxxx
ObjectGUID : xxxxx
SamAccountName : xxxxx
SID : xxxxx
Surname : xxxxx
UserPrincipalName : xxxxx
Get-ADGroupMember -Identity xxxxx <===sidenote: surely by typing here I’m feeding in a string, not an <ADGroup> object?
distinguishedName : xxxxx
name : xxxxx
objectClass : xxxxx
objectGUID : xxxxx
SamAccountName : xxxxx
SID : xxxxx
Piping these to Get-Member reveals Microsoft.ActiveDirectory.Management.ADUser and Microsoft.ActiveDirectory.Management.ADPrincipal objects. Both have a ‘Name’ System.String property.
To get the actual human name for an <ADUser> object I need the ‘DisplayName’ property, and I want a simple list of names with no other clutter.
I can find the alphanumeric User ID of the ADGroup members by examining the properties by running:
Get-ADGroupMember -Identity xxxxx | Select-Object -Property *
No human names in here. But I do have a ‘Name’ System.String property that corresponds to the alphanumeric User ID. I know I can type in that alphanumeric User ID from the shell and get a human name from the ‘DisplayName’ property:
Get-ADUser -Identity xxxxx -Property DisplayName | Select-Object DisplayName
I can use -ExpandProperty to get the User ID as a System.String object:
Get-ADGroupMember -Identity xxxxx | Select-Object -ExpandProperty Name
I know from help that Get-ADUser wants an <ADUser> object (which I’m not providing) but I also know I can manually type in an alphanumeric User ID string for the Identity parameter of Get-ADUser, so I figure that a parenthetical way of doing this will work, ergo:
Get-ADUser -Identity (Get-ADGroupMember -Identity xxxxx | Select-Object -ExpandProperty Name) -Property DisplayName | Select-Object -Property DisplayName
Get-ADUser : Cannot convert 'System.Object[]' to the type 'Microsoft.ActiveDirectory.Management.ADUser' required by parameter 'Identity'. Specified method is
not supported.
At line:1 char:22
+ ... r -Identity (Get-ADGroupMember -Identity xxxxx ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Get-ADUser], ParameterBindingException
+ FullyQualifiedErrorId : CannotConvertArgument,Microsoft.ActiveDirectory.Management.Commands.GetADUser
No worky and the ParameterBindingException gives it away (I guess). However the following does do exactly what I want:
Get-ADGroupMember -Identity xxxxx | Select-Object -ExpandProperty Name | Get-ADUser -Properties Displayname | Select-Object DisplayName
DisplayName
-----------
xxxxx
From my interpretation of things, Get-ADUser is getting a piped in System.String object fed to its Identity parameter - where help declares it requires a piped in <ADUser> object ByValue. This works though. I am going through the Trace-Command -Name ParameterBinding {} output of both of these at the moment and I may get my lightbulb moment from that. But it would be great to get some direct feedback on this. It’s clear to me that something fundamental has not sunk in yet.
Thanks
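
The binding behaviour described in the post, reproduced without a domain as an added example (not part of the original post, and not the ActiveDirectory module's code). `DemoUser` and `Get-DemoUser` are hypothetical stand-ins for `ADUser` and `Get-ADUser`, the user IDs are constructed, and it assumes PowerShell 5.0 or later and that the real `ADUser` type is converted from a string in the same way.

```powershell
# Hypothetical stand-in for Microsoft.ActiveDirectory.Management.ADUser.
# PowerShell can convert a string to a type that has a constructor taking
# one string, which is the only mechanism this demo relies on.
class DemoUser {
    [string]$Name
    [string]$DisplayName
    DemoUser([string]$id) {
        # Constructed sample directory: user ID -> human name
        $directory = @{ 'u1001' = 'Alice Example'; 'u1002' = 'Bob Example' }
        $this.Name = $id
        $this.DisplayName = $directory[$id]
    }
}

# Hypothetical stand-in for Get-ADUser: -Identity takes ONE DemoUser,
# positionally or from the pipeline ByValue.
function Get-DemoUser {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, Position = 0, ValueFromPipeline)]
        [DemoUser]$Identity
    )
    process { $Identity }   # runs once per pipeline object
}

# Constructed; plays the role of "Get-ADGroupMember ... | Select-Object -ExpandProperty Name"
$ids = 'u1001', 'u1002'

# 1. A single string binds: it is converted to DemoUser during parameter binding.
(Get-DemoUser -Identity 'u1001').DisplayName

# 2. An array does not: Object[] cannot be converted to one DemoUser,
#    so binding fails before the function body runs.
try {
    Get-DemoUser -Identity $ids
} catch {
    "Binding failed: $($_.Exception.GetType().Name)"
}

# 3. The pipeline unrolls the array, so each string is bound and converted on its own.
$ids | Get-DemoUser | Select-Object -ExpandProperty DisplayName

# 4. The same per-item binding, written with the parameter named explicitly.
$ids | ForEach-Object { Get-DemoUser -Identity $_ } | Select-Object -ExpandProperty DisplayName
```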