MemberOf for Get-ADObject Deleted Objects

I am writing a script to get details of AD Objects. This shows a Treeview, similar to that in AD Users & Computers, but shows Deleted Objects as well.

I am trying to make it as versatile as possible, so using Get-ADObjects, rather than including separate searches for Users, Groups, etc.

I have used the -IncludeDeletedObjects option so I can cope with these as well as existing objects.

Then I use the LastKnownParent to show where the Deleted Object was (since once deleted it is in DeletedObjects of course).

However, when I try to use the MemberOf switch, this includes Group Memberships for other Objects (such as Users, Workstations and other Groups), but does not include any information for Group Memberships for Deleted Objects.

I have tested this with a User object. When Deleted the object is found in DeletedObjects and does not appear to be in any Groups. Admittedly, it is not showing in any of the relevant Groups either. Once the User Object has been restored, it is back in the Groups as before it was Deleted.

Is there any way to show the Groups of which an object was a member before deletion whilst it is ‘deleted’ - in the same way that LastKnownParent indicates where the object was before it was deleted? As the object reappears in the correct Groups once it is Restored, AD must be storing that information somewhere.

Maybe it works by GUIDs, as for File Access Rights for Deleted Objects?

The basic command I am using is:

$ObjectDetail = @(Get-ADObject -Identity "$SelectedObject" -IncludeDeletedObjects -Properties * | select *)

$GroupList = @($ObjectDetail.MemberOf)

Then I write out the various Properties to a RichTextBox:

$GroupList | %{ $richtextbox.AppendText($_.substring(3).split(",")[0]); $richtextbox.AppendText("`r") }

The last part just shows the name of the Object rather than the complete DN and then writes each one on a new line.

(Incidentally, as I am using the ‘Identity’ switch the first search probably doesn’t actually need to produce an array)

I’ve been playing around with this a bit.

If you have a deleted group, then you can see the members before deletion:

Get-ADObject -IncludeDeletedObjects -LDAPFilter "(objectclass=group)" -Properties * | where deleted -eq $true | select -f 1 | select -ExpandProperty member

If you have a deleted user, life gets a bit more awkward because you have to filter out computer accounts:

Get-ADObject -IncludeDeletedObjects -Filter {objectclass -eq 'user'} -Properties * |
where deleted -eq $true |
where objectclass -ne 'computer' |
select name, memberof

So I did see that group memberships were preserved on the deleted objects.
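To compare the two views of the same link, here is an added example (not code from either poster) that reports, for one deleted object, both the memberOf back-link on the object and the groups whose forward-link member attribute still lists its DN, and that extracts the group name without assuming a fixed "CN=" prefix or choking on escaped commas. The function names are assumed; it needs the ActiveDirectory module and a Recycle Bin-enabled forest.

```powershell
# Pull the leading RDN value out of a DN without assuming a 3-character prefix
# and without breaking on escaped commas ("CN=Smith\, John,OU=...").
function ConvertFrom-RdnValue([string]$DistinguishedName) {
    if ($DistinguishedName -match '^[A-Za-z]+=((?:\\.|[^,])*)') {
        return ($Matches[1] -replace '\\(.)', '$1')
    }
    return $DistinguishedName
}

# Assumed function name. $Identity is the deleted object's DN or objectGUID.
function Get-DeletedObjectGroupLinks {
    param([Parameter(Mandatory)][string]$Identity)

    $obj = Get-ADObject -Identity $Identity -IncludeDeletedObjects `
        -Properties Name, isDeleted, LastKnownParent, memberOf
    if (-not $obj.isDeleted) {
        Write-Warning "$($obj.Name) is not deleted; memberOf is the live value."
    }

    # Back-link as reported on the object itself (what the OP's script reads).
    $backLinks = @($obj.memberOf)

    # Forward link: every group, live or deleted, whose member attribute still
    # holds this object's DN. The thread shows member survives on deleted groups.
    $forwardLinks = @(
        Get-ADObject -IncludeDeletedObjects -LDAPFilter '(objectClass=group)' -Properties member |
            Where-Object { $_.member -contains $obj.DistinguishedName } |
            Select-Object -ExpandProperty DistinguishedName
    )

    [pscustomobject]@{
        Name            = $obj.Name
        LastKnownParent = $obj.LastKnownParent
        MemberOf        = @($backLinks    | ForEach-Object { ConvertFrom-RdnValue $_ })
        GroupsListingIt = @($forwardLinks | ForEach-Object { ConvertFrom-RdnValue $_ })
    }
}

# Usage: Get-DeletedObjectGroupLinks -Identity $SelectedObject | Format-List
```

In a large domain the group scan is the slow part; add -SearchBase to the group query to limit it to the OUs you care about.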

What version of PowerShell and what version of windows on your domain controllers?

Our servers are Windows 2008 R2

I am using Powershell 3

I don’t think anything on the AD recycle bin changed between 2008 R2 and 2012 which is what I was testing on.

Try looking at the objects directly.

I have tried the same code when selecting Deleted and Normal Objects. With Normal ones I get a list of Groups, but Deleted ones return no groups. I have tested and I know the Deleted Object is in some groups (by restoring it and then checking MemberOf).

This is a small part of the code:

$ObjectDetail = Get-ADObject -Identity "$SelectedObject" -IncludeDeletedObjects -Properties * | select Name, DisplayName, Description, LastKnownParent, MemberOf

$GroupList = @($ObjectDetail.MemberOf)

$GroupList | %{
Write-Host $_.substring(3).split(",")[0]
}

$SelectedObject is selected by clicking on an Object in the Treelist, which shows both Normal and Deleted Objects.
The code also includes writing to a RichTextBox, with a line break between each one.

I have tried Users and Non-Users (such as Workstations and Groups), both Deleted and Normal. In each case, I get a list of Groups for all Normal Objects but none for any Deleted Objects. We use Groups to apply SCCM Packages, so Workstations can be in groups as well. Groups are also in other Groups. These also give the same results.

This line makes me suspicious:
$GroupList = @($ObjectDetail.MemberOf)

Try examining the data directly:

Get-ADObject -Identity "$SelectedObject" -IncludeDeletedObjects -Properties * | select Name, DisplayName, Description, LastKnownParent, MemberOf

That’s effectively what I was doing and I saw the groups in MemberOf.

I tried the above, with a Write-Host for each parameter, followed by the breakdown of the Groupnames.

I used the same object - once whilst Deleted and then again after restoring it. A further test with an object which has never been deleted gave similar results to those for the Restored object.

Deleted Object

Name: TTes74
DisplayName: Test Test
Description: test for Sham
LastKnownParent: OU=Datacentre-CA,OU=RE,OU=Users,OU=WCC,DC=wcc-corp,DC=ad

List of Groups from MemberOf

( None )

Same Object as above after being Restored

Name: TTes74
DisplayName: Test Test
Description: test for Sham
LastKnownParent: OU=Datacentre-CA,OU=RE,OU=Users,OU=WCC,DC=wcc-corp,DC=ad
MemberOf: CN=Cit-GGR-Admin,OU=Citrix Groups,OU=Security,…
CN=Netmon Users,OU=Users,OU=Unallocated,OU=WCC,DC=wcc-corp,DC=ad

List of Groups from MemberOf

Netmon Users

I truncated the names of the Groups to shorten the DN. The original output did include the full DN.