Get-ADGroupMember -Recursive : Output not as expected; account missing from results

  • Question

  • I am using the following command to determine which accounts are effectively members of the ADDS built-in group [DOMAIN]\Administrators:

    Get-ADGroupMember -Identity 'Administrators' -Recursive

    The output of this command surprised me, because there is an account missing from the expected output. One of the direct members of the [DOMAIN]\Administrators group is the [DOMAIN]\Domain Admins group. So, when I run the above command against the Administrators group, I should see any account that is a member of that group as well as any account that is a member of any nested group, including Domain Admins.

    There is an account in Domain Admins that does not show in the output when I run the above command. All other accounts that are in Domain Admins but not Administrators do appear correctly in the output. The missing account does show in the results when I query the Domain Admins group directly with the following command:

    Get-ADGroupMember -Identity 'Domain Admins' -Recursive

    Can anyone think of any reason the account might not appear when running the first command? We rely on commands such as these for auditing purposes, and if I can't trust the output of the command...

    Monday, October 1, 2018 4:05 PM

Answers

  • I was finally able to formulate a Google search query that led me to the answer: the "missing" account had its Primary Group set to Domain Admins for some reason.

    Source: https://blogs.technet.microsoft.com/leesteve/2017/10/04/group-membership-isnt-consistent-in-ad-users-and-computers/

    Changing the Primary Group of the missing account back to Domain Users resolved the issue. More of an issue with how the Get-ADGroupMember cmdlet works and how account Primary Groups were set than an actual issue with the command / script.

    Monday, October 1, 2018 4:40 PM

All replies

  • Remove "Recursive" and it will show up.


    \_(ツ)_/

    Monday, October 1, 2018 4:14 PM
  • Groups do not have a "primary group".  Either your question is wrong or your solution is wrong.  You stated that "Domain Admins" group was missing.  It will not be displayed if you use "Recursive" as it will be expanded.  Only an NT user account can have a "primary group".  "Domain Admins" and "Administrators" are not "user" accounts.


    \_(ツ)_/

    Monday, October 1, 2018 4:51 PM
  • I'll repeat from my previous post: "...the 'missing' account had its Primary Group set to Domain Admins for some reason."

    The word "account" here (and for any and all other references I made in this thread) was referring to a user account, not a group. I don't think I should have to specify this fact. I've never heard of a group referred to as an "account" before.

    I thought it was pretty clear in my original question that:

    1. I was saying there was a user account that wasn't appearing in the recursive Get-ADGroupMember output when querying the Administrators group.
    2. The user account was a member of Domain Admins.
    3. The Domain Admins group was a member of the Administrators group.

    I never said the Domain Admins group was missing. Perhaps the part that confused you was this: "So, when I run the above command against the Administrators group, I should see any account that is a member of that group as well as any account that is a member of any nested group, including Domain Admins."

    What I meant by "including Domain Admins" at the end of that statement is that the command output should also show any user account that is a member of Domain Admins. I did not mean that the command output should show the Domain Admins group itself. I'm aware that Get-ADGroupMember doesn't show any groups in the output when -Recursive is used.

    Circling back to the true cause and resolution... It turns out the reason the output surprised me was because I wasn't aware of the effect of the Primary Group on the output of Get-ADGroupMember and that one of the members of Domain Admins had its (the user account's) Primary Group set to Domain Admins. Setting this "missing" user's Primary Group to Domain Users resolved the issue.

    The reason behind all of this is explained in more detail in the link I posted.

    If the original problem still isn't clear to you or you have some sort of other retort, you are of course free to respond how you wish but I'm not going to belabor the point any further.

    Thanks for engaging and offering suggestions. Good day!


    Monday, October 1, 2018 5:42 PM
  • Ok. I see that your original question is hard to decode. You are trying to say that a group that is returned is missing an account.

    Yes - primary groups are not displayed for any and all groups.


    \_(ツ)_/

    Monday, October 1, 2018 5:46 PM
  • This is one reason why it is not recommended to change the primary group.

    You can determine a user's primary group by grabbing the primary group ID (and then figuring out which RID that is), but yes it's an extra step.


    -- Bill Stewart [Bill_Stewart]

    Monday, October 1, 2018 6:41 PM
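The cause given in the accepted answer (a user's primary group membership lives in the user's primaryGroupID attribute, not in the group's member attribute, so a member-based walk such as Get-ADGroupMember -Recursive never sees it) and the extra step Bill Stewart mentions (mapping primaryGroupID to a RID) can be combined into a membership walk that does not drop these accounts. The following is an added example written for this page, not code from the thread or from Microsoft. The function names Get-EffectiveGroupMembers and Get-PrimaryGroup are my own; the example assumes the ActiveDirectory module (RSAT) in a domain-joined session with read access to the directory, and it only considers user objects (computer accounts also carry a primaryGroupID but are outside this thread's scope).

```powershell
# Added example (not from the thread): effective user membership of an AD group,
# including users whose primaryGroupID points at the group or at a nested group.
# Assumes the ActiveDirectory (RSAT) module and a domain-joined session.
Import-Module ActiveDirectory

function Get-EffectiveGroupMembers {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Identity   # name, SID, DN or GUID of the group
    )

    $seen    = @{}   # group DNs already expanded; guards against nesting loops
    $results = @{}   # user DN -> ADUser; de-duplicates users reached by several paths
    $queue   = New-Object System.Collections.Queue
    $queue.Enqueue((Get-ADGroup -Identity $Identity -Properties Members))

    while ($queue.Count -gt 0) {
        $group = $queue.Dequeue()
        if ($seen.ContainsKey($group.DistinguishedName)) { continue }
        $seen[$group.DistinguishedName] = $true

        # 1. Explicit members: the DNs stored in the group's 'member' attribute.
        #    This is all that Get-ADGroupMember -Recursive walks.
        foreach ($dn in $group.Members) {
            $obj = Get-ADObject -Identity $dn
            switch ($obj.ObjectClass) {
                'group' { $queue.Enqueue((Get-ADGroup -Identity $dn -Properties Members)) }
                'user'  { $results[$dn] = Get-ADUser -Identity $dn }
                # other classes (computer, foreignSecurityPrincipal, ...) are ignored here
            }
        }

        # 2. Implicit members: users whose primaryGroupID equals this group's RID.
        #    The RID is the last component of the group SID (Domain Admins = 512,
        #    Domain Users = 513). This membership is not written to 'member', which
        #    is exactly why the account in the thread was missing.
        $rid = ($group.SID.Value -split '-')[-1]
        foreach ($u in Get-ADUser -LDAPFilter "(primaryGroupID=$rid)") {
            $results[$u.DistinguishedName] = $u
        }
    }

    $results.Values | Sort-Object SamAccountName
}

# Inverse of the step above: resolve a user's primaryGroupID back to the group,
# by appending the RID to the domain SID (the lookup Bill Stewart describes).
function Get-PrimaryGroup {
    param([Parameter(Mandatory)] [string] $User)
    $u         = Get-ADUser -Identity $User -Properties primaryGroupID
    $domainSid = (Get-ADDomain).DomainSID.Value
    Get-ADGroup -Identity "$domainSid-$($u.primaryGroupID)"
}

# Usage (domain session assumed):
#   Get-EffectiveGroupMembers -Identity 'Administrators' |
#       Select-Object SamAccountName, DistinguishedName
#
# Diff against the thread's original command to see which users it drops:
#   $walk = Get-ADGroupMember -Identity 'Administrators' -Recursive |
#               Where-Object ObjectClass -eq 'user'
#   Compare-Object $walk (Get-EffectiveGroupMembers 'Administrators') -Property SamAccountName
#
# Confirm why a flagged user was dropped:
#   Get-PrimaryGroup -User 'someuser'    # expected: Domain Users; anything else is the cause
```

For audit purposes, running the Compare-Object line above against every privileged group (Administrators, Domain Admins, Enterprise Admins, Schema Admins) is a cheap way to surface accounts whose primary group was changed away from Domain Users, which is the condition the thread's poster only discovered by accident.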