How to list all users and groups? Why is "DOMAIN USERS" not shown?

  • Question

  • I'm trying to use a lot of scripts in the TechNet library and it's amazing the number of scripts that don't run in my environment (Win2008R2/Win2012R2 AD/DC).

    After a lot of testing I found a good script at: http://www.experts-exchange.com/Programming/Languages/Scripting/Powershell/Q_28277287.html

    I did some minor modifications and I'm puzzled about something: why is the group "Domain Users" not shown in the output? Even considering that it's the primary group, it makes no sense, because the script lists all entities, am I right?

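    Import-Module ActiveDirectory
    # List every enabled user with the names of the groups in its memberOf attribute
    Get-ADUser -Filter {Enabled -eq $true} -Properties SAMAccountName,DisplayName,MemberOf | ForEach-Object {
        New-Object PSObject -Property @{
            SAMID    = $_.SAMAccountName
            UserName = $_.DisplayName
            # Resolve each group DN in memberOf to its name and join them with commas
            Groups   = ($_.MemberOf | Get-ADGroup | Select-Object -ExpandProperty Name) -join ","
        }
    } | Select-Object SAMID,UserName,Groups | Export-Csv C:\temp\Lista_Users_Groups.csv -NoTypeInformation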

    An end user asks for a user/group listing, asking for some method to track permissions. The resulting CSV is good enough, a little modification in MS Excel does the trick, but I'm thinking about the missing DOMAIN USERS and wondering if something else was cut off from the file.

    Wednesday, September 30, 2015 12:26 PM

Answers

  • Expected behavior. If you want Domain Users listed in the output, use Get-ADPrincipalGroupMembership instead.

    • Proposed as answer by Josh Lavely Wednesday, September 30, 2015 12:57 PM
    • Marked as answer by KayZerSoze Wednesday, September 30, 2015 1:02 PM
    Wednesday, September 30, 2015 12:29 PM

All replies

  • Just to clarify, the memberOf attribute of users (and the member attribute of groups) never includes membership in the "primary" group.

    The reason is that it is expected that everyone will be members of "Domain Users". Years ago they did not want any group to include more than 5000 members, so membership in the "primary" group was handled differently. The primaryGroupID attribute of the user points to the "primary" group of the user. The value of primaryGroupID matches the value of the primaryGroupToken attribute of the "primary" group. If you check, you will find that the "member" attribute of the "Domain Users" group (on the "Attribute Editor" tab) is either empty, or nearly so.


    Richard Mueller - MVP Directory Services

    Wednesday, September 30, 2015 1:56 PM
    Moderator
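
The following is an added example, not part of the original thread: it extends the question's script so the primary group appears in the listing, by resolving each user's primaryGroupID to a group as the last reply describes. It relies on a group's primaryGroupToken being its RID, so the primary group's SID is the domain SID followed by primaryGroupID; the helper name Resolve-PrimaryGroupName and the PrimaryGroup column are illustrative choices.

```powershell
Import-Module ActiveDirectory

# A group's primaryGroupToken is its RID, so the SID of a user's primary group
# is "<domain SID>-<primaryGroupID>".
$domainSid         = (Get-ADDomain).DomainSID.Value
$primaryGroupCache = @{}   # RID -> group name (looked up once per distinct primary group)
$groupNameCache    = @{}   # group DN -> group name (avoids one query per membership)

function Resolve-PrimaryGroupName {   # illustrative helper, not an AD module cmdlet
    param([int]$Rid)
    if (-not $primaryGroupCache.ContainsKey($Rid)) {
        $primaryGroupCache[$Rid] = (Get-ADGroup -Identity "$domainSid-$Rid").Name
    }
    $primaryGroupCache[$Rid]
}

Get-ADUser -Filter 'Enabled -eq $true' -Properties DisplayName, MemberOf, PrimaryGroupID |
    ForEach-Object {
        # memberOf holds direct memberships only and never the primary group
        $direct = foreach ($dn in $_.MemberOf) {
            if (-not $groupNameCache.ContainsKey($dn)) {
                $groupNameCache[$dn] = (Get-ADGroup -Identity $dn).Name
            }
            $groupNameCache[$dn]
        }
        $primary = Resolve-PrimaryGroupName -Rid $_.PrimaryGroupID

        [pscustomobject]@{
            SAMID        = $_.SamAccountName
            UserName     = $_.DisplayName
            PrimaryGroup = $primary
            # Primary group first merged with memberOf, de-duplicated, empty entries dropped
            Groups       = (@($primary) + @($direct) | Where-Object { $_ } |
                            Sort-Object -Unique) -join ','
        }
    } |
    Select-Object SAMID, UserName, PrimaryGroup, Groups |
    Export-Csv -Path C:\temp\Lista_Users_Groups.csv -NoTypeInformation
```

A separate PrimaryGroup column makes it easy to spot accounts whose primary group is something other than "Domain Users" when the listing is reviewed for permissions.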