locked
Counting Users in AD security groups and getting different results with -recursive RRS feed

  • Question

  • Hi

    I am trying to get a user count for all users and nested groups in an AD Security groups. I am using a basic 1 liner but get different results. The correct result is 1.

    Can someone explain why my results are different just by adding -recursive? This group has no childeren OUs

     
    PS C:\> (Get-ADGroupMember "Group1" -Recursive | measure-object).count
    5
    
    PS C:\> (Get-ADGroupMember "Group1"| measure-object).count
    1
    
    PS C:\> 




    • Edited by ktitchard Thursday, August 24, 2017 8:45 AM
    Thursday, August 24, 2017 8:40 AM

Answers

  • Seems to be an issue with this one AD group. I will move to the next and fix it later cheers all!
    • Marked as answer by ktitchard Thursday, August 24, 2017 9:24 AM
    Thursday, August 24, 2017 9:24 AM

All replies

  • Run the command without .count and chec kthe result displayed.

    Cdt, Loïc V. - NetSec Design - Blog: http://ms-sec.fr

    Thursday, August 24, 2017 8:41 AM
  • PS C:\> Get-ADGroupMember "Group1" | measure-object


    Count    : 1
    Average  :
    Sum      :
    Maximum  :
    Minimum  :
    Property :


    PS C:\> Get-ADGroupMember "Group1" -Recursive | measure-object


    Count    : 5
    Average  :
    Sum      :
    Maximum  :
    Minimum  :
    Property :

    Thursday, August 24, 2017 8:46 AM
  • That is how "recursive" works.  It will count all nested groups.  Your issue make little sense.  THe outcome is completely dependent in what is in ALL groups that are nested.


    \_(ツ)_/

    Thursday, August 24, 2017 8:50 AM
  • tried your script in my AD and in both instance, with and without "-Recursive", it returned the same result.
    Thursday, August 24, 2017 8:52 AM
  • PS C:\> Get-ADGroupMember "Group1" | measure-object


    Count    : 1
    Average  :
    Sum      :
    Maximum  :
    Minimum  :
    Property :


    PS C:\> Get-ADGroupMember "Group1" -Recursive | measure-object


    Count    : 5
    Average  :
    Sum      :
    Maximum  :
    Minimum  :
    Property :


    Sorry, forgot to let you know that measure-object needs also to be removed. The purpose for you is to list he object returned and understand what is the difference btween recursive and not recursive.

    Cdt, Loïc V. - NetSec Design - Blog: http://ms-sec.fr

    Thursday, August 24, 2017 9:03 AM
  • This is interesting...

    The results without the measure-object with recursive lists 5 users. The same without the recursive shows "Group1".

    Within AD the group only has 1 user account in the "Members".

    As a test I searched one of the 5 members it had listed using rescursive and they are not a member of "Group1"???

    Thursday, August 24, 2017 9:17 AM
  • Seems to be an issue with this one AD group. I will move to the next and fix it later cheers all!
    • Marked as answer by ktitchard Thursday, August 24, 2017 9:24 AM
    Thursday, August 24, 2017 9:24 AM
  • The one member of the group shown on the member tab is not a user, but a nested group, which has 4 user members. So the first group has 5 total members, the nested group plus the 4 user members of the nested group.

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Thursday, August 24, 2017 9:29 AM