Why is the “Domain users” group missing from this Powershell AD Query?
I ran the following powershell script to compare a list of groups....
$dasMem = Get-ADUser -Server "<some-srv>" -Identity "<some-usr>" -Properties MemberOf | Select MemberOf
$blahx = $dasMem.MemberOf | % { $_ -replace "^CN=", "" } | % { $_ -replace ",.*$", "" } | sort
$blahx
When I got the list, I ended up with a missing group, Domain users which I believe is a standard default group, is there any reason why it's missing when I pull the script?
To be clear I was able to see the group in Active Directory Users and Computers but not from my script above.
active-directory powershell groups
asked 2 hours ago
leeand00leeand00
2,16564486
add a comment |
I ran the following powershell script to compare a list of groups....
$dasMem = Get-ADUser -Server "<some-srv>" -Identity "<some-usr>" -Properties MemberOf | Select MemberOf
$blahx = $dasMem.MemberOf | % { $_ -replace "^CN=", "" } | % { $_ -replace ",.*$", "" } | sort
$blahx
When I got the list, I ended up with a missing group, Domain users which I believe is a standard default group, is there any reason why it's missing when I pull the script?
To be clear I was able to see the group in Active Directory Users and Computers but not from my script above.
active-directory powershell groups
asked 2 hours ago
leeand00leeand00
2,16564486
add a comment |
I ran the following powershell script to compare a list of groups....
$dasMem = Get-ADUser -Server "<some-srv>" -Identity "<some-usr>" -Properties MemberOf | Select MemberOf
$blahx = $dasMem.MemberOf | % { $_ -replace "^CN=", "" } | % { $_ -replace ",.*$", "" } | sort
$blahx
When I got the list, I ended up with a missing group, Domain users which I believe is a standard default group, is there any reason why it's missing when I pull the script?
To be clear I was able to see the group in Active Directory Users and Computers but not from my script above.
active-directory powershell groups
asked 2 hours ago
leeand00leeand00
2,16564486
I ran the following powershell script to compare a list of groups....
$dasMem = Get-ADUser -Server "<some-srv>" -Identity "<some-usr>" -Properties MemberOf | Select MemberOf
$blahx = $dasMem.MemberOf | % { $_ -replace "^CN=", "" } | % { $_ -replace ",.*$", "" } | sort
$blahx
When I got the list, I ended up with a missing group, Domain users which I believe is a standard default group, is there any reason why it's missing when I pull the script?
To be clear I was able to see the group in Active Directory Users and Computers but not from my script above.
active-directory powershell groups
active-directory powershell groups
asked 2 hours ago
leeand00leeand00
2,16564486
asked 2 hours ago
leeand00leeand00
2,16564486
asked 2 hours ago
leeand00leeand00
2,16564486
asked 2 hours ago
leeand00leeand00
2,16564486
asked 2 hours ago
leeand00leeand00
2,16564486
2,16564486
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
As silly as it sounds, it's because Domain Users is not actually in the memberOf attribute. You can verify in ADUC by turning on View - Advanced Features, going to the Attributes tab on your object and opening the memberOf attribute (not the "Member Of" tab).
The "Member Of" tab you see on an object's properties in ADUC is actually a conglomeration of the memberOf attribute and the primaryGroupID attribute. By default, users in AD get their Domain Users membership via this primaryGroupID attribute rather than an entry in memberOf. Though it's possible to change the primaryGroupID, most people don't.
answered 2 hours ago
Ryan BolgerRyan Bolger
13.9k23051
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "2"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f955721%2fwhy-is-the-domain-users-group-missing-from-this-powershell-ad-query%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
As silly as it sounds, it's because Domain Users is not actually in the memberOf attribute. You can verify in ADUC by turning on View - Advanced Features, going to the Attributes tab on your object and opening the memberOf attribute (not the "Member Of" tab).
The "Member Of" tab you see on an object's properties in ADUC is actually a conglomeration of the memberOf attribute and the primaryGroupID attribute. By default, users in AD get their Domain Users membership via this primaryGroupID attribute rather than an entry in memberOf. Though it's possible to change the primaryGroupID, most people don't.
answered 2 hours ago
Ryan BolgerRyan Bolger
13.9k23051
add a comment |
As silly as it sounds, it's because Domain Users is not actually in the memberOf attribute. You can verify in ADUC by turning on View - Advanced Features, going to the Attributes tab on your object and opening the memberOf attribute (not the "Member Of" tab).
The "Member Of" tab you see on an object's properties in ADUC is actually a conglomeration of the memberOf attribute and the primaryGroupID attribute. By default, users in AD get their Domain Users membership via this primaryGroupID attribute rather than an entry in memberOf. Though it's possible to change the primaryGroupID, most people don't.
answered 2 hours ago
Ryan BolgerRyan Bolger
13.9k23051
add a comment |
As silly as it sounds, it's because Domain Users is not actually in the memberOf attribute. You can verify in ADUC by turning on View - Advanced Features, going to the Attributes tab on your object and opening the memberOf attribute (not the "Member Of" tab).
The "Member Of" tab you see on an object's properties in ADUC is actually a conglomeration of the memberOf attribute and the primaryGroupID attribute. By default, users in AD get their Domain Users membership via this primaryGroupID attribute rather than an entry in memberOf. Though it's possible to change the primaryGroupID, most people don't.
answered 2 hours ago
Ryan BolgerRyan Bolger
13.9k23051
As silly as it sounds, it's because Domain Users is not actually in the memberOf attribute. You can verify in ADUC by turning on View - Advanced Features, going to the Attributes tab on your object and opening the memberOf attribute (not the "Member Of" tab).
The "Member Of" tab you see on an object's properties in ADUC is actually a conglomeration of the memberOf attribute and the primaryGroupID attribute. By default, users in AD get their Domain Users membership via this primaryGroupID attribute rather than an entry in memberOf. Though it's possible to change the primaryGroupID, most people don't.
answered 2 hours ago
Ryan BolgerRyan Bolger
13.9k23051
answered 2 hours ago
Ryan BolgerRyan Bolger
13.9k23051
answered 2 hours ago
Ryan BolgerRyan Bolger
13.9k23051
answered 2 hours ago
Ryan BolgerRyan Bolger
13.9k23051
13.9k23051
add a comment |
add a comment |
Thanks for contributing an answer to Server Fault!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f955721%2fwhy-is-the-domain-users-group-missing-from-this-powershell-ad-query%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
