This is not an unusual occurrence. There could be several reasons why a user object that appears in ADUC and is returned by `Get-ADGroupMember` for a group it is in is not returned by `(Get-ADGroup <TheGroup> -properties *).members`:

- The user object may have been removed from the group, but the change to the group membership may not have been replicated to all domain controllers yet. In this case, running `Get-ADGroupMember <TheGroup>` or `Get-ADGroup <TheGroup> -Server <DomainController>` could return different results.
- The `members` attribute of the group object may not have been updated with the latest changes to the group membership. This could happen if there are replication issues between domain controllers, or if the group object is cached in memory by a program or script.
- The `Get-ADGroupMember` cmdlet uses a default value of `-Recursive` for the `-MembersOnly` parameter, which means that it returns both user objects and nested group objects recursively. On the other hand, the `members` attribute of the group object only contains direct members of the group, not nested groups. Therefore, if the user object is a member of a nested group that is a member of `<TheGroup>`, it may be returned by `Get-ADGroupMember` but not by `(Get-ADGroup <TheGroup> -properties *).members`.

To troubleshoot the issue, you could try the following:

- Confirm that the user object is still a member of the group in question by running `Get-ADGroupMember <TheGroup>`.
- If the user object is not returned by `(Get-ADGroup <TheGroup> -properties *).members`, try running `Get-ADGroup <TheGroup> -Server <DomainController>` to see if the results are different.
- Check if the user object is a member of any nested groups that are members of `<TheGroup>`. If so, try running `Get-ADGroup <NestedGroup> -properties members` to confirm whether the user object is listed as a member.

This was mainly gathered from search, and it would be appreciated if you let me know if it works for you.
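The three troubleshooting steps above can be run as one script. The following is an added example, not code from the answer above; it assumes the RSAT `ActiveDirectory` module is installed, that the caller has read access to the domain, and that `$GroupName` (a placeholder below) is replaced with the real group. It compares the group's `Members` attribute with the direct and recursive output of `Get-ADGroupMember`, lists the objects that are only reachable through nesting, and then reads the attribute from every domain controller so a replication lag shows up as a count that differs between DCs.

```powershell
# Added troubleshooting script (not from the original post).
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

# Placeholder: replace with the sAMAccountName or DN of the group in question.
$GroupName = 'PLACEHOLDER-GROUP'

# 1. Direct members as stored on the group object itself (distinguished names).
$attributeMembers = @((Get-ADGroup -Identity $GroupName -Properties Members).Members)

# 2. Members as reported by the cmdlet: direct, then recursive (leaf objects only).
$cmdletDirect    = @(Get-ADGroupMember -Identity $GroupName |
                     Select-Object -ExpandProperty distinguishedName)
$cmdletRecursive = @(Get-ADGroupMember -Identity $GroupName -Recursive |
                     Select-Object -ExpandProperty distinguishedName)

# 3. Objects present in the recursive listing but absent from the attribute:
#    these are reachable only through a nested group.
$viaNestingOnly = @(Compare-Object -ReferenceObject $attributeMembers `
                                   -DifferenceObject $cmdletRecursive |
                    Where-Object SideIndicator -eq '=>' |
                    Select-Object -ExpandProperty InputObject)

# Nested groups are direct members whose object class is 'group'.
$nestedGroups = @(Get-ADGroupMember -Identity $GroupName |
                  Where-Object objectClass -eq 'group' |
                  Select-Object -ExpandProperty distinguishedName)

# 4. Read the attribute from every DC; a differing count points at replication lag.
$perDc = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $m = @((Get-ADGroup -Identity $GroupName -Properties Members `
                            -Server $dc.HostName).Members)
        [pscustomobject]@{ DC = $dc.HostName; MemberCount = $m.Count; Error = $null }
    } catch {
        [pscustomobject]@{ DC = $dc.HostName; MemberCount = $null; Error = $_.Exception.Message }
    }
}

"Attribute members      : $($attributeMembers.Count)"
"Cmdlet direct members  : $($cmdletDirect.Count)"
"Cmdlet recursive       : $($cmdletRecursive.Count)"
"Nested groups          : $($nestedGroups -join ', ')"
"Reachable via nesting  :"
$viaNestingOnly | ForEach-Object { "  $_" }
"Per-DC member count:"
$perDc | Format-Table -AutoSize
```

If a user appears in the "Reachable via nesting" list, the membership is inherited from one of the nested groups printed just above it, which matches the third point in the answer. If the per-DC counts disagree, the group has not converged across domain controllers yet, which matches the first two points; re-running the script against the DC with the higher count will show the extra member. Note that `Get-ADGroupMember` fails on groups containing foreign security principals from a trusted domain and on very large groups, so the attribute read in step 1 is the more reliable baseline in those cases.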