Why would a user object, which appears in ADUC and is returned by Get-GroupMember from a group it's in, not be returned by (Get-ADGroup <TheGroup> -properties *).members?

Tony Auby 20 Reputation points
2023-03-25T23:31:05.44+00:00

It's sort of baffling to me how this can be occurring. It makes me think the account is somehow corrupt, but I've never seen a corrupt user account in 20 years of doing this, and it's working fine for the user. Just that PowerShell is doing this.

Note that all of the other users in the group are properly returned by both commands. Only this one user is not.

Any info needed?


Accepted answer
    Ayomide Oluwaga 946 Reputation points
    2023-03-26T00:29:41.21+00:00

    This is not an unusual occurrence. There could be several reasons why a user object that appears in ADUC and is returned by Get-GroupMember from a group it is in is not returned by (Get-ADGroup <TheGroup> -properties *).members:

    1. The user object may have been removed from the group, but changes to the group membership may not have been replicated to all domain controllers yet. In this case, running Get-ADGroupMember <TheGroup> or Get-ADGroup <TheGroup> -Server <DomainController> could return different results.
    2. The members attribute of the group object may not have been updated with the latest changes to the group membership. This could happen if there are replication issues between domain controllers, or if the group object is cached in memory by a program or script.
    3. The Get-ADGroupMember cmdlet uses a default value of -Recursive for the -MembersOnly parameter, which means that it returns both user objects and nested group objects recursively. On the other hand, the members attribute of the group object only contains direct members of the group, not nested groups. Therefore, if the user object is a member of a nested group that is a member of <TheGroup>, it may be returned by Get-ADGroupMember but not by (Get-ADGroup <TheGroup> -properties *).members.

    To troubleshoot the issue, you could try the following:

    1. Confirm that the user object is still a member of the group in question by running Get-ADGroupMember <TheGroup>.
    2. If the user object is not returned by (Get-ADGroup <TheGroup> -properties *).members, try running Get-ADGroup <TheGroup> -Server <DomainController> to see if the results are different.
    3. Check if the user object is a member of any nested groups that are members of <TheGroup>. If so, try running Get-ADGroup <NestedGroup> -properties members to confirm if the user object is listed as a member.

    This was mainly gathered from search, and it would be appreciated if you let me know if it works for you.

    1 person found this answer helpful.
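A diagnostic script, added here and not part of the question or the answer, that runs the answer's three checks side by side for one group and one user: the raw member attribute, Get-ADGroupMember direct and recursive, the nested-group path, and a per-domain-controller comparison. It assumes the RSAT ActiveDirectory module and takes placeholder group/user names; it also goes one step beyond the answer by testing whether the user is attached through primaryGroupID, a membership that Get-ADGroupMember reports but that is never stored in the member attribute, so audits that read only that attribute miss it.

```powershell
# Added diagnostic script (not from the original post). Assumes the RSAT
# ActiveDirectory module; $Group and $User are placeholders to replace.
param(
    [Parameter(Mandatory)] [string]$Group,   # e.g. 'TheGroup'
    [Parameter(Mandatory)] [string]$User     # sAMAccountName of the missing member
)
Import-Module ActiveDirectory

$g = Get-ADGroup -Identity $Group -Properties member, primaryGroupToken
$u = Get-ADUser  -Identity $User  -Properties primaryGroupID, memberOf

# View 1: the raw multi-valued 'member' attribute (direct members only).
$inMemberAttr = $g.member -contains $u.DistinguishedName

# View 2: Get-ADGroupMember, direct and recursive. Recursive expands nested
# groups; both forms also include accounts whose primary group is this group.
$direct    = Get-ADGroupMember -Identity $Group |
             Select-Object -ExpandProperty DistinguishedName
$recursive = Get-ADGroupMember -Identity $Group -Recursive |
             Select-Object -ExpandProperty DistinguishedName

[pscustomobject]@{
    InMemberAttribute     = $inMemberAttr
    InGetADGroupMember    = $direct    -contains $u.DistinguishedName
    InRecursiveMembership = $recursive -contains $u.DistinguishedName
    # True when the user belongs only via primaryGroupID: such accounts are
    # never written to the 'member' attribute, which explains the discrepancy.
    ViaPrimaryGroup       = ($u.primaryGroupID -eq $g.primaryGroupToken)
    # Groups the user is directly in that are themselves direct members of
    # $Group (the nested path the answer's step 3 asks about).
    NestedPathGroups      = ($u.memberOf | Where-Object { $g.member -contains $_ }) -join '; '
} | Format-List

# Replication check (answer's step 2): ask every DC for the 'member'
# attribute and report which ones list this user.
Get-ADDomainController -Filter * | ForEach-Object {
    $m = (Get-ADGroup -Identity $Group -Properties member -Server $_.HostName).member
    [pscustomobject]@{ DC = $_.HostName; HasUser = ($m -contains $u.DistinguishedName) }
} | Format-Table -AutoSize
```

If InGetADGroupMember is True while InMemberAttribute is False and ViaPrimaryGroup is True, the two cmdlets are both correct and the difference is by design; if the per-DC table disagrees with itself, replication is the place to look.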
