Monday, September 08, 2014

Get-ADGroupMember Forgot My Contacts

I was working on a script to copy groups and members from one forest to another and was so happy with the Get-ADGroupMember cmdlet, but I ran into an issue that means I can’t use it.

The challenge was that the cmdlet wasn’t returning the correct group membership. I could count the group members using this:

Get-ADGroup hoofhearted -Properties member |
    Select-Object -ExpandProperty member

However, this command would return no objects:

Get-ADGroup hoofhearted |
    Get-ADGroupMember

I thought it was just a permissions issue, that I had access to the group but not the member objects, but that turned out to be false.

The answer is right in the TechNet documentation for the Get-ADGroupMember cmdlet:

The Get-ADGroupMember cmdlet gets the members of an Active Directory group. Members can be users, groups, and computers.

Note that members can be users, groups and computers (NOT contacts). Bummer. I guess they designed the cmdlet with security principals in mind, so they didn’t include contacts.

The workaround isn’t very difficult:

Get-ADGroup hoofhearted -Properties member |
    Select-Object -ExpandProperty member |
    Get-ADObject

This is one of the things I love about PowerShell, and one of the reasons they don’t take many bugs, because there is almost always an easy workaround. 
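When copying membership between forests it helps to see exactly which members Get-ADGroupMember leaves out before relying on it. The following is an added example, not code from the original post: it compares the group's member attribute against the cmdlet's output and counts the omitted members by object class. The function name Get-GroupMemberGap is hypothetical, and the code assumes the ActiveDirectory module and read access to the group and its members.

```powershell
#Requires -Modules ActiveDirectory

function Get-GroupMemberGap {   # hypothetical helper name, not part of the AD module
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Identity
    )

    # Every DN stored in the group's member attribute, contacts included.
    $group     = Get-ADGroup -Identity $Identity -Properties member
    $memberDns = @($group.member)

    # What Get-ADGroupMember reports for the same group.
    $reported = @(Get-ADGroupMember -Identity $group |
        Select-Object -ExpandProperty distinguishedName)

    foreach ($dn in $memberDns) {
        # Get-ADObject resolves any object class, so contacts are returned too.
        $obj = Get-ADObject -Identity $dn
        [pscustomobject]@{
            DistinguishedName  = $obj.DistinguishedName
            ObjectClass        = $obj.ObjectClass
            InGetADGroupMember = $reported -contains $dn   # case-insensitive match
        }
    }
}

# Members the cmdlet left out, counted by object class.
Get-GroupMemberGap -Identity hoofhearted |
    Where-Object { -not $_.InGetADGroupMember } |
    Group-Object ObjectClass |
    Select-Object Name, Count
```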

2 comments:

Adam Akers said...

This was helpful - thank you!

Craig Martin said...

Glad it helped! I spent too much time messing with it, hope it saved you some time ;-)