
Inconsistent results between Powershell and C# .NET AD group memberships

The following Powershell command gives me a result of 44:

Get-ADGroupMember -server domain.local "domain admins" | measure

The following Powershell command gives me a result of 34:

Get-ADGroup -properties * 'domain admins' | select -expandproperty member | measure

The following C# code gives me a result of 34:

using System;
using System.DirectoryServices;
using Microsoft.VisualStudio.TestTools.UnitTesting;

[TestMethod]
public void GT()
{
    // Distinguished name of the group; the domain suffix is appended below.
    string groupname = "CN=Domain Admins,CN=Users";
    string domain = "DC=domain,DC=local";
    DirectoryEntry de = new DirectoryEntry("LDAP://" + groupname + "," + domain);
    var count = 0;
    // Count the values of the group's "member" attribute (direct members only).
    foreach (object dn in de.Properties["member"])
    {
        count++;
    }
    Console.WriteLine(count);
}

What could be the reason for this inconsistency? It looks like the "member" property is what is really at issue here - does it not look at service accounts maybe?

EDIT It appears that if the primary group ID is set to 512 (domain admin), it will not be reflected as a member due to legacy issues. My question is if there is any way to, in .NET, get all of these in one query. (I want to use GroupPrincipal, but it is giving me referral errors for the Enterprise Admins group)

Looks like the issue, as noted in the edit, was that if old user accounts from legacy days were present, with a primary group ID of 512, they would not appear in the Domain Admins group.

Therefore, I had to use the following filter:

(|(primaryGroupId=512)(memberOf=CN=Domain Admins,CN=Users,DC=domain,DC=local))

This gave me the full listing!
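The combined filter from the answer, run from .NET with a DirectorySearcher, as an added example that is not code from the question or the answer. It assumes the group DN and search base from the question (domain.local); adjust both for your own forest.

```csharp
// Added example: enumerate every account that is effectively in Domain Admins,
// including legacy accounts whose primaryGroupId is 512 and which therefore do
// not appear in the group's "member" attribute. Group DN and search base are
// placeholders taken from the question.
using System;
using System.Collections.Generic;
using System.DirectoryServices;

static class DomainAdminsAudit
{
    // Well-known RID of Domain Admins. primaryGroupId stores only the RID,
    // not the full SID, so 512 is the same value in every domain.
    const int DomainAdminsRid = 512;

    public static List<string> GetEffectiveDomainAdmins(string groupDn, string searchBase)
    {
        // Filter from the accepted answer: direct members of the group OR
        // accounts whose primary group is Domain Admins.
        string filter = "(|(primaryGroupId=" + DomainAdminsRid + ")(memberOf=" + groupDn + "))";

        var results = new List<string>();
        using (var root = new DirectoryEntry("LDAP://" + searchBase))
        using (var searcher = new DirectorySearcher(root, filter))
        {
            searcher.PageSize = 500; // paged results, so the server's 1000-entry limit does not truncate the listing
            searcher.PropertiesToLoad.Add("distinguishedName");
            searcher.PropertiesToLoad.Add("primaryGroupId");

            foreach (SearchResult hit in searcher.FindAll())
            {
                string dn = (string)hit.Properties["distinguishedName"][0];
                // Mark the accounts that reading "member" alone would have missed.
                bool viaPrimaryGroup = hit.Properties.Contains("primaryGroupId")
                    && (int)hit.Properties["primaryGroupId"][0] == DomainAdminsRid;
                results.Add(viaPrimaryGroup ? dn + " (primary group only)" : dn);
            }
        }
        return results;
    }

    static void Main()
    {
        var admins = GetEffectiveDomainAdmins(
            "CN=Domain Admins,CN=Users,DC=domain,DC=local", "DC=domain,DC=local");
        foreach (string entry in admins) Console.WriteLine(entry);
        Console.WriteLine(admins.Count);
    }
}
```

Note that memberOf matches direct membership only; to also catch accounts that reach Domain Admins through nested groups, use the LDAP_MATCHING_RULE_IN_CHAIN form memberOf:1.2.840.113556.1.4.1941:=<group DN> in place of the plain memberOf clause.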
