When does WinNT:// provider query Active Directory? Or how to get SID of local group member if it is domain account

Question

Okay so I am using the WinNT provider with a DirectoryEntry class to enumerate the members of a local group, through the Members property.

If the member is a local account, the DirectoryEntry will also be read from the SAM on the local machine presumably.

If the member is a Domain Account however, will the provider perform a query to Active Directory when I access the properties of the DirectoryEntry object?

Is there a way to differentiate the two scenarios? For example check a property on the DirectoryEntry to see if it is going to get the properties from the local machine SAM, or by querying a domain controller to read Active Directory?

Is there a way to get the name (or even just the SID) of the member without querying Active Directory?

I'm trying to enumerate the local groups on a large number of servers and don't want to be hammering the domain controller, if they contain many domain user accounts.

Answer 1

You could query Win32_GroupUser, and that shouldn't hit AD at all. Then you just have to do a little string parsing to get the user name, user type (user/group), and source (local/domain).

$Servers = 'Server1.domain.com','Server2.domain.com'
$GMembers = ForEach($Server in $Servers){
    $BaseName=$Server.split('.')[0]
    Get-WmiObject -ComputerName $Server -Query "SELECT * FROM win32_GroupUser WHERE GroupComponent = ""Win32_Group.Domain='$BaseName',Name='Administrators'"""
}
$GMembers | 
    ?{$_.PartComponent -match '\\\\(.+?)\\.+?Win32_(.+?)\.Domain="(.+?)",Name="(.+?)"'}|
    %{
        [PSCustomObject]@{
            Server=$Matches[1]
            Domain=$Matches[3]
            Account=$Matches[4]
            AccountType=$Matches[2]
        }
    }