Solved

DSQuery weirdness

Posted on 2010-11-10
4
738 Views
Last Modified: 2012-05-10
When I try to get all the members in the domains admin group. I have 5 users in the domain admins group. When I do a query using dsquery it only shows me 2. Yet active directory users and computers show 5. it only seems to do this with the domain admins group and NOT with other groups. I need it to show all users in that group. any suggestions?


dsquery group -name "Domain Admins" | dsget group -members | dsget user -fn -mi -ln
0
Comment
Question by:Delmiroc
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 5

Expert Comment

by:daveTechSearch
ID: 34107020
I'm guessing that you're only getting output from accounts that have the fields you are requesting populated with data.  What happens when you also request '-dn' with 'dsget user'?
0
 
LVL 85

Accepted Solution

by:
oBdA earned 500 total points
ID: 34107460
Check the properties of the three "missing" users; they've probably had their primary group membership changed from Domain Users to Domain Admins. A user's primary group membership will not be returned.
Change that back to "Domain Users"; the primary group has no importance in an AD domain, there's absolutely no use in changing this to "Domain Admins".
0
 
LVL 5

Expert Comment

by:daveTechSearch
ID: 34107564
I'm pretty confident with my suggestion above.
For instance, if I run this in our environment:
dsquery group -name "Domain Admins" | dsget group -members | dsget user -mi

that is, only requesting '-mi', I won't get any results. We don't populate it.
If I run:
dsquery group -name "Domain Admins" | dsget group -members | dsget user -fn -mi -ln
I get *some* results.  Not all created accounts were populated with FirstName,MiddleName,or LastName. Only the accounts that have at least *one* of the fields populated will show in the results.
If I run:
dsquery group -name "Domain Admins" | dsget group -members | dsget user -fn -mi -ln -dn
That is, include '-dn' I get a listing of all group members (Some of the requested fields will be blank, as they have not been populated with info/data).
0
 
LVL 1

Author Closing Comment

by:Delmiroc
ID: 34107793
Thank you guys.
0

Featured Post

Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question