Your basic ITPro blog... What's going on at work, what I'm interested in.

Friday, September 12, 2008

.MemberOf Does Not List the Primary Group

I often use the following command (or something similar) in PowerShell...

(Get-QADUser <name>).MemberOf

NOTE: You must have the Quest AD cmdlets installed. But, of course, if you are using PowerShell, you do have them installed! Don't you?!

This simple command will list the groups that a particular AD account is a member of. But, there is one problem... it does not list the Primary Group for the user. At first, I thought this was a problem with the Quest cmdlets (I should have known better!). But, it turns out that this is 'inherent in the system', as it were.

Normally, this isn't a problem, because 'Domain Users' is most often a user's Primary Group. But, there is no guarantee that this is the case.

This problem cropped up when I was working on a script that tested group membership before performing some task. I was getting some odd results. It turned out that, for one user in my test, the group I was testing for was the Primary Group (rather than Domain Users), so it did not show up on his group membership list. Interestingly, the Primary Group setting only has significance for Mac or POSIX-compliant clients. Not sure why it was changed...

My first thought was to modify my group member query to include some additional search for the Primary Group. But then I thought, just change everyone's Primary Group to 'Domain Users'. Easier said than done...

I found this blog post that talked about doing this, but I kept running into "PrimaryGroupId is ReadOnly" errors. I am guessing that this is some permissions-related issue... But, I didn't want to mess with it. I knew I didn't have too many accounts like this, so I figured if I can identify them easily, then I will make the change manually.

To that end, I came up with this quick little ditty that lists user accounts where "Domain Users" is not the Primary Group:

# PrimaryGroupID for 'Domain Users' = 513
# Note: Get-QADUser returns at most 1000 objects by default; add -SizeLimit 0 to cover every account
$users = Get-QADUser
foreach ($user in $users) {
    if ($user.PrimaryGroupId -ne 513) {
        Write-Host $user.DisplayName " : " $user.DN
    }
}

# As a one-liner
Get-QADUser | %{if($_.PrimaryGroupId -ne 513){$_.DN}}

So, this gives me a list. I then go into ADUC and make the change. Not ideal, but quick and functional for me.
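For the other route mentioned above (a membership query that also accounts for the Primary Group), here is an added example; it is not code from the original post. The reason MemberOf misses the group is that AD records the primary group only as a RID in the user's primaryGroupID attribute; it appears neither in the user's memberOf nor in the group's member attribute. The group's SID is therefore the account's domain SID followed by that RID (513 is Domain Users in every domain), which is enough to compare it against any group object. The sample user, group, domain SID and RID 1201 are constructed placeholders, and the live-AD call at the end assumes the Quest user and group objects expose a Sid property next to the DN, MemberOf and PrimaryGroupId properties used in the post.

```powershell
# Added example, not from the original post: a membership test that does not miss
# the primary group. primaryGroupID is a RID in the account's own domain, so the
# primary group's SID is <domain SID>-<RID>.

function Get-PrimaryGroupSid {
    param(
        [Parameter(Mandatory=$true)][string]$AccountSid,
        [Parameter(Mandatory=$true)][int]$PrimaryGroupId
    )
    $sid = New-Object System.Security.Principal.SecurityIdentifier($AccountSid)
    # AccountDomainSid drops the account's own RID and leaves the domain SID
    return "$($sid.AccountDomainSid.Value)-$PrimaryGroupId"
}

# True if the group DN is in MemberOf, or the group SID matches the SID derived
# from primaryGroupID. $User needs Sid, PrimaryGroupId, MemberOf; $Group needs DN, Sid
# (property names assumed for the Quest objects, see lead-in).
function Test-EffectiveMembership {
    param(
        [Parameter(Mandatory=$true)]$User,
        [Parameter(Mandatory=$true)]$Group
    )
    $direct  = @($User.MemberOf) -contains $Group.DN
    $pgSid   = Get-PrimaryGroupSid -AccountSid $User.Sid.ToString() -PrimaryGroupId $User.PrimaryGroupId
    $primary = ($pgSid -eq $Group.Sid.ToString())
    return ($direct -or $primary)
}

# Constructed sample data (placeholder domain SID and RIDs, not a real directory):
# a user whose primary group was switched from Domain Users (513) to a Finance group.
$domainSid = 'S-1-5-21-1111111111-2222222222-3333333333'
$finance = New-Object PSObject -Property @{
    DN  = 'CN=Finance,OU=Groups,DC=example,DC=com'
    Sid = "$domainSid-1201"
}
$user = New-Object PSObject -Property @{
    DisplayName    = 'Test User'
    Sid            = "$domainSid-1105"
    PrimaryGroupId = 1201
    MemberOf       = @('CN=Sales,OU=Groups,DC=example,DC=com')
}

"MemberOf-only check:           {0}" -f (@($user.MemberOf) -contains $finance.DN)
"Check including primary group: {0}" -f (Test-EffectiveMembership -User $user -Group $finance)

# Against live AD with the Quest cmdlets (assumed property names as noted above):
#   Test-EffectiveMembership -User (Get-QADUser jdoe) -Group (Get-QADGroup Finance)
```

The first line of output reports the group as missing and the second reports it as present, which is exactly the odd result described in the post. The point for anyone auditing or gating access on group membership is that the logon token does include the primary group, so a user can hold rights through a group that a MemberOf-based script or report never shows; comparing the SID derived from primaryGroupID closes that gap without relying on Domain Users being the primary group.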
