0

I’m attempting to get MemberOf values for an AD user object. However, I’m hitting some roadblocks wherein I am not able to get an absolute list of AD group memberships (MemberOf) for a given AD user.

  • I get most MemberOf AD Groups when I query Get-ADUser with -Server value set to the user object’s domain DC/GC
  • Remaining, I’m only able to retrieve if I separately query for the same user object under the Root/Parent domain DC/GC

Below, based on my validation, I’ve jotted down the possible values for the PowerShell Get-ADUser cmdlet’s -Server parameter.

PowerShell Get-ADUser “Server” parameter value options based on MemberOf Group’s Scope

MemberOf a Universal group,

  1. User domain DC/GC
  2. Root/Parent domain GC
  3. Other domains GC in the same forest

MemberOf a Global group,

  1. User domain DC/GC

MemberOf a Domain-local group,

  1. Group domain GC
  2. Root/Parent domain GC

Now, my question goes, is my above deduction valid, and if yes is it by design - a thumb rule based on how the AD group memberships are designed to work?, or, is it more of a DC replication configuration thing?

Any advice is highly appreciated.

Karthick Ganesan
  • 375
  • 4
  • 11
  • See following : https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-groups – jdweng Mar 20 '23 at 02:59

1 Answers1

1

Most of what you figured out is correct. A couple corrections/clarifications:

Universal groups

The memberOf attribute will always contain all universal groups that the user is a member of. This is because universal groups can only contain objects from the same forest, and you can only read the user from a DC/GC in the same forest. So you can be confident that you won't be missing any universal groups in memberOf.

Global groups

You're correct here. You'll only see global groups in memberOf if they are on the same domain as the user.

Domain local

This one is tricky. You will only see domain local groups in memberOf if they are on the same domain as the server you are retrieving results from.

Let's say your user is on DomainA. If you read from a GC in DomainB (that is in the same forest), then you will only see domain local groups in DomainB, and not DomainA.

This is why you do need to be careful if you're relying on memberOf. I discussed this in an article I wrote under the heading Beware of memberOf

How you approach this will depend on what your purpose is. This is something I discussed in another article I wrote on the topic, which might help you: Active Directory: Finding all of a user’s groups

Gabriel Luci
  • 38,328
  • 4
  • 55
  • 84