plattitude

Reputation: 197

Member Property missing in AD Group object

Writing a script to validate that my servers belong to a group. Start with the PowerShell code...

$groupName = 'MyServerGroup'                       # assumed value; the question does not show where it is set
$root = [ADSI]'GC://dc=xx,dc=yyy,dc=zzz'           # binds to the global catalog, not to a domain controller
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
# Escape the name (RFC 4515) so it cannot alter the filter; LDAP attribute and class names are case-insensitive
$safeName = $groupName -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
$searcher.Filter = "(&(objectClass=group)(name=$safeName))"
$groups = $searcher.FindAll()                      # SearchResultCollection of matching groups
$group = $groups[0]                                # first match

This returns an Active Directory Group in the variable $group. Half the time, this variable has a property titled 'member' which contains all the servers in the group. The other half the time, that property is not returned. Cannot find any pattern due to user, log-on ADS server, etc. Has anyone encountered this behavior?

Upvotes: 1

Views: 2387

Answers (2)

Nicolas

Reputation: 61

I think the point Jon was trying to make is that the member attribute is not replicated to the global catalog, so if you're trying to enumerate group memberships by targeting a global catalog, you're not going to get valid results. The only time you'll get results back is if you're querying the membership of a universal security group, as its membership will be on all Global Catalogs.

Also, one word of caution when enumerating group memberships: it is always good to test your scripts to make sure that they can detect circular loops in nested memberships; otherwise there is the possibility of the scripts running infinitely.

In general, to enumerate group memberships, you should bind to a domain controller in the target domain.

Upvotes: 1

jon Z

Reputation: 16616

You are querying the global catalog. A global catalog (also known as the partial attribute set) contains only a subset of the attributes of all objects. Only for universal groups is the member property guaranteed to be available in the global catalog. Membership information for domain local and global groups that are not in the same domain as the global catalog you are querying will not be available.

If the member attribute contains no values, the member attribute will not be available even if your global catalog is in the same domain as the group you are querying.

Upvotes: 1
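Both answers point to the same fix: bind with LDAP:// to a domain controller in the group's own domain rather than GC://, treat a missing member attribute as "no values" rather than as an error, and (Nicolas's caveat) guard against loops when walking nested groups. The script below is an added example, not code from the question or from either answer. It assumes the placeholder domain DN from the question, a group called 'Server Admins', a server called 'SRV01', and that it runs as a domain user on a domain-joined host; all three names are assumptions. It also escapes the interpolated names so that a crafted group or server name cannot rewrite the LDAP filter.

```powershell
# Added example; not from the question or the answers. Assumed: domain DN placeholder,
# group 'Server Admins', computer 'SRV01', run as a domain user on a domain-joined host.

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping, so a value like 'Ops*)(cn=*' cannot change the filter's meaning.
    param([Parameter(Mandatory)][string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Find-AdObject {
    # One subtree search under $Root; returns a SearchResult or $null.
    param(
        [Parameter(Mandatory)][System.DirectoryServices.DirectoryEntry]$Root,
        [Parameter(Mandatory)][string]$Filter
    )
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($Root, $Filter)
    foreach ($attr in 'distinguishedName', 'objectClass', 'member') {
        [void]$searcher.PropertiesToLoad.Add($attr)
    }
    $searcher.FindOne()
}

function Get-GroupMembersRecursive {
    # Flattens nested membership; $Visited stops A -> B -> A loops and duplicate work.
    param(
        [Parameter(Mandatory)][System.DirectoryServices.DirectoryEntry]$Root,
        [Parameter(Mandatory)][string]$GroupDn,
        [System.Collections.Generic.HashSet[string]]$Visited = (New-Object 'System.Collections.Generic.HashSet[string]' ([System.StringComparer]::OrdinalIgnoreCase))
    )
    if (-not $Visited.Add($GroupDn)) { return }     # already expanded: cycle or diamond
    $group = Find-AdObject -Root $Root -Filter "(&(objectClass=group)(distinguishedName=$(ConvertTo-LdapFilterValue $GroupDn)))"
    if ($null -eq $group) { Write-Warning "Group not found under this root: $GroupDn"; return }
    # AD never stores an empty attribute, so an empty group simply has no 'member' key.
    if (-not $group.Properties.Contains('member')) { return }
    foreach ($memberDn in $group.Properties['member']) {
        $memberDn = [string]$memberDn
        # A member from another domain will not be found under this root and is treated as a leaf.
        $obj = Find-AdObject -Root $Root -Filter "(distinguishedName=$(ConvertTo-LdapFilterValue $memberDn))"
        if ($null -ne $obj -and ($obj.Properties['objectclass'] -contains 'group')) {
            Get-GroupMembersRecursive -Root $Root -GroupDn $memberDn -Visited $Visited
        } elseif ($Visited.Add($memberDn)) {
            $memberDn                                # leaf (user, computer, ...) seen for the first time
        }
    }
}

$domainDn   = 'DC=xx,DC=yyy,DC=zzz'      # placeholder from the question
$groupName  = 'Server Admins'             # assumed
$serverName = 'SRV01'                     # assumed
$root = [ADSI]"LDAP://$domainDn"          # a domain controller of the group's domain, not GC://

$group = Find-AdObject -Root $root -Filter "(&(objectClass=group)(sAMAccountName=$(ConvertTo-LdapFilterValue $groupName)))"
if ($null -eq $group) { throw "No group named '$groupName' in $domainDn" }
$groupDn = [string]$group.Properties['distinguishedname'][0]
$members = @(Get-GroupMembersRecursive -Root $root -GroupDn $groupDn)

# Computer accounts carry a trailing '$' in sAMAccountName.
$samName = $serverName + '$'
$server = Find-AdObject -Root $root -Filter "(&(objectClass=computer)(sAMAccountName=$(ConvertTo-LdapFilterValue $samName)))"
if ($null -eq $server) { throw "No computer account for $serverName in $domainDn" }
$serverDn = [string]$server.Properties['distinguishedname'][0]

if ($members -contains $serverDn) { "$serverName is a (possibly nested) member of $groupName" }
else                              { "$serverName is NOT a member of $groupName" }
```

Two caveats a practitioner should keep in mind. First, a domain controller returns at most MaxValRange values (1,500 by default) of a multi-valued attribute in one response; above that, the attribute comes back under a ranged name such as member;range=0-1499 rather than member, so the check above would wrongly treat a very large group as empty unless ranged retrieval is added. Second, if you only need the flattened membership and not the walk itself, the DC can do the nesting server-side with the LDAP_MATCHING_RULE_IN_CHAIN filter (memberOf:1.2.840.113556.1.4.1941:=&lt;group DN&gt;), which has no loop problem at all, at the cost of a more expensive query.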
