Reputation: 174
I believe I am going crazy but maybe I am missing something. I am trying to enumerate all members of Enterprise Admins. When I look in DSA.MSC GUI tool, I see something like this with no nesting:
John
Bill
Jim
Sue
Mary
Spiderman
When I perform LDP.EXE, PowerShell, or ADSIEDIT queries, I only see this:
John
Bill
Sue
Mary
Here are some of the methods I have tried to figure this delta out:
Ran the following PowerShell queries
Get-ADGroup 'Enterprise Admins' -Properties member |
Select-Object -ExpandProperty member
# No Spiderman listed
Get-ADUser spiderman -Properties memberOf |
Select-Object -ExpandProperty memberOf
# No Enterprise Admins listed
Get-ADObject (Get-ADUser spiderman) -Properties memberOf |
Select-Object -ExpandProperty memberOf
# No Enterprise Admins listed
Get-ADObject (Get-ADGroup 'Enterprise Admins') -Properties member |
Select-Object -ExpandProperty member
# No Spiderman listed
Get-ADGroupMember 'Enterprise Admins'
# **Spiderman listed!!!!!!**
What am I missing here? Why is Spiderman listed in ADUC/Get-ADGroupMember and nowhere else? Am I going crazy?
Upvotes: 0
Views: 1238
Reputation: 11056
Within Windows, the primaryGroupID attribute indicates the account's primary group, which is used by the POSIX subsystem.
Generally, as Bill_Stewart said, there is never a reason to change the primaryGroupID attribute (since Windows Server 2003).
The primaryGroupID attribute: The user is a member of its primary group, although the group is not listed in the user's memberOf attribute. Likewise, a group object's member attribute will not list the user objects whose primaryGroupID is set to the group.
Upvotes: 1
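The following is an added example, not code from the question or the answer above. It shows what Get-ADGroupMember and ADUC do behind the scenes: read the group's member attribute, then separately search for accounts whose primaryGroupID equals the group's RID, because those accounts appear in neither member nor memberOf. It also includes an audit function that flags any account whose primary group is not one of the built-in defaults, which is the check a defender wants, since setting primaryGroupID to a privileged group is a way to hide membership from member/memberOf-based tooling. It assumes the RSAT ActiveDirectory module, read access to the domain, and that you run it against the domain that holds the group (Enterprise Admins lives in the forest root). The function names and the account names are placeholders of my own.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory
# module and read access to the domain. Function names are my own.
Import-Module ActiveDirectory

function Get-CompleteGroupMember {
    # Returns every direct member of $GroupName: the DNs listed in the group's
    # 'member' attribute plus any account whose primaryGroupID equals the group's
    # RID. The second set is absent from both 'member' and the user's 'memberOf'.
    param([Parameter(Mandatory)][string]$GroupName)

    $group = Get-ADGroup -Identity $GroupName -Properties member

    # primaryGroupID stores only the RID, i.e. the last sub-authority of the group SID
    $rid = ($group.SID.Value -split '-')[-1]

    # Members that LDP/ADSIEdit/Get-ADGroup -Properties member will show you
    $explicit = foreach ($dn in $group.member) {
        Get-ADObject -Identity $dn -Properties sAMAccountName |
            Select-Object @{n = 'Account'; e = { $_.sAMAccountName } }, ObjectClass,
                          @{n = 'Via'; e = { 'member attribute' } }
    }

    # Members that those queries miss: the group is their primary group
    $primary = Get-ADObject -LDAPFilter "(primaryGroupID=$rid)" -Properties sAMAccountName |
        Select-Object @{n = 'Account'; e = { $_.sAMAccountName } }, ObjectClass,
                      @{n = 'Via'; e = { 'primaryGroupID' } }

    @($explicit) + @($primary)
}

function Find-NonDefaultPrimaryGroup {
    # Audit check: default primary groups are Domain Users (RID 513) for users,
    # Domain Computers (515) for computers, Domain Controllers (516) and
    # Read-only Domain Controllers (521). Anything else is worth a look.
    # objectClass=user also matches computer objects (computer is a subclass).
    $filter = '(&(objectClass=user)(!(primaryGroupID=513))(!(primaryGroupID=515))' +
              '(!(primaryGroupID=516))(!(primaryGroupID=521)))'
    $domainSid = (Get-ADDomain).DomainSID.Value

    Get-ADObject -LDAPFilter $filter -Properties sAMAccountName, primaryGroupID |
        ForEach-Object {
            # Rebuild the group SID from domain SID + RID so we can name the group
            $groupSid = "$domainSid-$($_.primaryGroupID)"
            $g = Get-ADGroup -Identity $groupSid -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Account        = $_.sAMAccountName
                ObjectClass    = $_.ObjectClass
                PrimaryGroupID = $_.primaryGroupID
                PrimaryGroup   = if ($g) { $g.Name } else { '<unresolved>' }
            }
        }
}

# Usage: compare the full membership with what 'member' alone reports, then
# list every account whose primary group was changed from the default.
Get-CompleteGroupMember -GroupName 'Enterprise Admins' | Format-Table -AutoSize
Find-NonDefaultPrimaryGroup | Format-Table -AutoSize
```

The audit function is the part to schedule: an account whose primaryGroupID points at Enterprise Admins, Domain Admins or Administrators has exactly the privileges of a normal member, but a membership report built from member or memberOf will not show it, so baseline the output and alert on any new row.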
Reputation: 174
So apparently, if I toggle the primary group ID to Enterprise Admins, it hides it from traditional queries. Once I toggle it back to Domain Users, I am able to pull the queries back.
I wonder why it does this.
Upvotes: 0