razumny

Reputation: 127

Get-AdGroupMember -recursive does not return groups when also returning users

I have been asked to audit access to a set of folders. Access is granted through a scheme where one AD group provides access ("Access Group") to the folder, while a second AD group (which is a member of the former) defines what users are granted that access. I want to export a list of both users and groups that are members or nested members of "Access Group".

I started out with

Get-ADGroupMember "Access Group"

This returned the groups and users that are members of that group. As the access scheme relies on nested groups, this didn't give me all I needed.

I next tried

Get-ADGroupMember "Access Group" -recursive

This only returned users that were members of the group.

I was expecting Get-ADGroupMember "Access Group" -recursive to return both users and groups that are members of the group.

In addition, when checking a set of nested groups that has no users as members, nothing is returned. As I understand the documentation from Microsoft, empty groups should be returned:

Specifies that the cmdlet get all members in the hierarchy of a group that do not contain child objects.

If the specified group does not have any members, then nothing is returned.

I might be reading it wrong, but would like some confirmation.

Upvotes: 0

Views: 937

Answers (1)

Scepticalist

Reputation: 3923

You're reading it wrong:

Specifies that the cmdlet get all members in the hierarchy of a group that do not contain child objects

Groups contain child objects, therefore they aren't listed.

Upvotes: 1
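One way to list both the nested groups and the users under "Access Group" for the audit described in the question, as an added example that is not part of the original question or answer. It calls Get-ADGroupMember without -Recursive and walks the nesting itself, so groups (including empty ones) appear as rows; the function name Get-NestedGroupMember, its parameters, the output column names and the CSV file name are hypothetical.

```powershell
#Requires -Modules ActiveDirectory

function Get-NestedGroupMember {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Identity,

        # Internal: chain of groups leading to the current one.
        [string]$Path,

        # Internal: DNs of groups already expanded (guards against circular nesting).
        [System.Collections.Generic.HashSet[string]]$Visited
    )

    if ($null -eq $Visited) {
        # First call: resolve the starting group and mark it as expanded.
        $root    = Get-ADGroup -Identity $Identity
        $Path    = $root.Name
        $Visited = [System.Collections.Generic.HashSet[string]]::new(
            [System.StringComparer]::OrdinalIgnoreCase)
        [void]$Visited.Add($root.DistinguishedName)
    }

    # Without -Recursive the cmdlet returns direct members only, groups included.
    foreach ($member in Get-ADGroupMember -Identity $Identity) {
        [pscustomobject]@{
            ObjectClass       = $member.objectClass
            Name              = $member.Name
            SamAccountName    = $member.SamAccountName
            MemberOfPath      = $Path
            DistinguishedName = $member.DistinguishedName
        }

        # Expand each nested group once; Add() returns $false for a repeat.
        if ($member.objectClass -eq 'group' -and $Visited.Add($member.DistinguishedName)) {
            Get-NestedGroupMember -Identity $member.DistinguishedName `
                -Path "$Path > $($member.Name)" -Visited $Visited
        }
    }
}

# Export users and groups, each with the group chain that grants the membership.
Get-NestedGroupMember -Identity 'Access Group' |
    Export-Csv -Path .\AccessGroupMembers.csv -NoTypeInformation
```

Because each nested group is expanded only once, a group reachable through two parents is listed under both parents but its members are listed only under the first path walked.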
