Get-ADGroupMember returns nothing while being completed successfully
Solution 1
I get the same results on groups if they contain ForeignSecurityPrincipal Objects. As these are displayed as SID's, it looks like a DS query throws that exception which isn't picked up by Get-Adgroupmember cmdlet.
Solution 2
Get-ADGroupMember requires an ADGroup object to work with so you need to retrieve the ADGroup and pipe it into the Get-ADGroupMember cmdlet.
Get-ADGroup "GROUP_NAME" | Get-ADGroupMember -Recursive | Select name
Related videos on Youtube
![Volodymyr Molodets](https://i.stack.imgur.com/Hd7P3.jpg?s=256&g=1)
Volodymyr Molodets
Updated on September 18, 2022Comments
-
Volodymyr Molodets almost 2 years
I've tried to list all of the members of one of the groups in AD, but nothing is returned, although the command is completed successfully. It neither works with group DN specified, instead of sAMAccountName.
Get-ADGroupMember "sAMAccountName" -Recursive | select name
See output below:
The following message appears if one views Members from dsa.msc
--------------------------- Active Directory Domain Services --------------------------- Some of the object names cannot be shown in their user-friendly form. This can happen if the object is from an external domain and that domain is not available to translate the object's name. --------------------------- OK ---------------------------
Can this be a reason for powershell not returning results? Any thoughts?
UPD: this doesn't seem to be permissions issue, since dsquery does return group members.
-
Noor Khaldi almost 11 yearsIs the group part of your domain? a different domain? or a different forest? I would suggest to have a look at your Global Catalog server too.
-
uSlackr almost 11 yearsIs the group empty? Try running without the "|select name" to see if the powershell notice goes away.
-
Volodymyr Molodets almost 11 years@uSlackr, No, the group is not empty. Still doesn't work even without "|select name".
-
Volodymyr Molodets almost 11 years@Noor Yes, group is the part of my domain and it contains some users from other domains.
-
-
Volodymyr Molodets almost 11 yearsStill same result, command completed successfully, but nothing is returned.
-
Pablo almost 11 yearsI'll throw out an example to make sure we're on same page. Say you have a group called VPN. dsquery group -name "VPN" And you get "CN=VPN,OU=groups,dc=example,dc=com" Then you would do a Get-ADGroup "VPN" | Get-ADGroupMember -Recursive | Select name You use the part after CN= and before the first comma for the quoted value in Get-ADGroup
-
Volodymyr Molodets almost 11 yearsYes, that's the way I tried this, but it is still the same result, - nothing is returned, although command completes successfully. I tried to calculate number of the objects in the group with powershell to compare with dsquery output and specified group DN and it worked. The group name itself is correct, don't know why it doesn't work for get-adgroupmember cmd-let.
-
Pablo almost 11 yearsDoes 'Get-ADGroup "GROUP_NAME" -properties members' show a list of members?
-
Tilman Schmidt almost 9 yearsYour answer could be made more helpful by elaborating a bit on the elements of your solution.
-
Kevin Baker over 8 yearsI'm not sure if this was true when posted, but it is not the case now. You can absolutely do Get-AdGroupMember -Identity WhateverMyGroupNameIs. What's unfortunately still true is that if the group in question has Foreign Security Principals (members from other forests) in its membership, the cmdlet will fail and return nothing.