I’m attempting to get MemberOf values for an AD user object. However, I’m hitting some roadblocks wherein I am not able to get an absolute list of AD group memberships (MemberOf) for a given AD user.
Get-ADUser with the -Server value set to the user object's domain DC/GC. Below, based on my validation, I've jotted down the possible values for the PowerShell Get-ADUser cmdlet's -Server parameter.
PowerShell Get-ADUser “Server” parameter value options based on MemberOf Group’s Scope
MemberOf a Universal group,
MemberOf a Global group,
MemberOf a Domain-local group,
Now, my question is: is my above deduction valid, and if yes, is it by design (a rule of thumb based on how AD group memberships are designed to work), or is it more of a DC replication configuration thing?
Any advice is highly appreciated.
Most of what you figured out is correct. A couple corrections/clarifications:
Universal groups
The memberOf attribute will always contain all universal groups that the user is a member of. This is because universal groups can only contain objects from the same forest, and you can only read the user from a DC/GC in the same forest. So you can be confident that you won't be missing any universal groups in memberOf.
Global groups
You're correct here. You'll only see global groups in memberOf if they are on the same domain as the user.
Domain local
This one is tricky. You will only see domain local groups in memberOf if they are on the same domain as the server you are retrieving results from.
Let's say your user is on DomainA. If you read from a GC in DomainB (that is in the same forest), then you will only see domain local groups in DomainB, and not DomainA.
This is why you do need to be careful if you're relying on memberOf. I discussed this in an article I wrote under the heading Beware of memberOf.
How you approach this will depend on what your purpose is. This is something I discussed in another article I wrote on the topic, which might help you: Active Directory: Finding all of a user’s groups
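To make the behaviour described in the answer visible, here is an added PowerShell example (not code from the question, the answer, or the linked articles). It reads the same user's memberOf attribute twice, once from a DC in the user's own domain and once from a GC in a sibling domain of the same forest, resolves each group's scope from the domain that holds the group, and diffs the two lists. The server names, the domain names and the user name are placeholders, and the script assumes the ActiveDirectory module and read access to both domains.

```powershell
# Added example: show how the memberOf view of one user changes with the
# server it is read from. Placeholders (assumed, not from the thread):
#   user 'jdoe' lives in domaina.example; dc01.domaina.example is a DC there,
#   gc01.domainb.example is a GC in a sibling domain of the same forest.
Import-Module ActiveDirectory

function Get-MemberOfByServer {
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [Parameter(Mandatory)] [string] $Server,
        [switch] $GlobalCatalog   # query the GC port (3268) instead of LDAP 389
    )
    $target = if ($GlobalCatalog) { "$Server`:3268" } else { $Server }
    $user = Get-ADUser -Identity $Identity -Server $target -Properties memberOf

    foreach ($dn in $user.memberOf) {
        # Derive the group's own domain from the DC= components of its DN and
        # ask that domain for the scope, so the scope lookup does not depend on
        # the partial view of whichever server produced the memberOf list.
        $groupDomain = ($dn -split ',DC=' | Select-Object -Skip 1) -join '.'
        $group = Get-ADGroup -Identity $dn -Server $groupDomain -Properties GroupScope
        [pscustomobject]@{
            Server      = $target
            Group       = $group.Name
            Scope       = $group.GroupScope
            GroupDomain = $groupDomain
        }
    }
}

# Same user, two vantage points.
$fromHomeDc  = Get-MemberOfByServer -Identity 'jdoe' -Server 'dc01.domaina.example'
$fromOtherGc = Get-MemberOfByServer -Identity 'jdoe' -Server 'gc01.domainb.example' -GlobalCatalog

# '==' rows are returned by both servers (expect the universal groups here);
# '<=' rows appear only from the home DC (domaina groups the other GC does not
# report); '=>' rows appear only from the domainb GC (domain-local groups that
# live in domainb and are invisible from domaina).
Compare-Object -ReferenceObject $fromHomeDc -DifferenceObject $fromOtherGc `
    -Property Group, Scope, GroupDomain -IncludeEqual |
    Sort-Object Scope, GroupDomain, Group |
    Format-Table SideIndicator, Scope, GroupDomain, Group -AutoSize
```

Running this against a real forest turns the answer's three rules into a concrete table: the rows marked '==' should all be universal groups, and any domain-local group appears on exactly one side, the side whose server sits in that group's domain. If an audit or access review is built on memberOf, querying a DC in the user's own domain (not an arbitrary GC) is the minimum needed to avoid silently dropping that user's domain-local and global memberships, and even then groups from other domains' domain-local scope will be absent.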