Get-ADUser not returning all possible AD attributes when specifying all properties

旧巷少年郎 2020-12-31 18:41

I've run into a case where specific properties are not enumerated when using
Get-ADUser -Properties *. For example the following code does not list the

2 answers
  • 2020-12-31 19:23

    The following code should return ALL attributes of an AD User (all properties of the ObjectClass=user):

    # Read the optional attributes (mayContain + systemMayContain) of the "User" class from the schema
    $properties = Get-ADObject -SearchBase (Get-ADRootDSE).SchemanamingContext -Filter {name -eq "User"} -Properties MayContain,SystemMayContain |
      Select-Object @{name="Properties";expression={$_.maycontain+$_.systemmaycontain}} |
      Select-Object -ExpandProperty Properties

    # Request those attributes explicitly for one user and list them
    Get-ADUser -Identity username -Properties $properties | fl $properties
    

    Firstly it retrieves and saves all user properties into an array and then secondly the properties array is used with Get-ADUser to retrieve all the properties for a single user (in this example).

  • 2020-12-31 19:28

    After doing some research, there are multiple types of attributes on an ADObject - Default, Extended, and Constructed are some examples of these.

    Default properties are returned on all ADObject queries matching a specific type of ADObject (ADUser has its own set of default properties, ADGroup has its own set, etc.)

    Extended properties are not returned by default but are implicitly enumerable static attributes on an ADObject.

    Constructed attributes are not static properties but are calculated based on the values of other attributes belonging to an ADObject. I could not find any info on this, but I imagine that enumerating all Constructed attributes can be an expensive operation since the values are computed, and as such need to be explicitly requested via the -Properties parameter of the Get-ADObject cmdlets.

    This all seems to be related to the systemFlags attribute on an ADObject, which is where the attribute types are set. From my testing, attributes with either the Constructed (4) or Non-Replicated (2) flag need to be explicitly specified to be returned from the RSAT cmdlets.

    Sources

    msDS-UserPasswordExpiryTimeComputed Documentation

    List All Constructed Attributes on ADObject using an LDAP Filter

    Determining an Attribute Type

    SystemFlags Attribute

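An added example, not part of either answer: it follows the second answer's point that attributes carrying the Constructed flag (4) in systemFlags must be requested by name. It lists those attributes from the schema and requests each one for a single user. The function names, the `-FlagBit` parameter and the `username` account are assumptions made for illustration.

```powershell
# Added example, not from the original answers. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-FlaggedAttributeName {
    # Returns the lDAPDisplayName of every schema attribute whose systemFlags
    # has the given bit set. 4 is the Constructed flag named in the answer above.
    param([int]$FlagBit = 4)

    # 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
    $filter = "(&(objectClass=attributeSchema)(systemFlags:1.2.840.113556.1.4.803:=$FlagBit))"
    Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext -LDAPFilter $filter -Properties lDAPDisplayName |
        Select-Object -ExpandProperty lDAPDisplayName |
        Sort-Object
}

function Get-ADUserFlaggedProperty {
    # Requests each flagged attribute by name, one query per attribute, so an
    # attribute the server rejects for this object does not abort the whole lookup.
    param(
        [Parameter(Mandatory)][string]$Identity,
        [int]$FlagBit = 4
    )

    foreach ($name in Get-FlaggedAttributeName -FlagBit $FlagBit) {
        try {
            $user  = Get-ADUser -Identity $Identity -Properties $name -ErrorAction Stop
            $value = $user.$name
            # Emit only attributes that actually came back with a value.
            if ($null -ne $value -and @($value).Count -gt 0) {
                [pscustomobject]@{ Attribute = $name; Value = $value }
            }
        }
        catch {
            Write-Verbose "Skipped ${name}: $($_.Exception.Message)"
        }
    }
}

# 'username' is a placeholder account name, as in the first answer.
Get-ADUserFlaggedProperty -Identity 'username' | Format-Table -AutoSize -Wrap
```

Run it with `-Verbose` to see which attributes the directory refused to return for the object.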