9

I've run into a case where specific properties are not enumerated when using
Get-ADUser -Properties *. For example, the following code does not list the
msDS-UserPasswordExpiryTimeComputed property even though it exists, and I can specify it as a
-Properties argument, have it returned, and process its value.

# Does not return msDS-UserPasswordExpiryTimeComputed
Get-ADUser username -Properties *

# This works to get the msDS-UserPasswordExpiryTimeComputed attribute returned
Get-ADUser username -Properties msDS-UserPasswordExpiryTimeComputed

# If I really want all properties and this one
# I have to specify it alongside *
Get-ADUser username -Properties *, msDS-UserPasswordExpiryTimeComputed

This isn't just a case of the property being omitted from the display, I need to explicitly state the msDS-UserPasswordExpiryTimeComputed property or else it simply isn't available on the resulting object.

I already know filtering on Properties * isn't a good idea in most cases, but I'm curious about why all AD DS attributes are not enumerated when this is precisely what I am asking the cmdlet to do.

This question is asking about Get-ADUser but like most other behaviors with the Get-ADObject cmdlets I assume this behavior extends to most, if not all, of them.

codewario
    Not an answer, but related: https://blogs.msmvps.com/richardsiddaway/2012/03/25/attributes-returned-by-the-cmdlets/ – briantist Jul 13 '18 at 21:13
  • Nice enumeration of additional properties that don't return when using `-Properties *`, thanks for that – codewario Jul 13 '18 at 21:16
  • Also just wondering, if you did `Get-ADObject username -Properties *` is there any difference? – briantist Jul 13 '18 at 21:18
  • Yes, I get 53 properties returned by using `Get-ADObject` instead of 113 when using `Get-ADUser` (both specifying `-Properties *`). So I get even less information by default. Also, `Get-ADObject username` didn't work for me (errored with `Cannot find an object with identity`), so I filtered on my `SamAccountName` as a test. – codewario Jul 13 '18 at 21:22
  • @BendertheGreatest `Get-AdUser username -Properties * | Select *` does the property show up in this list? – Lachie White Jul 13 '18 at 23:02
  • No, the property doesn't exist on the returned `ADUser` unless I explicitly add it to the `-Properties` parameter. – codewario Jul 13 '18 at 23:05
  • 1
    @BendertheGreatest - Though I don't have a backing source with me, but, I'm pretty sure that [msDS-UserPasswordExpiryTimeComputed being a Constructed Attribute](https://msdn.microsoft.com/en-us/library/cc223384.aspx) is not displayed by default. In my experience, these are displayed only when you individually query them. [The attributes which you get from the cmdlet for a particular object type are the set of attributes that govern the creation and update of those objects](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_fd49ea36-576c-4417-93bd-d1ac63e71093). Please check if it helps. – Am_I_Helpful Jul 14 '18 at 06:33
  • That pointed me in the right direction. Still leaves open the question of how to return ***all*** possible attributes for inspection, regardless of the attribute type. I did [find this article](http://www.powershellmagazine.com/2013/04/25/pstip-list-all-active-directory-constructed-attributes/) for how to use an `-LDAPFilter` on `Get-ADObject` to list all constructed attributes defined in the schema, of which the returned attribute names could be inserted into the `Get-ADObject` cmdlets' `-Properties` parameter, but I am on vacation this week and won't be able to test this until next week. – codewario Jul 16 '18 at 14:58
  • I'm also not able to find a direct source stating this, but based on inferences from several other articles/blog posts I think you are correct in that Constructed Attributes are omitted when `-Properties *` is specified, unless you include any Constructed Attributes as part of the `-Properties` array. – codewario Jul 16 '18 at 15:05
  • I keep finding good info, last comment until I write up a proper answer, but the [Determining an Attribute Type](https://docs.microsoft.com/en-us/windows/desktop/ad/determining-an-attribute-type) and [System-Flags attribute](https://docs.microsoft.com/en-us/windows/desktop/ADSchema/a-systemflags) docs from Microsoft shed some light, indicating the different attribute types and how they relate to how `systemFlags` is set on each attribute type. My suspicion is that the AD cmdlets don't implicitly return attributes where `Constructed` (`4`) or `Non-Replicated` (`2`) is flagged on that attribute. – codewario Jul 16 '18 at 15:15

2 Answers

6

The following code should return ALL attributes of an AD User (all properties of the ObjectClass=user):

# Read the mayContain/systemMayContain lists from the 'user' classSchema object
# in the schema naming context and flatten them into one array of attribute names
$properties = Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext -Filter {name -eq "User"} -Properties mayContain, systemMayContain |
  Select-Object @{name="Properties";expression={@($_.mayContain) + @($_.systemMayContain)}} |
  Select-Object -ExpandProperty Properties

# Request exactly that list (constructed attributes included) and display it
Get-ADUser -Identity username -Properties $properties | Format-List $properties

Firstly it retrieves and saves all user properties into an array and then secondly the properties array is used with Get-ADUser to retrieve all the properties for a single user (in this example).

codewario
TobyU
3

After doing some research, there are multiple types of attributes on an ADObject - Default, Extended, and Constructed are some examples of these.

Default properties are returned on all ADObject queries matching a specific type of ADObject (ADUser has its own set of default properties, ADGroup has its own set, etc.)

Extended properties are not returned by default but are implicitly enumerable static attributes on an ADObject.

Constructed attributes are not static properties but are calculated based on the values of other attributes belonging to an ADObject. I could not find any info on this, but I imagine that enumerating all Constructed attributes can be an expensive operation since the values are computed, and as such need to be explicitly requested via the -Properties parameter of the Get-ADObject cmdlets.

This all seems to be related to the systemFlags attribute on an ADObject, which is where the attribute types are set. From my testing, attributes with either the Constructed (4) or Non-Replicated (2) flag need to be explicitly specified to be returned from the RSAT cmdlets.

Sources

msDS-UserPasswordExpiryTimeComputed Documentation

List All Constructed Attributes on ADObject using an LDAP Filter

Determining an Attribute Type

SystemFlags Attribute

codewario
  • Here's a complementary post related to this issue: https://superuser.com/questions/1738998/is-msds-userpasswordexpirytimecomputed-a-hidden-member/1739099#1739099. Thank you for the answer and question here @Blender +1 x2 – Bitcoin Murderous Maniac Aug 26 '22 at 15:15
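Putting the two answers together, here is an added example that is not part of the question or either answer. It walks the full class hierarchy (the first answer reads only the `user` classSchema object, which leaves out attributes defined on `organizationalPerson`, `person`, `top` and the auxiliary classes), then checks the second answer's systemFlags hypothesis against a real user: which schema-defined attributes are absent from the object `-Properties *` returns, which of those actually have a value when requested by name, and whether they carry the constructed bit. Per the System-Flags documentation the bit values are 0x1 = FLAG_ATTR_NOT_REPLICATED, 0x2 = FLAG_ATTR_REQ_PARTIAL_SET and 0x4 = FLAG_ATTR_IS_CONSTRUCTED; `1.2.840.113556.1.4.803` is the LDAP bitwise-AND matching rule. It assumes the RSAT ActiveDirectory module, a reachable domain controller, and a real SamAccountName in place of the placeholder `username`.

```powershell
# Added example, not code from the question or either answer. Assumes the RSAT
# ActiveDirectory module, a reachable DC, and a real SamAccountName in place of
# the placeholder 'username'.
Import-Module ActiveDirectory

$schemaNC = (Get-ADRootDSE).schemaNamingContext

# Collect mayContain/systemMayContain/mustContain/systemMustContain for a class
# and for everything it inherits from: the subClassOf chain
# (user -> organizationalPerson -> person -> top) plus auxiliary classes.
function Get-ClassAttributeNames {
    param([Parameter(Mandatory)][string]$ClassName)

    $seen  = New-Object 'System.Collections.Generic.HashSet[string]'
    $queue = New-Object 'System.Collections.Generic.Queue[string]'
    $queue.Enqueue($ClassName)
    $names = @()

    while ($queue.Count -gt 0) {
        $current = $queue.Dequeue()
        if (-not $seen.Add($current)) { continue }   # already visited ('top' is its own parent)

        $cls = Get-ADObject -SearchBase $schemaNC `
            -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$current))" `
            -Properties mayContain, systemMayContain, mustContain, systemMustContain,
                        subClassOf, auxiliaryClass, systemAuxiliaryClass
        if (-not $cls) { continue }

        $names += @($cls.mayContain) + @($cls.systemMayContain) +
                  @($cls.mustContain) + @($cls.systemMustContain)
        foreach ($parent in @($cls.subClassOf) + @($cls.auxiliaryClass) + @($cls.systemAuxiliaryClass)) {
            if ($parent) { $queue.Enqueue($parent) }
        }
    }
    $names | Where-Object { $_ } | Sort-Object -Unique
}

# Schema attributes whose systemFlags has the given bit set.
# 0x1 = FLAG_ATTR_NOT_REPLICATED, 0x4 = FLAG_ATTR_IS_CONSTRUCTED (documented values).
function Get-SchemaAttributesWithFlag {
    param([Parameter(Mandatory)][int]$Flag)
    Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(systemFlags:1.2.840.113556.1.4.803:=$Flag))" `
        -Properties lDAPDisplayName |
        Select-Object -ExpandProperty lDAPDisplayName
}

# For one user: which schema-defined attributes does -Properties * leave off the
# returned object, and which of those have a value when asked for by name?
function Compare-UserAttributeCoverage {
    param([Parameter(Mandatory)][string]$Identity)

    $all         = Get-ClassAttributeNames -ClassName 'user'
    $constructed = Get-SchemaAttributesWithFlag -Flag 4
    $notRepl     = Get-SchemaAttributesWithFlag -Flag 1

    $star      = Get-ADUser -Identity $Identity -Properties *
    $starNames = @($star.PSObject.Properties.Name)
    $notInStar = $all | Where-Object { $starNames -notcontains $_ }

    # LDAP never returns attributes that have no value, so request the missing
    # names explicitly and keep only the ones that come back populated.
    # (If the cmdlet rejects a name as invalid, drop it from $notInStar and retry.)
    $explicit = Get-ADUser -Identity $Identity -Properties $notInStar
    $hidden   = $notInStar | Where-Object { $null -ne $explicit.$_ }

    foreach ($attr in $hidden) {
        [pscustomobject]@{
            Attribute     = $attr
            Constructed   = $constructed -contains $attr
            NotReplicated = $notRepl -contains $attr
            Value         = $explicit.$attr
        }
    }
}

Compare-UserAttributeCoverage -Identity 'username' | Format-Table -AutoSize
```

The output table lists every attribute that has a value for the user but is absent from the `-Properties *` object, with a column showing whether the schema marks it constructed; `msDS-UserPasswordExpiryTimeComputed` should appear with `Constructed = True` if the user has a password-expiry value. Because it relies on the domain's live schema rather than a hard-coded list, it also picks up constructed attributes added by schema extensions, which is why the explicit-request step is there rather than a static name list.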