1
votes

When looking up an account using net user jsmith /domain, it will display all the current info about a user and its password. When I look it up using PowerShell with Get-ADUser, the information is not accurate. I am guessing this is because they are pointing to a different domain controller, and one did not catch up yet?

Question is: What domain controller is net user using? So that I may make Get-ADUser use the same one.

Better yet, how can I find the fastest domain controller?

2
I think net user would be using the domain controller that you would see from the command set logonserver or set log for short. There is no fastest domain controller really. It all depends on where the initial change is made and the design of your replication sites - Matt
Any way to find out what controller that is? - Aaron
I was trying to tell you. The output of the cmd set log should tell you that. - Matt
Strange that this worked with command prompt but not in PowerShell. Any idea why? - Aaron
In short, because it is not a PowerShell command. Set in PowerShell is an alias for Set-Variable. In PowerShell $env:LOGONSERVER would be a better fit. Didn't occur to me to suggest it at first - Matt

2 Answers

1
votes

So I was wrong about my assumption; see Robert's answer. Using that knowledge properly I can salvage this answer.

So, if you want cohesion between net user and Get-ADUser, you could try something like this:

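# Find the nltest line tagged [PDC] and keep its first field (the DC name).
$pdc = (((nltest /dclist:domainname | ?{$_ -match "\[PDC\]"}).Trim()) -Split '\s')[0]
# Point Get-ADUser at that same domain controller.
Get-ADUser -Identity someguy -Server $pdc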

As for picking the fastest domain controller, your computer should have already been told which controller is appropriate for it to use. Changes you make in the same Active Directory site should replicate quickly. If you are making changes across AD sites, then you will have to wait as long as you have set in your site-to-site replication settings.

1
votes

The net user command, when given the /domain switch, operates on the Primary Domain Controller, which may not necessarily be your current logon server which, on the other hand, is used by Get-ADUser.

And the reason why you are seeing different information is that replication of this change has not occurred yet between these two.

  • To see your logon server, in cmd, do set logonserver.
  • To see your primary domain controller (PDC), do nltest /dclist:example.org (nltest requires some Active Directory tools to be installed, see the docs)
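
The comparison both answers describe, written out as an added example that is not part of the original answers: it reads the same account from the PDC emulator and from the logon server and reports which attributes still differ. The function name Compare-ADUserOnPdcAndLogonServer is hypothetical, jsmith is the sample account from the question, and the ActiveDirectory module (RSAT) is assumed to be installed.

```powershell
# Added example, not code from the original answers.
Import-Module ActiveDirectory

function Compare-ADUserOnPdcAndLogonServer {
    param([Parameter(Mandatory)][string]$Identity)

    # FQDN of the PDC emulator for the current domain.
    $pdc = (Get-ADDomain).PDCEmulator
    # LOGONSERVER is a NetBIOS name with a leading "\\", e.g. \\DC01.
    $logonServer = $env:LOGONSERVER -replace '^\\\\', ''

    # Query both servers unless they are the same machine
    # (compare the host part of the FQDN, case-insensitively).
    $servers = @($pdc)
    if (($pdc -split '\.')[0] -ine $logonServer) { $servers += $logonServer }

    $rows = foreach ($dc in $servers) {
        $u = Get-ADUser -Identity $Identity -Server $dc -Properties pwdLastSet, lockoutTime
        [pscustomobject]@{
            Server        = $dc
            Enabled       = $u.Enabled
            pwdLastSet    = [long]$u.pwdLastSet     # raw FILETIME; 0 = must change at next logon
            lockoutTime   = [long]$u.lockoutTime    # raw FILETIME; 0 = not locked out
            PwdLastSetUtc = [datetime]::FromFileTimeUtc([long]$u.pwdLastSet)
        }
    }

    # An attribute with more than one distinct value has not replicated yet.
    $pending = foreach ($name in 'Enabled', 'pwdLastSet', 'lockoutTime') {
        $distinct = @($rows | ForEach-Object { "$($_.$name)" } | Sort-Object -Unique)
        if ($distinct.Count -gt 1) { $name }
    }

    [pscustomobject]@{ Rows = $rows; NotYetReplicated = @($pending) }
}

# Usage (run on a domain-joined machine):
#   $r = Compare-ADUserOnPdcAndLogonServer -Identity jsmith
#   $r.Rows | Format-Table
#   $r.NotYetReplicated
```

An empty NotYetReplicated list means both servers agree on those attributes; a non-empty one names the attributes for which one server still holds the older value.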