Users with different permissions getting different Get-ADUser output


I am a bit lost here and don't know what to search for to make some progress. So maybe someone can help me out.

I am working in an already existing Active Directory, with already existing users, computers, GPOs and all that stuff you need for a working infrastructure. And I am not sure if my problem lies somewhere in here.

Now I want to run the following PowerShell script to get some user accounts:

    # Count the users whose memberOf attribute contains the group DN
    (Get-ADUser -LDAPFilter "(memberOf=CN=All,OU=Groups,DC=domain,DC=de)").Count

As a user that is only admin on some servers, e.g. the fileserver, and has no other privileges, the script shows only 600 accounts. If I run the exact same script as the domain admin, I get the correct amount of 11000 accounts.

The results are the same no matter on which server I run the script - even on a DC itself.

I tried to set the resultsize to $null but this doesn't change anything. The non-privileged user gets the wrong number of accounts, every time, and every time the same wrong number.

So my questions are:
Does anybody know why?
Does anybody know how to change that?
Which permissions does my account need to get the right number but without having domain admin permissions?

And even if you just know some keywords for me to search for, I would be happy...
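A way to narrow the discrepancy down, as an added example that is not part of the original question: run the same query once per account, record what each caller sees, and then compare the two lists. The group DN is the one from the question; the output paths and the assumption that the ActiveDirectory module is available are mine. The second function also reads the group's own member attribute, because the number of member values a caller can read on the group is a quick indicator of whether the caller's permissions on group objects are the issue.

```powershell
# Added example (not from the original question): diagnose why a low-privilege
# caller sees fewer accounts than a Domain Admin for the same memberOf filter.
# Assumptions: group DN from the question, ActiveDirectory module present,
# the script is run twice (once per account) writing to different -OutFile paths.
Import-Module ActiveDirectory

$GroupDN = 'CN=All,OU=Groups,DC=domain,DC=de'   # from the question

function Get-MemberOfView {
    param([string]$GroupDN, [string]$OutFile)

    # Same query as in the question; -ResultSetSize $null removes the default cap
    $users = Get-ADUser -LDAPFilter "(memberOf=$GroupDN)" -ResultSetSize $null
    "Accounts returned by memberOf filter : $($users.Count)"

    # The forward link: how many values of 'member' can THIS caller read on the group?
    # If the group's attributes are not readable for the caller, this count is 0.
    $group = Get-ADGroup -Identity $GroupDN -Properties member
    "Values of 'member' readable on group : $($group.member.Count)"

    # Persist the DNs so the two runs (privileged / restricted) can be compared
    $users.DistinguishedName | Sort-Object | Set-Content -Path $OutFile
}

function Compare-MemberOfViews {
    param([string]$PrivilegedFile, [string]$RestrictedFile)

    $priv = Get-Content $PrivilegedFile
    $rest = Get-Content $RestrictedFile

    # Accounts present in the privileged view but absent from the restricted one
    $missing = Compare-Object -ReferenceObject $priv -DifferenceObject $rest |
        Where-Object SideIndicator -eq '<=' |
        Select-Object -ExpandProperty InputObject

    "Accounts invisible to the restricted caller: $($missing.Count)"

    # Group the missing accounts by parent container: if they cluster in a few
    # OUs, the permission difference is likely scoped to those containers.
    # The split keeps escaped commas inside an RDN (e.g. "Doe\, John") intact.
    $missing |
        ForEach-Object { ($_ -split ',(?=(?:OU|CN|DC)=)', 2)[1] } |
        Group-Object | Sort-Object Count -Descending |
        Format-Table Count, Name -AutoSize
}

# Usage: run the first call as the privileged account, the second as the
# restricted one, then compare (paths are placeholders).
# Get-MemberOfView -GroupDN $GroupDN -OutFile 'C:\temp\priv.txt'
# Get-MemberOfView -GroupDN $GroupDN -OutFile 'C:\temp\restricted.txt'
# Compare-MemberOfViews -PrivilegedFile 'C:\temp\priv.txt' -RestrictedFile 'C:\temp\restricted.txt'
```

If the restricted caller reads zero member values on the group while the privileged caller reads all of them, the missing piece is read access on the group object itself, which is what the accepted answer ends up granting.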


So, as mentioned in the question and as @mikee already said in the comments, the problem lies in inappropriate permissions.

While I tried out some different permissions, I could pin it down to the permission to read all attributes for group objects. I am pretty sure that you don't need to read all of them, but in our old and messy AD it is a pain to figure out which aren't necessary.

As originally solved here, you have to right-click on your domain (or on the OU where the permissions should take effect) and choose "Properties". In the "Security" tab you open the advanced window and add a new entry.

There you have to choose first which user or group gets this permission. Then you need to apply it to group objects. Scroll a bit down and check the box for the permission to read all attributes (or, if you know better which ones are required, choose only them individually).

It may take some time before the changes are working - even on the DC where you made the changes.
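The same delegation expressed in PowerShell, as an added example that is not part of the original answer: it grants one security group "Read all properties" on descendant group objects below a container and then lists the resulting ACE for verification. The target DN and the name of the delegated group are placeholders; the domain name is the one from the question. The ACE is built with the .NET ActiveDirectoryAccessRule type and written through the module's AD: drive, which is my choice of tooling, not something the answer describes.

```powershell
# Added example (not part of the original answer): PowerShell equivalent of the
# GUI steps above. Grants "Read all properties" on group objects below $TargetDN
# to one security group, then shows the ACE.
# Assumptions: ActiveDirectory module present (provides the AD: drive); the
# container and group names below are placeholders for this environment.
Import-Module ActiveDirectory

$TargetDN       = 'DC=domain,DC=de'     # domain root, or narrow to the OU holding the groups
$DelegatedGroup = 'AD-Group-Readers'    # placeholder: the group that should see all accounts

function Grant-ReadAllGroupProperties {
    param([string]$TargetDN, [string]$DelegatedGroup, [switch]$WhatIf)

    $sid = (Get-ADGroup -Identity $DelegatedGroup).SID

    # schemaIDGUID of the 'group' class, looked up from the schema rather than hard-coded
    $schemaNC   = (Get-ADRootDSE).schemaNamingContext
    $groupClass = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(ldapDisplayName=group)' -Properties schemaIDGUID
    $groupGuid  = [guid]$groupClass.schemaIDGUID

    # ReadProperty with no attribute GUID corresponds to "Read all properties" in the GUI.
    # Descendents + inheritedObjectType = group class corresponds to
    # "Applies to: Descendant Group objects", so no other object class is exposed.
    $ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $groupGuid
    )

    $path = "AD:\$TargetDN"
    $acl  = Get-Acl -Path $path
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl -WhatIf:$WhatIf
}

function Test-ReadAllGroupProperties {
    param([string]$TargetDN, [string]$DelegatedGroup)

    # List the ACEs on the container that name the delegated group
    (Get-Acl -Path "AD:\$TargetDN").Access |
        Where-Object { $_.IdentityReference -like "*\$DelegatedGroup" } |
        Select-Object ActiveDirectoryRights, InheritanceType, InheritedObjectType, IsInherited |
        Format-Table -AutoSize
}

# Usage (run as an account allowed to modify the container's security descriptor):
# Grant-ReadAllGroupProperties -TargetDN $TargetDN -DelegatedGroup $DelegatedGroup -WhatIf
# Grant-ReadAllGroupProperties -TargetDN $TargetDN -DelegatedGroup $DelegatedGroup
# Test-ReadAllGroupProperties  -TargetDN $TargetDN -DelegatedGroup $DelegatedGroup
```

Pick the narrowest container that holds the groups in question rather than the domain root where you can, and prefer granting the right to a dedicated group over individual accounts, so that the delegation stays auditable in the ACL listing above. As the answer notes, allow time for the change to replicate before re-running the count.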