Some groups show no members in Get-ADGroup

So I have a question about strange PowerShell behavior with Get-ADGroup. If I use it on a group I created, I can get members just fine. But on some (not all) built in groups, including Domain Users, it returns nothing. See:

PS C:\> Get-ADGroup -Filter * -Properties * | Where {$_.name -eq "Iron Throne"} | Select -ExpandProperty members
CN=robert,OU=Baratheons,DC=seven-kingdoms,DC=local
CN=daenerys,OU=Targaryens,DC=seven-kingdoms,DC=local
CN=margaery,OU=Tyrells,DC=seven-kingdoms,DC=local
CN=joffrey,OU=Baratheons,DC=seven-kingdoms,DC=local
CN=Cersei Lannister,OU=Lannisters,DC=seven-kingdoms,DC=local

PS C:\> Get-ADGroup -Filter * -Properties * | Where {$_.name -eq "Domain Users"} | Select -ExpandProperty members

PS C:\> 

They show up fine in Active Directory Users and Computers. This is on a Win2012R2 DC as Administrator. Does anyone know why?

February 6th, 2015 8:26pm

First start with a proper query.

Get-ADGroupMember 'Iron Throne' |
    Select SamAccountName,DistinguishedName

Be sure the name of the group is stated correctly.

February 6th, 2015 9:24pm

First, the member attribute of groups and the memberOf attribute of user objects never reveal membership in the "primary" group of the user. In most cases (and by default), this is the group "Domain Users". Since the PowerShell cmdlets depend on the member and memberOf attributes, they also do not reveal membership in the "primary" group. In most cases, using PowerShell to output all members of "Domain Users" will result in no output. Using PowerShell to document the groups a user is a member of will not include membership in "Domain Users".

Note, the default "primary" group for computer objects is "Domain Computers", so that group should appear to be

February 6th, 2015 11:43pm

If you are interested, "primary" group membership in AD is determined by the primaryGroupToken attribute of the group object, and the primaryGroupID attribute of the user (or computer) object. PowerShell Get-ADGroup and ADUC do not reveal the value of the primaryGroupToken attribute because it is operational (also called constructed). It is an integer, equal to the last digits (after the final dash) in the value of the SID property (or the objectSID attribute in Attribute Editor). Or you can retrieve the value using dsquery *. The user object has the attribute primaryGroupID, also an integer. The value matches the primaryGroupToken attribute of the group the user has designated as their "Primary".

The primaryGroupToken of "Domain Users" is 513, and for "Domain Computers" it is 515 (because their RID values are "well-known"). If you need to check the "primary" group of a user, retrieve the value of the primaryGroupID attribute. If the value is 513, the "primary" group of the user is "Domain Users". Do the same for computer objects, and if primaryGroupID equals 515, then the "primary" group is "Domain Computers".

To find all users that have "Domain Users" as their "primary" group, you could use:

Get-ADUser -LDAPFilter "(primaryGroupID=513)" | Select distinguishedName

To check an individual user:

Get-ADUser -Identity jsmith -Properties primaryGroupID | Select Name, primaryGroupID

Unfortunately, you cannot filter on primaryGroupToken because it is operational. Special code techniques are required to find which group has a given value assigned to the primaryGroupToken attribute. The following isn't efficient (since it retrieves all groups), but it works to find the group where primaryGroupToken is 514:

Get-ADGroup -Filter * | Where-Object {$_.SID -Like "*-514"}

The result will be "Domain Guests", which has another well-known RID.
February 7th, 2015 12:31am
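The two answers above explain why Get-ADGroupMember and the member attribute stay empty for "Domain Users" (primary-group membership is recorded only in the account's primaryGroupID, which matches the group's RID), and why finding a group from a token requires scanning every group. The script below is an added example, not code from the thread: it resolves an account's primary group directly by SID (domain SID plus primaryGroupID as the RID, so no full scan), and lists a group's members together with the accounts that hold it as their primary group. It assumes the RSAT ActiveDirectory module is installed, a domain controller is reachable, and the group and account names in the usage lines are placeholders.

```powershell
# Added example (not from the original thread). Assumes the ActiveDirectory
# module (RSAT) is available and a domain controller is reachable.
Import-Module ActiveDirectory

function Get-ADPrimaryGroup {
    # Resolve the "primary" group of a user or computer without scanning all groups:
    # the group's SID is the domain SID followed by the account's primaryGroupID as RID.
    [CmdletBinding()]
    param([Parameter(Mandatory = $true)][string]$SamAccountName)

    # Get-ADObject is used instead of Get-ADUser so computer accounts (name$) also work.
    $account = Get-ADObject -LDAPFilter "(sAMAccountName=$SamAccountName)" -Properties primaryGroupID
    if (-not $account) { throw "No account with sAMAccountName '$SamAccountName'" }

    $domainSid = (Get-ADDomain).DomainSID.Value
    # -Identity accepts a SID string, so this is a single lookup.
    Get-ADGroup -Identity "$domainSid-$($account.primaryGroupID)"
}

function Get-ADGroupMemberWithPrimary {
    # List a group's members including accounts whose primary group it is, which the
    # member attribute (and therefore Get-ADGroupMember) never shows.
    [CmdletBinding()]
    param([Parameter(Mandatory = $true)][string]$Identity)

    $group = Get-ADGroup -Identity $Identity -Properties member

    # primaryGroupToken is constructed and cannot be filtered on; its value is the
    # group's RID, i.e. the number after the last dash in the SID (513 for Domain Users).
    $rid = $group.SID.Value.Split('-')[-1]

    # Explicit members: whatever is stored in the group's member attribute.
    foreach ($dn in $group.member) {
        $obj = Get-ADObject -Identity $dn -Properties sAMAccountName
        [PSCustomObject]@{
            SamAccountName    = $obj.sAMAccountName
            DistinguishedName = $obj.DistinguishedName
            ObjectClass       = $obj.ObjectClass
            MembershipType    = 'Explicit'
        }
    }

    # Implicit members: accounts whose primaryGroupID equals the group's RID.
    # objectClass=user also matches computer objects (computer derives from user).
    Get-ADObject -LDAPFilter "(&(objectClass=user)(primaryGroupID=$rid))" -Properties sAMAccountName |
        ForEach-Object {
            [PSCustomObject]@{
                SamAccountName    = $_.sAMAccountName
                DistinguishedName = $_.DistinguishedName
                ObjectClass       = $_.ObjectClass
                MembershipType    = 'Primary'
            }
        }
}

# Usage (group and account names are assumptions):
Get-ADGroupMemberWithPrimary -Identity 'Domain Users' |
    Format-Table SamAccountName, ObjectClass, MembershipType
Get-ADPrimaryGroup -SamAccountName 'jsmith' | Select-Object Name, SID
```

Because the member attribute never records primary-group membership, a membership audit built on Get-ADGroupMember alone misses any account whose primaryGroupID has been pointed at a sensitive group's RID; the MembershipType column above makes those accounts visible alongside the explicit members.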
