Get-ADUser : The server has returned the following error: invalid enumeration context.

  • Question

  • I'm running a PowerShell command to add the email (AD mail) attribute to users in a specific OU.  It seems to work then will bomb out with the error in the title.

    I'm using a "scripting guy" command that I've altered with my specific OU/domain information however, I'm pasting in the more "generic" version :: Get-ADUser -LDAPFilter "(!(mail=\.name*))" -resultSetSize $null -searchbase "ou=test,dc=nwtraders,dc=com"| % {set-aduser -identity $_.distinguishedname -email ($_.samaccountname + "")}

    I work for a school district and this command is being used to add the mail attribute to the students' accounts.  I think about 2/3 of the students are completed but the script/command bombs and I'm not sure where or why.  I've resubmitted the command several times but I'm not sure whether it's starting from where it bombed or if it's starting again at the beginning and essentially re-doing the ones already completed.

    Can someone point me in the direction of a work around or a resolution to the Get-ADUser error?


    Thursday, December 26, 2013 11:48 PM


All replies

  • Does this return what you are looking for?

    Get-ADUser -LDAPFilter '(!(mail=\.name*))' -searchbase 'ou=test,dc=nwtraders,dc=com'

    If it doesn't then what are you trying to filter for?


    Friday, December 27, 2013 12:05 AM
  • I have looked very closely at the code posted and run it.  The issue cannot be from the code.  You should post in the AD forum.  I would run AAD diagnostics next.


    Friday, December 27, 2013 12:13 AM
  • A web search on "Invalid Enumeration Context" turns up quite a few results. A common theme seems to be that you can get better results and performance by using the DirectorySearcher class instead of Get-ADUser / Get-ADComputer for these sorts of large operations. For example:
    Friday, December 27, 2013 1:22 AM
  • I don't know the error, so I can only guess there. But the LDAP syntax filter cannot be correct. Can you provide a link to the reference where "Scripting Guy" suggested this?

    As written, you are retrieving all users where the mail attribute does not begin with the string ".name" (case insensitive), where "name" is not a property or attribute, but a string value. LDAP syntax clauses are in the format:


    In your case, <operator> is "=", <attributeName> is "mail", and <value> is ".name". The "\" character is the escape character, which means to interpret the following character (the period in this case) literally. You cannot use an attribute name on the right side of the operator (the "="), unless PowerShell has introduced some functionality I am not familiar with to expand the LDAP syntax. For example, the following does not filter on users where the first name is the same as the last name:


    Instead, it filters on users where the first name is the string ".sn". Even if "\.name" was interpreted by the Get-ADUser cmdlet to be the "Name" attribute of the user, this would cause problems. "Name" is the Relative Distinguished Name of the user (the value of the cn attribute) and it could include commas or spaces. I would expect "\.sAMAccountName" to make more sense.

    Richard Mueller - MVP Directory Services

    Friday, December 27, 2013 4:36 PM
  • Richard - I tested that and it is a dummy for 'name' meaning some name prefix I believe.  It does not throw an error and if I use a good name it returns a value.

    The error is usually caused by the server running out of resources.  That is why I removed the -ResultSet $null from the command.   In other cases of this error resultset had to be set as low as 10 to get the command to complete without error.

    A very busy server can run out of critical memory needed to allocate comm buffers.  This can cause the query to fail in the middle or intermittently depending on exact load.  I suspect that this may be the issue here.  Simplifying the LDAPFilter can also prevent overflow as it may be returning everything.


    Friday, December 27, 2013 4:54 PM
  • When I tested, the cmdlet returned all users, because none had an email address that began with the string ".name". If I substitute something else for name (and forget the "\." part), won't I most likely retrieve all users but one? Or do all email addresses in this domain start with the same prefix? But if so, no email address can begin with ".".

    Richard Mueller - MVP Directory Services

    Friday, December 27, 2013 5:03 PM
  • Yes - the filter does not work or return anything useful.

    I have a user mail that is test.user so this should work if it were legitimate:

    Get-ADUser -LDAPFilter '(mail=\.user*)'

    It returns nothing.  The negative returns everything so the query will likely run out of memory which is why I removed the $null.

    We need to know what the OP is trying to do.


    Friday, December 27, 2013 6:48 PM
  • Oh - since the dot is not illegal in an email address this works as expected:

    Get-ADUser -LDAPFilter '(mail=*.user*)'

    This also works as expected:

    Get-ADUser -LDAPFilter '(!(mail=*.user*))'


    Friday, December 27, 2013 6:50 PM
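    The replies above make two separate points: the OP's LDAP filter does not select the accounts that are missing a mail attribute, and a large unbounded query can exhaust the server (or outlive its enumeration context) while the pipeline slowly writes each user. The following is an added example, not code from the thread or from the "Scripting Guy" post it mentions, showing one way to do both things at once: select only users that have no mail attribute (so a re-run after a failure skips the ones already done), fetch them in pages, finish reading before writing, and support -WhatIf. The OU distinguished name and the mail domain are placeholders; the DirectorySearcher helper at the end is the alternative suggested in the earlier reply for very large searches.

```powershell
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

function Set-MissingUserMail {
    # Populates mail for every user under $SearchBase that has no mail value yet.
    # Idempotent: '(!(mail=*))' matches only objects WITHOUT a mail attribute, so
    # re-running after an interruption never touches accounts already completed.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $SearchBase,   # placeholder, e.g. 'ou=test,dc=nwtraders,dc=com'
        [Parameter(Mandatory)] [string] $MailDomain,   # placeholder, e.g. 'students.example.edu'
        [int] $PageSize = 200                           # small pages limit per-request server work
    )

    $params = @{
        LDAPFilter     = '(!(mail=*))'   # NOT '(!(mail=\.name*))': that only excludes addresses starting with ".name"
        SearchBase     = $SearchBase
        SearchScope    = 'Subtree'
        Properties     = 'mail'
        ResultPageSize = $PageSize
    }

    # Materialise the result set first so the enumeration context on the server is
    # released before any writes start; the writes can then take as long as they need.
    $users = @(Get-ADUser @params)
    Write-Verbose ("{0} user(s) without a mail attribute under {1}" -f $users.Count, $SearchBase)

    $done = 0
    foreach ($user in $users) {
        $address = '{0}@{1}' -f $user.SamAccountName, $MailDomain
        if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Set mail to $address")) {
            Set-ADUser -Identity $user.DistinguishedName -EmailAddress $address
            $done++
        }
    }
    return $done
}

function Get-UserWithoutMailViaSearcher {
    # Same selection using System.DirectoryServices.DirectorySearcher with a paged
    # search, for environments where the ADWS-backed cmdlets keep failing.
    param(
        [Parameter(Mandatory)] [string] $SearchBase,
        [int] $PageSize = 500
    )
    $root   = [ADSI]"LDAP://$SearchBase"
    $filter = '(&(objectCategory=person)(objectClass=user)(!(mail=*)))'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $filter)
    $searcher.PageSize = $PageSize     # non-zero PageSize enables the LDAP paged-results control
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')

    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            # ResultPropertyCollection keys are lower-case
            [pscustomobject]@{
                DistinguishedName = [string]$r.Properties['distinguishedname'][0]
                SamAccountName    = [string]$r.Properties['samaccountname'][0]
            }
        }
    }
    finally {
        $results.Dispose()             # releases the underlying search handle
    }
}

# Dry run first (reports what would change without writing), then the real run.
Set-MissingUserMail -SearchBase 'ou=test,dc=nwtraders,dc=com' -MailDomain 'students.example.edu' -WhatIf -Verbose
# Set-MissingUserMail -SearchBase 'ou=test,dc=nwtraders,dc=com' -MailDomain 'students.example.edu' -Verbose
```

    Two things are worth checking before the real run: that the -WhatIf output lists roughly the one third of accounts the OP expects still to be missing, and that no other process writes mail for the same OU, since the filter would then silently skip those users. The `(!(mail=*))` filter also answers the OP's re-run question: a rerun starts from the beginning but only ever finds accounts that still lack the attribute.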
  • I know this is a pretty old thread, but I hope this Technet WIKI article will help someone in the future that has this issue.

    Tuesday, October 13, 2015 10:09 PM