Error with Get-ADUser Filter * -Properties *

  • Question

  • Hi Richard

    I have a related issue and this is the only thread I can find which bears any resemblance to it.

    My issue is that when running get-aduser -filter * -properties * I get an "object reference error", but only if running the PowerShell session directly on a domain controller and NOT running it as administrator.

    If I run the PS session as administrator, or if I query from a remote machine (even another DC where it fails if run locally), then it works fine.

    The strange thing is, it only fails where the user DOES have a primary group set to Domain Users.

    On all users where the primary group has been changed (for whatever reason) it runs fine.

    This behaviour is the same across Dev, Test and Production Domains, all running Windows 2012r2 DCs, all with PS version:

    Major  Minor  Build  Revision
    -----  -----  -----  --------
    4      0      -1     -1

    Appreciate this is a thread hijack, but thought might be better to keep all info in one place, let me know if not.

    Thursday, January 18, 2018 11:11 AM

Answers

  • I split this question from this old thread:

    https://social.technet.microsoft.com/Forums/en-US/b38e9edb-4696-4eeb-b8ea-a7ebde2113dc/getaduser-object-reference-not-set-to-an-instance-of-an-object?forum=ITCG#8ad80519-5423-4123-8510-cdb353457cf7

    A couple of points:

    1. I suspect there may be more to your script than the one statement you posted. I have never experienced a problem with the statement, or heard of problems.
    2. If something works when run as Administrator, but not otherwise, it usually is a permissions issue. But the error message should be different from yours.
    3. If the primary group membership matters, that makes the memberOf and primaryGroupID attributes suspect. The primaryGroupID attribute is an integer representing the RID of the group. If the primary group is in another domain, it won't be found. If memberOf includes the DN of a group in another domain, maybe that would raise an error.
    4. If you did not use the -Server parameter, you don't really know which domain controller was used by Get-ADUser. If the script is run on the DC, then most likely that DC was used. Are you using the -Server parameter?
    5. When you specify -Filter * and -Properties * you get an array of results, one result for each user in the domain. For each user you get all default properties exposed by Get-ADUser, plus any other properties and attributes where the first user in the collection has values. For example, if the first user has no value assigned to the Title property, this property will not be returned for any of the users, even those that have a value. At least that has been my experience. The first user retrieved might be different depending on how or where you run the script.

    Troubleshooting which user and which attribute raises the error could be difficult. Perhaps the Directory Services forum would be better for this question, especially if database corruption is involved.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Thursday, January 18, 2018 5:58 PM
    Moderator
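
An added example, not part of the original thread: one way to narrow down which user and which property raises the error, with the domain controller pinned via -Server as point 4 suggests. The server name `dc01.example.test` and the probe list are assumptions; run it once elevated and once non-elevated and compare the output.

```powershell
Import-Module ActiveDirectory

# Assumption: placeholder DC name. Pinning -Server makes every run hit the same DC.
$Server = 'dc01.example.test'

# Properties to request one at a time: the two the answer flags as suspect,
# the PrimaryGroup extended property derived from primaryGroupID, and the
# wildcard used in the original command.
$Probes = 'primaryGroupID', 'PrimaryGroup', 'memberOf', '*'

# Record whether this session is elevated, since the failure depends on it.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$elevated = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)

# First pass asks for default properties plus primaryGroupID only.
$users = Get-ADUser -Filter * -Server $Server -Properties primaryGroupID -ErrorAction Stop

$failures = foreach ($u in $users) {
    foreach ($p in $Probes) {
        try {
            # Re-query a single user for a single property so any error
            # is attributable to exactly one (user, property) pair.
            $null = Get-ADUser -Identity $u.DistinguishedName -Server $Server `
                -Properties $p -ErrorAction Stop
        }
        catch {
            [pscustomobject]@{
                Elevated       = $elevated
                SamAccountName = $u.SamAccountName
                PrimaryGroupID = $u.primaryGroupID
                Property       = $p
                ExceptionType  = $_.Exception.GetType().FullName
                Message        = $_.Exception.Message
            }
        }
    }
}

# Per-pair detail, then a count per property and per primary group RID.
$failures | Sort-Object Property, SamAccountName | Format-Table -AutoSize
$failures | Group-Object Property, PrimaryGroupID | Select-Object Name, Count
```

If only the `*` probe fails, the failing attribute is outside the probe list and the list needs extending; if failures cluster on one `PrimaryGroupID`, that matches the pattern described in the question.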

All replies

  • As I noted in your original thread, you need to fix your AD. The issue is likely a corrupted AD server database or an issue with the domain. Start by restarting all DCs, then run diags. Post in the Directory Services forum for more information on repairing and troubleshooting AD.

    You might also have issues with the RSAT module.

    Overall this is not a break/fix forum and the issue is not a scripting issue.


    \_(ツ)_/

    Thursday, January 18, 2018 5:46 PM