Does not work 100% of the time: Get-ADPrincipalGroupMembership : Directory object not found

  • Question

  • Hello,

    Looking to see if anyone can see where my issue is coming from. I have a script that transitions employees to different departments in our domain. There is a portion of the script where all current access is stripped from the account and the new department access is applied. Before removing the access I have the portion of the script below to export all the user's group membership into a CSV, which I then attach to an email sent to the manager (in case they need to request any additional access).

    It happens more times than I'd like, but I get the error message:

    Get-ADPrincipalGroupMembership : Directory object not found
    At E:\PowerShellScripts\28AUG2019_Re_Hire_Transitions.ps1:857 char:5
    +     Get-ADPrincipalGroupMembership -Identity $UserN | select Name | S ...
    +     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : ObjectNotFound: (Test.User:ADPrincipal) [Get-ADPrincipalGroupMembership], ADIdentityNotFoundException
        + FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException,Microsoft.ActiveDirectory.Management.Commands.GetADPrincipalGroupMembership

    The permissions weren't exported into the CSV for the previous access, but the new access CSV goes through with no issues.

    $UserN = Read-Host "Please Provide the Users UserName..."

    # Find current access and export to CSV to email to manager
    Get-ADPrincipalGroupMembership -Identity $UserN | Select-Object Name | Sort-Object Name |
        Export-Csv "E:\PowerShellScripts\Transitions\Previous_Access.csv" -NoTypeInformation -Append

    # (the current access is stripped and the new department access applied here)

    # Find new access and export to CSV to email to manager
    Get-ADPrincipalGroupMembership -Identity $UserN | Select-Object Name | Sort-Object Name |
        Export-Csv "E:\PowerShellScripts\Transitions\New_Access.csv" -NoTypeInformation -Append


    Thursday, September 5, 2019 9:43 PM

Answers

  • Please format your code as code: How to Use the Code Feature in a TechNet Forum Post.

    The error message is pretty obvious. If you specify the identity for Get-ADPrincipalGroupMembership, you have to provide one of the following options:

    • A distinguished name
    • A GUID (objectGUID)
    • A security identifier (objectSid)
    • A SAM account name (sAMAccountName)

    ... and it has to be an exact match. Otherwise you'll get the error "ObjectNotFound".


    Live long and prosper!

    (79,108,97,102|%{[char]$_})-join''

    • Marked as answer by Charwwee Saturday, September 7, 2019 5:18 AM
    Thursday, September 5, 2019 10:02 PM
  • The user you are looking for does NOT exist.  You must use a SamAccountName for a user account that exists in the local domain.

    The error is normal when you use a bad name.


    \_(ツ)_/

    • Marked as answer by Charwwee Saturday, September 7, 2019 5:18 AM
    Thursday, September 5, 2019 10:59 PM
  • The "common name" of the user (the value of the cn attribute of the user object, also called the Relative Distinguished Name) does not uniquely identify the user. It is only required to be unique in the parent OU or container, so it cannot be used with the -Identity parameter.

    Edit: The sAMAccountName of the user is also called the "pre-Windows 2000 logon name" in ADUC. As noted, you should use that value.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)


    • Edited by Richard Mueller MVP Thursday, September 5, 2019 11:59 PM
    • Marked as answer by Charwwee Saturday, September 7, 2019 5:18 AM
    Thursday, September 5, 2019 11:57 PM
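    Putting the three answers together (only a DN, objectGUID, objectSid or sAMAccountName is accepted by -Identity, and a cn or display name is not unique), here is an added example, not the poster's script, of how a transition script can resolve whatever was typed to exactly one account and record its membership before anything is removed. It assumes the ActiveDirectory module; the attributes searched, the output file name and the transition-step marker are illustrative.

```powershell
# Added example, not the thread's script: resolve a typed name to exactly one account before
# any access is stripped. Assumes the ActiveDirectory module; attribute names, the file path
# and the "transition step" marker are illustrative.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue([string]$Value) {
    # RFC 4515 escaping (backslash first) so a typed name cannot change the filter's
    # structure (LDAP filter injection) when it is interpolated below.
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Resolve-TransitionUser([string]$Name) {
    # 1. Exact match: -Identity only accepts a DN, objectGUID, objectSid or sAMAccountName.
    try {
        return Get-ADUser -Identity $Name -ErrorAction Stop
    }
    catch {
        if ($_.CategoryInfo.Category -ne 'ObjectNotFound') { throw }
    }
    # 2. Not one of those forms (e.g. a display name or cn): search instead of guessing,
    #    and refuse to continue unless exactly one object matches.
    $v = ConvertTo-LdapFilterValue $Name
    $candidates = @(Get-ADUser -LDAPFilter "(|(displayName=$v)(cn=$v)(userPrincipalName=$v))")
    if ($candidates.Count -eq 1) { return $candidates[0] }
    if ($candidates.Count -gt 1) {
        throw "Ambiguous name '$Name': $($candidates.DistinguishedName -join '; ')"
    }
    throw "No user matching '$Name' in this domain (check the sAMAccountName)."
}

function Export-PreviousAccess($User, [string]$Path) {
    # Query by distinguishedName (always unique) and fail hard with -ErrorAction Stop, so the
    # script halts before removing access rather than continuing with an empty CSV.
    Get-ADPrincipalGroupMembership -Identity $User.DistinguishedName -ErrorAction Stop |
        Select-Object Name, GroupCategory, GroupScope |
        Sort-Object Name |
        Export-Csv -Path $Path -NoTypeInformation
}

$ErrorActionPreference = 'Stop'
$UserN = Read-Host "Please Provide the Users UserName..."
$user  = Resolve-TransitionUser $UserN
Export-PreviousAccess $user "E:\PowerShellScripts\Transitions\Previous_Access_$($user.SamAccountName).csv"
Write-Host "Exported previous access for $($user.DistinguishedName); safe to proceed with the transition."
# ... remove the old access and apply the new department access here (the transition step) ...
```

    Because every failure path throws, the strip-and-reapply step can never run against an account whose previous membership was not saved.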

All replies

  • Hi Charwwee,

    Are you sure? A wrong user will throw the following error:

    Get-ADPrincipalGroupMembership -Identity NOTHING
    
    Get-ADPrincipalGroupMembership : Cannot find an object with identity: 'NOTHING' under: 'DC=XXX,DC=XXX'. At line:1 char:2

    Thursday, January 9, 2020 9:55 AM
  • Hi Charwwee,

    Are you sure? A wrong user will throw the following error:

    Get-ADPrincipalGroupMembership -Identity NOTHING
    
    Get-ADPrincipalGroupMembership : Cannot find an object with identity: 'NOTHING' under: 'DC=XXX,DC=XXX'. At line:1 char:2

    Please do not add ambiguous answers to questions that are marked answered. It is not helpful.

    \_(ツ)_/

    Thursday, January 9, 2020 11:11 AM