Get-ADPrincipalGroupMembership returns internal error on only SOME accounts

  • I'm trying to develop a script that will return a user's groups.  I'm between the Get-ADPrincipalGroupMembership and the Quest Get-QADMemberOf.  Sometimes when running the Get-ADPrincipal command, it will return an internal error, but not on all accounts.  Some work, some don't.  I've found that if user is a member of a group that has a slash in the name, it will cause this error, but I am also seeing it on a brand new test account that is only a member of Domain Users.  However, when using the Get-QADMemberOf command on all the same user accounts, it works every time.  Any idea what causes these unknown errors and why it would only be on some accounts?

    Thanks

    Friday, March 20, 2015 9:55 PM

All replies

  • Without seeing the distinguished names of the objects, the exact commands you are typing, and the exact error messages, we can only guess.

    -- Bill Stewart [Bill_Stewart]

    Friday, March 20, 2015 10:02 PM
    Moderator
  • Created new user account 'pstest3'. After given ample time to replicate, we run the following:

    Get-ADPrincipalGroupMembership -Server CDS -Identity 'pstest3' | Select-Object 'name'

    That returns the following error:

    Get-ADPrincipalGroupMembership : The server was unable to process the request due to an internal error.  For more information about the error, either turn on IncludeExceptionDetailInFaults (either from serviceBehaviorAttribute or from the <serviceDebug> configuration behavior) on the server in order to send the exception information back to the client, or turn on tracing as per the Microsoft .NET Framework 3.0 SDK documentation and inspect the server trace logs.

    At line:1 char:1
    + Get-ADPrincipalGroupMembership -Server CDS -Identity 'pstest3' | Select-Object ' ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (pstest3:ADPrincipal) [Get-ADPrincipalGroupMembership], ADException
        + FullyQualifiedErrorId : The server was unable to process the request due to an internal error.  For more information about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the <serviceDebug> configuration behavior) on the server in order to send the exception information back to the client, or turn on tracing as per the Microsoft .NET Framework 3.0 SDK documentation and inspect the server trace logs.,Microsoft.ActiveDirectory.Management.Commands.GetADPrincipalGroupMembership.

    But when running the following and input cds\pstest3, it returns the only group the new user is a member of, which is Domain Users: 

    Get-QADMemberOf | Select-Object name

    Monday, March 23, 2015 12:59 PM
  • Thank you.  I did do some searching and came across this article.  However, because it was centered around having a / in one of the user's group names, it didn't exactly apply to my situation. I was already aware that the command had an issue with that, but the test account I was working with was not a member of any other group than Domain Users and was still getting the same error. When I try to use the Get-ADObject workaround suggested (Get-ADObject -filter {samaccountname -eq "pstest3" } -properties members), I get a "One or more properties are invalid.  Parameter name : members" error.

    I'm just starting to learn PS, and making good headway, so bear with me.  Looks like I've got some more research to do.

    Thanks

    Monday, March 23, 2015 4:24 PM
  • There is not an attribute for groups named 'members'. I believe you're looking for 'member', not 'members'.


    -- Bill Stewart [Bill_Stewart]

    Monday, March 23, 2015 4:46 PM
    Moderator
  • Ah, that's too simple. That appears to work, but I don't get any results. Just takes me back to the command line.
    Monday, March 23, 2015 5:08 PM
  • Hi,

    Try it this way:


    Get-ADObject -Filter "SamAccountName -eq 'pstest3'" -Properties MemberOf


    Don't retire TechNet! - (Don't give up yet - 13,225+ strong and growing)

    Monday, March 23, 2015 5:32 PM
  • Exact same result.  Just goes right back to the command line.
    Monday, March 23, 2015 5:36 PM
  • Hi,

    Try it this way:


    Get-ADObject -Filter "SamAccountName -eq 'pstest3'" -Properties MemberOf


    Don't retire TechNet! - (Don't give up yet - 13,225+ strong and growing)


    This will return no members for a new user.

    ¯\_(ツ)_/¯

    Monday, March 23, 2015 5:37 PM
  • Exact same result.  Just goes right back to the command line.
    That suggests that you don't have an object with that SamAccountName for it to find.

    Don't retire TechNet! - (Don't give up yet - 13,225+ strong and growing)

    Monday, March 23, 2015 5:38 PM
  • This will return no members for a new user.


    ¯\_(ツ)_/¯

    Nope, as it shouldn't.

    EDIT: Ah, I see. The user in question is only a member of Domain Users....

    Don't retire TechNet! - (Don't give up yet - 13,225+ strong and growing)

    Monday, March 23, 2015 5:38 PM
  • Exact same result.  Just goes right back to the command line.

    Clearly the samname of the user is not what you think it is. Look in Aduc to see.

    Try this

    Get-ADUser -Filter 'CN -like "*pstest*"' | Select-Object Name,SamAccountName


    ¯\_(ツ)_/¯

    Monday, March 23, 2015 5:40 PM
  • This will return no members for a new user.

    ¯\_(ツ)_/¯

    Nope, as it shouldn't.

    Don't retire TechNet! - (Don't give up yet - 13,225+ strong and growing)

    If only Domain User is the group then that will return an empty result.

    See:

    PS C:\scripts> Get-ADObject -Filter "SamAccountName -eq 'testuser01'" -Properties MemberOf|select memberof

    memberof
    --------
    {}


    ¯\_(ツ)_/¯

    Monday, March 23, 2015 5:41 PM
  • This will return no members for a new user.

    ¯\_(ツ)_/¯

    Nope, as it shouldn't.

    Don't retire TechNet! - (Don't give up yet - 13,225+ strong and growing)

    If only Domain User is the group then that will return an empty result.

    See:

    PS C:\scripts> Get-ADObject -Filter "SamAccountName -eq 'testuser01'" -Properties MemberOf|select memberof

    memberof
    --------
    {}


    ¯\_(ツ)_/¯

    Yeah, I hadn't noticed that the test user was only in Domain Users.


    Don't retire TechNet! - (Don't give up yet - 13,225+ strong and growing)

    Monday, March 23, 2015 5:42 PM
  • This will return no members for a new user.

    ¯\_(ツ)_/¯

    Nope, as it shouldn't.

    Don't retire TechNet! - (Don't give up yet - 13,225+ strong and growing)

    If only Domain User is the group then that will return an empty result.

    See:

    PS C:\scripts> Get-ADObject -Filter "SamAccountName -eq 'testuser01'" -Properties MemberOf|select memberof

    memberof
    --------
    {}


    ¯\_(ツ)_/¯

    Yeah, I hadn't noticed that the test user was only in Domain Users.


    Don't retire TechNet! - (Don't give up yet - 13,225+ strong and growing)

    But it still will return something if the user is found.  No findie user then no makee output - old Martian saying.


    ¯\_(ツ)_/¯

    Monday, March 23, 2015 5:48 PM
  • I am able to get Get-ADObject -Filter "SamAccountName -eq 'pstest3'" -Properties MemberOf working by adding the -server parameter and pointing to the domain.  This returns the group the user has now been added to, but not very cleanly.

    Get-ADObject -filter {samaccountname -eq "pstest3" } -properties member works as well with the -server parameter pointed.  However, this does not return the group (that I can see in my window at least).

    What I'm really looking for is a clean list of all the groups that a user is a member of.  Get-ADPrincipalGroupMembership does this very well.  My main goal of this post was to see why this command would work fine for some user accounts and would produce an internal error on other accounts (that do not have groups with a / in the name).

    I really appreciate everyone's time and thoughts.  Thank you.

    Monday, March 23, 2015 6:37 PM
  • I don't have an explanation for why Get-ADPrincipalGroupMembership fails for you, but this is something you can run to get a group listing:

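    Get-ADUser pstest3 -Properties MemberOf | ForEach-Object {
        # Keep the account name so it can be attached to every group row
        $username = $_.SamAccountName
        # MemberOf holds group distinguished names; resolve each one to its name
        $_.MemberOf | ForEach-Object {
            $props = @{
                Username  = $username
                GroupName = (Get-ADGroup $_).Name
            }
            New-Object PsObject -Property $props
        }
    } | Sort-Object GroupName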

    This won't list the primary group (Domain Users) though. If the user is only a member of Domain Users and nothing else, you won't get any output.


    Don't retire TechNet! - (Don't give up yet - 13,225+ strong and growing)

    Monday, March 23, 2015 6:47 PM
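
The thread ends with a workaround that omits the primary group, so a user who is only in Domain Users produces no output. The following is an added example, not code from any poster in this thread: it lists direct memberships plus the primary group without calling Get-ADPrincipalGroupMembership, and records per-group lookup failures instead of aborting. The function name `Get-UserGroupList` is hypothetical; `pstest3` and the server `CDS` are the values used in the thread, and the ActiveDirectory (RSAT) module is assumed to be installed.

```powershell
# Added example (not from the thread): direct groups + primary group for one user.
Import-Module ActiveDirectory

function Get-UserGroupList {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Identity,
        [string]$Server   # optional; the thread needed -Server to reach the right domain
    )

    # Splat -Server onto every AD call only when the caller supplied one.
    $common = @{}
    if ($Server) { $common.Server = $Server }

    # MemberOf lists direct memberships only. The primary group (Domain Users by
    # default) is stored separately and is exposed as the PrimaryGroup property.
    $user = Get-ADUser -Identity $Identity -Properties MemberOf, PrimaryGroup @common -ErrorAction Stop

    $groupDns = @($user.MemberOf) + @($user.PrimaryGroup) |
        Where-Object { $_ } | Select-Object -Unique

    foreach ($dn in $groupDns) {
        $row = [ordered]@{
            Username  = $user.SamAccountName
            GroupName = $null
            Primary   = ($dn -eq $user.PrimaryGroup)
            GroupDN   = $dn
            Error     = $null
        }
        try {
            # Resolve one group at a time so a single bad lookup is visible
            # in the output rather than failing the whole query.
            $row.GroupName = (Get-ADGroup -Identity $dn @common -ErrorAction Stop).Name
        } catch {
            $row.Error = $_.Exception.Message
        }
        [pscustomobject]$row
    }
}

Get-UserGroupList -Identity 'pstest3' -Server 'CDS' |
    Sort-Object GroupName |
    Format-Table Username, GroupName, Primary, Error -AutoSize
```

Rows with a non-empty Error column show exactly which group distinguished name could not be resolved, which narrows down account-specific failures when reviewing memberships.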