Get-ADGroupMember limitations

    Question

  • Hi All,

    I am trying to run the following query:

    get-adgroup -Filter * -SearchBase "OU=Test,dc=domain,dc=com" | get-adgroupmember | get-aduser -Properties * | Select Name,postalCode

    and get the following error: Get-ADUser : A referral was returned from the server

    Test OU contains Universal Distribution Groups with members from different domains in the same forest.

    So I've figured running against a GC server should fix it, but I've hit a limitation:

    get-adgroup -Server dcgc01.domain.com:3268 -Filter * -SearchBase "OU=Test,dc=domain,dc=com" | get-adgroupmember | get-aduser -Properties * | Select Name,postalCode

    and got the following error: Get-ADGroupMember : The operation is not supported on Global Catalog port.

    It's Server 2008R2 with PS version 2

    Thank you,

    Naz


    • Edited by nsnidanko Wednesday, December 11, 2013 2:38 PM forgot code tags
    Wednesday, December 11, 2013 2:38 PM

Answers

  • Not being able to control referral chasing behavior is my biggest gripe with the AD module right now.  If you're in a multi-domain environment, you may find it better to either use the Quest cmdlets, or write your own code using the System.DirectoryServices namespace.

    In this case, though, I'd just grab the Member attribute of each group, and make individual calls to Get-ADUser in a foreach loop.  This sidesteps the problem and allows you to keep using the simpler AD cmdlets:

    Get-ADGroup -Properties member -Filter * -SearchBase "OU=Test,dc=domain,dc=com" | 
    ForEach-Object {
        $group = $_
        foreach ($dn in $group.member)
        {
            Get-ADUser $dn -Properties Name,postalCode |
            Select-Object Name,postalCode 
        }
    }

    Or, alternatively:

    Get-ADGroup -Properties member -Filter * -SearchBase "OU=Test,dc=domain,dc=com" | 
    Select-Object -ExpandProperty member |
    ForEach-Object {
        $dn = $_
        
        Get-ADUser $dn -Properties Name,postalCode |
        Select-Object Name,postalCode 
    }


    • Edited by David Wyatt Thursday, December 12, 2013 5:48 PM
    • Marked as answer by nsnidanko Saturday, December 14, 2013 3:42 PM
    Thursday, December 12, 2013 5:46 PM
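    The per-member approach above still asks the local domain to resolve DNs that live in other domains of the forest. As an added example (not David Wyatt's code and not part of the original thread), the script below goes one step further: it derives each member's home domain from the DC= components of its DN and passes that domain to `-Server`, so no referral ever has to be chased, and it skips nested groups or other non-user members, which clayman2 noted would otherwise make `Get-ADUser` fail. It assumes the ActiveDirectory module is loaded and the calling account has read access in every domain of the forest; `Get-DomainFromDN` and `Get-GroupMemberPostalCode` are names invented for this example.

```powershell
# Added example: resolve each group member in its own domain instead of relying on referrals.
function Get-DomainFromDN {
    param([string]$DistinguishedName)
    # Keep only the DC= components and join them into an FQDN,
    # e.g. "CN=Jane,OU=Staff,DC=child,DC=domain,DC=com" -> "child.domain.com".
    # Splitting only before "DC=" keeps escaped commas in the CN (e.g. "CN=Smith\, John") intact.
    $parts = $DistinguishedName -split ',(?=DC=)' | Where-Object { $_ -like 'DC=*' }
    ($parts | ForEach-Object { $_.Substring(3) }) -join '.'
}

function Get-GroupMemberPostalCode {
    param(
        [Parameter(Mandatory = $true)][string]$SearchBase,
        [string]$Server   # optional: a DC of the domain that holds the groups
    )
    $groupArgs = @{ Filter = '*'; SearchBase = $SearchBase; Properties = 'member' }
    if ($Server) { $groupArgs.Server = $Server }

    Get-ADGroup @groupArgs | ForEach-Object {
        $group = $_
        foreach ($dn in $group.member) {
            $domain = Get-DomainFromDN $dn
            try {
                # Ask the member's home domain directly (DC locator picks a DC for that FQDN).
                $obj = Get-ADObject -Identity $dn -Server $domain -Properties objectClass
            } catch {
                Write-Warning "Could not resolve $dn in ${domain}: $_"
                continue
            }
            if ($obj.objectClass -ne 'user') {
                # Nested groups, contacts or computers would make Get-ADUser error out; report and skip.
                Write-Warning "Skipping non-user member $dn ($($obj.objectClass)) of $($group.Name)"
                continue
            }
            Get-ADUser -Identity $dn -Server $domain -Properties postalCode |
                Select-Object @{ n = 'Group'; e = { $group.Name } }, Name, postalCode
        }
    }
}

# Usage (assumed OU from the thread):
Get-GroupMemberPostalCode -SearchBase "OU=Test,dc=domain,dc=com"
```

Members that cannot be resolved in their home domain are reported as warnings rather than aborting the whole run, so a single stale DN does not hide the rest of the report.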

All replies

  • Have you tried the Global Catalog server on the Get-ADUser cmdlet? As the error specified, the group contained users in different domains, not groups. Also, you could have a possible failure if the members of a group are a group itself; piping directly over to get-aduser would result in an error.

    If you find that my post has answered your question, please mark it as the answer. If you find my post to be helpful in anyway, please click vote as helpful.

    Don't Retire Technet


    • Edited by clayman2 Wednesday, December 11, 2013 3:57 PM typos
    Wednesday, December 11, 2013 3:56 PM
  • Not 100% sure what you mean by GC on Get-ADUser. So in my case such as this:

    get-adgroup -Filter * -SearchBase "OU=Test,dc=domain,dc=com" | get-adgroupmember | get-aduser -Server dcgc01.domain.com:3268 -Properties * | Select Name,postalCode

    I get the following error:

    Get-ADGroup : The supplied distinguishedName must belong to one of the following partition(s): 'DC=domain,DC=com , CN=Configuration,DC=domain,DC=com , CN=Schema,CN=Configuration,DC=wajax,DC=com , DC=ForestDnsZones,DC=domain,DC=com , DC=DomainDnsZones,DC=domain,DC=com'.

    These groups are not nested and only contain user account from different domains in the same forest.

    It can be accomplished using Quest modules, such as this:

    Get-QADGroup -SearchRoot "OU=Test,dc=domain,dc=com" | Get-QADGroupMember | Select Name,postalCode

    But it doesn't work with the ActiveDirectory module.


    • Edited by nsnidanko Thursday, December 12, 2013 5:35 PM
    Thursday, December 12, 2013 4:12 PM
  • Tons of thanks. I suspected it was something to do with the ActiveDirectory module. Hopefully it will be fixed in later releases of PS.
    Saturday, December 14, 2013 3:44 PM