crontab
Reputation: 13
Powershell: An error occurred while enumerating through a collection: The specified directory service attribute or value does not e xist
I have been trying the following PowerShell script in several AD domain, but in one 2008 R2 domain it fails and I cannot find the reason for it:
PS D:\> Add-type -AssemblyName System.DirectoryServices.AccountManagement
PS D:\> $ct = [System.DirectoryServices.AccountManagement.ContextType]::Domain
PS D:\> $Domain = $env:USERDOMAIN
PS D:\> $pc = New-Object System.DirectoryServices.AccountManagement.PrincipalContext $ct,$Domain
PS D:\> $user = System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($pc, "SamAccountName", "testuser")
PS D:\> $groups = $user.GetAuthorizationGroups()
D:\> $groups
Normally the script gives a list of groups but for this domain it gives the following error message (after the list of groups):
An error occurred while enumerating through a collection: The specified directory service attribute or value does not exist.
CategoryInfo:InvalidOperation(System.Director...ment.Principal]:FindResultEnumerator`1) [], Runtime
Exception
FullyQualifiedErrorId : BadEnumeration
Could this have anything to do with AD privileges or permission?
Upvotes: 1
Views: 6229
Answers (1)
HAL9256
Reputation: 13523
I this could happen for a few possible reasons:
- While the groups are iterating, it tries to resolve the SID to an Active Directory object that does not exist. I would check out your Active Directory to make sure that there is no missing or broken AD users/groups. (Something like this error: Microsoft Connect - Calling Principal GetAuthorizationGroups Error)
- This could also be because of a Foreign Security principal that can't get resolved (Like this: Foreign Security Groups in Active Directory)
Some possible solutions:
- Ignore the errors i.e. start off with
$ErrorActionPreference = "SilentlyContinue" - Try something like this:
(Very rough code as a starting point)
$searchRoot = New-Object System.DirectoryServices.DirectoryEntry
$adSearcher = New-Object System.DirectoryServices.DirectorySearcher
$adSearcher.SearchRoot = $searchRoot
$adSearcher.Filter = "(samAccountName=UserName)"
$adSearcher.PropertiesToLoad.Add("memberOf")
$samResult = $adSearcher.FindOne()
if($samResult)
{
$adAccount = $samResult.GetDirectoryEntry()
$groupMembership = $adAccount.Properties["memberOf"]
$groupMembership | foreach {
Write-Host $_
}
}
Upvotes: 1
Related Questions
- Powershell: A positional parameter cannot be found that accepts argument "xxx"
- Method Invocation .Foreach failed, System.Object doesn't contain a method named 'foreach'
- Enumerate through array fails
- A parameter cannot be found that matches parameter name 'directory' - registry item
- Powershell Script not recognising ForEach-Object as a valid cmdlet
- System.DirectoryServices.DirectorySearcher objectGUID value incorrect System.Byte[]
- powershell dir gets an error when looping thru the results
- PowerShell InvokeGet the directory property cannot be found
- A parameter cannot be found that matches parameter name 'directory'
- Enumerating PowerShell object's properties throws