Reputation: 89
I am trying to get a group's membership to verify the existence of a user so that I can remove the user from the group. I am trying to use the Get-ADGroupMember command, but it only works with certain accounts. Unfortunately, one of the accounts it does not work with is our service account. Running the command results in the error below.
$members = Get-ADGroupMember -Identity MyGroup
results in:
Get-ADGroupMember : One or more properties are invalid.
Parameter name: index
At line:1 char:12
+ $members = Get-ADGroupMember -Identity MyGroup
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (MyGroup:ADGroup) [Get-ADGroupMember], ArgumentException
+ FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.ArgumentException,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember
I am not sure how to proceed from here or why this is occurring only on some accounts. Any help is much appreciated.
Upvotes: 1
Views: 3023
Reputation: 11
This is because the account you are running under likely does not have read access to that group. In my organization we purposely add a deny right to all other users for the "Domain Admins" group so that people can't query what users have admin access. When I run your code on my system I get the exact same error. When I run it as an administrator it works because the administrator account has rights to read that group membership.
Upvotes: 1
Reputation: 40868
Get-ADGroupMember outputs a list of type ADPrincipal, which means it is looking up each member too. So it's possible that it's choking on one of the members.
See if you get different results with this:
(Get-ADGroup MyGroup -Properties member).member
That will just spit out the raw member attribute of the group, which contains the distinguished name of each member (a list of strings), without actually trying to look up each member.
If that works, then there are other ways to find the info you need (like loop through those members and ignore members that you can't access).
Upvotes: 1
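An added example, not part of either answer above: one way to follow the second answer's suggestion by reading the raw member attribute, resolving each distinguished name separately so that unreadable members are reported instead of aborting the run, and then checking the target user by DN. The user name `jdoe` is a hypothetical placeholder, and the removal is left in `-WhatIf` mode.

```powershell
Import-Module ActiveDirectory

# Assumed values for illustration: substitute your own group and account.
$groupName = 'MyGroup'
$userSam   = 'jdoe'    # hypothetical sAMAccountName

# Read the raw member attribute: a list of distinguished-name strings,
# returned without looking up each member object.
$group     = Get-ADGroup -Identity $groupName -Properties member
$memberDNs = @($group.member)

# Resolve each DN on its own so one unreadable or broken member
# is recorded instead of failing the whole enumeration.
$resolved   = @()
$unreadable = @()
foreach ($dn in $memberDNs) {
    try {
        $resolved += Get-ADObject -Identity $dn -Properties sAMAccountName -ErrorAction Stop
    }
    catch {
        $unreadable += [pscustomobject]@{
            DistinguishedName = $dn
            Error             = $_.Exception.Message
        }
    }
}

"{0} of {1} members resolved" -f $resolved.Count, $memberDNs.Count
if ($unreadable) {
    Write-Warning "Members this account could not read:"
    $unreadable | Format-Table -AutoSize -Wrap
}

# Membership check by DN string (-contains is case-insensitive for strings).
# Note: the member attribute does not list accounts that hold the group
# only as their primary group.
$user = Get-ADUser -Identity $userSam
if ($memberDNs -contains $user.DistinguishedName) {
    # -WhatIf only reports the change; remove it once the output looks right.
    Remove-ADGroupMember -Identity $group -Members $user -Confirm:$false -WhatIf
}
else {
    "$userSam is not a direct member of $groupName"
}
```

If the first `Get-ADGroup` call itself fails or returns an empty member list under the service account but not under an administrator, that points to the read-permission cause described in the first answer rather than to a single bad member.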