PSnewbie

Reputation: 37

Powershell 5.1.16299.1146 Get-ADGroupMember An operations error occurred

I'm getting

"An operations error occurred"

error when a group contains users from a different domain.

The same line in Powershell 5.1.14409.1018 works great.

Get-ADGroupMember -Server "MyDomain" -Identity "MyGroup" | ForEach-Object {$_.SamAccountName}

Is anyone else having a problem on version 5.1.16299.1146 with Get-ADGroupMember when the group contains users from a different domain?

Get-ADGroupMember : An operations error occurred
At line:1 char:1
+ Get-ADGroupMember -Server "MyDomain" "MyGroup ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (MyGroup:ADGroup) [Get-ADGroupMember], ADException
    + FullyQualifiedErrorId : ActiveDirectoryServer:8224,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember

Upvotes: 3

Views: 11825

Answers (2)

Sean Field

Reputation: 11

I expanded /u/markekraus' script a little bit for large multi-domain environments and to bake in recursive group search, because there is some funky stuff you can only get through the global catalog server and some stuff the global catalog server CAN'T get.

Disclaimer: I am not a PowerShell pro. I just make scripts as I go along and need them. If you have helpful input, please leave it in a comment below.

Function Get-ADGroupMemberFix {
    [CmdletBinding()]
    param(
        [Parameter(
            Mandatory = $true,
            ValueFromPipeline = $true,
            ValueFromPipelineByPropertyName = $true,
            Position = 0
        )]
        [string[]]
        $Identity,

        [Parameter(
            Mandatory = $false,
            ValueFromPipeline = $true,
            ValueFromPipelineByPropertyName = $true,
            Position = 1
        )]
        [bool]
        $Recursive = $false,

        [Parameter(
            Mandatory = $true,
            ValueFromPipeline = $true,
            ValueFromPipelineByPropertyName = $true,
            Position = 2
        )]
        [string]
        $globalCatalogServer
    )
    process {
        foreach ($GroupIdentity in $Identity) {
            # Locate the group through the global catalog, which covers the whole forest
            $Group = $null
            $Group = Get-ADGroup -Identity $GroupIdentity -Properties CanonicalName -Server "$($globalCatalogServer)"
            if (-not $Group) {
                continue
            }
            # The GC holds only a partial attribute set, so read the member list from a DC in the group's own domain
            $server = $Group.CanonicalName.Substring(0, $Group.CanonicalName.IndexOf('/'))
            $Group = Get-ADGroup -Identity $GroupIdentity -Properties Member -Server $server

            Foreach ($Member in $Group.Member) {
                # Resolve each member DN through the GC, since the member may live in another domain
                $memberObject = Get-ADObject $Member -Server "$($globalCatalogServer)"
                if (($memberObject.ObjectClass -eq "group") -and $Recursive) {
                    Get-ADGroupMemberFix -Identity $memberObject.distinguishedName -Recursive:$Recursive -globalCatalogServer $globalCatalogServer
                } else {
                    $memberObject
                }
            }
        }
    }
}

With this function I can call up all group members across the forest recursively, like this:

Get-ADGroupMemberFix -Identity "mygroup" -Recursive:$True -globalCatalogServer "mydomain.local:3268"

I find it very easy this way to check membership of a security group, when looking at an AD that I am not familiar with.

Upvotes: 1

Mathias R. Jessen

Reputation: 174485

Get-ADGroupMember is notoriously bad at handling referral chasing for foreign security principals. You should be able to do it manually with Get-ADGroup and Get-ADObject though:

Function Get-ADGroupMemberFix {
    [CmdletBinding()]
    param(
        [Parameter(
            Mandatory = $true,
            ValueFromPipeline = $true,
            ValueFromPipelineByPropertyName = $true,
            Position = 0
        )]
        [string[]]
        $Identity,

        [string]
        $Server
    )

    begin {
        $additionalArguments = @{}
        if($PSBoundParameters.ContainsKey('Server')){
            $additionalArguments['Server'] = $Server
        }
    }

    process {
        foreach ($GroupIdentity in $Identity) {
            $Group = $null
            $Group = Get-ADGroup -Identity $GroupIdentity -Properties Member @additionalArguments
            if (-not $Group) {
                continue
            }
            Foreach ($Member in $Group.Member) {
                Get-ADObject $Member
            }
        }
    }
}

Get-ADGroupMemberFix -Identity ''

(script above is a modified version of the script posted in the referenced reddit post by /u/markekraus)

You can add the desired property names to the Get-ADObject call if needed.

Upvotes: 4
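The approach from both answers (find the group through a global catalog, read the member attribute from the group's own domain, resolve each member DN via the GC, recurse into nested groups) combined into one function, as an added example that is not code from the question or either answer; it goes beyond the posted scripts with a visited set so nested groups that contain each other cannot recurse forever, and with SID-to-name translation for foreignSecurityPrincipal members (accounts from a trusted forest, which the GC holds only as a SID). It assumes the ActiveDirectory module is loaded and a reachable GC given as host:port (the "gc.example.local:3268" value is a placeholder); the function and parameter names are mine.

```powershell
function Get-ADGroupMemberAcrossDomains {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, Position = 0)]
        [string]$Identity,
        # Global catalog host:port, e.g. the placeholder "gc.example.local:3268"
        [Parameter(Mandatory = $true)]
        [string]$GlobalCatalog,
        [switch]$Recursive,
        # Internal: group DNs already expanded, shared across recursive calls (cycle guard)
        [System.Collections.Generic.HashSet[string]]$Visited =
            [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
    )

    # As in both answers: find the group via the GC (every object in the forest, but only a
    # partial attribute set), then read the full member list from a DC in the group's own domain
    $group = Get-ADGroup -Identity $Identity -Properties CanonicalName -Server $GlobalCatalog
    if (-not $Visited.Add($group.DistinguishedName)) {
        Write-Verbose "Skipping $($group.DistinguishedName): already expanded (nested-group cycle)"
        return
    }
    $domainDns = $group.CanonicalName.Substring(0, $group.CanonicalName.IndexOf('/'))
    $group = Get-ADGroup -Identity $group.DistinguishedName -Properties Member -Server $domainDns

    foreach ($memberDn in $group.Member) {
        # Members may live in any domain of the forest, so resolve each DN through the GC
        $obj = Get-ADObject -Identity $memberDn -Properties objectSid -Server $GlobalCatalog
        switch ($obj.ObjectClass) {
            'group' {
                if ($Recursive) {
                    Get-ADGroupMemberAcrossDomains -Identity $obj.DistinguishedName `
                        -GlobalCatalog $GlobalCatalog -Recursive -Visited $Visited
                } else { $obj }
            }
            'foreignSecurityPrincipal' {
                # Member from a trusted forest: the GC only knows its SID, so translate it
                # locally; if the trust is unreachable, report the raw SID instead
                $sid = [System.Security.Principal.SecurityIdentifier]$obj.objectSid
                try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $name = $sid.Value }
                [pscustomobject]@{
                    Name = $name; ObjectClass = $obj.ObjectClass; DistinguishedName = $obj.DistinguishedName
                }
            }
            default { $obj }
        }
    }
}
```

Call it as `Get-ADGroupMemberAcrossDomains -Identity 'mygroup' -GlobalCatalog 'gc.example.local:3268' -Recursive -Verbose` to see which nested groups were skipped as cycles.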
