Get-ADPrincipalGroupMembership and Get-ADGroup Internal Error

This topic contains 2 replies, has 2 voices, and was last updated by Bunni Rowlett 3 years, 7 months ago.

  • #9872
    Bunni Rowlett
    Participant

    I'm having a problem with two Active Directory Module cmdlets: Get-ADPrincipalGroupMembership and Get-ADGroup.

    Get-ADPrincipalGroupMembership:
    If I attempt to call a user who is a member of a group that contains a forward slash "/" in the group name, it results in an internal error. Example: Get-ADPrincipalGroupMembership -Identity 'John Smith'. (John is a member of a group of name "Some/WeirdGroupName"). The error prevents me from reporting *any* of John Smith's groups.

    Get-ADGroup:
    If I attempt to call a group and its Name property does not match the SamAccountName property, I receive a similar error. Example: Get-ADGroup -Identity "SomeGroupName". (The group's Name is "SomeGroupName", but its SamAccountName is "SomeGroup".)

    I've found comments elsewhere indicating that these might be bugs. They occur in both PowerShell 2.0 and 3.0. I have two questions for the forum:
    (1) Is there a way to obtain the necessary information/objects in spite of this error?
    (2) In general, when Microsoft identifies PowerShell bugs, how are the corrections published? (Why wasn't it fixed in PowerShell 3.0?)

    Thanks and keep up the PowerShell-ing.

  • #9873
    Richard Siddaway
    Moderator

    These are mainly AD issues, not PowerShell issues.

    First off – and this may seem like I'm splitting hairs – but the PowerShell team aren't responsible for the AD cmdlets. They are produced by the AD team. What version of Windows are you using for your domain controllers? If you were running Windows 2008 R2, for instance, and upgraded PowerShell to v3, the AD cmdlets wouldn't be changed because they aren't part of the core PowerShell engine.

    When I tried to create a group called Test/Group in AD Users and Computers, I was told / is an illegal character and I was offered the chance to replace the / by a _. I got a similar error in New-ADGroup.
    PS> New-ADGroup -Name 'Test/Group' -Path 'ou=All groups,dc=manticore,dc=org' -SamAccountName 'Test/Group' -GroupCategory Security -GroupScope Global
    New-ADGroup : The name provided is not a properly formed account name

    If I were you I'd seriously consider renaming the groups to remove the /. It's going to save you a lot of effort over time.

    I created a group with a different name and samAccountName and tried using Get-ADGroup:

    PS> New-ADGroup -Name 'FunnyTestGroup' -Path 'ou=All groups,dc=manticore,dc=org' -GroupCategory Security -GroupScope Global -SamAccountName 'AnyOldName'
    PS> Get-ADGroup -Identity 'Funnytestgroup'
    Get-ADGroup : Cannot find an object with identity: 'Funnytestgroup' under: 'DC=Manticore,DC=org'.
    At line:1 char:1
    + Get-ADGroup -Identity 'Funnytestgroup'

    The problem is that the Identity parameter only accepts values representing:
    samAccountName
    distinguished name
    GUID
    SID

    In this case none of those were supplied. However:
    Get-ADGroup -Filter {Name -eq 'Funnytestgroup'}

    will work for you.

    Again, I would recommend keeping the samAccountName the same as the group name for ease of administration.

  • #9874
    Bunni Rowlett
    Participant

    Thank you, Richard. This gives me a better understanding of what's occurring. Our DCs are 2008 R2, but I'm running AD module from Win7 and Win8 computers.

    These groups are a little old, and were probably created by some method that did not strictly enforce these restrictions. I'll research making the corrections on the groups themselves.

    Thank you also for the explanation about the AD module being written by the AD team.
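
The lookup behaviour and the cleanup discussed in this thread, as an added example that is not part of the original posts: it tries `-Identity` first, falls back to a match on the Name attribute, and lists groups whose Name and samAccountName differ or contain a `/`. The function names are hypothetical, and the Name lookup uses `-LDAPFilter` with RFC 4515 escaping in place of the `-Filter` form shown above so that a supplied name cannot alter the query.

```powershell
# Added example. Assumes the ActiveDirectory module (RSAT) and a reachable domain.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # Hypothetical helper: escape the characters RFC 4515 treats as special
    # (backslash, asterisk, parentheses, NUL) so the value stays a literal.
    param([Parameter(Mandatory = $true)][string]$Value)
    $sb = New-Object System.Text.StringBuilder
    foreach ($c in $Value.ToCharArray()) {
        if ('\*()'.IndexOf($c) -ge 0 -or [int]$c -eq 0) {
            [void]$sb.AppendFormat('\{0:x2}', [int]$c)
        } else {
            [void]$sb.Append($c)
        }
    }
    $sb.ToString()
}

function Resolve-ADGroupByAnyName {
    # Hypothetical helper: accepts samAccountName, DN, GUID, SID or Name.
    param([Parameter(Mandatory = $true)][string]$Value)
    try {
        # -Identity only matches samAccountName, distinguished name, GUID or SID.
        return Get-ADGroup -Identity $Value -ErrorAction Stop
    } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        # Not one of the four identity forms; fall through to a Name lookup.
    }
    $escaped = ConvertTo-LdapFilterValue -Value $Value
    Get-ADGroup -LDAPFilter "(name=$escaped)"
}

function Find-ADGroupNameMismatch {
    # Lists groups that will not resolve by Name through -Identity, or that
    # carry a '/' in either attribute, as candidates for renaming.
    Get-ADGroup -Filter * |
        Where-Object {
            $_.Name -ne $_.SamAccountName -or
            $_.Name -like '*/*' -or
            $_.SamAccountName -like '*/*'
        } |
        Select-Object Name, SamAccountName, DistinguishedName
}

# Usage with the group created in the thread:
# Resolve-ADGroupByAnyName -Value 'FunnyTestGroup'
# Find-ADGroupNameMismatch | Format-Table -AutoSize
```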
