
August 30, 2013 at 12:40 pm

I'm having a problem with two Active Directory Module cmdlets: Get-ADPrincipalGroupMembership and Get-ADGroup.

Get-ADPrincipalGroupMembership:
If I attempt to call a user who is a member of a group that contains a forward slash "/" in the group name, it results in an internal error. Example: Get-ADPrincipalGroupMembership -Identity 'John Smith'. (John is a member of a group of name "Some/WeirdGroupName"). The error prevents me from reporting *any* of John Smith's groups.

Get-ADGroup:
If I attempt to call a group and its Name property does not match the SamAccountName property, I receive a similar error. Example: Get-ADGroup -Identity "SomeGroupName". (The group's Name is "SomeGroupName", but its SamAccountName is "SomeGroup".)

I've found comments elsewhere indicating that these might be bugs. They occur in both PowerShell 2.0 and 3.0. I have two questions for the forum:
(1) Is there a way to obtain the necessary information/objects in spite of this error?
(2) In general, when Microsoft identifies PowerShell bugs, how are the corrections published? (Why wasn't it fixed in PowerShell 3.0?)

Thanks, and keep up the PowerShell-ing.

August 30, 2013 at 1:15 pm

These are mainly AD issues, not PowerShell issues.

First off, and this may seem like I'm splitting hairs, but the PowerShell team aren't responsible for the AD cmdlets. They are produced by the AD team. What version of Windows are you using for your domain controllers? If you were running Windows 2008 R2, for instance, and upgraded PowerShell to v3, the AD cmdlets wouldn't be changed because they aren't part of the core PowerShell engine.

When I tried to create a group called Test/Group in AD Users and Computers I was told / is an illegal character, and I was offered the chance to replace the / by a _. I got a similar error in New-ADGroup:
PS> New-ADGroup -Name 'Test/Group' -Path 'ou=All groups,dc=manticore,dc=org' -SamAccountName 'Test/Group' -GroupCategory Security -GroupScope Global
New-ADGroup : The name provided is not a properly formed account name

If I were you I'd seriously consider renaming the groups to remove the /. It's going to save you a lot of effort over time.

I created a group with a different name and samAccountName and tried using Get-ADGroup:

PS> New-ADGroup -Name 'FunnyTestGroup' -Path 'ou=All groups,dc=manticore,dc=org' -GroupCategory Security -GroupScope Global -SamAccountName 'AnyOldName'
PS> Get-ADGroup -Identity 'Funnytestgroup'
Get-ADGroup : Cannot find an object with identity: 'Funnytestgroup' under: 'DC=Manticore,DC=org'.
At line:1 char:1
+ Get-ADGroup -Identity 'Funnytestgroup'

The problem is that the -Identity parameter only accepts values representing:
samAccountName
distinguished name
GUID
SID

In this case none of those were supplied. However:
Get-ADGroup -Filter {Name -eq 'Funnytestgroup'}

will work for you.

Again, I would recommend keeping the samAccountName the same as the group name for ease of administration.
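The two lookups discussed in the reply above, as an added example that is not part of the original thread: resolving a group by its Name with -Filter rather than -Identity, and reading a user's memberOf attribute so that one group with a "/" in its name no longer blocks reporting the user's other groups (this memberOf workaround is an assumption of the example, not something the reply states; the user and group names are placeholders).

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module and a
# reachable domain. 'SomeGroupName' and 'jsmith' are placeholder identities.
Import-Module ActiveDirectory

function Get-GroupByName {
    # -Identity only accepts sAMAccountName, DN, GUID or SID, so a group whose
    # Name differs from its sAMAccountName has to be found with -Filter instead.
    param([Parameter(Mandatory)][string]$Name)
    $groups = @(Get-ADGroup -Filter { Name -eq $Name } -Properties SamAccountName)
    if ($groups.Count -eq 0) { throw "No group with Name '$Name'" }
    if ($groups.Count -gt 1) { Write-Warning "Name '$Name' is not unique; returning all matches" }
    $groups
}

function Get-UserGroupsViaMemberOf {
    # Assumed workaround: read memberOf directly instead of calling
    # Get-ADPrincipalGroupMembership, which fails for the whole user when any
    # group name contains '/'. Each DN is resolved on its own, so a single
    # unresolvable group is reported from its DN rather than hiding the rest.
    # Note: memberOf does not include the user's primary group (Domain Users).
    param([Parameter(Mandatory)][string]$SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName -Properties memberOf
    foreach ($dn in $user.memberOf) {
        try {
            Get-ADGroup -Identity $dn -Properties SamAccountName
        } catch {
            Write-Warning "Could not resolve '$dn': $($_.Exception.Message)"
            # Fall back to the CN parsed from the DN (escaped commas '\,' kept).
            [pscustomobject]@{
                Name              = ($dn -replace '^CN=((?:\\,|[^,])+),.*$', '$1')
                SamAccountName    = $null
                DistinguishedName = $dn
            }
        }
    }
}

# Usage:
# Get-GroupByName -Name 'SomeGroupName' | Select-Object Name, SamAccountName
# Get-UserGroupsViaMemberOf -SamAccountName 'jsmith' | Format-Table Name, SamAccountName
```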

August 30, 2013 at 2:13 pm

Thank you, Richard. This gives me a better understanding of what's occurring. Our DCs are 2008 R2, but I'm running AD module from Win7 and Win8 computers.

These groups are a little old, and were probably created by some method that did not strictly enforce these restrictions. I'll research making the corrections on the groups themselves.

Thank you also for the explanation about the AD module being written by the AD team.