3
votes

I'm getting an "An operations error occurred" error when a group contains users from a different domain.

The same line in PowerShell 5.1.14409.1018 works great.

Get-ADGroupMember -Server "MyDomain" -Identity "MyGroup" | ForEach-Object {$_.SamAccountName}

Is anyone else having a problem on version 5.1.16299.1146 with Get-ADGroupMember when the group contains users from a different domain?

Get-ADGroupMember : An operations error occurred
At line:1 char:1
+ Get-ADGroupMember -Server "MyDomain" "MyGroup ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (MyGroup:ADGroup) [Get-ADGroupMember], ADException
    + FullyQualifiedErrorId : ActiveDirectoryServer:8224,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember

1
Please update your question with a copy and paste of the exact error message. (Remember, we can't see your screen.) - Bill_Stewart
I'm unable to replicate the issue - are you using the correct domains/groups? Note: I'm using PSVersion 5.1.14393.2636. - Matthew
Domains/groups are correct, the same line works great with 5.1.14409.1018. - PSnewbie

1 Answer

2
votes

Get-ADGroupMember is notoriously bad at handling referral chasing for foreign security principals. You should be able to do it manually with Get-ADGroup and Get-ADObject though:

Function Get-ADGroupMemberFix {
    [CmdletBinding()]
    param(
        [Parameter(
            Mandatory = $true,
            ValueFromPipeline = $true,
            ValueFromPipelineByPropertyName = $true,
            Position = 0
        )]
        [string[]]
        $Identity,

        [string]
        $Server
    )

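    begin {
        # Forward -Server to Get-ADGroup only when the caller supplied it
        $additionalArguments = @{}
        if($PSBoundParameters.ContainsKey('Server')){
            $additionalArguments['Server'] = $Server
        }
    }

    process {
        foreach ($GroupIdentity in $Identity) {
            $Group = $null
            # Read the raw member attribute (a list of distinguished names)
            $Group = Get-ADGroup -Identity $GroupIdentity -Properties Member @additionalArguments
            if (-not $Group) {
                continue
            }
            # Resolve each member DN individually instead of using Get-ADGroupMember
            Foreach ($Member in $Group.Member) {
                Get-ADObject $Member
            }
        }
    }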
}

Get-ADGroupMemberFix -Identity ''

(The script above is a modified version of the script posted in the referenced Reddit post by /u/markekraus.)

You can add the desired property names to the Get-ADObject call if needed.
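
As an added example (not part of the answer or of the referenced Reddit post), here is one way to request properties on the Get-ADObject call so that the output matches the SamAccountName list the question asks for, including members that are foreign security principals. The function name Get-GroupMemberAccount is hypothetical, and the sketch assumes every member DN can be read from the same server as the group.

```powershell
# Added example; Get-GroupMemberAccount is a hypothetical name, not a real cmdlet.
function Get-GroupMemberAccount {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, Position = 0)]
        [string]$Identity,

        [string]$Server
    )

    # Forward -Server only when the caller supplied it, as the answer's function does.
    $adArgs = @{}
    if ($PSBoundParameters.ContainsKey('Server')) { $adArgs['Server'] = $Server }

    $group = Get-ADGroup -Identity $Identity -Properties Member @adArgs

    foreach ($dn in $group.Member) {
        # Assumption: the member DN is readable from the same server as the group.
        $obj = Get-ADObject -Identity $dn -Properties sAMAccountName, objectSid @adArgs
        $account = $obj.sAMAccountName

        if ($obj.ObjectClass -eq 'foreignSecurityPrincipal') {
            # An FSP is a local placeholder named after the remote account's SID.
            # It has no sAMAccountName, so ask Windows to resolve the SID instead.
            try {
                $account = $obj.objectSid.Translate([System.Security.Principal.NTAccount]).Value
            }
            catch {
                # SID could not be mapped (trust unavailable or account deleted):
                # report the raw SID so the entry still shows up in a review.
                $account = $obj.objectSid.Value
            }
        }

        [pscustomobject]@{
            Account           = $account
            ObjectClass       = $obj.ObjectClass
            DistinguishedName = $obj.DistinguishedName
        }
    }
}

# 'MyDomain' and 'MyGroup' are the placeholder names used in the question.
Get-GroupMemberAccount -Server 'MyDomain' -Identity 'MyGroup' | ForEach-Object { $_.Account }
```

Members whose Account value is still a raw SID are worth a closer look during a membership review, since they point at an account the local domain can no longer resolve.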