1

This is really annoying and hard to find, but I've proved it in my environment so I thought I'd post it here in hopes of helping more people work around it.

The problem is that when using Get-ADPrincipalGroupMembership -Identity $User.SamAccountName, if any one of the groups the user is a member of has a / (forward slash) in its name, the cmdlet throws a non-terminating error on that user.

So, I ran Get-ADGroup -Filter {name -like "*/*"} to see how many of these groups we have and there were quite a few. And sure enough, in my script the catch block is finding a lot of people where this cmdlet is failing.

foreach ($User in $Users) {
    try {
        $User_MemberOf = @()

        Get-ADPrincipalGroupMembership -Identity $User.SamAccountName |
            Select Name |
            Where-Object {$_.Name -like 'CBA-*'} |
            ForEach-Object { $User_MemberOf += @($_.Name) }

        foreach ($Group in $User_MemberOf) {
            New-Object PSObject -Property @{
                SID = $User.SamAccountName
                Name = $User.name
                Group = $Group 
            } | Export-Csv -Path $logs -NoTypeInformation -Append
        }
    } catch {
        New-Object PSObject -Property @{
            SID = $User.SamAccountName
            Name = $User.name
            Group = "Error processing this user" 
        } | Export-Csv -Path $logs -NoTypeInformation -Append
    }
}

Error message:

The server was unable to process the request due to an internal error. For more information about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the configuration behavior) on the server in order to send the exception information back to the client, or turn on tracing as per the Microsoft .NET Framework 3.0 SDK documentation and inspect the server trace logs.

Can anyone offer me an alternative solution? I can't find a good one yet.

sodawillow
MarcGel
  • Can't reproduce. Which OS version, and what is the error? – Ansgar Wiechers Dec 01 '15 at 22:06
  • Win7 Ent, Powershell 4.0; Get-ADPrincipalGroupMembership : The server was unable to process the request due to an internal error. For more information about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the configuration behavior) on the server in order to send the exception information back to the client, or turn on tracing as per the Microsoft .NET Framework 3.0 SDK documentation and inspect the server trace logs. – MarcGel Dec 01 '15 at 22:21
  • Have you attempted to escape the slash? *`/* or *\/* perhaps – Mathias R. Jessen Dec 01 '15 at 22:26
  • No, how do you escape it? – MarcGel Dec 01 '15 at 22:32
  • As above, use a backtick before the slash, alternatively a backslash – Mathias R. Jessen Dec 01 '15 at 22:40
  • Hi, I've read about these now, but not sure I understand where to escape in the script? – MarcGel Dec 02 '15 at 17:55

1 Answer

3

There is currently an open bug on Connect for this.

https://connect.microsoft.com/PowerShell/Feedback/Details/1190397

One potential work-around:

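# $accountName holds the user's SamAccountName
$user = Get-ADUser $accountName -Properties MemberOf
$groupMembership = New-Object System.Collections.ArrayList
foreach ($group in $user.MemberOf) {
    # MemberOf contains distinguished names; resolve each one to its group.
    # [void] discards the index that ArrayList.Add() returns.
    [void]$groupMembership.Add((Get-ADGroup $group).SamAccountName)
}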
user1074891
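
The answer's MemberOf workaround applied to the per-user CSV report from the question, as an added example that is not part of the original posts. It also reads PrimaryGroup, because MemberOf does not list the user's primary group, and it only writes a user's rows once every group has resolved. The function name Get-UserGroupName and the output path are hypothetical; $Users and the 'CBA-*' filter are taken from the question.

```powershell
# Added example, not code from the question or the answer.
# Assumes the ActiveDirectory module and a $Users collection as in the question.
Import-Module ActiveDirectory

function Get-UserGroupName {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [string] $NameFilter = '*'
    )
    # MemberOf holds the distinguished names of the user's direct groups.
    # It omits the primary group, so PrimaryGroup is requested as well.
    $user = Get-ADUser -Identity $SamAccountName `
        -Properties MemberOf, PrimaryGroup -ErrorAction Stop
    $dns = @($user.MemberOf) + @($user.PrimaryGroup) | Where-Object { $_ }

    foreach ($dn in $dns) {
        # Resolve each DN on its own, as the answer's workaround does.
        # -ErrorAction Stop turns any failure into an exception the caller can catch.
        $group = Get-ADGroup -Identity $dn -ErrorAction Stop
        if ($group.Name -like $NameFilter) { $group.Name }
    }
}

$logs = 'C:\Temp\group-membership.csv'   # hypothetical output path

$rows = foreach ($User in $Users) {
    try {
        # Collect all names first: if one lookup throws, no partial rows are emitted.
        $names = @(Get-UserGroupName -SamAccountName $User.SamAccountName -NameFilter 'CBA-*')
        foreach ($name in $names) {
            [pscustomobject]@{
                SID   = $User.SamAccountName
                Name  = $User.Name
                Group = $name
            }
        }
    } catch {
        # Keep the real error text so failed accounts can be reviewed later.
        [pscustomobject]@{
            SID   = $User.SamAccountName
            Name  = $User.Name
            Group = "Error: $($_.Exception.Message)"
        }
    }
}

$rows | Export-Csv -Path $logs -NoTypeInformation
```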