As in my previous question, my problem is about this script:

$csvInfos = @()
# Every computer object below the server OU, with all attributes loaded
$allservers = @(Get-ADComputer -SearchBase "OU=BRLN-Servers,OU=OU-BRLN,OU=DE,OU=Locations,DC=bla,DC=bla,DC=bla" -Filter * -Properties *)
foreach ($server in $allservers) {
    $customobject = New-Object -TypeName PSObject -Property @{
        'Servername'   = $server.Name
        # All group names containing "wsus", joined into one CSV cell
        'WSUS Gruppen' = ($server | Get-ADPrincipalGroupMembership | ? { $_.Name -like '*wsus*' } | Select-Object -ExpandProperty Name) -join ";"
        'OS'           = $server.OperatingSystem
    }
    $csvInfos += $customobject
}

$csvInfos | Export-Csv c:\temp\wsus_server_groups.csv -Delimiter ";" -NoTypeInformation

The script is used on 3 different domains (US, EU, ASIA). The domains are built the same: same OU structure, same settings, same everything.

Based on the updated script I am able to get the results I want for 2 of the 3 domains. On the third domain I get an error with the Get-ADPrincipalGroupMembership command:

Get-ADPrincipalGroupmembership : The server was unable to process the request due to an internal error.

I have googled this error a lot. There is even a topic about it here on Stack Overflow:

Get-ADPrincipalGroupMembership Fails when any user group name has "/"

but I don't think it describes the same situation as mine. Or maybe I am blind....

So: is there a way to fix that problem / error, or do I have to use another command that does the same as Get-ADPrincipalGroupMembership?

Thank you, Michael

wachna87
  • Is the error consistent, meaning do you get the same error when you query other OUs of the domain not working? – Daniel Björk Jul 22 '20 at 07:24
  • Yes. It does not matter which OU I use for the searchbase or if I search the whole domain. It is the same error every time, but only in 1 of 3 domains... and I don't know why – wachna87 Jul 22 '20 at 07:33
  • How about if you add -Debug to the command. Do you get any more information? – Daniel Björk Jul 22 '20 at 07:44
  • Unfortunately no information, just the error message over and over again – wachna87 Jul 22 '20 at 08:11
  • Ok, I'm out of ideas, but I tried your script on my own domain and it worked for me too. So it's most likely something in one of your domains causing the issue. But I don't know why. – Daniel Björk Jul 22 '20 at 08:36
  • Thank you for your effort. Is there a way to get all groups of all AD computer objects without using Get-ADPrincipalGroupMembership? – wachna87 Jul 22 '20 at 08:59
  • This is not without the command, but you can try it and see if it makes any difference: `Get-ADComputer -Filter * | ForEach-Object { $computer = $_; Get-ADPrincipalGroupMembership -Identity $_ | Select-Object @{Name = 'Group'; Expression = {$_.Name}}, @{Name = 'Member'; Expression = {$computer.DNSHostName}} } | Export-Csv -Path .\MemberShip.csv -NoTypeInformation` – Daniel Björk Jul 22 '20 at 09:16
  • I tried, but I get the same error message :( – wachna87 Jul 22 '20 at 09:40
  • It says [here](https://learn.microsoft.com/en-us/powershell/module/addsadministration/get-adprincipalgroupmembership?view=win10-ps#description) that _"This cmdlet requires a global catalog to perform the group search. If the forest that contains the user, computer, or group does not have a global catalog, the cmdlet returns a non-terminating error."_. Could that be the case in the third domain? You can test this using `Get-ADForest | Select-Object -ExpandProperty GlobalCatalogs` – Theo Jul 22 '20 at 14:23
  • Yes. Every domain has several global catalogs. I even execute the script from a global catalog server – wachna87 Jul 22 '20 at 17:10

1 Answer

I'm not a fan of the AD PowerShell cmdlets for reasons like this. They don't handle all cases very well. I know that foreign security principals are not handled, although I'm not sure how that would affect this specific case. And as you said, forward slashes.

You might be able to hunt down why it's happening if you see which server object it is crashing on.

But you can just avoid using Get-ADPrincipalGroupMembership. You can do the same thing with Get-ADGroup:

'WSUS Gruppen' = (Get-ADGroup -LDAPFilter "(&(name=*wsus*)(member=$($server.DistinguishedName)))" | Select-Object -ExpandProperty Name ) -join ";"

If you have more than one domain in your AD forest, then you should tell Get-ADGroup to use a global catalog by specifying -Server example.com:3268.

Gabriel Luci
  • Well.... thank you very, very much!! I still don't know why "Get-ADPrincipalGroupMembership" doesn't work on the third domain, but your code works exactly as it should! Great help!! – wachna87 Jul 24 '20 at 08:16
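The answer's Get-ADGroup replacement, built out into the full script as an added example (it is not the question's or the answer's code): it escapes the computer's DN before it goes into the LDAP filter and records the object a query fails on, which the answer suggests for tracking down the original error. The OU path, the output path and the function names are assumptions.

```powershell
# Added example, not code from the question or the answer. OU path, output path and the
# function names ConvertTo-LdapFilterValue / Get-WsusGroupReport are placeholders.
Import-Module ActiveDirectory
# RFC 4515: a DN placed inside an LDAP filter must have '\', '*', '(', ')' and NUL
# hex-escaped. Computer names like "SRV01 (old)" or DNs with an escaped comma ("\,")
# would otherwise break the (member=...) clause and the query would fail or match nothing.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    # Backslash first, so the backslashes introduced by the later escapes stay intact.
    $escaped = $Value   -replace '\\', '\5c'
    $escaped = $escaped -replace '\*', '\2a'
    $escaped = $escaped -replace '\(', '\28'
    $escaped = $escaped -replace '\)', '\29'
    $escaped -replace "`0", '\00'
}

function Get-WsusGroupReport {
    param(
        [Parameter(Mandatory)][string]$SearchBase,
        [string]$Server   # e.g. "example.com:3268" to query a global catalog, as the answer suggests
    )
    $adParams = @{}
    if ($Server) { $adParams.Server = $Server }
    $computers = Get-ADComputer -SearchBase $SearchBase -Filter * -Properties OperatingSystem @adParams
    foreach ($computer in $computers) {
        $dn     = ConvertTo-LdapFilterValue $computer.DistinguishedName
        $filter = "(&(name=*wsus*)(member=$dn))"   # the '*' in name=*wsus* is a wanted wildcard
        try {
            $groups = @(Get-ADGroup -LDAPFilter $filter -ErrorAction Stop @adParams |
                        Select-Object -ExpandProperty Name)
            $status = 'OK'
        } catch {
            # Keep going and record which object failed, instead of losing the whole run
            $groups = @()
            $status = "ERROR: $($_.Exception.Message)"
        }
        [PSCustomObject]@{
            'Servername'   = $computer.Name
            'WSUS Gruppen' = ($groups -join ';')
            'OS'           = $computer.OperatingSystem
            'Status'       = $status
        }
    }
}

# Note: a computer's primary group (normally "Domain Computers") is not stored in the
# groups' member attribute, so it never appears here; it is irrelevant for *wsus* groups.
Get-WsusGroupReport -SearchBase 'OU=Servers,DC=example,DC=com' |
    Export-Csv -Path 'C:\temp\wsus_server_groups.csv' -Delimiter ';' -NoTypeInformation
```

Rows whose Status column starts with ERROR point at the exact computer object the directory refuses to process, which is the first thing to inspect when the error only appears in one domain.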