2

I have this portion of code that is throwing an invalid enumeration context error.

$ADComputers1 = (get-adcomputer -Filter {enabled -eq $true} -ResultPageSize 500 -ResultSetSize $null -Properties instanceType, IPv4Address, IPv6Address, isCriticalSystemObject, isDeleted, KerberosEncryptionType, LastBadPasswordAttempt, LastKnownParent, localPolicyFlags, Location, CannotChangePassword)
foreach ($computer in $ADComputers1){
        $values += [PSCustomObject]@{
            instanceType=$computer.instanceType #check
            IPv4Address=$computer.IPv4Address #fail
            IPv6Address=$computer.IPv6Address #fail
            isCriticalSystemObject=$computer.isCriticalSystemObject
            isDeleted=$computer.isDeleted
            KerberosEncryptionType=$computer.KerberosEncryptionType
            LastBadPasswordAttempt=$computer.LastBadPasswordAttempt
            LastKnownParent=$computer.LastKnownParent #fail
            localPolicyFlags=$computer.localPolicyFlags
            Location=$computer.Location
            CannotChangePassword=$computer.CannotChangePassword
        }
}

I have looked online and found multiple errors similar to the one that is being thrown. In doing so, I have adjusted the -Filter, -ResultPageSize, and shortened the number of properties being accessed multiple times, yet this error is always thrown.

The rest of this code is checking about 70 properties fine, but this section, no matter how small or large I make it, is always throwing an error.

Any help would be appreciated.

kutulo
  • 39
  • 5
  • Looks like you've already been [here](https://stackoverflow.com/questions/30880639/error-with-get-aduser-invalid-enumeration-context), so plus one for doing your own investigation before posting. But to clarify on that post: the error is related to the AD server timing out before you can finish looping/loading data. – Joel Coehoorn Nov 04 '22 at 14:32

1 Answers1

0

This TechNet article provides information about this error, basically this happens when a single query has been running for more than 30 minutes. This answer also provide a few more details.

In this case, there doesn't seem to be a way to refine your LDAP query further because you're interested in gathering all Computer Objects, however something that may help is to query one Organizational Unit at a time. This would increment the number of queries but also reduce the time per query. In my personal experience, changing the values for -ResultPageSize and -ResultSetSize don't give me better results but I'll leave up to you for testing.

Get-ADOrganizationalUnit -Filter * | & {
    begin {
        $params = @{
            Filter     = "enabled -eq '$true'"
            Properties = @(
                'instanceType'
                'IPv4Address'
                'IPv6Address'
                'isCriticalSystemObject'
                'isDeleted'
                'KerberosEncryptionType'
                'LastBadPasswordAttempt'
                'LastKnownParent'
                'localPolicyFlags'
                'Location'
                'CannotChangePassword'
            )
        }
    }
    process {
        $params['SearchBase'] = $_.DistinguishedName
        Get-ADComputer @params | & {
            process {
                [PSCustomObject]@{
                    instanceType           = $_.instanceType
                    IPv4Address            = $_.IPv4Address
                    IPv6Address            = $_.IPv6Address
                    isCriticalSystemObject = $_.isCriticalSystemObject
                    isDeleted              = $_.isDeleted
                    KerberosEncryptionType = $_.KerberosEncryptionType
                    LastBadPasswordAttempt = $_.LastBadPasswordAttempt
                    LastKnownParent        = $_.LastKnownParent
                    localPolicyFlags       = $_.localPolicyFlags
                    Location               = $_.Location
                    CannotChangePassword   = $_.CannotChangePassword
                }
            }
        }
    }
} | Export-Csv path\to\export.csv -NoTypeInformation

If have Computers in Containers instead of Organizational Units, which would be pretty odd, you can change the initial query for:

Get-ADObject -LDAPFilter '(|(objectclass=container)(objectclass=organizationalUnit))' | & {
Santiago Squarzon
  • 41,465
  • 5
  • 14
  • 37
  • I will try this and report back! The one thing that is still very confusing to me is that I have multiple other blocks of code checking more properties than this one, and it works fine. But I can't seem to find why one of these properties would cause this error. I've looked into each one and it's relatively the same values as the rest of the code so there shouldn't be a reason why it's being thrown here and not the rest of the code. – kutulo Nov 04 '22 at 15:18
  • @kutulo but are you querying for all computers in the domain on those blocks? – Santiago Squarzon Nov 04 '22 at 16:07