powershell active-directory windows-server-2016 adgroup

Get-ADPrincipalGroupmembership : The server was unable to process the request due to an internal error


As in my previous Question, my problem is about this script:

    # Collect one row per server: name, WSUS groups, operating system
    $csvInfos = @()
    $allservers = @(Get-ADComputer -SearchBase "OU=BRLN-Servers,OU=OU-BRLN,OU=DE,OU=Locations,DC=bla,DC=bla,DC=bla" -Filter * -Properties *)
    foreach ($server in $allservers) {
        $customobject = New-Object -TypeName PSObject -Property @{
            'Servername'   = $server.Name
            # This is the call that fails on the third domain
            'WSUS Gruppen' = ($server | Get-ADPrincipalGroupMembership | ? { $_.Name -like '*wsus*' } | Select-Object -ExpandProperty Name) -join ";"
            'OS'           = $server.OperatingSystem
        }

        $csvInfos += $customobject
    }

    # Write the report as a semicolon-delimited CSV
    $csvInfos | Export-Csv c:\temp\wsus_server_groups.csv -Delimiter ";" -NoTypeInformation

The script is used on 3 different domains (US, EU, ASIA). The domains are built the same. Same OU structure, same settings, same everything.

Based on the updated script I am able to get the results I want for 2 of the 3 domains. On the third domain I get an error with the get-adprincipalgroupmembership command:

Get-ADPrincipalGroupmembership : The server was unable to process the request due to an internal error.

I googled a lot about this error. There is even a topic here on Stack Overflow with that error:

Get-ADPrincipalGroupMembership Fails when any user group name has "/"

but I don't think that it describes the same situation as mine. Or maybe I am blind....

So: is there a way to fix that problem / error, or do I have to use another command that does the same as Get-ADPrincipalGroupMembership?

Thank you, Michael


Solution

  • I'm not a fan of the AD PowerShell cmdlets for reasons like this. They don't handle all cases very well. I know that foreign security principals are not handled, although I'm not sure how that would affect this specific case. And as you said, forward slashes.

    You might be able to hunt down why it's happening if you see which server object it is crashing on.

    But you can just avoid using Get-ADPrincipalGroupMembership. You can do the same thing with Get-ADGroup:

    'WSUS Gruppen' = (Get-ADGroup -LDAPFilter "(&(name=*wsus*)(member=$($server.DistinguishedName)))" | Select-Object -ExpandProperty Name ) -join ";"
    

    If you have more than one domain in your AD forest, then you should tell Get-ADGroup to use a global catalog by specifying -Server example.com:3268.
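
The Get-ADGroup approach from the answer applied to the whole report, as an added example that is not part of the original question or answer. It escapes the distinguished name before placing it in the LDAP filter and warns with the name of any server object whose lookup fails. The helper names `ConvertTo-LdapFilterValue` and `Get-WsusGroupName` and the `LOOKUP FAILED` marker are hypothetical; the search base and output path are the ones from the question.

```powershell
# Added example: helper names are hypothetical, paths come from the question.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    # RFC 4515 filter escaping. The backslash must be replaced first, otherwise
    # the escapes produced by the later replacements would be escaped again.
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace([string][char]0, '\00')
}

function Get-WsusGroupName {
    param(
        [Parameter(Mandatory)]$Computer,
        # Optional, e.g. a global catalog as suggested in the answer. Note that a
        # global catalog only holds the member attribute of universal groups.
        [string]$Server
    )
    $dn = ConvertTo-LdapFilterValue -Value $Computer.DistinguishedName
    $query = @{ LDAPFilter = "(&(name=*wsus*)(member=$dn))"; ErrorAction = 'Stop' }
    if ($Server) { $query.Server = $Server }
    try {
        (Get-ADGroup @query | Select-Object -ExpandProperty Name) -join ';'
    }
    catch {
        # Name the object that failed instead of aborting the whole report.
        Write-Warning "Group lookup failed for $($Computer.DistinguishedName): $($_.Exception.Message)"
        'LOOKUP FAILED'
    }
}

$searchBase = 'OU=BRLN-Servers,OU=OU-BRLN,OU=DE,OU=Locations,DC=bla,DC=bla,DC=bla'
# Request only the property the report needs rather than -Properties *
$servers = Get-ADComputer -SearchBase $searchBase -Filter * -Properties OperatingSystem

$report = foreach ($server in $servers) {
    [pscustomobject]@{
        'Servername'   = $server.Name
        'WSUS Gruppen' = Get-WsusGroupName -Computer $server
        'OS'           = $server.OperatingSystem
    }
}

$report | Export-Csv -Path 'C:\temp\wsus_server_groups.csv' -Delimiter ';' -NoTypeInformation
```

Rows marked `LOOKUP FAILED` in the CSV, together with the warnings, show which computer objects to inspect.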