Issues with Get-QADGroupMember cmdlet

One department in my company executes a script that counts the members of a domain group and checks whether they are active or disabled, but the script is giving me the following error:

    Get-QADGroupMember : The object does not exist.
    At E:\bulk-admin\NewLDAP_synch.ps1:92 char:24
    + $a = Get-QADGroupMember <<<< 'agnirvine\IR-SecureIDToken' -Type 'user' -SizeLimit 0 -Disabled -Indirect
        + CategoryInfo : NotSpecified: (:) [Get-QADGroupMember], DirectoryAccessException
        + FullyQualifiedErrorId : Quest.ActiveRoles.ArsPowerShellSnapIn.DirectoryAccess.DirectoryAccessException,Quest.ActiveRoles.ArsPowerShellSnapIn.Powershell.Cmdlets.GetGroupMemberCmdlet

    Get-QADGroupMember : The object does not exist.
    At E:\bulk-admin\NewLDAP_synch.ps1:34 char:24
    + $a = Get-QADGroupMember <<<< "agnirvine\IR-SecureIDToken" -Type 'user' -SizeLimit 0 -Indirect
        + CategoryInfo : NotSpecified: (:) [Get-QADGroupMember], DirectoryAccessException
        + FullyQualifiedErrorId : Quest.ActiveRoles.ArsPowerShellSnapIn.DirectoryAccess.DirectoryAccessException,Quest.ActiveRoles.ArsPowerShellSnapIn.Powershell.Cmdlets.GetGroupMemberCmdlet

Copy of NewLDAP_synch.txt.zip

  • Luis,

    Does the group 'agnirvine\IR-SecureIDToken' contain members from other domains? In other words, is it a Local or Global group? It might be that there is a member from another domain that the code is unable to read (under user context). You are using the -Indirect parameter so you will need to check any nested groups for members in that scenario.

    I would suggest running line 34 separately on the same workstation and checking for results. If none are returned, then try running the code on a different workstation or under an account with correct permissions. If you do see some results, then it's possible there is a user in a different domain. Hope that helps.

  • Hi Greg, yes the group 'agnirvine\IR-SecureIDToken' contains members from other domains. If I run line 34 separately on the same workstation I receive the same error.

    How can I resolve this issue?

    Hope to hear your answer soon.

    Regards,

  • Hi Luis,

    If you're running ARS, run the following at the beginning of the script to make sure you're connected to the ARS service and not to one of your domains:

    Connect-QADService -proxy

    (good heavens do I love being able to type a username or group name without knowing precisely *which* domain they're in...)

    If you're not running ARS, try this:

    Connect-QADService -UseGlobalCatalog -Service <<dnsdomain for agnirvine>>

    Using the -UseGlobalCatalog parameter let me get users from outside the domain the group was in. It also let me get any user in our forest as long as I used their NTAccountName (NetBiosDomain\Username) but not their UPNs (Username@dnsdomain.com).

  • It's a double-edged sword finding users in multiple domains :-) When we first introduced a second domain to manage in ARS, I had to check all my scripts to ensure they would correctly manage when multiple accounts were returned, or force them to check a single domain.

    One trick I used in a particular script was to create connection variables to each domain and then use a variable (e.g. $currentConnection) to hold the "in scope" domain during the script loop, and then, rather than write the same line of code for each domain, just use the $currentConnection variable as the connection.

    $domain1 = Connect-QADService -Service "FQDN1"

    $domain2 = Connect-QADService -Service "FQDN2"

    $proxyConnection = Connect-QADService -Proxy

    Then use a switch statement or any other conditional statement to set $currentConnection to the connection you want to use.

    In each command you just add the -Connection switch, e.g. Get-QADUser -Connection $currentConnection

    Of course, another route is to just make sure you are checking the returned user(s) domain.
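The connection-per-domain pattern from the reply above, combined with the -UseGlobalCatalog suggestion from the earlier reply, as an added example that is not part of the original thread or the poster's script. The DOMAIN1/DOMAIN2 keys, the FQDN1/FQDN2 service names, the group name and the function name Get-GroupMemberReport are placeholders chosen for illustration.

```powershell
# Added example; FQDN1/FQDN2 and the DOMAIN1/DOMAIN2 keys are placeholders.
Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue

# One connection per domain, keyed by NetBIOS domain name.
$connections = @{
    'DOMAIN1' = Connect-QADService -Service 'FQDN1' -UseGlobalCatalog
    'DOMAIN2' = Connect-QADService -Service 'FQDN2' -UseGlobalCatalog
}

function Get-GroupMemberReport {
    param([Parameter(Mandatory = $true)][string]$GroupNTName)  # 'DOMAIN\Group'

    # Pick the "in scope" connection from the group's domain prefix.
    $domain = ($GroupNTName -split '\\', 2)[0]
    if (-not $connections.ContainsKey($domain)) {
        throw "No connection defined for domain '$domain'."
    }
    $currentConnection = $connections[$domain]

    $query = @{
        Type        = 'user'
        SizeLimit   = 0
        Indirect    = $true
        Connection  = $currentConnection
        ErrorAction = 'Stop'   # make directory errors catchable
    }
    try {
        $all      = @(Get-QADGroupMember $GroupNTName @query)
        $disabled = @(Get-QADGroupMember $GroupNTName @query -Disabled)
    }
    catch {
        # Report which group failed instead of silently miscounting.
        Write-Warning "Lookup of '$GroupNTName' failed: $($_.Exception.Message)"
        return
    }

    # Check which domain each returned account belongs to.
    $perDomain = $all | Group-Object { ($_.NTAccountName -split '\\', 2)[0] } |
        ForEach-Object { '{0}={1}' -f $_.Name, $_.Count }

    New-Object PSObject -Property @{
        Group     = $GroupNTName
        Total     = $all.Count
        Disabled  = $disabled.Count
        Active    = $all.Count - $disabled.Count
        PerDomain = $perDomain -join '; '
    }
}

Get-GroupMemberReport -GroupNTName 'DOMAIN1\Example-Group'
```

The PerDomain column makes foreign-domain members visible in the count, which is the "check the returned user's domain" route mentioned at the end of the reply.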

  • The strange thing here is that the script was working fine a month ago but now is not working. The server where the Quest ActiveRoles software is installed is a VM, and a month ago this VM had VMWareTools version 4 and now has version 7. Do you think that this change did something?

    Thanks!