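I'm not sure when this started, but when I try to get group membership with Get-ADGroupMember using an account that has administrative permissions, I receive the following error: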
Get-ADGroupMember : An operations error occurred
At line:1 char:1
+ Get-ADGroupMember -Identity redacted
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (redacted:ADGroup) [Get-ADGroupMember], ADException
+ FullyQualifiedErrorId : ActiveDirectoryServer:8224,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember
If I try to expand the actual error, this is what I end up with:
PS C:\Users\redacted> $error[0] | select *
PSMessageDetails :
Exception : Microsoft.ActiveDirectory.Management.ADException: An operations error occurred --->
System.ServiceModel.FaultException`1[schemas.microsoft.com._2008._1.ActiveDirectory.CustomActions.GetADGroupMemberFault]:
Active Directory returned an error processing the operation.
Server stack trace:
at System.ServiceModel.Channels.ServiceChannel.HandleReply(ProxyOperationRuntime operation, ProxyRpc& rpc)
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation,
Object[] ins, Object[] outs, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime
operation)
at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
Exception rethrown at [0]:
at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
at
schemas.microsoft.com._2008._1.ActiveDirectory.CustomActions.AccountManagement.GetADGroupMember(GetADGroupMemberRequest
request)
at Microsoft.ActiveDirectory.Management.AdwsConnection.GetADGroupMember(GetADGroupMemberRequest request)
--- End of inner exception stack trace ---
at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowException(CustomActionFault caFault, FaultException
faultException)
at Microsoft.ActiveDirectory.Management.AdwsConnection.GetADGroupMember(GetADGroupMemberRequest request)
at Microsoft.ActiveDirectory.Management.ADWebServiceStoreAccess.Microsoft.ActiveDirectory.Management.IADAccountManagement.
GetADGroupMember(ADSessionHandle handle, GetADGroupMemberRequest request)
at Microsoft.ActiveDirectory.Management.ADAccountManagement.GetGroupMembers(String partitionDN, String groupDN, Boolean
recursive)
at Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember.GetADGroupMemberProcessCSRoutine()
at Microsoft.ActiveDirectory.Management.CmdletSubroutinePipeline.Invoke()
at Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase`1.ProcessRecord()
TargetObject : redacted
CategoryInfo : NotSpecified: (redacted:ADGroup) [Get-ADGroupMember], ADException
FullyQualifiedErrorId : ActiveDirectoryServer:8224,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember
ErrorDetails :
InvocationInfo : System.Management.Automation.InvocationInfo
ScriptStackTrace : at <ScriptBlock>, <No file>: line 1
PipelineIterationInfo : {}
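Interestingly, I can't reproduce this in my development environment; it only happens when running under specific accounts (most notably accounts with account-management-type permissions).
Also interesting: Get-ADGroup -Identity redacted -Properties member works just fine. The problem is that I need the membership of nested groups, and I'd really like to avoid reinventing the wheel if I don't have to.
It seems the problem is permissions-related, but I really don't know where to start. I've done some searching and found a few hits, but nothing with a solution.
So... does anyone have any ideas or suggestions?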
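Answer 0 (score: 1)
In my case, I get exactly the same error when querying an AD group with Get-ADGroupMember if the group I'm querying has members from a trusted forest. All other groups work fine, but when the cmdlet finds an object from outside the domain it is running in, it throws the error. The workaround of using Get-ADGroup, then expanding the Members property and using that output in other commands, works fine.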
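The Get-ADGroup workaround described in the answer above, extended to the nested-group case the question asks about. This is an added example, not code from either answer; the function name Get-NestedGroupMember, its parameters and the output shape are hypothetical, and it assumes the ActiveDirectory module is installed.

```powershell
# Added example: expand nested membership from the 'member' attribute
# instead of calling Get-ADGroupMember. Names here are hypothetical.
Import-Module ActiveDirectory

function Get-NestedGroupMember {
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [string] $Server,    # optional: query one specific domain controller
        [System.Collections.Generic.HashSet[string]] $Seen
    )
    if (-not $Seen) {
        # Case-insensitive set of visited DNs, shared across the recursion
        $Seen = [System.Collections.Generic.HashSet[string]]::new(
            [System.StringComparer]::OrdinalIgnoreCase)
    }
    $common = @{ ErrorAction = 'Stop' }
    if ($Server) { $common.Server = $Server }

    $group = Get-ADGroup -Identity $Identity -Properties member @common
    foreach ($dn in $group.member) {
        if (-not $Seen.Add($dn)) { continue }   # already visited: stops circular nesting
        try {
            $obj = Get-ADObject -Identity $dn -Properties samAccountName, objectSid @common
        } catch {
            # The DN could not be read from this server (for example, the object
            # lives in another domain). Report it instead of aborting the whole run.
            [pscustomobject]@{ DistinguishedName = $dn; ObjectClass = 'unresolved'
                               SamAccountName = $null; Sid = $null }
            continue
        }
        if ($obj.ObjectClass -eq 'group') {
            # Recurse into the nested group, reusing the visited set
            Get-NestedGroupMember -Identity $dn -Server $Server -Seen $Seen
        } else {
            # Users, computers, and foreignSecurityPrincipal placeholders for
            # members from trusted forests (those carry only a SID locally)
            [pscustomobject]@{ DistinguishedName = $obj.DistinguishedName
                               ObjectClass       = $obj.ObjectClass
                               SamAccountName    = $obj.samAccountName
                               Sid               = $obj.objectSid }
        }
    }
}

# Usage, with a constructed group name:
# Get-NestedGroupMember -Identity 'ADGroupName' | Format-Table -AutoSize
```

Members from a trusted forest come back with ObjectClass foreignSecurityPrincipal and a SID rather than a name; resolving that SID requires a query against the trusted domain.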
Answer 1 (score: 0)
I also ran into the same error when running a recursive query with Get-ADGroupMember.
+ FullyQualifiedErrorId : ActiveDirectoryServer:8224,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember
In the end I found that the RODC was the culprit, and I solved the problem this way:
$UList = Get-ADGroupMember -Server DontUseReadOnlyDomainController -Identity 'ADGroupName' -Recursive
foreach ($user in $UList)
{
    Write-Host $user.SamAccountName $user.distinguishedName
}
My environment consists of multiple domains with domain trusts.