Windows 8.1 RSAT PowerShell Cmdlets Get-ADUser & Get-ADComputer : One or more Properties are Invalid

I saw a tweet yesterday from Chris Duck about a PowerShell version 4.0 bug:


Here’s a link to the Connect Bug on this particular issue.

The issue occurs when you try to use the Get-ADUser or Get-ADComputer cmdlets along with specifying the Properties parameter with the asterisk “*” wildcard character to select all of the properties.

The issue does not occur when the client is running Windows 8.1 with the RSAT tools installed and the Active Directory domain controllers are running Windows Server 2012 R2:


The Active Directory domain in this environment is running schema version 69:


I can confirm that the issue occurs when the client is running Windows 8.1 with the RSAT tools installed and the domain controllers are running Windows Server 2008 R2:


Get-ADUser : One or more properties are invalid.
Parameter name: msDS-AssignedAuthNPolicy
At line:1 char:1
+ Get-ADUser jdoe -Properties *
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (jdoe:ADUser) [Get-ADUser], ArgumentException
+ FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.ArgumentException,Microsoft.ActiveDirectory.Management.Commands.GetADUser

A similar error is returned when attempting to select all properties with the Get-ADComputer cmdlet:

Get-ADComputer : One or more properties are invalid.
Parameter name: msDS-AssignedAuthNPolicy
At line:1 char:1
+ Get-ADComputer pc01 -Properties *
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (pc01:ADComputer) [Get-ADComputer], ArgumentException
+ FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.ArgumentException,Microsoft.ActiveDirectory.Management.Commands.GetADComputer

The Active Directory domain in the environment where I’m encountering these problems is running schema version 47:


Let’s use PowerShell to troubleshoot this problem. I’ll first grab a list of all of the property names from the environment where the command completes successfully:


I’ll now massage the data a little, then iterate through the collection of property names and return a list of the ones where the command fails in the environment with the problem:

Note: I have the PowerShell Community Extensions module installed on the machine I’m demonstrating the following example on:


You could also use the .NET Framework to access the clipboard if you’re unable to load third party modules due to policies and/or restrictions that are outside of your control:


As you can see in the results from the previous example, the command errors out on the AuthenticationPolicy and AuthenticationPolicySilo properties. The last element in the array is empty, which is why there’s an extra warning at the end with no property name. The Get-ADComputer cmdlet has issues with the same two properties, but also has an issue with the msDS-GenerationId property.

You might be wondering why I’m using the clipboard in the first place? One of these environments is running on a private network so there’s no network access to it.
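
The comparison described above can be scripted as follows. This is an added example, not the code from the original post: the function names Get-ADUserPropertyName and Test-ADUserProperty are hypothetical, jdoe is the sample account from the error output above, and the clipboard is accessed through the .NET Framework rather than a third-party module.

```powershell
Import-Module ActiveDirectory
# .NET clipboard access; needs a single-threaded apartment host,
# which is the default for the PowerShell 3.0+ console.
Add-Type -AssemblyName System.Windows.Forms

# Step 1 (environment where -Properties * works):
# return every property name the cmdlet exposes for the user.
function Get-ADUserPropertyName {
    param([Parameter(Mandatory)][string]$Identity)
    Get-ADUser -Identity $Identity -Properties * |
        Get-Member -MemberType Property |
        Select-Object -ExpandProperty Name
}

# Step 2 (environment where -Properties * fails):
# request each property on its own and report the ones that are rejected.
function Test-ADUserProperty {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][string[]]$PropertyName
    )
    foreach ($name in $PropertyName) {
        try {
            $null = Get-ADUser -Identity $Identity -Properties $name -ErrorAction Stop
        }
        catch {
            # One object per failing property, with the cmdlet's own message.
            [pscustomobject]@{ Property = $name; Error = $_.Exception.Message }
        }
    }
}

# In the working environment: copy the names to the clipboard.
#   [System.Windows.Forms.Clipboard]::SetText(
#       (Get-ADUserPropertyName -Identity jdoe) -join "`r`n")
#
# In the failing environment: read them back, drop the empty trailing
# element left by the final line break, then test each name.
#   $names = [System.Windows.Forms.Clipboard]::GetText() -split '\r?\n' |
#       Where-Object { $_.Trim() }
#   Test-ADUserProperty -Identity jdoe -PropertyName $names
```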

Now I’ll jump over to the environment that’s running Windows Server 2008 R2 on its domain controllers and get a list of the property names:


Notice that the two property names that are causing the errors don’t exist, so it appears that there are some new properties for an Active Directory user in a domain running 2012 R2 that the Windows 8.1 RSAT tools are looking for that don’t exist on older domain controllers. In my opinion, there would need to be a check to see if you’re running version X or higher, then select these properties; otherwise select the legacy list of properties.

In the meantime, you can use implicit remoting to work around this issue. Here’s a blog article, “Use PowerShell to Create Active Directory User Accounts from Data Contained in the Adventure Works 2012 Database”, where I used implicit remoting if you’re interested in exploring that option.

µ

2 Comments

  1. _Emin_

    Hi Mike,

    Richard Siddaway has identified a workaround:
    http://richardspowershellblog.wordpress.com/2013/11/06/get-aduser-issue/

    Do you also have the issue when you use core cmdlets in the AD drive?

  2. Jared

    I know this is an older blog but the hotfix release for this exact issue is here:
    http://support.microsoft.com/kb/2923122/en-us
    thanks.

