Windows 8.1 RSAT PowerShell Cmdlets Get-ADUser & Get-ADComputer : One or more Properties are Invalid

I saw a tweet yesterday from Chris Duck about a PowerShell version 4.0 bug:

The issue occurs when you try to use the Get-ADUser or Get-ADComputer cmdlets along with specifying the Properties parameter with the asterisk “*” wildcard character to select all of the properties.

There is no issue when the client is running Windows 8.1 with the RSAT tools installed and the Active Directory domain controllers are running Windows Server 2012 R2:

Get-ADUser jasonh -Properties *

The Active Directory domain in this environment is running schema version 69:

Get-ADObject -Identity "cn=Schema,cn=Configuration,dc=mikefrobbins,dc=com" -Properties objectVersion | Format-Table objectVersion -AutoSize

I can confirm that the issue occurs when the client is running Windows 8.1 with the RSAT tools installed and the domain controllers are running Windows Server 2008 R2:

Get-ADUser jdoe -Properties *

Get-ADUser : One or more properties are invalid.
Parameter name: msDS-AssignedAuthNPolicy
At line:1 char:1
+ Get-ADUser jdoe -Properties *
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (jdoe:ADUser) [Get-ADUser], ArgumentException
+ FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.ArgumentException,Microsoft.ActiveDirectory.Management.Commands.GetADUser

A similar error is returned when attempting to select all properties with the Get-ADComputer cmdlet:

Parameter name: msDS-AssignedAuthNPolicy
At line:1 char:1
+ Get-ADComputer pc01 -Properties *
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (pc01:ADComputer) [Get-ADComputer], ArgumentException
+ FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.ArgumentException,Microsoft.ActiveDirectory.Management.Commands.GetADComputer

The Active Directory domain in the environment where I’m encountering these problems is running schema version 47:

Get-ADObject -Identity "cn=Schema,cn=Configuration,dc=mikefrobbins,dc=local" -Properties objectVersion | Format-Table objectVersion -AutoSize

Let’s use PowerShell to troubleshoot this problem. I’ll first grab a list of all of the property names from the environment where the command completes successfully:

Get-ADUser jasonh -Properties * | Select-Object -ExpandProperty PropertyNames | clip.exe

I’ll now massage the data a little, then iterate through the collection of property names and return a list of the ones where the command fails in the environment with the problem:

Note: I have the PowerShell Community Extensions module installed on the machine I’m demonstrating the following example on:

$properties = (Get-Clipboard) -split "`r`n"

foreach ($property in $properties) {
    try {
        Get-ADUser jdoe -Properties $property -ErrorAction Stop | Out-Null
    }
    catch {
        Write-Warning "Error Accessing Property: $property"
    }
}

You could also use the .NET Framework to access the clipboard if you’re unable to load third party modules due to policies and/or restrictions that are outside of your control:

Add-Type -Assembly PresentationCore
$properties = ([Windows.Clipboard]::GetText()) -split "`r`n"

foreach ($property in $properties) {
    try {
        Get-ADUser jdoe -Properties $property -ErrorAction Stop | Out-Null
    }
    catch {
        Write-Warning "Error Accessing Property: $property"
    }
}

As you can see in the results from the previous example, the command errors out on the AuthenticationPolicy and AuthenticationPolicySilo properties. The last element in the array is empty which is why there’s an extra warning at the end with no property name. The Get-ADComputer cmdlet has issues with the same two properties, but also has an issue with the msDS-GenerationId property.

You might be wondering why I’m using the clipboard in the first place? One of these environments is running on a private network so there’s no network access to it.

Now I’ll jump over to the environment that’s running Windows Server 2008 R2 on its domain controllers and get a list of the property names:

Get-ADUser jdoe -Properties * | Select-Object -ExpandProperty PropertyNames

Notice that the two property names that are causing the errors don’t exist, so it appears that there are some new properties for an Active Directory user in a domain running 2012 R2 that the Windows 8.1 RSAT tools are looking for that don’t exist on older domain controllers. In my opinion, there would need to be a check to see if you’re running version X or higher, then select these properties; otherwise select the legacy list of properties.

In the meantime, you can use implicit remoting to work around this issue. Here’s a blog article, “Use PowerShell to Create Active Directory User Accounts from Data Contained in the Adventure Works 2012 Database”, where I used implicit remoting if you’re interested in exploring that option.
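
A second stopgap that stays on the Windows 8.1 client, as an added example that is not part of the original post: probe the candidate property names against the target domain, then query with the explicit list that survived instead of the * wildcard. The function name Get-ADUserWithValidProperty and its parameters are hypothetical; it issues one query per property, so it suits troubleshooting rather than bulk use.

```powershell
# Added example; the function and parameter names are hypothetical.
function Get-ADUserWithValidProperty {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)]
        [string]$Identity,

        # Candidate names, e.g. the PropertyNames list copied from the working domain
        [Parameter(Mandatory)]
        [AllowEmptyString()]
        [string[]]$Property
    )

    # Fail early if the account itself cannot be read, so that a bad identity
    # is not mistaken for a long list of invalid properties.
    $user = Get-ADUser -Identity $Identity -ErrorAction Stop

    # Drop blank entries (the trailing empty element left by -split) and duplicates.
    $candidates = $Property |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ } |
        Select-Object -Unique

    # Probe one property per query and keep only the names this domain accepts.
    $valid = New-Object 'System.Collections.Generic.List[string]'
    foreach ($name in $candidates) {
        try {
            Get-ADUser -Identity $Identity -Properties $name -ErrorAction Stop | Out-Null
            $valid.Add($name)
        }
        catch {
            Write-Warning "Skipping property rejected by this domain: $name"
        }
    }

    if ($valid.Count -eq 0) { return $user }

    # One final query with the explicit, validated list instead of the * wildcard.
    Get-ADUser -Identity $Identity -Properties $valid.ToArray() -ErrorAction Stop
}

# Usage, with the clipboard contents gathered as in the .NET example above:
# Add-Type -Assembly PresentationCore
# $names = [Windows.Clipboard]::GetText() -split "`r`n"
# Get-ADUserWithValidProperty -Identity jdoe -Property $names
```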
