Question
Wednesday, December 11, 2013 2:38 PM
Hi All,
I am trying to run the following query:
get-adgroup -Filter * -SearchBase "OU=Test,dc=domain,dc=com" | get-adgroupmember | get-aduser -Properties * | Select Name,postalCode
and get the following error: Get-ADUser : A referral was returned from the server
Test OU contains Universal Distribution Groups with members from different domains in the same forest.
So I've figured running against GC server should fix it but I've hit a limitation:
get-adgroup -Server dcgc01.domain.com:3268 -Filter * -SearchBase "OU=Test,dc=domain,dc=com" | get-adgroupmember | get-aduser -Properties * | Select Name,postalCode
and got the following error: Get-ADGroupMember : The operation is not supported on Global Catalog port.
It's Server 2008R2 with PS version 2
Thank you,
Naz
All replies (5)
Thursday, December 12, 2013 5:46 PM ✅ Answered | 3 votes
Not being able to control referral chasing behavior is my biggest gripe with the AD module right now. If you're in a multi-domain environment, you may find it better to either use the Quest cmdlets, or write your own code using the System.DirectoryServices namespace.
In this case, though, I'd just grab the Member attribute of each group, and make individual calls to Get-ADUser in a foreach loop. This sidesteps the problem and allows you to keep using the simpler AD cmdlets:
Get-ADGroup -Properties member -Filter * -SearchBase "OU=Test,dc=domain,dc=com" |
    ForEach-Object {
        $group = $_
        foreach ($dn in $group.member)
        {
            Get-ADUser $dn -Properties Name,postalCode |
                Select-Object Name,postalCode
        }
    }
Or, alternatively:
Get-ADGroup -Properties member -Filter * -SearchBase "OU=Test,dc=domain,dc=com" |
    Select-Object -ExpandProperty member |
    ForEach-Object {
        $dn = $_
        Get-ADUser $dn -Properties Name,postalCode |
            Select-Object Name,postalCode
    }
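A per-domain variant of the loop in the answer above, added here as an example and not part of the original reply: it derives each member's domain from its distinguished name and passes that to -Server, so each lookup goes to a domain controller that holds the object. Get-DomainFromDN is a hypothetical helper; the code assumes a reachable domain controller in every member domain and keeps to PowerShell 2.0 syntax.

```powershell
Import-Module ActiveDirectory

# Hypothetical helper: derive the DNS domain name from a distinguished name,
# e.g. "CN=Smith\, Jo,OU=Staff,DC=child,DC=domain,DC=com" -> "child.domain.com".
function Get-DomainFromDN {
    param([string]$DistinguishedName)
    # Split on commas that are not backslash-escaped inside an RDN value.
    $parts = [regex]::Split($DistinguishedName, '(?<!\\),')
    $dc = @($parts | Where-Object { $_ -match '^\s*DC=' } |
        ForEach-Object { ($_ -replace '^\s*DC=', '').Trim() })
    if ($dc.Count -eq 0) { throw "No DC= components in '$DistinguishedName'" }
    $dc -join '.'
}

$searchBase = 'OU=Test,dc=domain,dc=com'   # search base from the question

Get-ADGroup -Properties member -Filter * -SearchBase $searchBase |
    ForEach-Object {
        $group = $_
        foreach ($dn in $group.member) {
            try {
                $domain = Get-DomainFromDN $dn
                # Query the member's own domain, so no referral has to be chased.
                $user = Get-ADUser -Identity $dn -Server $domain `
                    -Properties postalCode -ErrorAction Stop
                New-Object PSObject -Property @{
                    Group      = $group.Name
                    Domain     = $domain
                    Name       = $user.Name
                    postalCode = $user.postalCode
                }
            }
            catch {
                # Non-user members (contacts, nested groups) and unreachable
                # domains are reported here instead of aborting the whole run.
                Write-Warning "Skipped '$dn' in '$($group.Name)': $($_.Exception.Message)"
            }
        }
    } | Select-Object Group, Domain, Name, postalCode
```

The warnings give a list of members that could not be resolved as users, which is worth reviewing when the output feeds an access or membership audit.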
Wednesday, December 11, 2013 3:56 PM
Have you tried the Global Catalog server on the Get-ADUser cmdlet? As the error specified, the group contained users in different domains, not groups. Also, you could have a possible failure if the members of a group are a group itself; piping directly over to get-aduser would result in an error.
If you find that my post has answered your question, please mark it as the answer. If you find my post to be helpful in any way, please click vote as helpful.
Thursday, December 12, 2013 4:12 PM
Not 100% sure what you mean by GC on Get-ADUser. So in my case such as this:
get-adgroup -Filter * -SearchBase "OU=Test,dc=domain,dc=com" | get-adgroupmember | get-aduser -Server dcgc01.domain.com:3268 -Properties * | Select Name,postalCode
I get the following error:
Get-ADGroup : The supplied distinguishedName must belong to one of the following partition(s): 'DC=domain,DC=com , CN=Configuration,DC=domain,DC=com , CN=Schema,CN=Configuration,DC=wajax,DC=com , DC=ForestDnsZones,DC=domain,DC=com , DC=DomainDnsZones,DC=domain,DC=com'.
These groups are not nested and only contain user accounts from different domains in the same forest.
It can be accomplished using Quest modules, such as this:
Get-QADGroup -SearchRoot "OU=Test,dc=domain,dc=com" | Get-QADGroupMember | Select Name,postalCode
But it doesn't work with ActiveDirectory module.
Saturday, December 14, 2013 3:44 PM
Tons of thanks. I suspected it was something to do with ActiveDirectory module. Hopefully it will be fixed in later releases of PS.
Thursday, March 8, 2018 8:33 PM
Hi nsnidanko,
I am still facing the same issue.