PowerShell error with Get-ADUser user -Properties *

After upgrading some of our servers to Server 2012 R2, we’ve discovered a bug in the PowerShell 4.0 Get-ADUser cmdlet. When running the command Get-ADUser username -Properties *, the cmdlet returns the following error:

Get-ADUser : One or more properties are invalid.
Parameter name: msDS-AssignedAuthNPolicy
At line:1 char:1
+ Get-ADUser username -Properties *
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : InvalidArgument: (username:ADUser) [Get-ADUser], ArgumentException
+ FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.ArgumentException,Microsoft.ActiveDirectory.Management.Comm
ands.GetADUser

Mike F Robbins researched the error in the following blog post, and determined that the issue occurs with PowerShell 4.0 run against Server 2008 R2 domain controllers. The issue is that two attributes, AuthenticationPolicy and AuthenticationPolicySilo, exist in a Server 2012 R2 Active Directory but do not exist in a Server 2008 R2 Active Directory. The Server 2012 R2 RSAT tools expect the attributes to exist in both environments, so an error is returned in the Server 2008 R2 Active Directory environment.

http://mikefrobbins.com/2013/11/07/windows-8-1-rsat-powershell-cmdlets-get-aduser-get-adcomputer-one-or-more-properties-are-invalid/

As Mike points out, a good workaround is to use PowerShell implicit remoting to process the commands on the domain controllers themselves. However, in the meantime I’m able to process the command from other downlevel OS machines, which is fine in my case for now.

I’ve submitted the case to Microsoft Premier who has confirmed the bug and escalated to the Platforms Team. I’ll post updates here as I get them.

About Tommy Doan

BF-ITS(Systems)
This entry was posted in Uncategorized and tagged , . Bookmark the permalink.

3 Responses to PowerShell error with Get-ADUser user -Properties *

  1. chuy says:

    you need to do this:
    get-aduser USERNAME | get-adobject -properties *

    It might not have all the properties but it will help you.

    chuy

  2. Tommy Doan says:

    To follow up on the issue, Microsoft acknowledged the problem occurs when the Active Directory domain functional level is Server 2008 R2 and the PowerShell version is 4.0. The debugging team confirmed this is a bug with PowerShell 4.0 due to the different between the Active Directory schema the client expects and the actual schema on Server 2008 R2 DCs.
    Microsoft requested a business impact statement, but I chose to not provide one since I can’t really claim any impact on the business. The engineer stated that the bug is likely to be fixed in the next PowerShell release.

  3. Tommy Doan says:

    As a final follow up, Microsoft released Hotfix KB2923122 in March 2014 to correct this problem, and I have confirmed the fix works on my Server 2012 R2 machine in a Server 2008 R2 domain.
    The hotfix is included in “Update 1″ for Server 2012 R2 and Windows 8.1. Details about Update 1 are here:
    http://support.microsoft.com/kb/2928680

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>