I reported in this post https://richardspowershellblog.wordpress.com/2013/11/06/get-aduser-issue/ an issue with Get-ADUser under PowerShell 4.0 on Windows 8.1/2012 R2 where using -Properties * caused a failure.
I had a comment that this is schema related and a schema upgrade fixes the problem.
My starting point is a Windows 2012 domain
£> Get-ADDomain | ft DomainMode -a
DomainMode
----------
Windows2012Domain
And I have schema version 56
On a Windows 2012 R2 member server I try Get-ADUser
£> Get-ADUser -Identity richard -Properties *
Get-ADUser : One or more properties are invalid.
Parameter name: msDS-AssignedAuthNPolicy
At line:1 char:1
+ Get-ADUser -Identity richard -Properties *
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (richard:ADUser) [Get-ADUser], ArgumentException
+ FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.ArgumentException,Microsoft.ActiveDirectory.Management.Commands.GetADUser
Now let's try the schema upgrade. It looks like it goes to version 69, which is quite a big upgrade. Once the upgrade has been performed, let the schema replication occur and reboot the Windows 2012 R2 member server just to make sure nothing is cached that could affect the result.
Now to re-try Get-ADUser
Get-ADUser -Identity richard -Properties *
Get-ADUser -Identity richard -Property *
Both work – we have a winner. If you are seeing this problem the answer is to upgrade your schema. You don’t need to upgrade the Domain Controllers just the schema.
It's a bit naughty that this happens. I don't remember similar problems putting a Windows 8/2012 machine with PowerShell 3.0 into a Windows 2008 R2 domain.
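To check whether a forest is affected before running Get-ADUser with -Properties *, the following added example (not code from the original post) reads the schema version and tests for the msDS-AssignedAuthNPolicy attribute named in the error. The function names and the fallback property list are hypothetical, and the fallback assumes the failure is triggered only by the wildcard, which the post does not test.

```powershell
# Added example, not from the original post. Needs the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-ADSchemaVersion {
    # objectVersion on the schema naming context is the schema version
    # (56 before the upgrade in the post, 69 after it).
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    (Get-ADObject -Identity $schemaNC -Properties objectVersion).objectVersion
}

function Test-ADSchemaAttribute {
    # Returns $true when the forest schema defines an attribute with this lDAPDisplayName.
    param(
        [Parameter(Mandatory)]
        [ValidatePattern('^[A-Za-z0-9-]+$')]   # keep LDAP filter metacharacters out
        [string]$LdapDisplayName
    )
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $filter   = "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))"
    [bool](Get-ADObject -SearchBase $schemaNC -LDAPFilter $filter)
}

function Get-ADUserSafe {
    # Hypothetical wrapper: use the wildcard only when the schema has the attribute
    # from the error message; otherwise request a named set of properties.
    param(
        [Parameter(Mandatory)][string]$Identity,
        # Assumed list; adjust to the properties you actually need.
        [string[]]$FallbackProperties = @('AccountExpirationDate', 'Created',
                                          'LastLogonDate', 'PasswordLastSet', 'MemberOf')
    )
    if (Test-ADSchemaAttribute -LdapDisplayName 'msDS-AssignedAuthNPolicy') {
        Get-ADUser -Identity $Identity -Properties *
    }
    else {
        Write-Warning ("Schema version {0} has no msDS-AssignedAuthNPolicy; " +
                       "returning named properties only." -f (Get-ADSchemaVersion))
        Get-ADUser -Identity $Identity -Properties $FallbackProperties
    }
}

"Schema version: $(Get-ADSchemaVersion)"
Get-ADUserSafe -Identity richard
```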
Thanks Richard. I’m not going to be allowed to do a schema upgrade at the moment as this is a major infrastructure change. Is there a workaround or another solution? I want to be able to run these commands.
Only way I know to work around is
Get-AdUser -id XX | Get-AdObject -properties *
Thanks Richard. I’ve seen that one. Trouble is, it doesn’t return all the AD account properties, e.g., AccountExpirationDate, Created. This is a bug. We’ll see if Microsoft provide a fix but of course I won’t hold my breath.
If you run the command from a Windows Server 2008 R2 Server, it does not give you the error.
It was explicitly stated that it's a PowerShell v4 issue.