Adaxes

Get-admPrincipalGroupMembership doesn't work

0 votes

Hello,

I'm trying to write a simple powershell script to check if a user is a member of one of two groups and output a true value if the user is a member of either group so I can use it with a scheduled task.

In order to do this I think I need to use the Adaxes cmdlet Get-admPrincipalGroupMembership to get the groups the user is a member of.

If I enter this command in the default PS ISE as well as the Adaxes Module:

Get-AdmPrincipalGroupMembership -AdaxesService Adaxes.domain.com -Identity "CN=testuser,OU=TestAccounts,OU=Users,OU=Shared,DC=domain,DC=com"

I get this error:

Get-AdmPrincipalGroupMembership : Can't find an object with identity 'CN=testuser,OU=TestAccounts,OU=Users,OU=Shared,DC=domain,DC=com'.
At line:1 char:1
+ Get-AdmPrincipalGroupMembership -AdaxesService Adaxes.domain.com -Identity " ...
+ ~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Get-AdmPrincipalGroupMembership], IdentityResolvingException
+ FullyQualifiedErrorId : Softerra:Adaxes:PowerShellModule:Commands:GetAdmPrincipalGroupMembershipCommandExecutor:ProcessRecord:ResolveIdentity,Softerra.Adaxes.PowerShellModule.Commands.GetAdmPrincipalGroupMembershipCommand

When I run the built in Get-ADPrincipalGroupMembership looking for the same user with this command:

Get-ADPrincipalGroupMembership -Identity "CN=testuser,OU=TestAccounts,OU=Users,OU=Shared,DC=domain,DC=com"

I get back a list of the test users groups as I would expect.

What am doing wrong with the Adaxes cmdlet? Do I need to use that in my PS scripts intended to be run as Adaxes scheduled tasks or can I use the default Powershell cmdlets instead?

by (810 points)

1 Answer

0 votes
by (216k points)
selected by
Best answer

Hello,

When calling the cmdlet, you pass the -AdaxesService parameter, which means that the operation is performed via Adaxes service.

Get-AdmPrincipalGroupMembership -AdaxesService Adaxes.domain.com -Identity "CN=testuser,OU=TestAccounts,OU=Users,OU=Shared,DC=domain,DC=com"

Judging by the error message, you didn't specify a correct fully qualified domain name (FQDN) of your service and used the name specified in our SDK example:
At line:1 char:1
+ Get-AdmPrincipalGroupMembership -AdaxesService Adaxes.domain.com -Identity " ...

To remedy the issue, specify the correct fully qualified domain name (FQDN) of the computer where Adaxes service is installed.

0

Good Morning,

I removed the actual FQDN of my Adaxes services server from my example. The FQDN is specified correctly in the actual command I'm testing. I'll check for typos in the actual command.

EDIT: I just verified the FQDN is correct in the command. I can ping and resolve the hostname without issues, I even get the same error if I run it from the Adaxes server and use -AdaxesService localhost. If I specify a non existent hostname for the -AdaxesService parameter I get a different error:

Get-AdmPrincipalGroupMembership : Failed to obtain information about the service.

If you look at the error I posted it looks like it's saying it can't find the object.

Can't find an object with identity 'CN=testuser,OU=TestAccounts,OU=Users,OU=Shared,DC=domain,DC=com'

I've tried specifying the DN of the object as well as the SamAccountname for -Identity. I get the same error for both of them. However using the built in get-ADPrincipalGroupMembership I can specify the same DN or Samaccountname for -identity and it finds the object without issue.

by (810 points)
0

Then, the reason for the issue is that you don't have sufficient permissions to view the user account in AD. The thing is that when you specify the -AdaxesService parameter, all operations are executed via Adaxes service. This means, in particular, that permissions granted via Adaxes Security Roles are also applied. To remedy the issue, you need to update the Security Roles assigned to you to grant you permissions to view the account.

by (216k points)
0

Thanks! I knew I was missing something!

by (810 points)

Related questions

0 votes
1 answer
Get-AdmPrincipalGroupMembership doesn't work

Get-AdmPrincipalGroupMembership always throws an exception, even for users which absolutely exist (eg: piped ... :Commands:GetAdmPrincipalGroupMembershipCommand:ProcessRecord,Softerra.Adaxes.PowerShellModule.Commands.GetAdmPrincipalGroupMembershipCommand

asked May 4, 2023 by Viajaz (210 points)
0 votes
1 answer
Adaxes module doesnt work as intended?

Hi im using following power shell script to create a security group in AD. Import-Module Adaxes New-AdmGroup -Name "L-Admin_%fullname%" -Path "OU=Local Admins,OU=99X Oslo,DC ... the available functions to do this. hoping for a quick response. Thanks alot. :)

asked Feb 22, 2018 by ashensha (50 points)
0 votes
0 answers
Outlook 2013 client doesnt work when copying a user.

When we copy a user to create a new user within Adaxes. The new user is not able to outlook client. The error message is "The connection to Microsoft Exchange is ... rule to create the exchange accounts in both situations. What might be causing this issue?

asked Apr 9, 2015 by ollonw (20 points)
0 votes
1 answer
Get-AdmPrincipalGroupMembership and Azure groups

Hi I'm trying to set up a process where when a user (on prem) is added to an Azure group, they are removed from some conflicting groups automatically. When ... $group -Members $user -Server "domain.onmicrosoft.com" -AdaxesService localhost } } Thanks Matt

asked Mar 2, 2023 by chappers77 (2.0k points)
0 votes
1 answer
Using Get-ADMGroup doesn't find all the groups in all the registered domains.

I'm learning how to use the Adaxes powershell commands. I've tried searching for a group and that fails to find anything but the local domain. ... one domain. Get-AdmGroup -AdaxesService ADAXES01.domain.com -Credential $myCredentials -Identity Administrators

asked Jul 29, 2020 by ComputerHabit (790 points)
3,549 questions
3,240 answers
8,232 comments
547,814 users