PowerShell throws error with Get-ADPrincipalGroupMembership
Hoping someone may be able to help with the below error I get when running a PowerShell script I created. It worked fine before with no issues.

"The Operation being Requested was not performed because the user has not been authenticated."

So the account is permissioned fine and I can run various commands fine in PS. The script works fine on another user's machine with no issues. I can get around the error with the -ResourceContextServer parameter, but this is not ideal, as this is part of a GUI which will look at another domain on top of Domain A. So if I use that, it will not search Domain B when prompted.

Google has given me little insight, although I found one thing which I tried, and it worked for a period, then I get the same again:

$PSDefaultParameterValues.Add('Get-ADPrincipalGroupMembership:Server',"$((Get-ADDomain).PDCEmulator)")

The command that is causing the issues is Get-ADPrincipalGroupMembership; running it in PS on its own I get the same. Running other commands is fine with no issues.

Anyone else seen this and have a solution? It is making things hard when I want to update the script and test it.

Thanks

Soldiery answered 30/10, 2020 at 10:51 Comment(6)
Are you running as admin, or is UAC disabled? – Alternant
Some confirmation but no solution. I can reproduce this as a permissioned user, Adm on the server (lesser privileged account) with UAC disabled. I get the error even when manually specifying -Server and even when directing to a non-PDCe, regardless of the default for -Server. With my Dom Adm account, I can reproduce when specified through $PSDefaultParameterValues and manually specifying -Server, but not when manually specifying a non-PDCe server. It doesn't seem to happen with other AD cmdlets either. – Vtehsta
UAC is enabled. It's the same when running as admin and not. @Vtehsta yes, other AD commands are fine, just this one. It's a weird one. I thought adding the default params fixed it, but it's come back... Not sure why. Other users are fine and can run the script fine. Seems like some bug looking on Google, but nothing definitive. I don't really want to specify the -ResourceContextServer for this, as it can be used via a button to pull from another domain. The only other thing I can think of that's changed was I added some extra logging and error abilities, but tests on other machines work. – Soldiery
Might be a red herring, but you say you're trying to run Get-ADPrincipleGroupMembership, but it's Get-ADPrincipalGroupMembership. – Delusion
I think you might also be after something more like '(Get-ADPrincipalGroupMembership -Server $servername)' instead of 'Get-ADPrincipalGroupMembership:Server'. – Delusion
@Delusion First point was a typo :) I changed that. I will try the second. But that will restrict it to one domain. This will work with two domains, so the above, when testing, allowed both to work. For some reason I keep getting that error on and off. After a few days it's fine for a few, then reverts. The only link I can find is that when it changes domains then reverts, it produces that. Other users who tested don't get this. – Soldiery
This problem happens if you have disabled account delegation on your admin account, which is a security best practice. It means your user account credentials cannot be forwarded to a second computer. When I run
Set-ADUser joe.bloggs -AccountNotDelegated $false
then the Get-ADPrincipalGroupMembership cmd works fine. If set to $true, then I get the user not authenticated error.
You've got the workaround, which is to use -ResourceContextServer.

Lavonda answered 6/12, 2021 at 23:10 Comment(0)
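The delegation point in the answer above, as an added example that is not code from the original answer or from any of the posters: it checks whether the calling account carries the AccountNotDelegated flag ("Account is sensitive and cannot be delegated"), then runs Get-ADPrincipalGroupMembership with both -Server and -ResourceContextServer pinned to a DC discovered per domain, so the second hop the cmdlet would otherwise make is not needed and the admin account can keep its delegation protection. The function names, the user joe.bloggs and the domain domainb.example are placeholders; that the cross-domain form (user in Domain A, groups in Domain B) also succeeds with delegation disabled is an assumption to verify in your own forest.

```powershell
# Added example, not code from the question or any answer on this page.
# Assumes the ActiveDirectory module is installed and that the caller can reach a
# writable DC in each domain named. Function, user and domain names are placeholders.
Import-Module ActiveDirectory

function Test-CallerDelegation {
    # Reports whether the account running this session has AccountNotDelegated set.
    # With that flag, the DC you query cannot forward your credentials to the
    # resource context server, which is the second hop Get-ADPrincipalGroupMembership makes.
    param([string] $SamAccountName = $env:USERNAME)

    $acct = Get-ADUser -Identity $SamAccountName -Properties AccountNotDelegated
    [pscustomobject]@{
        Account             = $acct.SamAccountName
        AccountNotDelegated = [bool]$acct.AccountNotDelegated
    }
}

function Get-PinnedGroupMembership {
    # Pins the directory server and the resource context server explicitly, so the
    # lookup is a single hop. $UserDomain is where the principal lives (Domain A);
    # $GroupDomain is the domain whose groups you want listed (Domain A or Domain B).
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [string] $UserDomain  = (Get-ADDomain).DNSRoot,
        [string] $GroupDomain = $UserDomain
    )

    # Discover a writable DC in each domain instead of hard-coding "dc01".
    $userDc  = (Get-ADDomainController -DomainName $UserDomain  -Discover -Writable).HostName | Select-Object -First 1
    $groupDc = (Get-ADDomainController -DomainName $GroupDomain -Discover -Writable).HostName | Select-Object -First 1

    Get-ADPrincipalGroupMembership -Identity $Identity `
        -Server $userDc -ResourceContextServer $groupDc -ErrorAction Stop |
        Select-Object Name, GroupScope, DistinguishedName,
            @{ Name = 'QueriedDC'; Expression = { $userDc } },
            @{ Name = 'ResourceDC'; Expression = { $groupDc } }
}

# Usage with placeholder names.
$status = Test-CallerDelegation
if ($status.AccountNotDelegated) {
    Write-Warning "$($status.Account) is marked not-delegatable; keep the flag and pin the DCs instead of clearing it."
}
Get-PinnedGroupMembership -Identity 'joe.bloggs'                                  # groups in Domain A
Get-PinnedGroupMembership -Identity 'joe.bloggs' -GroupDomain 'domainb.example'   # groups in Domain B
```

Clearing AccountNotDelegated on an admin account to make one cmdlet work lets any host that account logs on to forward its credentials onward, which is exactly what the flag exists to prevent; pinning the servers is the smaller change and is what the GUI button for Domain B can pass in.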
This is one method to get it to work. If you're requesting credentials at some point, you could use the same $Creds variable multiple times, and this does work:

$username = 'TheUserToFindGroups'
$OperatorUsername = 'YourOperatorOrScriptUsername'
$Creds = Get-Credential -Credential $OperatorUsername
Get-ADPrincipalGroupMembership $username -Credential $Creds | Get-ADGroup -Properties * | Select-Object Name

It'll authenticate and run against the currently connected DC (I've tried it; specifying -Server for DC1 works, but DC2 and DC3 don't).

Two alternative ways, which I probably prefer anyway, get the MemberOf field from Get-ADUser. In my testing, it gets all groups apart from Domain Users.

Get-ADUser $username -Properties MemberOf | Select-Object -ExpandProperty MemberOf | Get-ADGroup | Select-Object Name

and

foreach ($Group in (Get-ADUser $username -Properties MemberOf | Select-Object -ExpandProperty MemberOf)) { Write-Host (($Group.Split(",")[0]).Split("=")[1]) }

They are both faster than Get-ADPrincipalGroupMembership, but the first is a lot cleaner (even if it will be more intensive on the DC).

Brion answered 15/11, 2022 at 19:28 Comment(1)
FYI, your script defines $OperatorUser but uses $OperatorUsername. – Excelsior
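An added example, mine rather than the answer's code, that builds on the MemberOf alternative above and on the observation that Domain Users is missing from it: memberOf never contains the primary group, because primary membership is recorded in the user's primaryGroupID rather than in the group's member attribute, so the function adds the PrimaryGroup property back in. It also resolves each DN with Get-ADGroup instead of splitting on "," and "=", which returns the wrong name for a group whose CN contains an escaped comma. The function name and the user joe.bloggs are placeholders.

```powershell
# Added example, not code from the answer above. Assumes the ActiveDirectory module
# and an account that can read the user and group objects. Names are placeholders.
Import-Module ActiveDirectory

function Get-MemberOfWithPrimaryGroup {
    # Lists direct group memberships from the memberOf attribute plus the primary
    # group (usually Domain Users), which memberOf omits because primary membership
    # is stored in primaryGroupID, not in the group's member attribute.
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [string] $Server          # optional: pin one DC, as the -Server answers do
    )

    $common = @{}
    if ($Server) { $common['Server'] = $Server }

    $user = Get-ADUser -Identity $Identity -Properties MemberOf, PrimaryGroup @common
    $dns  = @($user.MemberOf) + @($user.PrimaryGroup) | Where-Object { $_ }

    # Resolve each DN with Get-ADGroup rather than string-splitting it: a group named
    # "Ops, Night Shift" has the DN "CN=Ops\, Night Shift,OU=...", and splitting on ","
    # then "=" would yield "Ops\". Get-ADGroup also returns scope, category and SID.
    foreach ($dn in $dns) {
        $g = Get-ADGroup -Identity $dn @common
        [pscustomobject]@{
            Name      = $g.Name
            Scope     = $g.GroupScope
            Category  = $g.GroupCategory
            IsPrimary = ($dn -eq $user.PrimaryGroup)
            SID       = $g.SID.Value
        }
    }
}

# Usage with a placeholder user; output is sorted by group name.
Get-MemberOfWithPrimaryGroup -Identity 'joe.bloggs' | Sort-Object Name | Format-Table -AutoSize
```

Like Get-ADPrincipalGroupMembership, this shows direct memberships only; nested membership is not expanded by either approach. The single Get-ADUser read is what makes it independent of the delegation problem: it is one LDAP query to one DC, with no resource context server involved.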
We got this working by re-passing the credential with the call to Get-ADPrincipalGroupMembership. It's a bit painful to re-credential every time, but if you cache the credential it makes it easier.

Amalberga answered 31/5, 2022 at 14:39 Comment(1)
Unfortunately this doesn't work for me. – Periodontics
This worked for me (30.08.22):
Following on from 2ps's solution, explicitly run PowerShell as your domain account (even if already logged in with it...) and run Get-ADPrincipalGroupMembership from there... Disabling delegation made no difference.

Tactician answered 30/8, 2022 at 11:28 Comment(0)
My issue was that I had been logged on for more than 2 days, so my authentication had expired. Logging out and back in solved it.

Linnea answered 26/4, 2023 at 12:10 Comment(0)
The Get-ADPrincipalGroupMembership cmdlet gets the Active Directory groups that have a specified user, computer, group, or service account as a member.

Use this instead; it reads the one user's group membership instead of searching the groups for the user:

Retrieve the user's group memberships:

    $userGroups = Get-ADUser -Identity $username -Properties MemberOf | Select-Object -ExpandProperty MemberOf
    $groupMembers = $userGroups | ForEach-Object { (Get-ADGroup $_).Name }
Whitehorse answered 16/11, 2023 at 8:56 Comment(0)
Ran into this issue on Windows 11, whereas my old Windows 10 machine used to not have this issue when I ran the same script; it's a 'before account termination' script logging group membership before term.

The solution that worked for me was to add the -Server parameter followed by the name of a domain controller.

Working command:

Get-ADPrincipalGroupMembership $uName -Server dc01
Naominaor answered 18/6, 2024 at 18:36 Comment(0)
I use Windows 10 and 11 machines. I run CMD as my domain admin account, then type powershell in the command prompt, then run this cmdlet: Get-ADPrincipalGroupMembership username | Select-Object Name | Sort-Object Name. This works fine on Windows 10. I can specify a domain controller by typing -Server DC02 (or 03, 04, etc.) after the username. Windows 11 doesn't behave this way.

For Win 11, the cmdlet only works if I specify the primary DC with -Server DC01. If I don't specify a server, or specify a different server, I get the authentication error. I've tried using -Credential and have tried getting the credential of my domain admin acct and storing it as a variable, but neither works. It seems the cmdlet Get-ADPrincipalGroupMembership is bugged on Win 11. I've read elsewhere that it's related to account delegation, but it's also a behavior that I've only seen with Win 11. FWIW, I'm also running the 24H2 release preview.

Iloilo answered 7/8, 2024 at 18:1 Comment(0)

© 2022 - 2025 — McMap. All rights reserved.