ADUser, ADComputer and ADDomainController query optimization

Question

ADUser, ADComputer and ADDomainController query optimization

VishnuVardhan SB 1

Hi All,

I am not a PS guru. I am a beginner in Powershell, so the question may be very basic. I am running the below powershell one-line script on our servers through a cron to fetch the list of ADUser objects. On the same server, I am also running seperate scripts to fetch ADComputer and ADDomainController objects too but on a different cron schedule. The scripts works on one set of servers but on few servers it gets timed out with "Invalid enumeration context" error. I read through some forums and I believe this error is because the numbers of objects retrieved is huge which makes the query to timeout. I am aware that this timeout value can be increased but do not want to do so.

Is there a way I can optimize this query using variables, so that it runs quickly.

script = Get-ADUser -Filter * -ResultSetSize $null -Properties AccountExpirationDate, accountExpires, badPasswordTime, Created, createTimeStamp, DisplayName, DistinguishedName, EmailAddress, Enabled, isDeleted, LastBadPasswordAttempt, lastLogon, LastLogonDate, lastLogonTimestamp, Modified, modifyTimeStamp, Name, PasswordExpired, PasswordLastSet, pwdLastSet, SamAccountName, SID, userAccountControl, UserPrincipalName, whenChanged, whenCreated | Select AccountExpirationDate, accountExpires, badPasswordTime, Created, createTimeStamp, DisplayName, DistinguishedName, EmailAddress, Enabled, isDeleted, LastBadPasswordAttempt, lastLogon, LastLogonDate, lastLogonTimestamp, Modified, modifyTimeStamp, Name, PasswordExpired, PasswordLastSet, pwdLastSet, SamAccountName, SID, userAccountControl, UserPrincipalName, whenChanged, whenCreated

Regards,
Vishnu.

Rich Matheisen 47,901 Reputation points

2022-01-07T21:42:40.357+00:00
Are you running your script to query Microsoft 365 or are you using an on-site Active Directory?

If it's M365, try using Get-MsolUser instead of Get-ADUser.

Or partition your search by Organizational Unit, or maybe by searching for a limited set of users, say, by the first letter of their sAMAccountName.

'abcdefghijklmnopqrstuvwxyz' -split "" | ForEach-Object{ Get-ADUser -Filter "samaccountname -like '$_*'" }
VishnuVardhan SB 1 Reputation point

2022-01-10T15:49:03.753+00:00

Hi @Rich Matheisen ,

Thanks for the response. I am using an onsite Active directory. Problem is, the scripr i posted is working fine on many of my domains but throwing "Invalid enumeration context" error only one one domain.

3 answers

Your answer

Rich Matheisen 47,901 Reputation points

2022-01-07T21:42:40.357+00:00

Are you running your script to query Microsoft 365 or are you using an on-site Active Directory?

If it's M365, try using Get-MsolUser instead of Get-ADUser.

Or partition your search by Organizational Unit, or maybe by searching for a limited set of users, say, by the first letter of their sAMAccountName.

'abcdefghijklmnopqrstuvwxyz' -split "" | ForEach-Object{ Get-ADUser -Filter "samaccountname -like '$_*'" }
VishnuVardhan SB 1 Reputation point

2022-01-10T15:49:03.753+00:00

Hi @Rich Matheisen ,

Thanks for the response. I am using an onsite Active directory. Problem is, the scripr i posted is working fine on many of my domains but throwing "Invalid enumeration context" error only one one domain.

Answer 1

Andreas Baumgarten 123.4K MVP Volunteer Moderator

Hi @VishnuVardhan SB ,

how many user objects are in your AD?
One option could be to split the query using different SearchScopes

Get-ADUser -Filter * -SearchBase "OU=<UserOU1>,DC=DEMO,DC=LOCAL" -Properties *  
Get-ADUser -Filter * -SearchBase "OU=<UserOU2>,DC=DEMO,DC=LOCAL" -Properties *  
Get-ADUser -Filter * -SearchBase "OU=<UserOU3>,DC=DEMO,DC=LOCAL" -Properties *

----------

(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards
Andreas Baumgarten

VishnuVardhan SB 1 Reputation point

2022-01-10T15:52:57.537+00:00

Hi @Andreas Baumgarten

Thanks for the response. The script was working fine till 3rd of Nov but started throwing this error recently. Is this something related to the powershell version or auto import of PS modules?

12-29-2021 06:16:34.5329273+0 ERROR PowerShell.EndInvoke() failed: Exception calling "EndInvoke" with "1" argument(s): "Method invocation failed because [Selected.Microsoft.ActiveDirectory.Management.ADUser] doesn't contain a method named 'ForEach'."

12-29-2021 06:53:18.1222964+0 ERROR PowerShell.EndInvoke() failed: Exception calling "EndInvoke" with "1" argument(s): "Method invocation failed because [Selected.Microsoft.ActiveDirectory.Management.ADDomainController] doesn't contain a method named 'ForEach'."

Answer 2

Rich Matheisen 47,901

It may be that the problem is brought about by the needless use of the Select-Object. If you simply use this:

$Result = Get-ADUser -Filter * -ResultSetSize $null -Properties AccountExpirationDate, accountExpires, badPasswordTime, Created, createTimeStamp, DisplayName, DistinguishedName, EmailAddress, Enabled, isDeleted, LastBadPasswordAttempt, lastLogon, LastLogonDate, lastLogonTimestamp, Modified, modifyTimeStamp, Name, PasswordExpired, PasswordLastSet, pwdLastSet, SamAccountName, SID, userAccountControl, UserPrincipalName, whenChanged, whenCreated

. . . does it work?

Also, do you have many disabled users? You might want to use a different filter string to get only active users, and if you need disabled users too, run a second Get-ADUser and filter for disabled users.

Also see this for a good explanation of what may be happening: 32418.active-directory-troubleshooting-server-has-returned-the-following-error-invalid-enumeration-context.aspx

VishnuVardhan SB 1 Reputation point

2022-01-10T15:56:15.9+00:00

Hi @Rich Matheisen ,

I am forwarding the powershell script output logs to splunk. Hence I am using the second select-object as recommended by Splunk https://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowsdatawithPowerShellscripts#Caveats_for_handling_PowerShell_script_output.

The script was working fine till 3rd of Nov but started throwing this error recently. Is this something related to the powershell version or auto import of PS modules?

12-29-2021 06:16:34.5329273+0 ERROR PowerShell.EndInvoke() failed: Exception calling "EndInvoke" with "1" argument(s): "Method invocation failed because [Selected.Microsoft.ActiveDirectory.Management.ADUser] doesn't contain a method named 'ForEach'."

12-29-2021 06:53:18.1222964+0 ERROR PowerShell.EndInvoke() failed: Exception calling "EndInvoke" with "1" argument(s): "Method invocation failed because [Selected.Microsoft.ActiveDirectory.Management.ADDomainController] doesn't contain a method named 'ForEach'."
Rich Matheisen 47,901 Reputation points

2022-01-10T19:44:26.827+00:00

If you absolutely, positively, must have the output from a Select-Object cmdlet, then get the results of Get-ADUser into an array, and then, in a separate operation, pipe the contents of the array into the Select-Object.

Answer 3

Hi there,

There is a detailed blog for this issue and approaching a solution indicated in this blog might sort this out. There are two possible solutions to this issue. One of the recommended solutions is to Retrieve your Active Directory objects to a variable first, then send it down the pipeline using the variable. This method is easy to implement in your code without lots of configuration changes in your Active Directory environment.

https://social.technet.microsoft.com/wiki/contents/articles/32418.active-directory-troubleshooting-server-has-returned-the-following-error-invalid-enumeration-context.aspx

Here is a thread as well which discusses the same issue and you can try out some troubleshooting steps from this and see if that helps you to sort the Issue.
https://social.technet.microsoft.com/Forums/scriptcenter/en-US/e3ae9c0d-4eed-4703-b120-14727e797df9/invalid-enumeration-context-using-powershell-script-to-check-computer-accounts?forum=ITCG

--If the reply is helpful, please Upvote and Accept it as an answer--

Share via

ADUser, ADComputer and ADDomainController query optimization

3 answers

Your answer