Get-ADUser: The server has returned the following error: invalid enumeration context

Time:12-08

I am trying to get all of the contractors and employees from our AD with enabled true for filter. AD itself is very huge and has lots of data that may cause timeout limits when running a PowerShell script. I am getting this error when I put it into a variable, and if I do a straight export, I am getting a timeout limit.

Is there any way to gather all of the contractor and employee data with enabled employees with a big AD without having this issue? I am getting an output but am not sure if the output is reliable since I am getting an error.

Thank you

Param(
    [Parameter(Mandatory = $true,ValueFromPipeline = $false,HelpMessage = "Specify a output file name and path.")]
    [string]
    $OutputFileNamePath = $null
)
$Storage = @()
Write-Host "**********************************************************" -ForegroundColor Green
Write-Host "*                  On Process                            *" -ForegroundColor Green
Write-Host "**********************************************************" -ForegroundColor Green
$filter = @("CONTRACTOR", "EMPLOYEE")
$Storage = Get-ADUser -Filter * -Properties EmployeeNumber,Name,SamAccountName,employeeType,PasswordLastSet,LastLogonDate | Where {($_.Enabled -eq $True) -and $filter -contains $_.employeeType} | Select EmployeeNumber,Name,SamAccountName,employeeType,PasswordLastSet,LastLogonDate 
$Storage | Export-Csv -Path $OutputFileNamePath".csv" -Force
Write-Host "**********************************************************" -ForegroundColor Green
Write-Host "*                     Done                               *" -ForegroundColor Green
Write-Host "**********************************************************" -ForegroundColor Green

CodePudding user response:

This TechNet article gives us a hint on why this error can occur, basically:

  1. Get-ADUser uses paging (256 objects per page by default)
  2. It is up to the client to request new pages
  3. When piping out AD objects, the longer the code down the pipeline takes to process, the slower we retrieve data from Active Directory Web Services
  4. If that slower processing causes the retrieval time to run over 30 minutes, then the enumeration context expires

Most likely, your query has been running for 30 minutes, which led to this exception. The solution to this is to make a more efficient query so it completes before this time or, not recommended by MS:

Increase the "MaxEnumContextExpiration" value for Active Directory Web Service. There are many reasons not to take this approach.


You can leverage LDAPFilter to increase the performance of your query; using Where-Object is not needed in this case:

$properties = 'EmployeeNumber', 'employeeType', 'PasswordLastSet', 'LastLogonDate'
$filter = '(&(!userAccountControl:1.2.840.113556.1.4.803:=2)(|(employeeType=CONTRACTOR)(employeeType=EMPLOYEE)))'

Get-ADUser -LDAPFilter $filter -Properties $properties

To translate the LDAP Filter into something readable:

  • (!userAccountControl:1.2.840.113556.1.4.803:=2) Enabled Only
  • (|(employeeType=CONTRACTOR)(employeeType=EMPLOYEE)) The | refers to OR:
    EmployeeType is "Contractor" OR "Employee"
  • (&(..)(|(..)(..))) The & (AND) means all conditions must be met.
    In this case, it can be read as:
    ( User is Enabled ) AND ( User's EmployeeType is "Contractor" OR "Employee" ).

For future reference: Active Directory: LDAP Syntax Filters
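
A complete version of the question's export script built on the LDAP filter from the answer above, as an added example that is not part of the original question or answers. It assumes the ActiveDirectory module is installed and, like the question's script, appends .csv to the supplied path; the variable names $csvPath and $users are illustrative.

```powershell
# Added example: server-side filtered export that fails closed.
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true, HelpMessage = 'Specify an output file name and path (without extension).')]
    [string] $OutputFileNamePath
)

Import-Module ActiveDirectory -ErrorAction Stop

# Same behaviour as the question's script: the .csv extension is appended.
$csvPath = "$OutputFileNamePath.csv"

# Name, SamAccountName and Enabled are returned by default; only the extra
# attributes have to be requested.
$properties = 'EmployeeNumber', 'employeeType', 'PasswordLastSet', 'LastLogonDate'

# Filter from the answer above: enabled accounts whose employeeType is
# CONTRACTOR or EMPLOYEE. The domain controller evaluates it, so only
# matching objects are paged back to the client.
$filter = '(&(!userAccountControl:1.2.840.113556.1.4.803:=2)(|(employeeType=CONTRACTOR)(employeeType=EMPLOYEE)))'

try {
    # Drain every page into memory before any other work, so nothing
    # downstream delays the next page request while the enumeration
    # context is open. -ErrorAction Stop makes any error terminating,
    # so the catch block runs and no partial CSV is written.
    $users = @(Get-ADUser -LDAPFilter $filter -Properties $properties -ErrorAction Stop)
}
catch {
    throw "AD query failed, no file written: $($_.Exception.Message)"
}

# Shape and export only after the directory query has completed.
$users |
    Select-Object EmployeeNumber, Name, SamAccountName, employeeType, PasswordLastSet, LastLogonDate |
    Export-Csv -Path $csvPath -NoTypeInformation -Force

Write-Host "Exported $($users.Count) enabled contractor/employee accounts to $csvPath"
```

Because the script stops on any query error, a CSV that exists after a run contains the full result set rather than a truncated one.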

CodePudding user response:

I modified your script but I just grabbed all users into a $Users array then ran a ForEach loop for each individual user. Inside there is an If that checks that the user is enabled and that the EmployeeType is -like CONTRACTOR or EMPLOYEE. If they are, it adds them to the $Storage array, then exports it once the loop is finished.

It worked for me, but let me know if you have any questions:

Param(
    [Parameter(Mandatory = $true,ValueFromPipeline = $false,HelpMessage = "Specify a output file name and path.")]
    [string]
    $OutputFileNamePath = $null
)
$Storage = @()
Write-Host "----------------------------------------------------------" -ForegroundColor Green
Write-Host "-                  On Process                            -" -ForegroundColor Green
Write-Host "----------------------------------------------------------" -ForegroundColor Green
$Users = Get-ADUser -Filter * -Properties EmployeeNumber,Name,SamAccountName,employeeType,PasswordLastSet,LastLogonDate 
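Foreach($user in $users){
    # Keep only enabled users whose EmployeeType matches CONTRACTOR or EMPLOYEE
    If(($User.Enabled -eq $True) -and (($User.EmployeeType -like "*CONTRACTOR*") -or ($User.EmployeeType -like "*EMPLOYEE*"))){
        # Append the matching user to the results array
        $Storage += $User
    }
}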
$Storage | Export-Csv -Path $OutputFileNamePath".csv" -NoTypeInformation -Force
Write-Host "----------------------------------------------------------" -ForegroundColor Green
Write-Host "-                     Done                               -" -ForegroundColor Green
Write-Host "----------------------------------------------------------" -ForegroundColor Green