Get-ADPrincipalGroupMembership Internal Error

The PowerShell cmdlet Get-ADPrincipalGroupMembership can throw an internal error under certain conditions.  On a project I was using this cmdlet quite normally to get a user’s groups to do some special processing with PeoplePlatform during deprovisioning.   A mysterious internal error in PowerShell is never fun to encounter.  One of the beautiful things about PowerShell is the ability to do the same thing using multiple techniques.

In these situations the best thing to do is narrow the error to the simplest command, which in this case was:
Get-ADPrincipalGroupMembership $user

(where $user = Get-Aduser …. )

The error message read:

Get-ADPrincipalGroupMembership : The server was unable to process the request due to an internal error. For more information about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the configuration behavior) on the server in order to send the exception information back to the client, or turn on tracing as per the Microsoft .NET Framework 3.0 SDK documentation and inspect the server trace logs.
...

The Bug(s)

It was promising to have narrowed the error to such a simple command.  At first glance there wasn’t anything unusual about the user.  A little googling yielded the following bugs from Microsoft in PowerShell:

https://connect.microsoft.com/PowerShell/Feedback/Details/1201918

and

https://connect.microsoft.com/PowerShell/Feedback/Details/1190397

Consequently, I examined both the user’s display name and the groups to which they belonged.  Their name didn’t have a forward slash in it (second article).  One of their groups, however, did have this character (“A/P” for accounts payable).

The Workaround

What to do?  This is when PowerShell’s flexibility shines.


# $user must be retrieved with -Properties MemberOf, otherwise MemberOf is empty and the loop does nothing
$EmployeeADPrincipalGroupMembership = New-Object System.Collections.ArrayList
foreach ($gr in $user.MemberOf) {
    if ($gr -ne '....DC=com') { # this was particular to the implementation to remove a particular group
        $EmployeeADPrincipalGroupMembership.Add((Get-ADGroup $gr).cn) > $null # direct output to NULL or else we'll get an int
    }
}

Here we get, with multiple lines, the same functional result as the (more elegant but buggy) single line of PowerShell.  The output of the “Add” command is directed to $null as it returns an integer count.  Unfortunately, this is still an issue in PowerShell 5.1 (at the time of this writing).  Due to the prevalence of this problem, for the time being I’m shelving Get-ADPrincipalGroupMembership.  Thank you to http://stackoverflow.com/questions/34030799/get-adprincipalgroupmembership-fails-when-any-user-group-name-has for the solution altered to meet my needs.
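
The workaround above, wrapped as a reusable function (an added example, not code from the original post): it tries Get-ADPrincipalGroupMembership first, falls back to the MemberOf loop when the cmdlet errors, and flags group names containing a forward slash. The function name Get-UserGroupNames and the sample identity jdoe are assumptions made for illustration.

```powershell
# Added example, not the original author's code. Get-UserGroupNames is a hypothetical name.
# Requires the ActiveDirectory module (RSAT) and a reachable domain controller.
function Get-UserGroupNames {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Identity
    )

    # MemberOf is not returned by default; without -Properties the fallback
    # loop would silently see zero groups and deprovisioning would skip them.
    $user = Get-ADUser -Identity $Identity -Properties MemberOf -ErrorAction Stop

    try {
        # Preferred path: the single cmdlet. -ErrorAction Stop makes the
        # internal error catchable instead of only being written to the console.
        $groups = Get-ADPrincipalGroupMembership -Identity $user -ErrorAction Stop
        $source = 'Get-ADPrincipalGroupMembership'
    }
    catch {
        Write-Warning "Get-ADPrincipalGroupMembership failed for '$Identity': $($_.Exception.Message)"
        # Fallback: resolve each distinguished name in MemberOf individually.
        # Note: MemberOf does not list the primary group (usually Domain Users).
        $groups = foreach ($dn in $user.MemberOf) {
            Get-ADGroup -Identity $dn -ErrorAction Stop
        }
        $source = 'MemberOf'
    }

    foreach ($g in $groups) {
        [pscustomobject]@{
            Name              = $g.Name
            DistinguishedName = $g.DistinguishedName
            HasForwardSlash   = $g.Name -like '*/*'   # the character implicated in the bug
            Source            = $source
        }
    }
}

# Usage with a constructed sample identity:
# Get-UserGroupNames -Identity 'jdoe' | Sort-Object Name | Format-Table Name, HasForwardSlash, Source
```

The Source column records which path produced the list, so a deprovisioning log shows when the fallback was used and the primary group needs separate handling.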