Get-ADuser : A referral was returned from the server

Submitted by ε祈祈猫儿з on 2020-02-05 03:29:29

Question


I'm getting the following error when I run my script:

Get-ADUser : A referral was returned from the server
At line:25 char:70
+ ... -Identity $G.name -Recursive | Get-ADUser  -Server $dom -Properties *
+                                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (CN=User...,DC=org:ADUser) [Get-ADUser], ADReferralException
    + FullyQualifiedErrorId : ActiveDirectoryServer:****,Microsoft.ActiveDirectory.Management.Commands.GetADUser

This is my script:

$Domains = (Get-ADForest).Domains.ForEach{(Get-ADDomain $_).PDCEmulator}

$Users = @()
$Groups = @()
$list = Get-Content C:\temp\ADGroups.txt
ForEach ($dom in $Domains) {
    Foreach ($o in $list) {
        $ObjectClass = (Get-ADObject -server $dom -Filter {SamAccountName -eq $o}).ObjectClass
        If ($ObjectClass -eq "User") {
            $U =  Get-ADUser -Properties * -Identity $o -Server $dom
            $User = "" | Select FullUserName, LoginID, Description
            $User.FullUserName = $U.DisplayName
            $User.LoginID = $U.SamAccountName
            $User.Description = $U.description
            $Users += $User
        } Else {
            If ($ObjectClass -eq "Group") {
                $G = Get-ADGroup -Properties * -Identity $o -Server $dom
                $GM = Get-ADGroupMember -Server $dom -Identity $G.name -Recursive | Get-ADUser  -Server $dom -Properties *
                Foreach ($gmember in $GM) {
                    $Group = "" | Select GroupName, GroupDescription, GroupMemberName, GroupMemberLoginID, GroupMemberDesc
                    $Group.GroupName = $G.Name
                    $Group.GroupDescription = $G.Description
                    $Group.GroupMemberName = $gmember.Name
                    $Group.GroupMemberLoginID = $gmember.SamAccountName
                    $Group.GroupMemberDesc = $gmember.Description
                    $Groups += $Group
                }
            }
        }
    }
}
$Users | Export-Csv C:\temp\Users.csv -NoTypeInformation
$Groups | Export-Csv C:\temp\Groups.csv -NoTypeInformation

The purpose of my script is to pull users that belong in a group and export to a .csv file. It works for the most part, but it gives me an error for certain users. I think it could be because those users in the group belong in a different domain.


Answer 1:


See the answers in this question. Answers there indicate you can retrieve the referral location in the exception and retry the Get-ADUser against the other server.

You might reconsider how you search for all these groups and users. Users are replicated throughout the forest. Global and Universal groups are too. So you could search the Global Catalog instead of iterating through one DC in every domain. Get-DomainController -GlobalCatalog and run your Get-AD* commands against that server's global catalog port, i.e. Get-ADUser -server $GCServerName:3268

However, bear in mind that the GC doesn't contain complete user and group properties, and the properties it does return are subject to replication delays.

Whether this is helpful depends on your domain architecture. In my own workplace, querying remote domain controllers is very expensive. Our site domain controller is a global catalog, though, so searching it for forest information is very fast.




Answer 2:


I think that you can simply drop the -Server from Get-ADUser. Since Get-ADGroupMember returns an ADPrincipal[] type, every user contains a fully qualified DistinguishedName, which implies the domain ("server") that the results come from.

Yes, you are right in thinking that essentially (pseudocode):

"contoso.com\user" | Get-ADUser -Server "DC01.theOtherContoso.com"

Will not work. And when piping from Get-ADGroupMember, you get the error:

Get-ADUser : A referral was returned from the server

If you run the same query, but omitting the -Server portion from the Get-ADUser portion, it will use the distinguished name to figure out where to pull the information:

$GM = Get-ADGroupMember -Server $dom -Identity $G.name -Recursive | Get-ADUser -Properties *

It should return you the user objects that you need.
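
An added example, not part of the original question or either answer: it applies the point above that each member's DistinguishedName identifies its home domain, and sends every Get-ADUser lookup to that domain so cross-domain members no longer raise the referral error. The function names, the group name and the contoso.com values are hypothetical; it requests only the Description property rather than -Properties *.

```powershell
# Added example; requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function ConvertTo-DomainDnsName {
    # e.g. 'CN=Smith\, J,OU=Staff,DC=emea,DC=contoso,DC=com' -> 'emea.contoso.com' (constructed DN)
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Split on commas that are not backslash-escaped, keep only the DC= parts.
    $dc = $DistinguishedName -split '(?<!\\),' |
        Where-Object { $_ -match '^\s*DC=' } |
        ForEach-Object { ($_ -replace '^\s*DC=', '').Trim() }
    if (-not $dc) { throw "No DC components in '$DistinguishedName'" }
    $dc -join '.'
}

function Get-GroupUserAcrossDomains {
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][string]$Server   # DC or domain that holds the group
    )
    $group = Get-ADGroup -Identity $GroupName -Server $Server -Properties Description
    Get-ADGroupMember -Identity $group -Server $Server -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $dn = $_.DistinguishedName
            try {
                # Query the member's own domain, not the group's, to avoid the referral.
                $memberDomain = ConvertTo-DomainDnsName $dn
                $u = Get-ADUser -Identity $dn -Server $memberDomain `
                        -Properties Description -ErrorAction Stop
                [pscustomobject]@{
                    GroupName          = $group.Name
                    GroupDescription   = $group.Description
                    GroupMemberName    = $u.Name
                    GroupMemberLoginID = $u.SamAccountName
                    GroupMemberDesc    = $u.Description
                    MemberDomain       = $memberDomain
                }
            } catch {
                # Report the member that failed and keep processing the rest.
                Write-Warning "Could not resolve '$dn': $($_.Exception.Message)"
            }
        }
}

# Usage (hypothetical names):
# Get-GroupUserAcrossDomains -GroupName 'Example-Group' -Server 'dc01.contoso.com' |
#     Export-Csv C:\temp\Groups.csv -NoTypeInformation
```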



Source: https://stackoverflow.com/questions/51831949/get-aduser-a-referral-was-returned-from-the-server
