AmdiThomsen-1188 avatar image
0 Votes"
AmdiThomsen-1188 asked ·

Powershell: Pipe problems when using import-pssession

I am a very fond user of Windows Terminal, and use it a lot for WSL, Powershell, etc.
I run it in my normal user context, but I sometimes need administrative privileges to our domain controllers.

Therefore I save my admin credentials and use them in a pssession command, and imports that pssession. But when doing this, piping does not work.

A simple command like: "get-aduser <username> | Get-ADPrincipalGroupMembership" throws an exception.

"Cannot validate argument on parameter 'Identity'. The argument is null or empty. Provide an argument that is not null or empty, and then try the command again."

From the error message, I conclude that the current object '$_' is for whatever reason not passed through to the next command, but why?
And is there some way to correct this?

· 14
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Does get-aduser <username> return anything? If the username is a variable, make sure it's not empty or null.

0 Votes 0 ·

Hi. Yes, it does return a user object. I am able to save it in a variable, and use it afterwards. Even like follows: Get-ADPrincipalGroupMembership $user.samaccountname

Just to be clear. If I instead of importing the pssession, enters the session. Then the previous command does work and returns the users' group memberships.

0 Votes 0 ·

From within the imported session (not the entered session), run this and post the results:

 $x = Get-ADUser <username>
 $x|gm|select -first 5

0 Votes 0 ·
Show more comments

From within the imported session, does this work?

 Get-ADUser "<username>" | 
     Select-Object @{n='Identity';e={$_.distinguishedName}} | 
0 Votes 0 ·
Show more comments

You're also not showing how you create or import your session, so you leave a lot for us to assume.

0 Votes 0 ·

Sorry about that.
Here is how i create and establish a connection to the pssession.

 $credentials = Get-Credential
 $ADsession = New-PSSession -ComputerName "<domaincontroller>" -Credential $credentials
 Import-PSSession -Session $ADsession -module ActiveDirectory

In this example where I wanted to see if the situation was the same when entering the session i simply ran
Enter-PSSession -Session $ADsession

0 Votes 0 ·

Not to clutter things up, but I have similar results with other commands like:
(works when entering a session but not importing)

Get-ADGroup <group> | Get-ADGroupMember

Get-ADComputer <computername> | Get-ADPrincipalGroupMembership

Get-ADComputer <computername> | Get-ADObject

0 Votes 0 ·

1 Answer

RichMatheisen-8856 avatar image
0 Votes"
RichMatheisen-8856 answered ·

I don't think the problem is that piping doesn't work. I think your problem is that you probably receive a deserialized version of the user object. The Get-ADPrincipalGroupMembership may depend on the object in the pipeline having a specific object type, or it may be trying to find the "Identity" property in the object that it receives from the pipeline.

Start by having a look at the properties in the user object returned by Get-ADUser. Have a look at the "Inputs" section of the cmdlet's help. Is the object type you got from the Get-ADUser an "ADPrincipal" or one of the derived types? If not, is there an "Identity" property in the object?

· 3 ·
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Thank you for your answer.

I have looked at the properties of both commandlets, and there are multiple properties that matches. On the help page for the get-adprincipalgroupmembership commandlet it states that it can receive ADPricipals of the following types:

  • Microsoft.ActiveDirectory.Management.ADUser

  • Microsoft.ActiveDirectory.Management.ADComputer

  • Microsoft.ActiveDirectory.Management.ADServiceAccount

  • Microsoft.ActiveDirectory.Management.ADGroup

This shoud be what the get-aduser cmdlet returns. As mentioned above, I am able to save the output in a variable and use it like this ex: Get-ADPrincipalGroupMembership $user.samaccountname.

If I instead of importing the pssession, enters the session. Then the previous command that includes the pipe, does work and returns the users' group memberships.

I hope I am making sense :)

0 Votes 0 ·

Yes, you are making sense, but I don't think you understand what may be happening. One possibility is that the Get-ADPrincipalGroupMembership cmdlet might not be properly matching the object in the pipeline to the list of types in the documentation. That's a bug and deserves reporting, at least through the link on the cmdlet's web page.

Another is that if there is no match for the expected property type of the pipline object, that there's no "Identity" property in the pipeline object either. In this case the cmdlet throws an exception.

I created a comment earlier asking you to post the results of running a three-line script. I created another comment giving you a way that should work regardless of the pipeline object's type -- as long as the object has a distinguishedName property.

0 Votes 0 ·

I've marked this as an answer because you were on point.

For anyone who finds this, there are more details in the thread above.

0 Votes 0 ·