I am trying to run a simple function that will utilize the Get-ADPrincipalGroupMembership function on the Active Directory server with the supplied AD Login name.
I can run this command directly on the Server with no issue.
PS C:\Users\administrator.XXXX> Get-ADPrincipalGroupMembership tpemi | sort name | select name

name
----
Domain Users
EMI-FaxNotifications
Group-AcmeAccess
Group-EMI_BizHubColor
Group-EMI-Accounting
Group-EMI-AccountingSub
Group-EMI-Administration
Group-EMI-AllUsers
Group-EMI-CloudUsers
Group-EMI-HR
Group-EMI-Management
Group-HAR-Drive
Group-UCI-Drive

When I invoke this command from another server, I get the following error:
$Login = 'tpemi'
Invoke-Command -ComputerName 10.221.21.3 -ScriptBlock { Get-ADPrincipalGroupMembership -identity $Using:Login } -Credential $TPCred
The operation being requested was not performed because the user has not been authenticated
+ CategoryInfo : NotSpecified: (tpemi:ADPrincipal) [Get-ADPrincipalGroupMembership], ADException
+ FullyQualifiedErrorId : ActiveDirectoryServer:1244,Microsoft.ActiveDirectory.Management.Commands.GetADPrincipalGroupMembership
+ PSComputerName : 10.221.21.3
I verified the authentication by utilizing the Enter-PSSession cmdlet and reproduced the error while running directly within the session. That IP address in the prompt is the DC, which I am authenticated to with domain admin level permissions. Seems like there is something ‘special’ about this cmdlet when launching it from a remote session. Don’t have an issue running other AD cmdlets remotely (get-aduser, get-adgroup, etc…)
[10.221.21.3]: PS C:\Users\administrator.XXXXX\Documents> Get-ADprincipalGroupMembership -Identity tpemi
The operation being requested was not performed because the user has not been authenticated
+ CategoryInfo : NotSpecified: (tpemi:ADPrincipal) [Get-ADPrincipalGroupMembership], ADException
+ FullyQualifiedErrorId : ActiveDirectoryServer:1244,Microsoft.ActiveDirectory.Management.Commands.GetADPrincipalGroupMembership
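
Added example, not part of the original post: one way to check whether the failure comes from the remote session being unable to reuse its logon for the cmdlet's own directory connection (the "double hop" limit of PowerShell remoting, which is an assumption here because the post does not confirm the cause). The function name Get-GroupNamesViaRemoting is hypothetical; it hands the credential to the cmdlet explicitly and, if that still fails, falls back to Get-ADUser and Get-ADGroup, which the post reports as working remotely.

```powershell
# Added example; Get-GroupNamesViaRemoting is a hypothetical helper name.
# $TPCred, 'tpemi' and 10.221.21.3 in the usage line are the values from the post.
function Get-GroupNamesViaRemoting {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]       $ComputerName,
        [Parameter(Mandatory)] [string]       $Identity,
        [Parameter(Mandatory)] [pscredential] $Credential
    )

    Invoke-Command -ComputerName $ComputerName -Credential $Credential -ScriptBlock {
        Import-Module ActiveDirectory -ErrorAction Stop
        try {
            # Assumption: the session's network logon cannot be forwarded to the
            # directory service, so the cmdlet gets its own explicit credential.
            Get-ADPrincipalGroupMembership -Identity $using:Identity `
                    -Credential $using:Credential -ErrorAction Stop |
                Sort-Object Name |
                Select-Object -ExpandProperty Name
        }
        catch {
            Write-Warning "Get-ADPrincipalGroupMembership failed: $($_.Exception.Message)"

            # Fallback built from cmdlets the post says work in the remote session.
            # memberOf never lists the primary group (e.g. Domain Users), so the
            # PrimaryGroup DN is added back to match the cmdlet's output.
            $user = Get-ADUser -Identity $using:Identity `
                        -Properties MemberOf, PrimaryGroup -ErrorAction Stop
            $groupDns = @($user.MemberOf) + @($user.PrimaryGroup) | Where-Object { $_ }

            $groupDns |
                ForEach-Object { Get-ADGroup -Identity $_ } |
                Sort-Object Name |
                Select-Object -ExpandProperty Name
        }
    }
}

# Usage with the values from the post:
# Get-GroupNamesViaRemoting -ComputerName 10.221.21.3 -Identity 'tpemi' -Credential $TPCred
```

If the explicit -Credential call succeeds where the original call failed, that points at credential delegation in the remote session rather than at the account's permissions.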