5

Following commands run on a Windows 10 VM that's joined to AzureAD:

PS C:\Windows\system32> Get-LocalGroupMember -Group Administrators
Get-LocalGroupMember : Failed to compare two elements in the array.
At line:1 char:1

PS C:\Windows\system32> Get-LocalGroupMember -Group Users
Group NT AUTHORITY\Authenticated Users Unknown
Group NT AUTHORITY\INTERACTIVE Unknown

PS C:\Windows\system32> net localgroup administrators
Members
Administrator
AzureAD\UserName

Any idea why the PowerShell Get-LocalGroupMember command is generating an error on the Administrators group whereas net localgroup works as does Get-LocalGroupMember for the Users group?

5 Answers

6

This has been referenced as an official bug:

https://github.com/PowerShell/PowerShell/issues/2996

Here is workaround:

http://jdhitsolutions.com/blog/scripting/2342/query-local-administrators-with-cim/

UPDATE:

I had some issues with CIM and WMI.

Here is another workaround which worked everywhere for me.

https://p0w3rsh3ll.wordpress.com/2016/06/14/any-documented-adsi-changes-in-powershell-5-0/

Luke
  • 434
1

This is caused by empty SIDs in the Administrators group. Open the Administrators group and remove the empty SIDs left behind from domain join/leave. Before and after cleaning up the Administrators group:

PS C:\WINDOWS\system32> Get-LocalGroupMember -Group "Administrators"
Get-LocalGroupMember : Failed to compare two elements in the array.
At line:1 char:1
+ Get-LocalGroupMember -Group "Administrators"
    + CategoryInfo          : NotSpecified: (:) [Get-LocalGroupMember], InvalidOperationException
    + FullyQualifiedErrorId : An unspecified error occurred.,Microsoft.PowerShell.Commands.GetLocalGroupMemberCommand

PS C:\WINDOWS\system32> Get-LocalGroupMember -Group "Administrators"

ObjectClass Name                    PrincipalSource
----------- ----                    ---------------
User        MyMachine\Administrator Local
User        NA\otheradmin           AzureAD

You are welcome; working on a way of cleaning up all empty SIDs from groups now.

Derrick
  • 11
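A defender-side audit of what this answer describes, added here as an example that is not part of the question or of any answer. The script, its -Remove switch and its orphan test are my own assumptions: it enumerates the group through the WinNT ADSI provider (which still works when Get-LocalGroupMember throws), looks the group up by the well-known SID S-1-5-32-544 rather than by name, and flags an entry as orphaned only when its AdsPath is a raw SID and that SID no longer translates to an account. Nothing is removed unless -Remove is passed, and -WhatIf gives a dry run.

```powershell
# Added example, not code from the question or any answer. Audits the local
# Administrators group via ADSI, reports members whose SID no longer resolves
# (the empty/orphaned entries left behind by domain join/leave), and removes
# them only when -Remove is given. Supports -WhatIf for a dry run.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove
)

# Resolve the group by its well-known SID so this also works on localized
# Windows builds where the group is not literally named "Administrators".
$builtinAdmins = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
$groupName     = $builtinAdmins.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]
$group         = [ADSI]"WinNT://./$groupName,group"

$report = foreach ($member in @($group.psbase.Invoke('Members'))) {
    $type    = $member.GetType()
    $adsPath = $type.InvokeMember('AdsPath', 'GetProperty', $null, $member, $null)

    # The WinNT provider exposes each member's SID as a byte array.
    $sid = try {
        [byte[]]$bytes = $type.InvokeMember('objectSid', 'GetProperty', $null, $member, $null)
        New-Object System.Security.Principal.SecurityIdentifier ($bytes, 0)
    } catch {
        # Fall back to the path itself, which for orphaned entries is the raw SID.
        if ($adsPath -match 'WinNT://(S-1-[\d-]+)') {
            New-Object System.Security.Principal.SecurityIdentifier $Matches[1]
        } else {
            $null
        }
    }

    # Orphaned = the path carries a raw SID instead of DOMAIN/Name, and that SID
    # cannot be translated back to an NT account by LSA.
    $account = $null
    if ($sid) {
        try { $account = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
    }
    $sidValue = if ($sid) { $sid.Value } else { '' }
    $orphaned = ($adsPath -match '^WinNT://S-1-') -and ($null -eq $account)

    [pscustomobject]@{
        AdsPath  = $adsPath
        Sid      = $sidValue
        Account  = $account
        Orphaned = $orphaned
    }
}

$report | Format-Table -AutoSize

if ($Remove) {
    foreach ($entry in ($report | Where-Object { $_.Orphaned })) {
        if ($PSCmdlet.ShouldProcess($entry.Sid, "Remove from $groupName")) {
            # Remove-LocalGroupMember accepts a SID string for -Member.
            Remove-LocalGroupMember -Group $groupName -Member $entry.Sid
        }
    }
}
```

Save it as, for example, Audit-LocalAdmins.ps1 (a name I chose) and run it from an elevated Windows PowerShell 5.1 prompt, where the Microsoft.PowerShell.LocalAccounts module lives: `.\Audit-LocalAdmins.ps1` only reports, `.\Audit-LocalAdmins.ps1 -Remove -WhatIf` shows which entries would be removed, and `.\Audit-LocalAdmins.ps1 -Remove` removes them. The two-part orphan test is deliberate: AzureAD and domain members keep a DOMAIN/Name path even when their SID cannot be translated offline, so checking the path form avoids removing real accounts just because a directory was unreachable.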
0

This will clean up the broken administrators. I think they were created during the update process:

(powershell script)

# Collect the AdsPath of every member of the local Administrators group through
# the WinNT ADSI provider. Entries look like WinNT://MACHINE/Name,
# WinNT://DOMAIN/Name, WinNT://AzureAD/Name or, for orphaned entries,
# WinNT://S-1-5-21-...
$administrators = @(
    ([ADSI]"WinNT://./Administrators").psbase.Invoke('Members') |
    ForEach-Object {
        $_.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $_, $null)
    }
) -match '^WinNT'

$administrators = $administrators -replace 'WinNT://', ''

$administrators

foreach ($administrator in $administrators)
{
    # Keep local accounts and AzureAD accounts; everything else is removed.
    if ($administrator -like "$env:COMPUTERNAME/*" -or $administrator -like "AzureAd/*")
    {
        continue
    }

    # Remove-LocalGroupMember expects DOMAIN\Name (or a SID string), not DOMAIN/Name.
    Remove-LocalGroupMember -Group "administrators" -Member $administrator.Replace('/', '\')
}
Monofuse
  • 101
0

Modified the above script to remove empty SIDs and report anyone else. Local users that are AzureAD joined (on-prem) using ADFS could be removed (set in Azure AD / Endpoint Manager).

$administrators = @(
    ([ADSI]"WinNT://./Administrators").psbase.Invoke('Members') |
    ForEach-Object {
        $_.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $_, $null)
    }
) -match '^WinNT'

$administrators = $administrators -replace 'WinNT://', ''

#$administrators

foreach ($administrator in $administrators) {
    #write-host $administrator "got here"
    if ($administrator -like "$env:COMPUTERNAME/*" -or $administrator -like "AzureAd/*") {
        continue
    }
    elseif ($administrator -match '^S-1-') {
        # checking for empty/orphaned SIDs only (entry is a raw SID, not DOMAIN/Name)
        write-host $administrator
        Remove-LocalGroupMember -group "administrators" -member $administrator
    }
    else {
        write-host $administrator "check this user's permissions if set in endpoint manager"
    }
}

zx485
  • 2,337
Derrick
  • 11
-1

The problem is empty SIDs in the Administrators group caused by domain join/leave/join etc.

Remove the empty SIDs and the command works just fine.

Derrick
  • 11