The following commands were run on a Windows 10 VM that's joined to Azure AD:

PS C:\Windows\system32> Get-LocalGroupMember -Group Administrators
Get-LocalGroupMember : Failed to compare two elements in the array.
At line:1 char:1

PS C:\Windows\system32> Get-LocalGroupMember -Group Users
Group NT AUTHORITY\Authenticated Users Unknown
Group NT AUTHORITY\INTERACTIVE Unknown

PS C:\Windows\system32> net localgroup administrators
Members
Administrator
AzureAD\UserName

Any idea why the PowerShell Get-LocalGroupMember command is generating an error on the Administrators group, whereas net localgroup works, as does Get-LocalGroupMember for the Users group?
25 Answers
This has been referenced as an official bug:
Here is a workaround:
UPDATE:
I had some issues with CIM and WMI.
Here is another workaround which worked everywhere for me.
This is caused by empty SIDs in the Administrators group. Open the Administrators group and remove the empty SIDs left behind from domain join/leave.

Before cleaning up the Administrators group:

PS C:\WINDOWS\system32> Get-LocalGroupMember -Group "Administrators"
Get-LocalGroupMember : Failed to compare two elements in the array.
At line:1 char:1
+ Get-LocalGroupMember -Group "Administrators"
    + CategoryInfo          : NotSpecified: (:) [Get-LocalGroupMember], InvalidOperationException
    + FullyQualifiedErrorId : An unspecified error occurred.,Microsoft.PowerShell.Commands.GetLocalGroupMemberCommand

After cleaning up the Administrators group:

PS C:\WINDOWS\system32> Get-LocalGroupMember -Group "Administrators"
ObjectClass Name                     PrincipalSource
User        MyMachine\Administrator  Local
User        NA\otheradmin            AzureAD
You are welcome; working on a way of cleaning up all empty SIDs from groups now.
This will clean up the broken administrators. I think they were created during the update process:

# Enumerate the Administrators group through the ADSI WinNT provider (which, unlike
# Get-LocalGroupMember, does not fail on orphaned SIDs) and keep the members' ADsPaths
$administrators = @(
    ([ADSI]"WinNT://./Administrators").psbase.Invoke('Members') |
        ForEach-Object { $_.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $_, $null) }
) -match '^WinNT'
# Strip the provider prefix, leaving COMPUTERNAME/User, AzureAD/user@tenant, or a bare SID
$administrators = $administrators -replace '^WinNT://', ''
$administrators

foreach ($administrator in $administrators) {
    # Keep local accounts and Azure AD accounts; everything else is removed
    if ($administrator -like "$env:COMPUTERNAME/*" -or $administrator -like 'AzureAD/*') {
        continue
    }
    # Remove-LocalGroupMember expects DOMAIN\User, not the provider's DOMAIN/User form
    Remove-LocalGroupMember -Group 'Administrators' -Member ($administrator -replace '/', '\')
}

Modified the above script to remove empty SIDs and report anyone else. Local users that are Azure AD joined (on-prem) using ADFS could be removed (set in Azure AD / Endpoint Manager).
# Enumerate the Administrators group through the ADSI WinNT provider and keep the members' ADsPaths
$administrators = @(
    ([ADSI]"WinNT://./Administrators").psbase.Invoke('Members') |
        ForEach-Object { $_.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $_, $null) }
) -match '^WinNT'
# Strip the provider prefix, leaving COMPUTERNAME/User, AzureAD/user@tenant, or a bare SID
$administrators = $administrators -replace '^WinNT://', ''
#$administrators

foreach ($administrator in $administrators) {
    #Write-Host $administrator "got here"
    if ($administrator -like "$env:COMPUTERNAME/*" -or $administrator -like 'AzureAD/*') {
        continue
    }
    elseif ($administrator -match '^S-1-') {
        # An entry whose path is a bare SID is an orphaned member that no longer resolves to an account
        Write-Host $administrator
        Remove-LocalGroupMember -Group 'Administrators' -Member $administrator
    }
    else {
        # Anything else (for example an on-prem domain account) is reported, not removed
        Write-Host $administrator "check this user's permissions if set in Endpoint Manager"
    }
}

The problem is empty SIDs in the Administrators group caused by domain join/leave/join etc.
Remove the empty SIDs and the command works just fine.
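The scripts above classify a member as orphaned purely from its ADsPath. As an added example (not code from this thread or from any of its posters), the script below enumerates the group the same way, through the ADSI WinNT provider so that the Get-LocalGroupMember bug is sidestepped, but also asks the local security authority to translate each member's SID back to an account name, and supports -WhatIf so the removal can be rehearsed first. The group name, the objectSid property read through InvokeMember, and the regular expression for a bare SID path are assumptions made for this example; it needs an elevated PowerShell 5.1 or later session with the LocalAccounts module.

```powershell
# Added example, not from the original thread.
# Audit the local Administrators group without Get-LocalGroupMember, flag members whose SID
# no longer translates to an account, and remove them only when the caller confirms.
# Run elevated. Assumes Windows PowerShell 5.1+ with the LocalAccounts module (Remove-LocalGroupMember).
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$GroupName = 'Administrators'   # assumed default; pass another local group to audit it
)

# The WinNT provider enumerates the group without failing on orphaned SIDs
$group   = [ADSI]"WinNT://./$GroupName,group"
$members = @($group.psbase.Invoke('Members'))

$report = foreach ($m in $members) {
    $adsPath = $m.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $m, $null)
    $class   = $m.GetType().InvokeMember('Class',   'GetProperty', $null, $m, $null)

    # objectSid comes back as a byte array; turn it into S-1-... text (assumed readable via InvokeMember)
    $sid = $null
    try {
        $sidBytes = $m.GetType().InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
    } catch { }

    $name = $adsPath -replace '^WinNT://', ''
    # A path that is nothing but a SID means the provider itself could not resolve the member
    $unresolvedPath = $name -match '^S-1-\d+(-\d+)+$'

    # Independently ask LSA to translate the SID to DOMAIN\Account
    $translated = $null
    if ($sid) {
        try { $translated = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
    }

    [pscustomobject]@{
        Name     = $name
        Class    = $class
        Sid      = if ($sid) { $sid.Value } else { $null }
        Resolves = [bool]$translated
        # Only treat a member as orphaned when both checks agree
        Orphaned = $unresolvedPath -and -not $translated
    }
}

$report | Format-Table -AutoSize

foreach ($entry in $report | Where-Object Orphaned) {
    # Caveat: a SID that fails to translate right now may belong to a principal in a domain that is
    # merely unreachable at the moment (e.g. an off-network laptop). Review the listing before removing.
    if ($PSCmdlet.ShouldProcess($entry.Sid, "Remove from $GroupName")) {
        Remove-LocalGroupMember -Group $GroupName -Member $entry.Sid
    }
}
```

Save it as a .ps1 and run it first with -WhatIf to see the table and the "What if:" lines for each orphaned SID; run it again without -WhatIf (or with -Confirm) to perform the removal. Requiring both the bare-SID path and a failed translation before deleting is deliberate: a member that the provider cannot name but LSA can (or the other way round) is worth a look by a human rather than a script.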