Add-GroupMember fails when using PowerShell Remoting

Create issue
Issue #187 resolved
Christopher Campbell created an issue

The new Add-GroupMember (2.0+) seems to have issues when using PowerShell remoting (Invoke-Command and Enter-PSSession) and there exists domain users/groups in the targeted group. Seems to work fine locally.

Stepping through it remotely, trouble seems to start here:

    [DirectoryServices.AccountManagement.GroupPrincipal]$group = Get-Group -Name $Name

If you pull up $group.members, an error is thrown when it starts enumerating through the domain groups.

An error occurred while enumerating through a collection: The network path was not found. . At line:1 char:1 + $group.Members + ~~~~~~ + CategoryInfo : InvalidOperation: (System.Director...ctionEnumerator:PrincipalCollectionEnumerator) [], RuntimeException + FullyQualifiedErrorId : BadEnumeration To recreate:

$sb = {

. "c:\main\ReleaseManagement\PowerShell\Shared\Carbon-2.1.0\Carbon\Import-Carbon.ps1"

Add-GroupMember -Member "domain\user" -Name "Administrators"

Invoke-Command -ComputerName $server -ScriptBlock $sb

Older versions of this function still work. (1.9 or less)

Comments (9)

  1. Aaron Jensen repo owner

    I think this is a double-hop problem. Carbon doesn't use any explicit credentials when connecting to AD, so your implicit credentials are used. When you remote in to a computer, you no longer have implicit credentials.

    Can you try again using Credssp the authenticate to the remote server? (The -Authenticate parameter on Enter-PsSession.)

  2. Christopher Campbell reporter

    Yeah, definitely double hop. Unfortunately, we try to stray from relying on credssp or credentials in our deployment scripts.

  3. Log in to comment