get-adgroupmember for builtin\administrator fail

Hi I was running this task for obtaining the member of Builtin\Administrator group and it was working ok

get-adgroupmember "CN=Administrators,CN=Builtin,DC=CenterXXX,DC=ORG" |ft distinguishedName |out-string -width 200 >C:\cgxxxt1-scripts\Reports\admins.txt

 but I noticed today that it stopped to work and when I run it from the PowerShell the error below is displayed. Any idea about this error? I tried using -identity parameter and it is the same error. Only this is for administrator is failing. I have other task using the same command for Domain Admin and it working ok.  Ideas?


PS C:\Users\admin> get-adgroupmember "CN=Administrators,CN=Builtin,DC=Centerxxx,DC=ORG" |ft distinguishedName |out-str
ing -width 200
Get-ADGroupMember : A referral was returned from the server
At line:1 char:18
+ get-adgroupmember <<<<  "CN=Administrators,CN=Builtin,DC=Centerxxx , DC=ORG" |ft distinguishedName |out-string -width 200

    + CategoryInfo          : NotSpecified: (CN=Administrato...=CEnterxx,DC=ORG:ADGroup) [Get-ADGroupMember], ADExcepti
    + FullyQualifiedErrorId : A referral was returned from the server,Microsoft.ActiveDirectory.Management.Commands.Ge

PS C:\Users\admin
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

could you not perhaps use the ps command like this:
get-adgroupmember -identity administrators |ft distinguishedName |out-string -width 200

CGNET-TEAuthor Commented:
I already tried this bellow too but error is the same.  Any idea?

get-adgroupmember -identity administrators |ft distinguishedName |out-string -width 200

PS C:\Users\rootadmin> get-adgroupmember -identity administrators |ft distinguishedName |out-string -width 200
get-adgroupmember : A referral was returned from the server
At line:1 char:1
+ get-adgroupmember -identity administrators |ft distinguishedName |out-string -wi ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (administrators:ADGroup) [Get-ADGroupMember], ADException
    + FullyQualifiedErrorId : A referral was returned from the server,Microsoft.ActiveDirectory.Management.Commands.Ge

PS C:\Users\rootadmin>
HI There,

the error is not very descriptive, however, I'd suggest the following :

1. have a look at the group policies on your domain to see if anything was changed around the time when it stopped working..

2. try use the -server switch to use another DC and see if the results are the same/different. - (eliminate the currently used server)

3. perhaps try to see if the --verbose and -debug helps with additional output that could be used to troubleshoot.
check event viewer to see what happens there also. try running it directly from the DC, if not already.

4. try the following.
ps command by itself
get-adgroupmember -identity administrators

Does the error appear again?

if yes, try run it from another machine /domain controller.
try to re-import the AD modules (something like "Import-Module *directory*"  and or run "gcm *directory*"
-- I really dont know powershell that well, but I think the above may work, else perhaps you know:) )

Also perhaps try "Set-Executionpolicy Unrestricted"

If the above worked fine, try adding the "|ft distinguishedName "
and so on, adding "|out-string -width 200"

to try see what it is that is causing the ps problem.

also try run "Get-AdGroupMember" and press enter, enter the Identity in the Identity line when asked
see what happens from that.
one of the things I would also suggest to look at is to ensure that the  Administrators group was not moved from the BuiltIn container.. - there are many unexpected issues that can arise from this, so not sure if it's applicable, but I;d be sure to check this if I was you :)

If possible, try using another account either by specifying credentials to perform the get-adgroupmember command or by logging on with another account.

also try specify the servername and search scope/Base (for the domain in question, esp in an environment where there may be more than one domain involved (even if in the same forest).  I would assume that your initial command line should work fine, however I'm thinking it could fail if the object is in another domain (different to the connected DC).  -- I have a fuzzy feeling about this one :)


would like to hear back on this as I'm currently trying to get more experience on Powershell myself and I've run into many errors which I dont always understand either. :)

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.