Error with Get-ADUser: Invalid enumeration context

Question

I posted this question the other day Extract e-mail from grouped objects

$OuUser = @{}

$OuUser = Get-AdUser -Properties * -Filter * -SearchBase "domain"   

$Duplicates = $OuUser | Select samaccountname, mail,UserPrincipalName |
    Group-Object Mail | Where{$_.Count -gt 1}

$Duplicates | Select Name,Count,@{l='Accounts';e={($_.Group|Select -Expand samaccountname) -join ';'}} | 
    Export-CSV E:\Damo\Duplicates.csv -NoTypeInfo

The code works on one domain it works fine, testing it against a small set of users in a OU.

When testing on the domain I want to test against, which has a lot of users in it this code fails. The OU has email address in it which are not of an e-mail format. It points towards Get-ADUser for the error.

Get-ADUser : The server has returned the following error: invalid enumeration c
ontext.
At C:\scripts\CountEmailsDup.ps1:4 char:21
+ $OuUser = Get-AdUser <<<<  -Properties * -Filter * -SearchBase 'ou=external,o
u=user accounts,dc=bizdir,dc=nzpost,dc=co,dc=nz' -SearchScope OneLevel
    + CategoryInfo          : NotSpecified: (:) [Get-ADUser], ADException
    + FullyQualifiedErrorId : The server has returned the following error: inv
   alid enumeration context.,Microsoft.ActiveDirectory.Management.Commands.Ge
  tADUser

I am lost to why I am getting this error on one domain but not another.

Answer 1

The biggest issue you have here is you are asking a lot from Get-ADUser. Based on your comment you are pulling in over 900,000 accounts. On top of that you are pulling all properties of those users. There is a touch of insanity there.

While I am not perfectly clear what your error means I do know that everyone that gets it is returning a lot of users which you clearly are. The first step to mitigate this is to use -ResultPageSize of Get-ADUser. Your mileage may vary but you need to experiment with number of records to return. 500-1000 is usually a good start.

I would never use -Properties * unless I was pulling for one user and wanted to see everything. I strongly doubt you are using all those properties in your function. Limit yourself to what you need for efficiency's sake. You would obviously need to specify Mail.

Since you are processing based on the mail property another thing would be to limit your results to those which only have a populated mail property. Couple of things you could do filters e.g "", "...."(from comments by Vesper) or "@" based on your comment of

There are some email field with 123 and . in them, so I will have to use length -gt 3 or something to skip them.

Not sure about this and I don't have the sample data to test the theory but using the pipeline should also help things along instead of saving the results just to use them in the pipe anyway.

Get-AdUser -Properties mail -Filter 'mail -like "*@*"' -SearchBase "domain" -ResultPageSize 1000 | 
    Group-Object Mail | 
    Where{$_.Count -gt 1} |
    Select Name,Count,@{l='Accounts';e={($_.Group|Select -Expand samaccountname) -join ';'}} | 
    Export-CSV E:\Damo\Duplicates.csv -NoTypeInfo