In this blog, I will discuss the Active Directory (AD) PowerShell error reporting. Good error reporting is critical and it saves time to resolve an issue.

Let's start with the basics. In case of error, AD PowerShell cmdlet prints the error details which contain an error message.

PS C:\> New-ADUser -Name:"ADPSUser" -SamAccountName:"ADPSUser" -Enabled:$true

New-ADUser : The password does not meet the length, complexity, or history requirement of the domain.
At line:1 char:11
+ New-ADUser <<<<  -Name:"ADPSUser" -SamAccountName:"ADPSUser" -Enabled:$true
    + CategoryInfo          : InvalidData: (CN=ADPSUser,CN=...icrosoft,DC=com:String) [New-ADUser], ADPasswordComplexi
   tyException
    + FullyQualifiedErrorId : The password does not meet the length, complexity, or history requirement of the domain.
   ,Microsoft.ActiveDirectory.Management.Commands.NewADUser

 

The above error is actually a System.Management.Automation.ErrorRecord object. In PowerShell, errors occurred in cmdlets or scripts gets stored in a variable $Error (which contains the ErrorRecord objects). $Error is an ArrayList containing the most recent errors and $Error[0] is the most recent error.

PS C:\> $Error[0] | fl * -f

PSMessageDetails      :
Exception             : Microsoft.ActiveDirectory.Management.ADPasswordComplexityException: The password does not meet the ...
TargetObject          : CN=ADPSUser,...
CategoryInfo          : InvalidData: (CN=ADPSUser,CN=...icrosoft,DC=com:String) [New-ADUser], ADPasswordComplexityException
FullyQualifiedErrorId : The password does not meet the length, complexity, or history requirement of the ...
ErrorDetails          :
InvocationInfo        : System.Management.Automation.InvocationInfo
PipelineIterationInfo : {0, 1}

 

As shown above, ErrorRecord contains Exception object (Microsoft.ActiveDirectory.Management.ADPasswordComplexityException). AD PowerShell throws an appropriate exception based on the error. Exception can be System.UnauthorizedAccessException, System.TimeoutException, Microsoft.ActiveDirectory.Management.ADException etc.

Tips: In script, exception can be used for error handling. I do have plan to blog about error handling. So just wait for more details about error handling.

 

Exception object has more diagnostic information as shown below: 

PS C:\> $Error[0].Exception | fl * -f

ErrorCode          : 1325
ServerErrorMessage : 0000052D: SvcErr: DSID-031A120C, problem 5003 (WILL_NOT_PERFORM), data 0
Message            : The password does not meet the length, complexity, or history requirement of the domain.
Data               : {}
InnerException     : System.ServiceModel.FaultException: Active Directory returned an error processing the operation.
TargetSite         : Void ThrowExceptionForExtendedError(System.String, System.Exception)
StackTrace         :    at Microsoft.ActiveDirectory.Management.AdwsConnection.ThrowExceptionForExtendedError(String extendedErrorMessage, Exception innerException) in ...
HelpLink           :
Source             : Microsoft.ActiveDirectory.Management

Note: ServerErrorMessage is the error message returned by AD server and it will be in the server locale.

 

Hope this will help and save your diagnostic time.

Cheers!
Ashish

--
Ashish Sharma [MSFT]
Developer – Active Directory Powershell Team