Error getting local group members when at least one has an orphaned SID

[flynngw]

Bug description

Members of a Local Group are not enumerated and left blank if that group contains an entry with an orphaned SID.
When Get-LocalGroupMember is run (eg: Get-LocalGroupMember -Name 'Administrators')
This errors in the background with:
Get-LocalGroupMember : Failed to compare two elements in the array.

It seems this is a known bug with Get-LocalGroupMember in powershell 5.x

These errors can be seen from line 113 and 114 of AsBuiltReport.Microsoft.Windows\Src\Public\Invoke-AsBuiltReport.Microsoft.Windows.ps1:

$LocalGroups = Invoke-Command -Session $TempPssSession { Get-LocalGroup | Where-Object {$_.PrincipalSource -ne "ActiveDirectory" } | ForEach-Object { [PSCustomObject]@{ GroupName = $_.Name;  Description = $_.Description; Members = (Get-LocalGroupMember -Group $_.Name).Name } }}
$LocalAdmins = Invoke-Command -Session $TempPssSession { Get-LocalGroupMember -Name 'Administrators' -ErrorAction SilentlyContinue }

On one of my sample Windows Server 2019 servers, the local Administrators group had a member that was orphaned.
So the Administrators group members showed as blank in the "Local Groups" section, and "Local Administrators" was completely missing, as the members would have evaluated to null.

I've managed to find a way around this.
I created a custom powershell module that uses Get-CIMInstance to evaluate the group members (and output in the same format as Get-LocalGroupMember, then updated the lines 113 and 114 above to run my custom Get-LocalGroupMembers function.
Would you like me to provide this function and the updated code?
If so, where should i keep that function? A custom PS module, or just a function within Invoke-AsBuiltReport.Microsoft.Windows.ps1?

Command-line input

New-AsBuiltReport -Report Microsoft.Windows -Target $Computername -Format Html,Word -Credential $Creds -ReportConfigFilePath 'C:\tmp\AsBuiltReport.Microsoft.Windows.json' -AsBuiltConfigFilePath 'C:\tmp\G\AsBuiltreport.json' -OutputFolderPath C:\Tmp\Output -Verbose

Steps to reproduce

Create a temporary user in AD
On a Windows Member Server, add that AD user as a member of the Local Administrators Group
Delete that user within AD (you may have to purge the AD recycle bin for this to show as orphaned, i'm unsure exactly how to force this)
Run the Microsoft.Windows AsBuilt Report against the server, ensuring that Infolevel.Account is set to at least 1 (default)
If you also run Get-LocalGroupMember -Name 'Administrators' will will give an error:
Get-LocalGroupMember : Failed to compare two elements in the array.

Expected behaviour

When Get-LocalGroupMember is run (eg: Get-LocalGroupMember -Name 'Administrators')
This errors in the background with:
Get-LocalGroupMember : Failed to compare two elements in the array.

In the AsBuilt report, the Administrators group members will be blank in the "Local Groups" section, and "Local Administrators" will be completely missing.

Screenshots

No response

Operating System

My main test host was Windows Server 2019 Standard
Confirmed the workaround works against Windows Server 2012 R2, Server 2016 and Server 2019

PowerShell Version

Name Value

---

PSVersion 5.1.17763.5933
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.17763.5933
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1

PowerShell Modules

Name Version

---

AsBuiltReport.Core 1.4.0
AsBuiltReport.Microsoft.Windows 0.5.4
PScribo 0.10.0

Additional Context

No response

Before submitting

• I have read and followed the bug reporting guidelines.
• I have read the documentation, and referred to the known issues before submitting this bug report.
• I have checked for previously opened & closed issues before submitting this bug report.

[rebelinux]

I'm able to reproduce the bug

PS C:\Users\administrator> Get-LocalGroupMember -Group Administrators
Get-LocalGroupMember : Failed to compare two elements in the array.
At line:1 char:1
+ Get-LocalGroupMember -Group Administrators
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-LocalGroupMember], InvalidOperationException
    + FullyQualifiedErrorId : An unspecified error occurred.,Microsoft.PowerShell.Commands.GetLocalGroupMemberCommand

Would you like me to provide this function and the updated code?

• Yes.

If so, where should i keep that function? A custom PS module, or just a function within Invoke-AsBuiltReport.Microsoft.Windows.ps1?

• You can add the custom function to the SharedUtilsFunctions.ps1 file.

Thanks.

[flynngw]

This turned out to be a much more difficult issue to resolve than I thought.
I ended up finding some code that got the local administrators that was created years back by another author
Is it ok that we use this?
I've tested it, it seems to work well and I have a version ready for a pull request
The function to get the members of the local groups is from here:
https://github.com/proxb/PowerShell_Scripts/blob/master/Get-LocalGroupMembership.ps1
I've had to make changes to Invoke-AsBuiltReport.Microsoft.Windows.ps1 so that it uses the new function also.

[rebelinux]

No problem,

Send me the pull request

[flynngw]

I've tried a pull request but i'm getting an error.
I have no idea why.
Are you able to see the error in the pull request and advise please?: https://github.com/AsBuiltReport/AsBuiltReport.Microsoft.Windows/pull/32

[rebelinux]

I've tried a pull request but i'm getting an error. I have no idea why. Are you able to see the error in the pull request and advise please?: https://github.com/AsBuiltReport/AsBuiltReport.Microsoft.Windows/pull/32

The error is related to github permission and not related to your commit. Done merging the Pull Request.

Thanks!