Last week I posted a PowerShell function to get time server NTP settings from clients.
Depending on how you use the script, you may encounter an issue which is not caused by the script but is nevertheless very annoying…
Let’s say that you want to query your AD and only get computers with ‘server’ in the name of the operating system.
You’ll do something like:
Get-ADComputer -Filter 'operatingsystem -like "*server*"' | foreach {Get-TimeServer -ComputerName $_.name}
Now here’s the annoyance. If you have a rather large AD with many computer objects, you’ll encounter an error:
Get-ADComputer : The server has returned the following error: invalid enumeration context.
At line:56 char:15
+ get-adcomputer <<<< -filter 'operatingsystem -like "*server*"' | foreach {Get-TimeServer -computername $_.name}
    + CategoryInfo : NotSpecified: (:) [Get-ADComputer], ADException
    + FullyQualifiedErrorId : The server has returned the following error: invalid enumeration context.,Microsoft.ActiveDirectory.Management.Commands.GetADComputer
As it turns out, the ‘operatingsystem’ attribute in Active Directory is not indexed. When you query lots of objects on this, you’ll get hit with such an error.
If you have a large number of computer objects in your domain, and you frequently query based on OS, it could make sense to make operatingSystem indexed.
This is controlled by the searchFlags attribute on the object that defines operatingSystem in the schema (the attribute's own object in the cn=Schema container). The bit mask for IS_INDEXED is 1.
In ADSI Edit,
navigate to ‘cn=Schema,cn=Configuration,dc=MyDomain,dc=com’,
find the attribute with Common Name “Operating-System”,
right click and select “Properties”,
find the searchFlags attribute,
click “Edit” and enter the value 1.
Then save it and wait for the attribute to be indexed.
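The same check and change can be scripted. The following is an added example, not part of the original post: it reads the current searchFlags value, reports whether the IS_INDEXED bit is set, and ORs the bit in rather than overwriting the value, so any other flags already present are preserved. It assumes the ActiveDirectory module and an account allowed to modify the schema; the write is left as -WhatIf so nothing changes until you remove that switch.

```powershell
# Added example: inspect and (optionally) set IS_INDEXED on operatingSystem.
# Assumes the ActiveDirectory module (RSAT) is installed; the write needs
# schema modification rights and is sent to the schema master.
Import-Module ActiveDirectory

$IS_INDEXED = 1   # bit mask given in the post

# Resolve the schema naming context instead of hard-coding dc=MyDomain,dc=com
$schemaNC     = (Get-ADRootDSE).schemaNamingContext
$schemaMaster = (Get-ADForest).SchemaMaster

# Find the attribute's schema object by its LDAP display name
$attr = Get-ADObject -SearchBase $schemaNC -Server $schemaMaster `
    -LDAPFilter '(lDAPDisplayName=operatingSystem)' `
    -Properties searchFlags

if (-not $attr) {
    throw "operatingSystem was not found under $schemaNC"
}

# An unset searchFlags comes back as $null, which casts to 0
$current = [int]$attr.searchFlags
$indexed = ($current -band $IS_INDEXED) -ne 0

'{0}' -f $attr.DistinguishedName
'searchFlags = {0}, indexed = {1}' -f $current, $indexed

if (-not $indexed) {
    # Set only the index bit; keep every other bit as it was
    $new = $current -bor $IS_INDEXED
    'Proposed searchFlags = {0}' -f $new

    # Remove -WhatIf to apply the change, then allow time for the
    # domain controllers to build the index
    Set-ADObject -Identity $attr.DistinguishedName -Server $schemaMaster `
        -Replace @{ searchFlags = $new } -WhatIf
}
```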