Get-ADUser returns an error on windows 2012 R2 when you want all properties.

When you try to get all properties of an ActiveDirectory Object using PowerShell you get an error.

You would typically run some command like:

Get-ADUser -Identity someone -Properties *   . This will return an unexpected error.

Get-ADUser : One or more properties are invalid.
Parameter name: msDS-AssignedAuthNPolicy
At line:1 char:1
+ Get-ADUser pilot1 -Properties *
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : InvalidArgument: (pilot1:ADUser) [Get-ADUser], ArgumentException
+ FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.ArgumentException,Microsoft.ActiveDirectory.Management.Commands.GetADUser 

The workaround is to pipe AD Object to GET- ADObject like this:

Get-ADUser – identity someone | Get-ADObject -Properties *

This is probably a  bug in Windows 2012R2 and Windows 8.1


Group Manager in Exchange 2010-2013 are unable to manage group membership.

There was a change in RBAC. Group managers are not able to add or remove members of a distribution Group even if it seems so in the Exchange Management Console.

The only options in ECP was to give them the additional permission to great and remove groups. You can create a new role that will enable this permission again. Thanks to Matthew Byrd at Microsoft who has created a Powershell script that does this for us.

Does a Lync phone reset to factory default “really” reset the phone?

Had problem with som Lync Phones (Polycom CX600). That suddenly stop signing in. Did a reset to factory deafult and the issues remained. Solution was to login with extension and pin and then connect the phone to PC using USB and login. Now I was able to login the phone using Lync client. This procedure was repeated on several phones. It seems to me that a factory default does not completely remove all old settings.