Get-ADGroupMember search by non Domain Admin

I'm trying to run the Get-ADGroupMember command as a non Domain Administrator, but every time I run it, it returns:

Get-ADGroupMember : The specified directory service attribute or value does not
 exist
At line:1 char:18
+ Get-ADGroupMember <<<<  "STSS Staff"
    + CategoryInfo          : NotSpecified: (STSS Staff:ADGroup) [Get-ADGroupM
   ember], ADException
    + FullyQualifiedErrorId : The specified directory service attribute or val
   ue does not exist,Microsoft.ActiveDirectory.Management.Commands.GetADGroup
  Member

March 2nd, 2011 9:16pm

How are you trying to access the members?  I have a test environment where I can run the following command Get-ADGroupMember "Domain Admins" as a normal account and it returns a collection of members.  Are you looking for a specific attribute?  Here is my example:

Get-ADGroupMember "Domain Admins" | Foreach-Object { Write-Host $_.distinguishedName }
This should echo out the AD path of all members within the group.
March 3rd, 2011 12:13am

Not trying to do anything special:

 

PS C:\Users\schtask> Get-ADGroupMember "STSS Staff"
Get-ADGroupMember : The specified directory service attribute or value does not
 exist
At line:1 char:18
+ Get-ADGroupMember <<<< "STSS Staff"
  + CategoryInfo     : NotSpecified: (STSS Staff:ADGroup) [Get-ADGroupM
  ember], ADException
  + FullyQualifiedErrorId : The specified directory service attribute or val
  ue does not exist,Microsoft.ActiveDirectory.Management.Commands.GetADGroup
 Member

                                       

I think there might be more at play, because any normal account I choose, it doesn't even see the Domain Admins group (domain changed to something generic for post)

PS C:\Users\schtask> Get-ADGroupMember "Domain Admins"
Get-ADGroupMember : Cannot find an object with identity: 'Domain Admins' under:
 'DC=my,DC=test,DC=domain,DC=com'.
At line:1 char:18
+ Get-ADGroupMember <<<< "Domain Admins"
  + CategoryInfo     : ObjectNotFound: (Domain Admins:ADGroup) [Get-ADG
  roupMember], ADIdentityNotFoundException
  + FullyQualifiedErrorId : Cannot find an object with identity: 'Domain Adm
  ins' under: 'DC=my,DC=test,DC=domain,DC=com'.,Microsoft.ActiveDirect
 ory.Management.Commands.GetADGroupMember

March 3rd, 2011 1:32am

How about logging in with the Domain Admin rights?

 

Maybe you could run the following command:

 

([ADSI]'LDAP://CN=Domain Admins,CN=Users,DC=Domain,DC=COM').member

 

Best Regards

Dale

March 3rd, 2011 11:06am

Any normal account should be able to query the membership of a group, it does not require Domain Admin rights.  For instance, you can use ADExplorer (http://live.sysinternals.com) and pull a complete copy of a domain with a normal user account.

Can you verify that you are logged onto the machine with a domain account?  Are you running this script interactively or in the background as a local system account?

March 3rd, 2011 6:48pm

By default, any user authenticated to the domain can view any group membership. If a domain admin can view the membership, but not a regular user with the same script/command/method, then perhaps someone has modified permissions on the group object. When viewing group properties in ADUC, on the Security tab, check permissions.

Richard Mueller

March 4th, 2011 12:24am

Get-ADGroupMember does not only query the members attribute of a group but also creates, for every member, a Microsoft.ActiveDirectory.Management.ADPrincipal object. If the account that executes Get-ADGroupMember does not have read permissions on every member of the group, you will get the above error.
The account may need read permission on the distinguishedName, name, objectClass, objectGUID, SamAccountName and SID attributes of every member object in AD.
January 16th, 2014 8:54am
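One way to find which member objects the failing account cannot read, following the explanation in the last reply. This is an added example, not part of any post in the thread; the function name Test-GroupMemberReadability is hypothetical, and the attribute list uses the LDAP names of the attributes that reply mentions. Run it as the non-admin account that gets the error.

```powershell
# Added diagnostic example, not code from the thread.
# Requires the ActiveDirectory module (RSAT) and a domain-joined session.
Import-Module ActiveDirectory

function Test-GroupMemberReadability {
    param(
        [Parameter(Mandatory = $true)]
        [string]$GroupName   # e.g. "STSS Staff", the group from the question
    )

    # Attributes named in the last reply (the SID is stored as objectSid).
    $needed = 'distinguishedName', 'name', 'objectClass',
              'objectGUID', 'sAMAccountName', 'objectSid'

    # Step 1: read only the group's own member list. If this already fails,
    # the problem is the ACL on the group object, not on its members.
    $group = Get-ADGroup -Identity $GroupName -Properties member -ErrorAction Stop

    # Step 2: resolve each member DN separately so one bad entry
    # does not hide the rest (Get-ADGroupMember fails as a whole).
    foreach ($dn in $group.member) {
        $status  = 'OK'
        $missing = @()
        try {
            $obj = Get-ADObject -Identity $dn -Properties $needed -ErrorAction Stop
            # Attributes the caller may not read come back empty.
            # Contacts legitimately have no sAMAccountName or objectSid.
            $missing = @($needed | Where-Object { $null -eq $obj.$_ })
            if ($missing.Count -gt 0) { $status = 'AttributeMissing' }
        }
        catch {
            # No read access to the object (AD reports it as not found),
            # or the DN lives in another domain than the one queried.
            $status = 'ObjectUnreadable'
        }
        [pscustomobject]@{
            Member  = $dn
            Status  = $status
            Missing = $missing -join ','
        }
    }
}

# Show only the members that would make Get-ADGroupMember fail.
Test-GroupMemberReadability -GroupName 'STSS Staff' |
    Where-Object { $_.Status -ne 'OK' } |
    Format-Table -AutoSize
```

Members reported as ObjectUnreadable or AttributeMissing are the ones whose Security tab permissions are worth comparing against a member that resolves cleanly.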
