From b035e1eccaa337be74006b0439584f9068352a36 Mon Sep 17 00:00:00 2001
From: David Paulson
Date: Fri, 22 Nov 2024 16:42:08 -0600
Subject: [PATCH] Addressing Computer Membership Unknown Issues with Remote Computer AD Module cmdlets don't work inside Invoke-Command
---
 .../Invoke-AnalyzerExchangeInformation.ps1 | 20 ++++++++++-----
 .../Get-ExchangeInformation.ps1 | 25 +++++++++++++++----
 2 files changed, 34 insertions(+), 11 deletions(-)
diff --git a/Diagnostics/HealthChecker/Analyzer/Invoke-AnalyzerExchangeInformation.ps1 b/Diagnostics/HealthChecker/Analyzer/Invoke-AnalyzerExchangeInformation.ps1
index 8c5dc48d19..ddf1e2890d 100644
--- a/Diagnostics/HealthChecker/Analyzer/Invoke-AnalyzerExchangeInformation.ps1
+++ b/Diagnostics/HealthChecker/Analyzer/Invoke-AnalyzerExchangeInformation.ps1
@@ -305,16 +305,24 @@ function Invoke-AnalyzerExchangeInformation {
 Where-Object { $_.WellKnownName -in @("Exchange Trusted Subsystem", "Exchange Servers") }
 $displayMissingGroups = New-Object System.Collections.Generic.List[string]
- foreach ($localGroup in $localGroupList) {
- if (($null -eq ($exchangeInformation.ComputerMembership.LocalGroupMember.SID | Where-Object { $_.ToString() -eq $localGroup.SID } ))) {
- $displayMissingGroups.Add("$($localGroup.WellKnownName) - Local System Membership")
+ if ($null -ne $exchangeInformation.ComputerMembership.LocalGroupMember) {
+ foreach ($localGroup in $localGroupList) {
+ if (($null -eq ($exchangeInformation.ComputerMembership.LocalGroupMember.SID | Where-Object { $_.ToString() -eq $localGroup.SID } ))) {
+ $displayMissingGroups.Add("$($localGroup.WellKnownName) - Local System Membership")
+ }
 }
+ } else {
+ $displayMissingGroups.Add("Unable to determine Local System Membership as the results were blank.")
 }
- foreach ($adGroup in $adGroupList) {
- if (($null -eq ($exchangeInformation.ComputerMembership.ADGroupMembership.SID | Where-Object { $_.ToString() -eq $adGroup.SID }))) {
- $displayMissingGroups.Add("$($adGroup.WellKnownName) - AD Group Membership")
+ if ($null -ne $exchangeInformation.ComputerMembership.ADGroupMembership) {
+ foreach ($adGroup in $adGroupList) {
+ if (($null -eq ($exchangeInformation.ComputerMembership.ADGroupMembership.SID | Where-Object { $_.ToString() -eq $adGroup.SID }))) {
+ $displayMissingGroups.Add("$($adGroup.WellKnownName) - AD Group Membership")
+ }
 }
+ } else {
+ $displayMissingGroups.Add("Unable to determine AD Group Membership as the results were blank.")
 }
 if ($displayMissingGroups.Count -ge 1) {
diff --git a/Diagnostics/HealthChecker/DataCollection/ExchangeInformation/Get-ExchangeInformation.ps1 b/Diagnostics/HealthChecker/DataCollection/ExchangeInformation/Get-ExchangeInformation.ps1
index 4b43ca1c2f..5c27f88ec9 100644
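Review bot: The two new `else` branches add the "Unable to determine ..." strings to `$displayMissingGroups`, the same list that carries real missing-membership findings, so whatever renders that list after `if ($displayMissingGroups.Count -ge 1)` (outside this hunk) will presumably show a failed data collection under the same heading and severity as a server that really is absent from Exchange Trusted Subsystem or Exchange Servers. An operator triaging the report needs to tell "not a member" from "could not check", so I would collect these in a separate list or flag and report them with their own wording. The null test also fires when `ComputerMembership` was never populated at all, which in Get-ExchangeInformation appears to be the case for Edge servers; if this block is not already skipped for them, they will now always get both messages. At minimum, add a comment above the first check such as `# $null means collection failed or was skipped, not that the server has no memberships`.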
--- a/Diagnostics/HealthChecker/DataCollection/ExchangeInformation/Get-ExchangeInformation.ps1
+++ b/Diagnostics/HealthChecker/DataCollection/ExchangeInformation/Get-ExchangeInformation.ps1
@@ -208,16 +208,31 @@ function Get-ExchangeInformation {
 if ($getExchangeServer.IsEdgeServer -eq $false) {
 $params = @{
 ComputerName = $Server
- ScriptBlockDescription = "Getting Exchange Server Members"
+ ScriptBlockDescription = "Getting Exchange Server Local Group Members"
 CatchActionFunction = ${Function:Invoke-CatchActions}
 ScriptBlock = {
- [PSCustomObject]@{
- LocalGroupMember = (Get-LocalGroupMember -SID "S-1-5-32-544" -ErrorAction Stop)
- ADGroupMembership = (Get-ADPrincipalGroupMembership (Get-ADComputer $env:COMPUTERNAME).DistinguishedName)
+ try {
+ $localGroupMember = Get-LocalGroupMember -SID "S-1-5-32-544" -ErrorAction Stop
+ } catch {
+ Write-Verbose "Failed to run Get-LocalGroupMember. Inner Exception: $_"
 }
+ $localGroupMember
 }
 }
- $computerMembership = Invoke-ScriptBlockHandler @params
+ $localGroupMember = Invoke-ScriptBlockHandler @params
+
+ # AD Module cmdlets don't appear to work in remote context with Invoke-Command, this is why it is now moved outside of the Invoke-ScriptBlockHandler.
+ try {
+ $adPrincipalGroupMembership = (Get-ADPrincipalGroupMembership (Get-ADComputer ($Server.Split(".")[0]) -ErrorAction Stop).DistinguishedName -ErrorAction Stop)
+ } catch {
+ # Current do not add Invoke-CatchActions as we want to be aware if this doesn't fix some things.
+ Write-Verbose "Failed to get the AD Principal Group Membership. Inner Exception: $_"
+ }
+
+ $computerMembership = [PSCustomObject]@{
+ LocalGroupMember = $localGroupMember
+ ADGroupMembership = $adPrincipalGroupMembership
+ }
 }
 [array]$serverMonitoringOverride = Get-MonitoringOverride -Server $Server
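Review bot: `Get-ADComputer ($Server.Split(".")[0])` looks the server up by its first DNS label only, in whatever domain the machine running the script defaults to, so in a multi-domain forest, or when `$Server` is not an FQDN whose first label matches the computer account name, the call either fails or can resolve a different computer object, and the membership check is then evaluated against the wrong account. If `$Server` is always an FQDN at this point, matching on it is more exact: `$adComputer = Get-ADComputer -Filter "DNSHostName -eq '$Server'" -ErrorAction Stop`, followed by an explicit check that exactly one object came back before calling `Get-ADPrincipalGroupMembership`. Separately, the new `try`/`catch` inside the remote `ScriptBlock` swallows the `-ErrorAction Stop` failure, so `CatchActionFunction` no longer sees it and the `Write-Verbose` text is emitted only in the remote session, where it is likely dropped; consider letting the error propagate as before. Both `$localGroupMember` and `$adPrincipalGroupMembership` are also read after a `catch` without being initialised, so setting them to `$null` before each `try` would avoid picking up a same-named variable from a parent scope. The function body continues outside the hunk.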