While building out yet another SharePoint 2013 development environment, I decided to change a number of service accounts and delete the old ones from Active Directory. Everything seemed fine until I tried to go to the http://centralAdmin:5555/admin/FarmCredentialManagement.aspx page to add some other ones. Instead of the page, I got an error message, and the error was logged to the ULS:

Application error when access /_admin/FarmCredentialManagement.aspx, Error=Some or all identity references could not be translated.

I used

Get-SPManagedAccount

to show me all the managed accounts, and it became obvious which accounts had been deleted in AD but not cleaned up from the farm.

UserName             PasswordExpiration    Automatic ChangeSchedule
--------             ------------------    --------- --------------
LABS\svcSP.FarmAdmin 7/4/2013 5:49:43 AM   False
LABS\svcSP.MySite…                       False
LABS\svcSP.Search… 7/4/2013 5:49:44 AM   False
LABS\svcSP.Services  7/4/2013 5:49:45 AM   False
LABS\svcSP.Portal…                       False
LABS\svcSP.MySite_AP 7/17/2013 3:08:12 AM  False
LABS\svcSP.Portal_AP 7/17/2013 3:08:19 AM  False
LABS\svcSP.Search_AP 7/17/2013 3:16:07 AM  False

A quick check documented the broken ones: (All on one line)

Get-SPManagedAccount | ? {$_.PasswordExpiration -eq $null}

UserName             PasswordExpiration    Automatic ChangeSchedule
--------             ------------------    --------- --------------
LABS\svcSP.MySite…                       False
LABS\svcSP.Portal…                       False


And a further one deleted it: (All on one line)

Get-SPManagedAccount | ? {$_.PasswordExpiration -eq $null} | Remove-SPManagedAccount
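
The error text quoted above is the message of .NET's IdentityNotMappedException, so orphaned accounts can also be found by attempting that same name-to-SID translation instead of relying on an empty PasswordExpiration. The following is an added example, not part of the original post; Test-AccountResolves and $orphans are names made up here, and it assumes the SharePoint Management Shell on a farm server:

```powershell
# Added example (not from the original post). Test-AccountResolves and
# $orphans are illustrative names; run from the SharePoint Management Shell.

function Test-AccountResolves {
    param([Parameter(Mandatory = $true)][string]$UserName)
    try {
        # Translate DOMAIN\name to a SID, the lookup that fails for deleted accounts.
        $account = New-Object System.Security.Principal.NTAccount($UserName)
        [void]$account.Translate([System.Security.Principal.SecurityIdentifier])
        return $true
    }
    catch [System.Security.Principal.IdentityNotMappedException] {
        # The name no longer maps to a SID: the AD object is gone.
        return $false
    }
    # Any other failure (for example, no domain controller reachable) is not
    # caught here, so an outage is never mistaken for a deleted account.
}

# Keep the SPManagedAccount objects themselves so they can be piped to
# Remove-SPManagedAccount exactly as in the one-liner above.
$orphans = @(Get-SPManagedAccount |
    Where-Object { -not (Test-AccountResolves $_.UserName) })

# Review the candidates before touching the farm.
$orphans | Format-Table UserName, PasswordExpiration -AutoSize

# -WhatIf only reports what would be removed; drop it once the list is verified.
$orphans | Remove-SPManagedAccount -WhatIf
```

Comparing this list with the PasswordExpiration filter above confirms that both point at the same accounts before anything is removed.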

Hope that helps anyone…


SharePoint Snippets


Following along with my previous post about Powershell Snippets, here is my post for my own SharePoint Snippets, some of which are “PowerShelly.”

View SharePoint 2010 Developer Dashboard Setting:


Change SharePoint 2010 Developer Dashboard

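(supports On, Off, OnDemand)

$settings = [Microsoft.SharePoint.Administration.SPWebService]::ContentService.DeveloperDashboardSettings
$settings.DisplayLevel = [Enum]::Parse([Microsoft.SharePoint.Administration.SPDeveloperDashboardLevel], "Off")
$settings.Update()   # persist the new display level to the farm configuration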


While I was part of a recent SharePoint 2007 to SharePoint 2010 migration project, the testers were validating the population of SharePoint security groups. However, they did not have the tools to see the members of a particular Active Directory group, or tools to match an obfuscated user name to an individual with a known name. It presented a problem.

Enter PowerShell and a little .Net:

# Name (or wildcard pattern) to look up, taken from the first argument
$name = $args[0]

# Search the current domain
$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.PageSize = 1000
$objSearcher.SearchRoot = $objDomain
$objSearcher.Filter = "(&(objectClass=*)(|(cn=$name)(sAMAccountName=$name)))"
$colPropList = "name","objectClass","member","memberOf","cn"
foreach ($i in $colPropList) {
    $objSearcher.PropertiesToLoad.Add($i) > $null
}

$colResults = $objSearcher.FindAll()

foreach ($objResult in $colResults) {
    $properties = $objResult.Properties
    if ($properties.objectclass.Contains("user")) {
        # "name" attribute of the matched object, loaded above
        Write-Output "$($properties.name) is a user;"
        Write-Output "`t`tMember Of:"
        foreach ($memberof in $properties.memberof) {
            # memberOf holds distinguished names; bind to each group to read its name
            $objItem = New-Object System.DirectoryServices.DirectoryEntry "LDAP://$memberof"
            Write-Output "`t`t`t$($objItem.name)"
        }
    }
    if ($properties.objectclass.Contains("group")) {
        Write-Output "$($properties.name) is a group;"
        Write-Output "`tMembers Of:"
        foreach ($member in $properties.member) {
            # member holds distinguished names; bind to each member to read its name
            $objItem = New-Object System.DirectoryServices.DirectoryEntry "LDAP://$member"
            Write-Output "`t`t`t$($objItem.name)"
        }
    }
}

A little appropriation from other scripts found on the interwebs and about 20 minutes turned into something that allows for quickly translating an obfuscated user name (n82l2ldf90) into a display name and seeing what Active Directory groups they are part of, as well as entering a group name and quickly seeing who is a member of that group.

It does support the wildcard syntax that is built into the DirectorySearcher object. The magic happens on the $objSearcher.Filter line, which basically says: show me all the things in AD that have a cn property or a sAMAccountName property matching the value provided on the command line as the first argument. The argument is placed into the filter unescaped, which is what makes the wildcard work; other LDAP filter metacharacters in the argument, such as parentheses, are interpreted the same way. The following is some sample output from searching for a user and from searching for a group:

.\Find-ADUserOrGroup.ps1 nlampr* produces:
Nelson Lamprecht is a user;
Member Of:
SharePoint Farm Admins - Test
Site Collection Admins
Organization Management

.\Find-ADUserOrGroup.ps1 " Site Collection Admins" produces:

Site Collection Admins is a group;
Members Of:
Nelson Lamprecht
Guy 2
Guy 1