Failing to iterate over AdComputer names to get description - powershell

I am using ActiveDirectory and PowerShell to get the description of computers in the AD Group.
However, when I try to get batch output, I get an InvalidArgument error in PowerShell.
When I use a single line:
Get-AdComputer -Filter * -Identity COMPUTERNAME -Properties * | Select-Object name, description
I get the correct response:
Name Description
---- -----------
COMPUTERNAME Computer description
However, when I use this code to get a batch of results:
$UL = Get-ADGroupMember -identity "Groupname" | Select-Object name
Foreach ($i in $UL.Name)
{
    $i.ToString()
    Write-Host $i.GetType()
    Get-AdComputer -Filter * -Identity "$i" -Properties * | Select-Object name, description
}
I keep getting this error:
Get-ADComputer : Parameter set cannot be resolved using the specified named parameters.
At C:\apps\ActiveDirectory_UserList.ps1:6 char:1
+ Get-AdComputer -Filter * -Identity "$i" -Properties * | Select-Object ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Get-ADComputer], ParameterBindingException
+ FullyQualifiedErrorId : AmbiguousParameterSet,Microsoft.ActiveDirectory.Management.Commands.GetADComputer

As commented by Abraham Zinala, you cannot use both -Filter and -Identity together, as these parameter sets rule each other out, giving you the error message
Parameter set cannot be resolved using the specified named parameters.
Next, Get-ADGroupMember will not just return computer objects,
but also users and other groups can be members of one particular group.
Therefore, if you want to get output for computer objects only, you will need to filter out the other object types.
Luckily, each group member has a property called objectClass. This is a string containing either 'user', 'computer' or 'group',
so it is really quite easy to check on that:
# get all members of the group, filter with a Where-Object clause to receive only computer objects
$members = Get-ADGroupMember -Identity "Groupname" | Where-Object {$_.objectClass -eq 'computer'}
foreach ($computer in $members) {
    $computer | Get-ADComputer -Properties Description | Select-Object Name, Description
}
By default, Get-ADComputer returns objects with these properties:
DistinguishedName, DNSHostName, Enabled, Name, ObjectClass, ObjectGUID, SamAccountName, SID, UserPrincipalName, so in this case you only have to ask for the extra property Description.

Related

Powershell Get-ADGroupMember export to CSV -- throwing error "Cannot convert 'System.Object[]'..."

Third day noob with Powershell here.
Problem: We have several AD groups which follow a prefix naming convention. For example, "IT_1", "IT_2", "IT_3" and so on. I am attempting to export a csv with member details from each "IT_" group, along with the name of the group.
The output should have the following columns populated with data. The column GroupName will refer to IT_1, IT_2, i.e the name of the group.
"name","GroupName","distinguishedName","objectClass","objectGUID","SamAccountName","SID"
My code can work for a single group. "IT_1". For example:
$groups = Get-ADGroup -Filter 'Name -like "IT_1"'
Get-ADGroupMember $groups `
| Select-Object name, @{Name='GroupName';Expression={$groups.Name}}, distinguishedName, objectClass, objectGUID, SamAccountName, SID `
| Export-Csv -Path "C:\Users\dude\Desktop\users.csv"
However, when I alter the groups variable with a wildcard "IT_*" as per below:
$groups = Get-ADGroup -Filter 'Name -like "IT_*"'
Get-ADGroupMember $groups `
| Select-Object name, @{Name='GroupName';Expression={$groups.Name}}, distinguishedName, objectClass, objectGUID, SamAccountName, SID `
| Export-Csv -Path "C:\Users\dude\Desktop\users.csv"
The following exception is thrown:
Get-ADGroupMember : Cannot convert 'System.Object[]' to the type 'Microsoft.ActiveDirectory.Management.ADGroup' required
by parameter 'Identity'. Specified method is not supported.
At line:3 char:19
+ Get-ADGroupMember $groups `
+ ~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Get-ADGroupMember], ParameterBindingException
+ FullyQualifiedErrorId : CannotConvertArgument,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember
What am I missing here?
I am sure this is a simple fix for an experienced user.
The -Identity parameter of Get-ADGroupMember does not allow an array, so you need to loop over the results from Get-ADGroup:
Get-ADGroup -Filter 'Name -like "IT_*"' | ForEach-Object {
    $groupName = $_.Name
    $_ | Get-ADGroupMember |
        Select-Object name, @{Name='GroupName';Expression={$groupName}},
            distinguishedName, objectClass, objectGUID, SamAccountName, SID
} | Export-Csv -Path "C:\Users\dude\Desktop\users.csv" -NoTypeInformation
Inside the ForEach-Object loop, the $_ automatic variable represents the ADGroup object for each iteration.

PS Get/Set-ADGroup issues accepting variable/object input

I'm creating Distribution Lists, and trying to populate the AD Description field. Set-ADGroup appears to be the correct cmdlet for this task, however I'm having trouble using it inside a simple script, or using a variable to pass along the required parameters or objects.
This works:
Get-ADGroup -Identity "CN=My Group Name,OU=Distribution,OU=Groups,DC=subdomain,DC=domain,DC=tld"
But this doesn't:
$GroupDn = Get-Group -Identity "My Group Name" | Select-Object DistinguishedName
Get-ADGroup -Identity $GroupDn
And fails with this error:
get-adgroup : Cannot find an object with identity: '$GroupDn' under:
'DC=subdomain,DC=domain,DC=tld'. At line:1 char:1
+ get-adgroup -Identity '$GroupDn'
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: ($GroupDn:ADGroup) [Get-ADGroup], ADIdentityNotFoundException
+ FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException,Microsoft.ActiveDirectory.Management.Commands.GetADGroup
$GroupDn is storing this object:
PS D:\Scripts> $groupdn
DistinguishedName
-----------------
CN=My Group Name,OU=Distribution,OU=Groups,DC=subdomain,DC=domain,DC=tld
I assumed this is because Get-ADGroup is expecting string input, but I also know this is Powershell and objects and all that is the magic, the secret sauce, but my roux appears to be lumpy and I'm missing some key point.
So, is string input what I should be handling here? If so, what's the right way to get that DN into a string?
Or what part of the object secret sauce am I missing?
As requested.
The problem with your code is that it gets the distinguished name as a PSCustomObject with a property called 'DistinguishedName', where you really want to get this property as a String.
If you change that to (using Exchange Get-Group):
$GroupDn = Get-Group -Identity "My Group Name" | Select-Object -ExpandProperty DistinguishedName
or (using ActiveDirectory Get-ADGroup):
$GroupDn = Get-ADGroup -Identity "My Group Name" | Select-Object -ExpandProperty DistinguishedName
The variable $GroupDn will then contain just the DistinguishedName of the group as a string that can be used as the -Identity parameter for other AD commands.
Get-ADGroup can also be used in another type of syntax, namely by passing an object through the pipeline. This object needs to have at least one of these properties: DistinguishedName, GUID, SID or SamAccountName.
$GroupObject = Get-Group -Identity "My Group Name"
$GroupObject | Get-ADGroup
Using this syntax, you do not need to set the Identity parameter.
I was also able to pipe like this:
Get-Group | % { Get-ADGroup -Identity $_.DistinguishedName }
It still seems not to play well with different domains though, but this would definitely work for groups in the same domain. The key as to why something like Get-Group | Select DistinguishedName or Get-Group | Get-ADGroup doesn't work is to use the Get-Member cmdlet. So running something like:
Get-Group | Get-Member
Get-Group | Select DistinguishedName | Get-Member
Should return something like this:
TypeName: Deserialized.Microsoft.Exchange.Data.Directory.Management.WindowsGroup
TypeName: Selected.System.Management.Automation.PSCustomObject
And as you can see from there, that is not what would be accepted from a pipeline into the Get-ADGroup cmdlet.

Get-ADGroup with -recursive is not working?

I am using the Get-ADGroupMember command to fetch all the users in an AD group. -Recursive is helping me fetch members from child groups, if any, in the parent group as well.
However, Get-ADGroupMember has an upper limit of 5000 entries only.
To tackle this, if I use:
Get-ADGroup -Identity "DEPT_120_SA" -server "A" -Properties * | select-object -expandproperty members |get-aduser
this doesn't work, as my Parent AD has child ADs and -recursive is not accepted by Get-ADGroup.
Error:
Get-ADGroup : A parameter cannot be found that matches parameter name
'recursive'. At line:2 char:79
+ Get-ADGroup -Identity "DEPT_120_SA" -server "mhf.mhc" -Properties * -recursive <<<< | select-object -expandproperty members
+ CategoryInfo : InvalidArgument: (:) [Get-ADGroup], ParameterBindingException
+ FullyQualifiedErrorId : NamedParameterNotFound,Microsoft.ActiveDirectory.Management.Commands.GetADGroup
My aim is to display username and their mail IDs, and this works for me:
Get-ADGroupMember -server $domain -identity $s -Recursive -ErrorAction Stop | Get-AdUser -Properties mail -ErrorAction Stop | select sAmAccountName, Mail
Any workaround? (I am willing to write a recursive function to fetch large groups, but there must be a shorter and direct way)
The 5000 limit applies only to Get-ADGroupMember, not Get-ADUser, so we can use the LDAP_MATCHING_RULE_IN_CHAIN matching rule (OID 1.2.840.113556.1.4.1941).
For example:
Get-AdUser -LdapFilter "(memberOf:1.2.840.113556.1.4.1941:=cn=group,cn=users,DC=ad,DC=local)"
where cn=group,cn=users,DC=ad,DC=local is the distinguished name of the group you want members for.
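The in-chain query above as a reusable function, added here as an example that is not part of the original answer. It looks up the group's distinguished name and escapes it per RFC 4515 before placing it in the LDAP filter, so a DN containing `\`, `*`, `(` or `)` cannot alter the filter. The function names `ConvertTo-LdapFilterValue` and `Get-NestedGroupUser` are hypothetical; the group name is the one from the question.

```powershell
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # RFC 4515: \ * ( ) and NUL must be written as \XX (hex) inside a filter value.
    param([Parameter(Mandatory)][string]$Value)
    [regex]::Replace($Value, '[\\*()\x00]', {
        param($m)
        '\{0:x2}' -f [int][char]$m.Value
    })
}

function Get-NestedGroupUser {
    # Returns users that are direct or nested members of the group.
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [string]$Server
    )

    # Pass -Server through only when the caller supplied one.
    $common = @{}
    if ($Server) { $common.Server = $Server }

    # Resolve the name to a DN; memberOf can only be matched against a DN.
    $group = Get-ADGroup -Identity $GroupName @common
    $dn    = ConvertTo-LdapFilterValue -Value $group.DistinguishedName

    # 1.2.840.113556.1.4.1941 = LDAP_MATCHING_RULE_IN_CHAIN (walks nested groups).
    $filter = "(memberOf:1.2.840.113556.1.4.1941:=$dn)"

    Get-ADUser -LDAPFilter $filter -Properties mail @common |
        Select-Object SamAccountName, mail
}

# Usage with the group from the question:
Get-NestedGroupUser -GroupName 'DEPT_120_SA' |
    Export-Csv -Path .\DEPT_120_SA-members.csv -NoTypeInformation
```

Users whose membership comes only from their primary group are not listed in memberOf and will not be returned by this filter.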

Getting AD groups and their users

I've been trying to get a list of all the groups in our AD environment (with the description) and their members and output it to a CSV file. Ideally the users would be shown under their group. The script I've been trying to use is:
Import-Module ActiveDirectory
Get-ADGroup -Filter * -Properties Description |
    Select-Object Name, Description |
    ForEach-Object {
        Get-ADGroupMember -Identity $_.DistinguishedName -Recursive |
            Get-ADObject -Properties SamAccountname, Title, Department |
            Select-Object Name, SamAccountName, Title, Department, DistinguishedName, ObjectClass
    } | Export-Csv -Path c:\temp\ADGrab.csv -NoTypeInformation
The error I keep getting is as follows:
Get-ADGroupMember : Cannot validate argument on parameter 'Identity'. The argument
is null or empty. Supply an argument that is not null or empty and then try the
command again.
At C:\Users\j_kennedy_ta\AppData\Local\Temp\9\2898ceb2-a6cf-4fbf-9341-e651dad2145d.ps1:4 char:28
+ Get-ADGroupMember -Identity <<<< $_.distinguishedname -Recursive |
+ CategoryInfo : InvalidData: (:) [Get-ADGroupMember], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember
Without the nasty Select-Object and with group information in the CSV file:
Import-Module ActiveDirectory
Get-ADGroup -Filter * -Properties Description |
    ForEach-Object {
        # Store for later use
        $groupName = $_.Name
        $groupDescription = $_.Description
        Get-ADGroupMember -Identity $_.DistinguishedName -Recursive |
            Get-ADObject -Properties SamAccountname, Title, Department |
            Select-Object Name, SamAccountName, Title, Department, DistinguishedName, ObjectClass,
                # Calculated properties with group information
                @{ name = "GroupName"; expression = { $groupName } },
                @{ name = "GroupDescription"; expression = { $groupDescription } }
    } | Export-Csv -Path c:\temp\ADGrab.csv -NoTypeInformation

PowerShell script to add computers to group that are not part of another group?

I am trying to pull together a PS script to automatically add computers to a security group that are not part of another group.
In this case, add all computers to group_b that are not part of group_a.
This is what I tried..
#get list of computers from group_a
$tpmobjects = Get-ADGroupMember -Identity "group_a" | Select name
#add computers to group_b that are not in group_a
Get-ADComputer -Filter {SamAccountName -notlike $tpmobjects} | Foreach-Object { Add-ADPrincipalGroupMembership -Identity $_.SamAccountName -MemberOf "group_b" }
The error I get is...
Get-ADComputer : Type: 'System.Object[]' is not supported for extended attribute 'SamAccountName'.
At line:2 char:1
+ Get-ADComputer -Filter {SamAccountName -notlike $tpmobjects}...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Get-ADComputer], ArgumentException
+ FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.ArgumentException,Microsoft.ActiveDirectory.Management.Commands.GetADComputer
Anyone have a way to do this?
Thanks.
What happens is that Get-ADGroupMember returns multiple objects and the -Filter parameter doesn't support matching against multiple objects.
There are multiple ways around this, but the easiest is to simply filter the output from Get-ADGroupMember with Where-Object:
$Computers = Get-ADGroupMember group_a |Where-Object {$_.objectClass -eq 'computer'}
You also don't need to wrap Add-ADPrincipalGroupMembership in ForEach-Object, it accepts pipeline input, and an ADComputer object can be bound to the -Identity parameter directly without problems:
$Computers |Add-ADPrincipalGroupMembership -MemberOf group_a
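The set difference the question describes (computers that are not in group_a, added to group_b), as an added example that is not part of the original answer. It compares distinguished names client-side instead of passing an array to -Filter, and previews the membership change with -WhatIf before anything is written. The variable names are illustrative.

```powershell
Import-Module ActiveDirectory

$excludeGroup = 'group_a'   # computers in this group are left alone
$targetGroup  = 'group_b'   # everything else is added here

function Get-ComputerDnSet {
    # Returns a case-insensitive set of DNs of the computers in a group,
    # including those that are members through nested groups.
    param([Parameter(Mandatory)][string]$Group)
    $set = [System.Collections.Generic.HashSet[string]]::new(
        [System.StringComparer]::OrdinalIgnoreCase)
    Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq 'computer' } |
        ForEach-Object { [void]$set.Add($_.distinguishedName) }
    # The leading comma stops PowerShell from unrolling the set on output.
    , $set
}

$excluded = Get-ComputerDnSet -Group $excludeGroup
$present  = Get-ComputerDnSet -Group $targetGroup

# All computer accounts that are in neither group yet.
$toAdd = @(Get-ADComputer -Filter * | Where-Object {
    -not $excluded.Contains($_.DistinguishedName) -and
    -not $present.Contains($_.DistinguishedName)
})

Write-Host ("{0} computer(s) would be added to {1}" -f $toAdd.Count, $targetGroup)

if ($toAdd.Count -gt 0) {
    # Remove -WhatIf once the preview lists the expected accounts.
    Add-ADGroupMember -Identity $targetGroup -Members $toAdd -WhatIf
}
```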