PowerShell New-GPLink is giving errors on cross domains - powershell

I am trying to write a PowerShell script to link my GPOs to several OUs on multiple domains. The issue I am having is with the New-GPLink cmdlet. When I run the command I get different errors. I can create and link GPOs in all domains in GPMC.
My domain is set up as a forest with two domains under it (let's call them DomA and DomB). Then I have a third domain not under that forest (let's call it DomC).
My computer is in DomA and my account is in DomC.
The GPO is created in DomA and we'll call it GPO_Test_1.
The OU I want to link is at ou=Test,ou=GPO Testing,dc=DomA
If I run:
New-GPLink -Name "GPO_Test_1" -Target "ou=Test,ou=GPO Testing,dc=DomA" -LinkEnabled Yes
I get this error:
New-GPLink : The "GPO_Test_1" GPO was not found in the DomC domain.
Parameter name: gpoDisplayName
At line:1 char:1
+ New-GPLink -Name "GPO_Test_1" -Target "ou=Test,ou=GPO Testin ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Microsoft.GroupPolicy.GPDomain:GPDomain) [New-GPLink], ArgumentException
+ FullyQualifiedErrorId : GpoWithNameNotFound,Microsoft.GroupPolicy.Commands.NewGPLinkCommand
So I can see it's looking at the domain that my account is in, not the one that my computer is in.
I tried different parameters resulting in different errors.
-Domain DomA
New-GPLink : A referral was returned from the server. (Exception from HRESULT: 0x8007202B)
-Server DConDomA
New-GPLink : Value does not fall within the expected range.
-Domain DomA -Server DConDomA
New-GPLink : Value does not fall within the expected range.
I read that this may be because my credentials are not passing correctly to the other domain. So I tried the below:
Invoke-Command -ComputerName DConDomA -scriptblock {New-GPLink -Name "GPO_Test_1" -Target "ou=Test,ou=GPO Testing,dc=DomA" -LinkEnabled Yes} -credential $c
The "GPO_Test_1" GPO was not found in the DomC domain.
Again the error references the domain my account is in...
Adding the -Server DConDomA inside the script block still gives this error.
New-GPLink : Value does not fall within the expected range.
I tried a few different DCs (including the RID Master on DomA and DomC), but those result in the same type of errors.
I am not sure what I am missing or doing wrong here.

I found my own answer in the Microsoft documentation. Seems I just missed it. My Domain parameter has to be the FQDN, whereas I was using the short name.
https://learn.microsoft.com/en-us/powershell/module/grouppolicy/new-gplink?view=windowsserver2022-ps
-Domain
Specifies the domain for this cmdlet. You must specify the fully qualified domain name (FQDN) of the domain.
This note explained why it was checking the domain where my account was as well.
"If you do not specify the Domain parameter, the domain of the user that is running the current session is used. If the cmdlet is being run from a computer startup or shutdown script, the domain of the computer is used. For more information, see the Notes section in the full Help."
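Put together as an added example (not from the question or the answer above): a helper that resolves a short domain name to the FQDN that -Domain requires, reads the GPO from that domain rather than from the logged-on user's domain, and links it to each OU only if the link is not already there. It assumes the GroupPolicy and ActiveDirectory modules, a trust that lets the DomC account query DomA, and placeholder OU distinguished names.

```powershell
function Set-GpoLinkInDomain {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$DomainName,      # short name or FQDN, e.g. 'DomA'
        [Parameter(Mandatory)][string[]]$TargetOu        # distinguished names of OUs in that domain
    )
    # Resolve to the FQDN: New-GPLink -Domain needs it, and a NetBIOS name produces the
    # referral / "Value does not fall within the expected range" errors seen in the question.
    $ad   = Get-ADDomain -Identity $DomainName
    $fqdn = $ad.DNSRoot
    # Pin every call to one DC so the GPO lookup and the link write hit the same replica.
    $dc   = $ad.PDCEmulator
    # Look the GPO up in the target domain, not in the domain of the logged-on user.
    $gpo  = Get-GPO -Name $GpoName -Domain $fqdn -Server $dc
    foreach ($ou in $TargetOu) {
        $links = (Get-GPInheritance -Target $ou -Domain $fqdn -Server $dc).GpoLinks
        if ($links | Where-Object { $_.GpoId -eq $gpo.Id }) {
            Write-Verbose "$($gpo.DisplayName) is already linked to $ou"
            continue   # idempotent: re-running the script does not add duplicate links
        }
        New-GPLink -Guid $gpo.Id -Target $ou -Domain $fqdn -Server $dc -LinkEnabled Yes
    }
}

# Placeholder OU DN taken from the question; a real one ends in dc=DomA,dc=<tld>.
Set-GpoLinkInDomain -GpoName 'GPO_Test_1' -DomainName 'DomA' `
    -TargetOu 'ou=Test,ou=GPO Testing,dc=DomA' -Verbose
```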

Related

Edit/Add GPO on DC via Powershell

I'm given the task to migrate all the printers installed on workstations via GPO to another server.
As of now all printers are installed from a local decentralized Distribution Point; we want to move to a centralized Distribution Point/Print Server.
On my DC, via Group Policy Management Editor, I have a lot of printers in
Computer Configuration\Preferences\Control Panel Settings\Printers
All printers are mapped from \\DP00x\Printer and given a local name.
What I want to change is the \\DP00x to \\CentralDP01\Printer in the GPO.
I've managed via PowerShell to create all printer ports, install all printers and publish/list all of them in the directory.
Given that there are more than 100, I wish to automate the GPO editing, so that I don't need to open each policy and each printer to modify the destination.
I've tried the cmdlet Get-GPRegistryValue because I know (at least) that printers are installed under HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers
but I get this error every time:
Get-GPRegistryValue : The following Group Policy registry setting was not found: "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers".
Parameter name: keyPath
At line:1 char:1
+ Get-GPRegistryValue -Guid 6b464ed9-66c8-47fa-8327-1fe9b074a0d7 -Key H...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (Microsoft.Group...tryValueCommand:GetGPRegistryValueCommand) [Get-GPRegistryValue], ArgumentException
+ FullyQualifiedErrorId : UnableToRetrievePolicyRegistryItem,Microsoft.GroupPolicy.Commands.GetGPRegistryValueCommand
I tried as well Get-GPPrefRegistryValue
Get-GPPrefRegistryValue -Context Computer -Guid 6b464ed9-66c8-47fa-8327-1fe9b074a0d7 -Key HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers
But error looks the same:
Get-GPPrefRegistryValue : The Preference registry setting "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers" was not found in the
"x-x-x-x-x-x" GPO in the x-x-x-x-x-x-x.com domain.
Parameter name: keyPath
At line:1 char:1
+ Get-GPPrefRegistryValue -Context Computer -Guid 6b464ed9-66c8-47fa-83 ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (Microsoft.Group...tryValueCommand:GetGPPrefRegistryValueCommand) [Get-GPPrefRegistryValue], ArgumentException
+ FullyQualifiedErrorId : UnableToRetrievePreferenceRegistryItem,Microsoft.GroupPolicy.Commands.GetGPPrefRegistryValueCommand
I found a workaround. Backup the GPO, manually edit the XML with the new value and import back the GPO.
I don't fancy the idea of manually editing because it can lead to errors, and with over 100+ GPOs I can have a lot of errors.
Can anyone help me?
Maybe I'm using the wrong commands, but so far the documentation states to use the GPO module.
Unfortunately the GroupPolicy commands are limited to registry key settings only, and printer preferences fall outside that. You can safely edit the live GPO XML files themselves though (or use Backup-GPO/Restore-GPO).
If you're only replacing the server name, this should work fine. Try it on a test GPO, updating the path as needed:
$gpo = Get-GPO -Name 'Test GPO'
$guid = $gpo.Id   # Get-GPO returns a Gpo object; the path and -Guid below need its Id, not the object
# Check the GPO version before changes:
Get-GPO -Guid $guid
$domain = 'domain.com'
# Computer Configuration preferences live under Machine\Preferences, User Configuration under User\Preferences:
$path = "\\$domain\SYSVOL\$domain\Policies\{$guid}\User\Preferences\Printers\Printers.xml"
# Update the path in the GPO xml; DP00\d matches DP001, DP002, ... rather than the literal text 'DP00x':
(Get-Content $path -Raw) -replace 'DP00\d','CentralDP01' | Set-Content $path -Encoding UTF8
# Validate the GPO version/change date have updated - might take a while if xml is on a different DC:
Get-GPO -Guid $guid
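Added example, not the answerer's code: the same idea scaled to the 100+ GPOs in the question, parsing Printers.xml as XML so only the server component of each printer path is rewritten, backing each GPO up before it is touched, and supporting -WhatIf for a dry run. It assumes the GroupPolicy module, write access to SYSVOL, the GPP layout `<SharedPrinter><Properties path="\\server\printer" .../></SharedPrinter>`, and placeholder domain, server and backup paths.

```powershell
function Update-GppPrinterServer {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Domain,            # FQDN, e.g. 'corp.example.com' (placeholder)
        [Parameter(Mandatory)][string]$OldServerPattern,  # regex for the old server name, e.g. '^DP00\d$'
        [Parameter(Mandatory)][string]$NewServer,         # e.g. 'CentralDP01'
        [Parameter(Mandatory)][string]$BackupPath         # folder that receives a Backup-GPO copy
    )
    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        $base = "\\$Domain\SYSVOL\$Domain\Policies\{$($gpo.Id)}"
        # Computer Configuration preferences sit under Machine, User Configuration under User.
        foreach ($scope in 'Machine', 'User') {
            $xmlPath = Join-Path $base "$scope\Preferences\Printers\Printers.xml"
            if (-not (Test-Path $xmlPath)) { continue }
            [xml]$doc = Get-Content -Path $xmlPath -Raw
            $changed = 0
            # Assumed layout: <SharedPrinter><Properties path="\\server\printer" .../></SharedPrinter>
            foreach ($props in $doc.SelectNodes('//SharedPrinter/Properties')) {
                $m = [regex]::Match($props.path, '^\\\\([^\\]+)\\(.+)$')   # UNC: server, share
                if ($m.Success -and $m.Groups[1].Value -match $OldServerPattern) {
                    $props.path = "\\$NewServer\$($m.Groups[2].Value)"     # only the server part changes
                    $changed++
                }
            }
            if ($changed -eq 0) { continue }
            if ($PSCmdlet.ShouldProcess("$($gpo.DisplayName) [$scope]", "rewrite $changed printer path(s)")) {
                # Keep a restorable copy before touching SYSVOL.
                Backup-GPO -Guid $gpo.Id -Domain $Domain -Path $BackupPath | Out-Null
                $doc.Save($xmlPath)
            }
            [pscustomobject]@{ Gpo = $gpo.DisplayName; Scope = $scope; Changed = $changed }
        }
    }
}

# Dry run first (-WhatIf prints what would change), then repeat without it to apply.
Update-GppPrinterServer -Domain 'corp.example.com' -OldServerPattern '^DP00\d$' `
    -NewServer 'CentralDP01' -BackupPath 'C:\GpoBackup' -WhatIf
```

Check Get-GPO afterwards as the answer recommends: clients only re-process a GPO whose version number has changed, so confirm it did before assuming the new path has reached the workstations.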

Move users from SFB on-prem to Teams\SFBO

Updated SFB on-prem to CU9 but for some reason unable to move a test user to Teams or SFBO. Anyone facing this issue?
I tried to use PS commands and the SFB admin portal but got the same results.
$cred=Get-Credential
$url="https://admxxxx.online.lync.com/HostedMigration/hostedmigrationService.svc"
Move-CsUser -Identity teamstestuser02#xxx.com -Target sipfed.online.lync.com -Credential $cred -HostedMigrationOverrideUrl $url
Move-CsUser : Unable to connect to some of the servers in pool "XXX.com" due to a Distributed Component Object Model (DCOM) error. Verify that Front End service is running on servers in this pool. If the pool is set up for load balancing, verify that load balancer is configured correctly.
At line:2 char:1
+ Move-CsUser -Identity teamstestuser02#XXXX.com -Target "sip ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (CN=TeamsTestUse...p,xx.xxcom:OCSADUser) [Move-CsUser], MoveUserException
+ FullyQualifiedErrorId : MoveError,Microsoft.Rtc.Management.AD.Cmdlets.MoveOcsUserCmdlet
Have you run this on the FrontEnd Server itself?
I have had hits and misses with Move-CsUser when it targets Skype Online.
Potential mitigations I found:
-Run on FE
-Specify undocumented Switch -DomainController to point it at a writable DC
https://learn.microsoft.com/en-us/skypeforbusiness/hybrid/move-users-between-on-premises-and-cloud should have all the juice you need; make sure that the user you are running this command as (i.e. logged into the FE) has CsServerAdministrator and the $Cred has Global Admin or User Admin + Skype for Business Admin.
Hope that helps :)
I used the -UseOAuth switch on the Front End server and the issue was resolved. Some users return errors for Rollback, and nothing works for these users until I used the force switch, after which they lost their contacts and meeting info.

Get-ADForest - Could not find a forest identified by: "xxxx"

Here's the command I run:
$Credentials = Get-Credential # Feed in credentials for some.domain.com
Get-ADForest -Server some.domain.com -Credential $Credentials
And it reports:
Get-ADForest : Could not find a forest identified by: 'some.domain.com'
I've tried all kinds of different things for the -Server parameter, including using hostname.domain.name.com, and nothing works. Is it possible it is being blocked?
However, if I run a:
Get-ADUser username -Server 'some.domain.com' -Credential $Credentials
It returns the value...
First of all, you need to go through the documentation for Get-ADForest to understand what might be happening in your case:
The Get-ADForest cmdlet gets the Active Directory forest specified by the parameters. You can specify the forest by setting the Identity or Current parameters...
To retrieve the forest of the local computer or current logged on user (CLU), set the Current parameter to LocalComputer or LoggedOnUser. When you set the Current parameter, you do not need to set the Identity parameter...
When the Current parameter is set to LocalComputer or LoggedOnUser, the cmdlet uses the Server and Credential parameter values to determine the domain and the credentials to use to identify the domain of the forest according to the following rules...
-- If the Server and Credential parameters are specified: The domain is set to the domain of the specified server and the cmdlet checks to make sure that the server is in the domain of the LocalComputer or LoggedOnUser. Then the credentials specified by the Credential parameter are used to get the domain. An error is returned when the server is not in the domain of the LocalComputer or LoggedOnUser.
I believe the error which you're receiving is because the last line is not being satisfied. Please verify the same in your case because it seems the server which you're specifying is either not in the domain of the LocalComputer or the LoggedOnUser.
First of all, the two examples you mention are two different cmdlets. Let's not confuse the two of them.
About Get-ADForest:
Judging by the information from this fact sheet about Get-ADForest:
Would it help you to use -Identity "some.domain.com" instead? From what I can gather, either you use the -Identity switch (which is mandatory), or you pipe an object to the cmdlet.
The Identity switch takes these values:
A fully qualified domain
A GUID (objectGUID)
A DNS host name
A NetBIOS name
Test:
Get-ADForest -Identity 'some.domain.com' -Credential $Credentials

How to set Assigned Access for Edge Browser

I would like to set Edge as an Assigned Access to a User.
I'm using the following PowerShell Command:
Set-AssignedAccess -AppUserModelId Microsoft.MicrosoftEdge -UserName xy
But I always get the following error (translated from German):
System error 1376 has occurred.
The specified local group does not exist.
New-CimInstance : A general error has occurred, for which
no specific error code is available.
C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\AssignedAccess\AssignedAccess.psm1:300
Zeichen:13
+ New-CimInstance -ClassName WEDL_AssignedAccess -Property ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (WEDL_AssignedAccess:CimInstance) [New-CimInstance], CimException
+ FullyQualifiedErrorId : MI RESULT 1,Microsoft.Management.Infrastructure.CimCmdlets.NewCimInstanceCommand
The local user exists, and the app exists too. I also logged in with the user I want to set the Assigned Access for, to make sure the profile is set up correctly.
This happened on two different Windows 10 (build 14393) machines.
I'm on PSVersion:
PS C:\WINDOWS\system32> $psversiontable.psversion.toString()
5.1.14393.1944
Does anybody know how to solve this?
Ran into this yesterday. From what I could tell the "local group" that's referenced is actually the admin group.
I ran the following commands in an elevated PowerShell prompt:
Net localgroup administrators /add
This creates a local Administrators group.
Net localgroup administratörer administrators /add
This adds the administrators group to the local admin group (Administratörer is the Swedish localization of Administrators, use the local version depending on your country and replace it).
After this is done, run your previous commands.
Give it a try, hope it helps :)
//Chris
Set-AssignedAccess -UserName weakusername -AUMID Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge
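As an added example (not from any of the posts above), a helper that looks up the full Edge AUMID from the Start app list instead of guessing it, checks that the local account exists, applies Assigned Access, and returns the stored mapping for verification. It assumes the AssignedAccess, StartLayout and LocalAccounts modules shipped with Windows 10 and a placeholder account name.

```powershell
function Set-EdgeAssignedAccess {
    param([Parameter(Mandatory)][string]$UserName)
    # Resolve the full AUMID (PackageFamilyName!AppId) from the Start app list; the short
    # form 'Microsoft.MicrosoftEdge' from the question lacks the publisher suffix and app id.
    $edge = Get-StartApps | Where-Object { $_.AppID -like 'Microsoft.MicrosoftEdge_*!MicrosoftEdge' }
    if (-not $edge) { throw 'No Edge AUMID found in Get-StartApps output' }
    # Assigned Access needs an existing local account; the user must also have signed in once
    # so that a profile exists.
    if (-not (Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue)) {
        throw "Local user '$UserName' does not exist"
    }
    Set-AssignedAccess -UserName $UserName -AppUserModelId $edge.AppID
    # Return the resulting mapping so the caller can confirm the user/app pair was stored.
    Get-AssignedAccess
}

Set-EdgeAssignedAccess -UserName 'kioskuser'   # 'kioskuser' is a placeholder account name
```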

Powershell error/exception handling

I am having some problems with handling errors/exceptions regarding the invoke-command.
I am trying to catch errors when the target computer does not exist; however, the message I am shown and the way the script in the catch block acts make me think there is something I missed or misunderstood.
This is the portion of the script with the problem:
$session = New-Pssession -computername $computerName
Invoke-Command -session $session -ScriptBlock $command -ArgumentList $sqlServerName, $userToGivePermisions
Remove-PSsession -session $session
Basically I want to handle errors when $computerName is not a valid computer on the network. I purposely gave it a wrong name to test it out and I get the following error:
[dcd] Connecting to remote server failed with the following error message : WinRM cannot process the request. The following error occured while using Kerberos authentication: The network path was not found.
Possible causes are:
-The user name or password specified are invalid.
-Kerberos is used when no authentication method and no user name are specified.
-Kerberos accepts domain user names, but not local user names.
-The Service Principal Name (SPN) for the remote computer name and port does not exist.
-The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
-Check the Event Viewer for events related to authentication.
-Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport.
Note that computers in the TrustedHosts list might not be authenticated.
-For more information about WinRM configuration, run the following command: winrm help config. For more information, see the about_Remote_Troubleshooting Help topic.
+ CategoryInfo : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [], PSRemotingTransportException
+ FullyQualifiedErrorId : PSSessionOpenFailed
[dcd] is the name of the non-existing machine. I put the code in a try/catch and did a check on the error message using a -contains. The condition ALWAYS came out false and I tried almost every single word in the error above.
When I displayed the error message in the catch block using $_.exception.message I got a different error about $session being null.
When I did a -contains using words in the displayed error message about $session it still returned false for every word I tested.
I don't understand which of these is the error and why the -contains never returns true. I added -ea stop to all 3 lines to catch all the non-terminating errors but to no avail.
Anyone have any idea what is going on?
-contains checks whether an element is in an array or not, e.g.:
1,2,3 -contains 2 # Is True
"a","bc","d" -contains "b" # Is False
Try the -match or the -like operators instead. Have a look at the comparison operator documentation.
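Added example, not the answerer's code: the question's three lines wrapped so that the session-open failure is caught by exception type, filtered with -like/-match on the error id and message, and cleaned up without the second "$session is null" error. It assumes PowerShell remoting is otherwise configured and uses the unresolvable host name from the question to exercise the catch path.

```powershell
function Invoke-OnRemoteHost {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][scriptblock]$Command,
        [object[]]$Arguments
    )
    $session = $null
    try {
        # -ErrorAction Stop turns the non-terminating "open failed" error into a terminating
        # one that the catch block actually sees.
        $session = New-PSSession -ComputerName $ComputerName -ErrorAction Stop
        Invoke-Command -Session $session -ScriptBlock $Command -ArgumentList $Arguments -ErrorAction Stop
    }
    catch [System.Management.Automation.Remoting.PSRemotingTransportException] {
        # Filter with -like / -match on the error id or a substring of the message;
        # -contains tests array membership and never matches part of a string.
        if ($_.FullyQualifiedErrorId -like 'PSSessionOpenFailed*' -or
            $_.Exception.Message -match 'network path was not found') {
            Write-Warning "Cannot reach '$ComputerName': $($_.Exception.Message)"
            return $null
        }
        throw   # anything else is unexpected; let it surface
    }
    finally {
        # When New-PSSession failed, $session is still null; calling Remove-PSSession on it is
        # the second, misleading "$session is null" error the question describes.
        if ($session) { Remove-PSSession -Session $session }
    }
}

# Constructed call against the non-existing host from the question, to exercise the catch path.
Invoke-OnRemoteHost -ComputerName 'dcd' -Command { param($a) "ran with $a" } -Arguments 'x'
```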