Create group with same name in different OU - server

I am trying to create a group with the same name in a different OU; however, it is showing that a group with the same name already exists.
Is there a way to create a group with the same name in different OUs?
Thanks,

It depends what you mean by "name".
The name and cn attributes always have the same values, and are what appear in the distinguishedName. You can have two objects with the same name or cn in different OUs. For example:
CN=GroupName,OU=FirstOU,DC=example,DC=com
CN=GroupName,OU=SecondOU,DC=example,DC=com
However, the sAMAccountName is different, and it must be unique across the whole domain. So if you create two groups with the same name, the sAMAccountName still must be different.
The displayName is something else too. For groups, this only really matters for distribution lists, and it is the name that would appear in Outlook, for example. There are no uniqueness constraints on displayName. You can have two with the same displayName even in the same OU.
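
The distinction above in PowerShell, as an added example that is not part of the original answer: the same cn is created in two OUs while each group gets its own domain-unique sAMAccountName. The OU paths are the answer's example DNs; the `GroupName-<OU>` naming scheme and the group scope and category are assumptions.

```powershell
Import-Module ActiveDirectory

$cn  = 'GroupName'
$ous = 'OU=FirstOU,DC=example,DC=com', 'OU=SecondOU,DC=example,DC=com'

foreach ($ou in $ous) {
    # Derive the sAMAccountName from the OU's own name (assumed scheme), e.g. GroupName-FirstOU.
    # The simple split is enough for these example DNs, which contain no escaped commas.
    $ouName = ($ou -split ',')[0] -replace '^OU=', ''
    $sam    = "$cn-$ouName"

    # sAMAccountName is unique per domain, so look at every object class, not only groups
    if (Get-ADObject -LDAPFilter "(sAMAccountName=$sam)") {
        Write-Warning "sAMAccountName '$sam' is already taken; skipping $ou"
        continue
    }

    # -Name sets name/cn (unique only inside the OU); -SamAccountName must differ per group
    New-ADGroup -Name $cn -SamAccountName $sam -Path $ou `
                -GroupScope Global -GroupCategory Security
}

# Both objects now share the cn but differ in DN and sAMAccountName
Get-ADGroup -Filter "cn -eq '$cn'" | Select-Object DistinguishedName, SamAccountName
```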

Related

What is the correct way to set an AD user country?

I have to maintain a PowerShell script which transfers the employees' information from our database into our Active Directory.
This script runs every night automatically with elevated rights that I do not possess. In other words, I cannot "test" the script. To run the script, I have to commit my changes and create a PR that will trigger a deployment when accepted and wait until the next morning to see if it worked.
The information is usually updated without any problems, except for the country. I tried updating the fields countryCode, c and co and it didn't work because we received an error like "value was not in the acceptable range...". Apparently this error happens when you try to update one of these 3 fields separately.
I found how to update them all at once and I was going to make the changes but I was surprised to discover that there is another field called Country.
I have a few questions :
Why does that Country field even exist ? Aren't countryCode, c and co enough ?
Should I update Country or should I update the countryCode, c and co ?
Why are there 4 different fields in the AD just to hold the country ?
I'd like to know more about this because I really want to get this right on the second try (the first one failed, hence why I'm here). Thanks in advance for your help!
Why does that Country field even exist ? Aren't countryCode, c and co enough ?
It doesn't actually exist - the Country property exposed by the ActiveDirectory module maps directly to the c attribute in the AD schema - it's just an alias.
Should I update Country or should I update the countryCode, c and co?
Given the answer above, no, you don't need to set Country when you set c.
Why are there 4 different fields in the AD just to hold the country ?
As we've established, there are only 3:
c is part of LDAPv3 specification (see RFC2256) to ensure compatibility with X500 DITs.
co was (to my best knowledge) included in the original schema for NT domains for the same reason.
countryCode was introduced in the AD schema to help administrative tools enforce input validation of country names - unlike co, it's an enumeration type, and tools like "Active Directory Users and Computers" populate the Country dropdown with the possible enumeration values and then set all three fields based on the chosen values.
If you have null values for the users you need to change the country to, it worked for me like this, hope this helps somebody, it gave me some headaches until I figured it out.
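# Select the users in the OU whose co attribute is empty
$users = Get-ADUser -SearchBase "ou=RandomOU, Ou=AnotherOU, DC=Domain, Dc=local" -Filter * -Properties c,co,countrycode | Where-Object { $_.co -eq $null }
# Set all three country attributes in a single call
$users | Set-ADUser -Replace @{c="RO";co="Romania";countrycode=642}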

I need to list properties of a Get-UnifiedGroup command including one array

I am trying to create a report for all our MS Teams groups including relevant parameters like name, groupid, when was it changed for a last time, AND (which is the core of my problem) people that are managing the Team.
But, "ManagedBy" is displayed as an array (which it is), so the result is truncated (in most cases). How do I make a list of various properties, display them "fully" when one of them is an array?
What I get when listing the group is something like that:
get-unifiedgroup -Identity 1234-xxxyyy-5678-aaabbb | select displayname, whenchanged, managedby
DisplayName WhenChanged ManagedBy
----------- ----------- ---------
GroupOne 9/26/2019 6:50:40 AM {Name1, Name2, Name3, Name4, Name5...}
Not much code to show, it's just a simple command above...
Expected result is to have a full "list" out of that array, something that you do with select -ExpandProperty... but this is not applicable when you are trying to list multiple properties.
Couldn't you store the group object in a variable and then reference the property?
$Group = get-unifiedgroup -Identity 1234-xxxyyy-5678-aaabbb
$Group.ManagedBy
Though if your end goal is to create a report (CSV file?), if you output what you have, the entire array will show up. It only gets truncated in the console, but the full array value is still there.
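
A way to get the whole array into a report, as an added example that is not part of the original posts: a calculated property joins ManagedBy into one string, and a second form writes one row per owner. The sample objects are constructed stand-ins for Get-UnifiedGroup output; the second group, the OwnerCount column and the file name are assumptions.

```powershell
# Constructed sample standing in for Get-UnifiedGroup output; in a live session use:
#   $groups = Get-UnifiedGroup -ResultSize Unlimited
$groups = @(
    [pscustomobject]@{ DisplayName = 'GroupOne'; WhenChanged = [datetime]'2019-09-26T06:50:40'
                       ManagedBy   = 'Name1','Name2','Name3','Name4','Name5','Name6' }
    [pscustomobject]@{ DisplayName = 'GroupTwo'; WhenChanged = [datetime]'2019-09-27T10:15:00'
                       ManagedBy   = @() }   # a group with no owners
)

# Wide form: one row per group, the array joined into a single string
$wide = $groups | Select-Object DisplayName, WhenChanged,
    @{ Name = 'OwnerCount'; Expression = { ($_.ManagedBy | Measure-Object).Count } },
    @{ Name = 'ManagedBy';  Expression = { $_.ManagedBy -join '; ' } }

# Long form: one row per (group, owner) pair; ownerless groups get an explicit marker
$long = foreach ($g in $groups) {
    if (-not $g.ManagedBy) {
        [pscustomobject]@{ DisplayName = $g.DisplayName; WhenChanged = $g.WhenChanged; Owner = '<none>' }
        continue
    }
    foreach ($owner in $g.ManagedBy) {
        [pscustomobject]@{ DisplayName = $g.DisplayName; WhenChanged = $g.WhenChanged; Owner = $owner }
    }
}

$wide | Format-List                                            # nothing is cut off in list view
$long | Export-Csv -Path .\group-owners.csv -NoTypeInformation
```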

Error :An attempt was made to add an object to the directory with a name that is already in use

If the user exists in AD, I am trying to add them by adding 1 at the end and then adding it to AD, but it is showing this exception.
It would be helpful if you show your code so we can see exactly what you are doing. But I suspect I might know.
There are 3 attributes that are enforced unique in AD:
sAMAccountName (commonly called the "username") has to be unique on the domain
userPrincipalName has to be unique in the forest
cn attribute (or the "name") has to be unique in the OU
So I suspect you added a "1" to one of them, but not all.
If you're not sure how to do that properly, then update your question with the code you are using and we can help.
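
One way to apply the suffix to all three attributes at once, as an added example that is not the asker's code: the function tries the base name, then base name plus 1, 2, ... until sAMAccountName, userPrincipalName and cn are all free. The function name, its parameters and the global catalog address passed in are hypothetical.

```powershell
Import-Module ActiveDirectory

function Get-FreeAccountName {
    param(
        [Parameter(Mandatory)][string]$BaseName,       # e.g. 'jsmith'
        [Parameter(Mandatory)][string]$OU,             # DN of the OU the user will live in
        [Parameter(Mandatory)][string]$UpnSuffix,      # e.g. 'example.com'
        [Parameter(Mandatory)][string]$GlobalCatalog,  # e.g. 'dc01.example.com:3268'
        [int]$MaxTries = 50
    )
    # Accept only plain account-name characters so the values are safe inside a filter string
    if ($BaseName -notmatch '^[A-Za-z0-9._-]+$' -or $UpnSuffix -notmatch '^[A-Za-z0-9.-]+$') {
        throw "Unsupported characters in '$BaseName' or '$UpnSuffix'"
    }

    foreach ($n in @('') + (1..$MaxTries)) {
        $name = "$BaseName$n"
        $upn  = "$name@$UpnSuffix"

        # 1) sAMAccountName: unique in the domain, across all object classes
        $samTaken = Get-ADObject -Filter "sAMAccountName -eq '$name'"
        # 2) userPrincipalName: unique in the forest; an empty search base on the
        #    global catalog port searches every partition
        $upnTaken = Get-ADObject -Filter "userPrincipalName -eq '$upn'" `
                                 -Server $GlobalCatalog -SearchBase ''
        # 3) cn: unique among the direct children of the target OU
        $cnTaken  = Get-ADObject -Filter "cn -eq '$name'" -SearchBase $OU -SearchScope OneLevel

        if (-not ($samTaken -or $upnTaken -or $cnTaken)) {
            return [pscustomobject]@{ Name = $name; SamAccountName = $name; UserPrincipalName = $upn }
        }
    }
    throw "No free name found for '$BaseName' after $MaxTries tries"
}

# Usage (all values are placeholders):
# $free = Get-FreeAccountName -BaseName 'jsmith' -OU 'OU=Staff,DC=example,DC=com' `
#             -UpnSuffix 'example.com' -GlobalCatalog 'dc01.example.com:3268'
# New-ADUser -Name $free.Name -SamAccountName $free.SamAccountName `
#            -UserPrincipalName $free.UserPrincipalName -Path 'OU=Staff,DC=example,DC=com'
```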

SPWeb.EnsureUser has limitations?

We're converting all SP permissions into ActiveDirectory groups (one per uninherited object, per role level). I wanted the group names to reflect where the permissions were/are, so I assigned each group with a name that matched the site structure:
sitecollection|site|list|Full Control
Active Directory had issues with the pipes and the potential length, so I reconfigured everything to use the description of the Active Directory object instead. The actual CN of the group is -someNumber- (-1-,-2-, etc).
I ran across an interesting phenomenon while adding the groups into SharePoint under the same role level; I had to start the groups at 1000 else the EnsureUser couldn't find the group no matter what.
$web.EnsureUser('c:0-.f|myprovider|-1-') says it doesn't exist, whereas $web.EnsureUser('c:0-.f|myprovider|-1000-') does just fine.
Is there some sort of limitation to the number of characters a SAM Account Name / Principal Name must be when being searched by SharePoint?
You need to include the Domain name in EnsureUser - Domain\Username
Or you can just add i:0#.f|myprovider| to the username so it looks like i:0#.f|myprovider|myuser and pass the result into EnsureUser. In my case "myprovider" is the name of my custom membership provider.

How to display list Active Directory users that arent in specific AD Groups

I have a requirement to create a report/text file that displays the users that aren't in specific AD groups. I know displaying users that are in specific AD groups is easy enough with PowerShell.
Surely it's possible to display the users that AREN'T in specific AD groups with PowerShell also?
One approach:
Export all users
Export users that are members of that specific group
Do excel work to find out users that aren't members
However, if the task is to perform it with powershell only, you have to do your research how to perform those steps without excel.
Export a list of all users 'cn' in your active directory to a text file
Get-ADUser -Filter * | Select-Object sAMAccountName > "c:\temp\directory list"
Depending on group sizes, the .NET Framework has issues with groups with a large number of members (1500+); use 'dsget' to get a list of members in the group and store these into a variable
$groupName = dsget group "groupname" -members
compose foreach statement
if you need the actual code syntax -
http://stackoverflow.com/questions/22145586/powershell-compare-csv-to-ad
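
A PowerShell-only route that differs from the export-and-compare steps above, as an added example that is not part of the original answers: the directory does the comparison through an LDAP filter, so no group member list has to be enumerated. The group names, output path and helper function names are placeholders or hypothetical.

```powershell
Import-Module ActiveDirectory

# RFC 4515 escaping for a value placed inside an LDAP filter (backslash first)
function ConvertTo-LdapFilterValue([string]$Value) {
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

# Build a filter matching user accounts that are in none of the given groups
function New-NotMemberFilter([string[]]$GroupDN) {
    $clauses = foreach ($dn in $GroupDN) {
        # 1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN: it also follows nested groups
        '(!(memberOf:1.2.840.113556.1.4.1941:={0}))' -f (ConvertTo-LdapFilterValue $dn)
    }
    '(&(objectCategory=person)(objectClass=user)' + (-join $clauses) + ')'
}

$groupNames = 'GroupA', 'GroupB'    # placeholder group names
$groupDNs   = $groupNames | ForEach-Object { (Get-ADGroup -Identity $_).DistinguishedName }

# Caveat: memberOf does not list a user's primary group (usually Domain Users),
# so this filter cannot be used to test membership of a primary group.
Get-ADUser -LDAPFilter (New-NotMemberFilter $groupDNs) |
    Sort-Object SamAccountName |
    Select-Object -ExpandProperty SamAccountName |
    Set-Content -Path 'C:\temp\not-in-groups.txt'
```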