Remove member of all groups active directory - powershell

I have two servers in my company: one is US.local (the main domain) and the second is India.local.
We get bulk terminations in our India.local domain and I want to remove all AD groups from the tab. I am using the script below to remove the users from all of their groups.
Note: there is no issue with the user accounts; we can disable them and remove groups manually.
$users = Import-Csv -Path C:\Users\Desktop\DisableUsers.csv
$totalcount = $users.Count
Write-Host $totalcount
$currentCount = 1
foreach ($u in $users)
{
    # Remove the user from every group listed in MemberOf (AD)
    Get-ADUser -Server:"addc45.india.local" $u.UserID -Properties MemberOf | Select -Expand MemberOf | %{Remove-ADGroupMember $_ -member $u.UserID -Confirm:$false }
    Write-Host "Disabled" $u.UserID $currentCount "/" $totalcount
    $currentCount++
}
I get the errors below every time I run it in PowerShell.
Remove-ADGroupMember : A referral was returned from the server
At line:15 char:125
+ ... emberOf | %{Remove-ADGroupMember $_ -member $u.UserID -Confirm:$false ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (CN=VDI-IN-EQ-SV...health,DC=local:ADGroup) [Remove-ADGroupMember], ADReferralException
+ FullyQualifiedErrorId : ActiveDirectoryServer:8235,Microsoft.ActiveDirectory.Management.Commands.RemoveADGroupMember
Remove-ADGroupMember : Cannot find an object with identity: 'IN100040' under: 'DC=US,DC=local'.
At line:15 char:125
+ ... emberOf | %{Remove-ADGroupMember $_ -member $u.UserID -Confirm:$false ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (IN100040:ADPrincipal) [Remove-ADGroupMember], ADIdentityNotFoundException
+ FullyQualifiedErrorId : SetADGroupMember.ValidateMembersParameter,Microsoft.ActiveDirectory.Management.Commands.RemoveADGroupMember
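The two errors above say the same thing from both sides: the group lives in US.local, so the removal is sent to a US.local DC, which then cannot resolve the bare sAMAccountName `IN100040` under `DC=US,DC=local`. The following is an added example, not code from the original post, that removes a terminated user from every group in every domain of the forest by routing each removal to the domain that owns the group and passing the user object (DN and SID) instead of a name. The DC name and CSV path are taken from the post; the CSV column `UserID`, the function names and the assumption that the DN's `DC=` components come last are mine.

```powershell
# Added example (not from the original post): cross-domain group cleanup for a
# terminated user. Assumes the user's DC is addc45.india.local and the CSV has a UserID column.
Import-Module ActiveDirectory

# Escape a value for use inside an LDAP filter (RFC 4515), so a DN with parentheses
# or a backslash cannot alter the filter.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

# Derive the DNS domain name from the DC= components at the end of a distinguished name.
function Get-DomainFromDN {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $dcPart = $DistinguishedName.Substring($DistinguishedName.IndexOf(',DC=') + 1)
    ($dcPart -replace '^DC=', '') -replace ',DC=', '.'      # "DC=US,DC=local" -> "US.local"
}

function Remove-ADUserFromAllGroups {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$UserDomainServer    # a DC in the domain the user lives in
    )
    $user = Get-ADUser -Server $UserDomainServer -Identity $SamAccountName
    $userDnFilter = ConvertTo-LdapFilterValue $user.DistinguishedName

    # memberOf on the user only reflects groups its own DC knows about (own-domain groups plus
    # universal groups), so instead ask every domain in the forest which of its groups hold this DN.
    foreach ($domain in (Get-ADForest -Server $UserDomainServer).Domains) {
        $groups = Get-ADGroup -Server $domain -LDAPFilter "(member=$userDnFilter)"
        foreach ($group in $groups) {
            $groupDomain = Get-DomainFromDN $group.DistinguishedName
            if (-not $PSCmdlet.ShouldProcess("$($group.DistinguishedName) [$groupDomain]", "Remove $SamAccountName")) { continue }
            try {
                # Target the group's own domain (no referral) and pass the user object, whose DN
                # and SID resolve in either domain, unlike a bare sAMAccountName.
                Remove-ADGroupMember -Server $groupDomain -Identity $group -Members $user -Confirm:$false -ErrorAction Stop
                Write-Host "Removed $SamAccountName from $($group.Name) ($groupDomain)"
            } catch {
                Write-Warning "Failed on $($group.DistinguishedName): $($_.Exception.Message)"
            }
        }
    }
}

# Bulk run over the termination list.
$users = Import-Csv -Path C:\Users\Desktop\DisableUsers.csv
$i = 0
foreach ($u in $users) {
    $i++
    Write-Host "[$i/$($users.Count)] $($u.UserID)"
    Remove-ADUserFromAllGroups -SamAccountName $u.UserID -UserDomainServer 'addc45.india.local'
}
```

Run it once with `-WhatIf` on the function call to see which groups in which domains would be touched. Two things it deliberately does not do: it does not touch the primary group (Domain Users is not in the `member` attribute and cannot be removed this way), and it does not disable the account, which the post handles separately. It only sees groups inside the same forest; memberships in a separately trusted forest are stored there as foreign security principals and need the same search run in that forest.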


Moving users from multiple AD groups to others with PowerShell

I have a CSV file formatted like this:
oldniveau1,oldniveau2,oldniveau3,newniveau1,newniveau2,newniveau3
0UA_Ventes,CIS countries,Contracts,0UA_Ventes,CIS countries,Contracts_1
My goal is to build the Active Directory group names by formatting the path given in the CSV file.
I have a script that works when I put each value in a single variable, but when I use the loop I get an error message.
$csv = Import-Csv $pth\filerN3.csv -Delimiter "," | ForEach-Object {
    $n1 = $_.oldniveau1
    $n2 = $_.oldniveau2
    $n3 = $_.oldniveau3
    $n4 = $_.newniveau1
    $n5 = $_.newniveau2
    $n6 = $_.newniveau3
    # Group names are built from the three path levels: m^ = manager, g^ = write, g^...^R = read
    $adminn3group  = "m^" + $n1 + "^" + $n2 + "^" + $n3
    $newadmingroup = "m^" + $n4 + "^" + $n5 + "^" + $n6
    $writegroup    = "g^" + $n1 + "^" + $n2 + "^" + $n3
    $newwritegroup = "g^" + $n4 + "^" + $n5 + "^" + $n6
    $readgroup     = "g^" + $n1 + "^" + $n2 + "^" + $n3 + "^R"
    $newreadgroup  = "g^" + $n4 + "^" + $n5 + "^" + $n6 + "^R"
    $currentmanagermembers = Get-ADGroupMember -Identity $adminn3group -ErrorAction SilentlyContinue
    Add-ADGroupMember -Identity $newadmingroup -Members $currentmanagermembers -ErrorAction SilentlyContinue
    Remove-ADGroupMember -Identity $adminn3group -Members $currentmanagermembers -Confirm:$false -ErrorAction SilentlyContinue
    ###############
    Get-ADGroupMember $writegroup |
        Add-ADPrincipalGroupMembership -MemberOf $newwritegroup
    Get-ADGroupMember $writegroup |
        Remove-ADPrincipalGroupMembership -MemberOf $writegroup -Confirm:$false -ErrorAction SilentlyContinue
    ###############
    Get-ADGroupMember $readgroup |
        Add-ADPrincipalGroupMembership -MemberOf $newreadgroup
    Get-ADGroupMember $readgroup |
        Remove-ADPrincipalGroupMembership -MemberOf $readgroup -Confirm:$false -ErrorAction SilentlyContinue
    ###############
}
So without the loop, when I set the six variables by hand, it works and all the users are moved,
but with the loop
I get this error. Any idea why?
Get-ADGroupMember : Cannot validate argument on parameter 'Identity'. The argument is null or empty. Provide an argument that is not null or empty, and then try the command again.
At C:\temp\addN3MGR\move_central.ps1:28 char:54
+ ... entmanagermembers = Get-ADGroupMember -Identity $adminn3group -Error ...
+ ~~~~~~~~~~~~~
+ CategoryInfo : InvalidData: (:) [Get-ADGroupMember], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember
Add-ADGroupMember : Cannot validate argument on parameter 'Identity'. The argument is null. Provide a valid value for the argument, and then try running the command again.
At C:\temp\addN3MGR\move_central.ps1:30 char:29
+ Add-ADGroupMember -Identity $newadmingroup -Members $currentmanagerme ...
+ ~~~~~~~~~~~~~~
+ CategoryInfo : InvalidData: (:) [Add-ADGroupMember], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.ActiveDirectory.Management.Commands.AddADGroupMember
The issue was due to empty membership in some security groups, so I changed the way the commands were processed and it worked.
I'm a beginner in PowerShell and not very comfortable yet with try and catch.
Get-ADGroup $adminn3group -ErrorAction SilentlyContinue|Get-ADGroupMember | % {Add-ADGroupMember $newadmingroup -Members $_ }
Get-ADGroup $adminn3group -ErrorAction SilentlyContinue|Get-ADGroupMember | % {Remove-ADGroupMember $adminn3group -Members $_ -confirm:$false}
Get-ADGroup $writegroup -ErrorAction SilentlyContinue|Get-ADGroupMember | % {Add-ADGroupMember $newwritegroup -Members $_ }
Get-ADGroup $writegroup -ErrorAction SilentlyContinue|Get-ADGroupMember | % {Remove-ADGroupMember $writegroup -Members $_ -confirm:$false}
Get-ADGroup $readgroup -ErrorAction SilentlyContinue|Get-ADGroupMember | % {Add-ADGroupMember $newreadgroup -Members $_ }
Get-ADGroup $readgroup -ErrorAction SilentlyContinue|Get-ADGroupMember | % {Remove-ADGroupMember $readgroup -Members $_ -confirm:$false}
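The answer above works by letting a missing group short-circuit the pipeline. The following is an added example, not the poster's code, that does the same move with explicit checks instead of `-ErrorAction SilentlyContinue`, grants the new group before revoking the old one so a failure never leaves a user with no access, and skips members already in the target. The CSV layout and the `m^`/`g^`/`g^...^R` naming scheme are from the post; the CSV path combines the folder from the error message with the file name from the script and is an assumption, as is the function name.

```powershell
# Added example (not from the original post): guarded group-to-group move driven by the CSV.
Import-Module ActiveDirectory

function Move-ADGroupMembers {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][string]$Target
    )
    # Resolve both groups first: an unresolvable name is what produced the
    # "Cannot validate argument on parameter 'Identity'" errors in the post.
    $src = Get-ADGroup -Identity $Source -ErrorAction SilentlyContinue
    $dst = Get-ADGroup -Identity $Target -ErrorAction SilentlyContinue
    if (-not $src) { Write-Warning "Source group '$Source' not found, skipping"; return }
    if (-not $dst) { Write-Warning "Target group '$Target' not found, leaving '$Source' untouched"; return }

    $members = @(Get-ADGroupMember -Identity $src)
    if ($members.Count -eq 0) { Write-Verbose "'$Source' is empty, nothing to move"; return }
    $alreadyThere = @(Get-ADGroupMember -Identity $dst | ForEach-Object { $_.DistinguishedName })

    foreach ($m in $members) {
        if (-not $PSCmdlet.ShouldProcess($m.SamAccountName, "Move from '$Source' to '$Target'")) { continue }
        try {
            # Grant first, then revoke: if the add fails the member keeps its old access
            # instead of ending up in neither group.
            if ($alreadyThere -notcontains $m.DistinguishedName) {
                Add-ADGroupMember -Identity $dst -Members $m -ErrorAction Stop
            }
            Remove-ADGroupMember -Identity $src -Members $m -Confirm:$false -ErrorAction Stop
        } catch {
            Write-Warning "Could not move $($m.SamAccountName): $($_.Exception.Message)"
        }
    }
}

Import-Csv -Path C:\temp\addN3MGR\filerN3.csv -Delimiter ',' | ForEach-Object {
    $old = "{0}^{1}^{2}" -f $_.oldniveau1, $_.oldniveau2, $_.oldniveau3
    $new = "{0}^{1}^{2}" -f $_.newniveau1, $_.newniveau2, $_.newniveau3
    # Each row maps three group pairs: manager (m^), write (g^) and read (g^...^R).
    Move-ADGroupMembers -Source "m^$old"   -Target "m^$new"
    Move-ADGroupMembers -Source "g^$old"   -Target "g^$new"
    Move-ADGroupMembers -Source "g^$old^R" -Target "g^$new^R"
}
```

Add `-WhatIf` to the three `Move-ADGroupMembers` calls for a dry run that prints every planned move without changing anything. `Get-ADGroupMember` stops with an error on very large groups and on groups holding members from another forest; for those, read the group's `member` attribute with `Get-ADGroup -Properties Member` instead.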

PS error when enforcing Smartcard attribute

I am receiving an error message when running the following script. Any idea why?
PS C:\Users\npevltdisdddtda_1> $userList = Import-Csv C:\temp\Text.csv
foreach ($user in $userList) {
# Get-ADUser -Filter "SamAccountName -eq '$($user.SamAccountName)'" | {Set-ADUser -SmartCardLogonRequired:$true}
Get-ADUser -filter "SamAccountName -eq '$($user.SamAccountName)'" | {Set-ADUser -SmartcardLogonRequired:$true}
}
At line:5 char:77
+ ... ($user.SamAccountName)'" | {Set-ADUser -SmartcardLogonRequired:$true}
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Expressions are only allowed as the first element of a pipeline.
+ CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : ExpressionsMustBeFirstInPipeline
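The parser error is literal: `{ ... }` in the middle of a pipeline is a script block expression, not a command, so `Set-ADUser` has to be called directly and receive the user on the pipeline. The following is an added example, not from the original post, that does that for every row of the CSV, reports accounts that do not exist instead of silently skipping them, and reads the flag back after writing. The CSV path and `SamAccountName` column are from the post; the function name is an assumption.

```powershell
# Added example (not from the original post): enforce smart card logon from a CSV.
Import-Module ActiveDirectory

function Set-SmartcardRequired {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$CsvPath)

    foreach ($row in Import-Csv -Path $CsvPath) {
        $sam = $row.SamAccountName
        # -Identity avoids building a filter string from CSV input; SilentlyContinue turns
        # "not found" into $null so it can be reported per row.
        $user = Get-ADUser -Identity $sam -Properties SmartcardLogonRequired -ErrorAction SilentlyContinue
        if (-not $user) { Write-Warning "$sam not found"; continue }
        if ($user.SmartcardLogonRequired) { Write-Verbose "$sam already enforced"; continue }

        if ($PSCmdlet.ShouldProcess($sam, 'Set SmartcardLogonRequired')) {
            # Pipe the object into the cmdlet; no script block in the pipeline.
            $user | Set-ADUser -SmartcardLogonRequired $true
            # Read back rather than trust the write silently.
            $check = Get-ADUser -Identity $user.DistinguishedName -Properties SmartcardLogonRequired
            [pscustomobject]@{ SamAccountName = $sam; SmartcardLogonRequired = $check.SmartcardLogonRequired }
        }
    }
}

Set-SmartcardRequired -CsvPath C:\temp\Text.csv -WhatIf   # dry run first
Set-SmartcardRequired -CsvPath C:\temp\Text.csv
```

Worth knowing before running it against a list: when this flag is set, the domain controller replaces the account's password with a random value, so the user can no longer log on with a password and any previously stolen NTLM hash for the account stops working. Clearing and re-setting the flag later rotates that hash again, which is a common way to invalidate old credential material for smart card accounts.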

Unable to Set AD Attributes using Set-ADUser?

I need to change multiple AD attribute values as per: https://answers.microsoft.com/en-us/msoffice/forum/msoffice_o365admin-mso_exchon-mso_o365b/recipient-type-values/7c2620e5-9870-48ba-b5c2-7772c739c651
So I created this simple script snippet:
$properties = 'Name,sAMAccountName,msExchRemoteRecipientType,msExchRecipientDisplayType,msExchRecipientTypeDetails,proxyAddresses' -split ','
$ADUserAttributesValues = Get-ADUser -identity $Input -Properties $properties |
Select-Object Name,
msExchRemoteRecipientType,
msExchRecipientDisplayType,
msExchRecipientTypeDetails
# Set The attributes value for Remote Shared Mailboxes
$replace = @{
msExchRemoteRecipientType = 100
msExchRecipientDisplayType = -2147483642
msExchRecipientTypeDetails = 34359738368
}
Set-ADUser -Identity $ADUserAttributesValues.sAMAccountName -Replace $replace
However, I get this error:
Set-ADUser -Identity $ADUserAttributesValues.ToString() -Replace $replace
Set-ADUser : Cannot find an object with identity: '' under: 'DC=Domain,DC=com'.
At line:47 char:9
+ Set-ADUser -Identity $ADUserAttributesValues.ToString() -Repl ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (:ADUser) [Set-ADUser], ADIdentityNotFoundException
+ FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException,Microsoft.ActiveDirectory.Management.Commands.SetADUser
Changing it to sAMAccountName:
Set-ADUser -Identity $ADUserAttributesValues.sAMAccountName -Replace $replace
Set-ADUser : Cannot find an object with identity: '' under: 'DC=Domain,DC=com'.
At line:47 char:9
+ Set-ADUser -Identity $ADUserAttributesValues.sAMAccountName -Repl ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (:ADUser) [Set-ADUser], ADIdentityNotFoundException
+ FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException,Microsoft.ActiveDirectory.Management.Commands.SetADUser
does not work either.
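The identity in the error is the empty string, and the snippet explains why: `$Input` is an automatic variable (the enumerator of pipeline input, empty in a plain script), and the `Select-Object` projection drops `sAMAccountName`, so `$ADUserAttributesValues.sAMAccountName` is `$null`. The following is an added example, not the poster's code, that takes the account name as a real parameter, reads the user first, writes the three values from the post with `-Replace`, and reads them back. The function name, the `-WhatIf` dry run and the placeholder account `jdoe` are assumptions.

```powershell
# Added example (not from the original post): set the remote shared mailbox recipient
# attribute values from the post on one or more users.
Import-Module ActiveDirectory

function Set-RemoteSharedMailboxAttributes {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$SamAccountName)

    process {
        $props = 'msExchRemoteRecipientType', 'msExchRecipientDisplayType', 'msExchRecipientTypeDetails', 'proxyAddresses'
        # Bind the name to a named parameter instead of $Input, and keep the whole ADUser object
        # so the identity handed to Set-ADUser is never empty.
        $user = Get-ADUser -Identity $SamAccountName -Properties $props -ErrorAction SilentlyContinue
        if (-not $user) { Write-Warning "$SamAccountName not found"; return }

        $replace = @{
            msExchRemoteRecipientType  = 100
            msExchRecipientDisplayType = -2147483642
            msExchRecipientTypeDetails = [long]34359738368   # exceeds Int32, stored as a 64-bit integer
        }
        if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Replace msExch* recipient attributes')) {
            # Passing the ADUser object pins the write to the same object just read.
            Set-ADUser -Identity $user -Replace $replace
            Get-ADUser -Identity $user.DistinguishedName -Properties $props |
                Select-Object SamAccountName, msExchRemoteRecipientType, msExchRecipientDisplayType, msExchRecipientTypeDetails
        }
    }
}

'jdoe' | Set-RemoteSharedMailboxAttributes -WhatIf   # dry run; 'jdoe' is a placeholder account
'jdoe' | Set-RemoteSharedMailboxAttributes
```

Because the function accepts pipeline input, a list of accounts from `Import-Csv` or `Get-ADUser -Filter` can be fed straight into it. Writing `msExch*` attributes directly bypasses the Exchange management tools, so keep the readback: a wrong value type (for instance an Int32 where the schema expects a large integer) fails at write time and the account is left in its previous state.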

Script to add users of particular AD OU to another AD group

Running PowerShell as an admin.
I would like a script that I can run daily to add users from "cn=users,dc=costco,dc=com" to the AD group "groupname" ("CN=groupname,OU=Groups,DC=costco,DC=com").
$When = (Get-Date).AddDays(-1).Date
Get-ADUser -SearchBase 'cn=users,dc=costco,dc=com' -Filter { whenCreated -ge $When } | add-adgroupmember -MemberOf 'groupname'
It errors out with:
Add-ADGroupMember : A parameter cannot be found that matches parameter
name 'MemberOf'. At line:2 char:111
+ ... ilter { whenCreated -ge $When } | add-adgroupmember -MemberOf 'groupname ...
+ ~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Add-ADGroupMember], ParameterBindingException
+ FullyQualifiedErrorId : NamedParameterNotFound,Microsoft.ActiveDirectory.Management.Commands.AddADGroupMember
I also tried, with the help of a redditor:
$When = (Get-Date).AddDays(-1).Date
Get-ADUser -SearchBase 'CN=users,dc=costo,dc=com' -Filter { whenCreated -ge $When } | ForEach-Object { Add-ADGroupMember -Identity 'Groupname' -Members $_ }
Error:
Add-ADGroupMember : Insufficient access rights to perform the
operation At line:2 char:109
+ ... ach-Object {Add-ADGroupMember -Identity ‘groupname’ -Members $_ } ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (groupname:ADGroup) [Add-ADGroupMember], ADException
+ FullyQualifiedErrorId : ActiveDirectoryServer:8344,Microsoft.ActiveDirectory.Management.Commands.AddADGroupMember
To make your first example work, you need to pass the pipeline value to the command as a parameter instead of passing it straight down the pipeline.
Try:
$group = "NewUsers"
Get-ADUser -SearchBase 'cn=users,dc=costco,dc=com' -Filter { whenCreated -ge $When } | %{ Add-ADGroupMember -Identity $Group -Members $_.samaccountname }
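The answer fixes the parameter binding; the second error in the question (`Insufficient access rights`, AD error 8344) is a separate problem and means the account running the script has no write access to the group's member list. The following is an added example, not the answerer's code, that packages the daily job as a function: it keeps the same `whenCreated` window, skips users who are already members so repeated runs are idempotent, and reports a permission failure per user instead of aborting the loop. The container, group and domain are from the post; the function name and parameter defaults are assumptions.

```powershell
# Added example (not from the original post): idempotent daily "new users into group" job.
Import-Module ActiveDirectory

function Add-NewUsersToGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$SearchBase = 'CN=Users,DC=costco,DC=com',
        [string]$Group      = 'CN=groupname,OU=Groups,DC=costco,DC=com',
        [int]$Days          = 1
    )
    $since  = (Get-Date).AddDays(-$Days).Date
    $target = Get-ADGroup -Identity $Group -Properties Members
    $existing = @($target.Members)     # DNs of current members; avoids re-adding on every run

    $candidates = Get-ADUser -SearchBase $SearchBase -Filter { whenCreated -ge $since }
    $added = 0
    foreach ($u in $candidates) {
        if ($existing -contains $u.DistinguishedName) { continue }
        if (-not $PSCmdlet.ShouldProcess($u.SamAccountName, "Add to $($target.Name)")) { continue }
        try {
            Add-ADGroupMember -Identity $target -Members $u -ErrorAction Stop
            $added++
        } catch {
            # AD error 8344 here means the running account lacks "Write Members" on this group.
            # Delegate that one right on the group to the job's account rather than running as Domain Admin.
            Write-Warning "Not added $($u.SamAccountName): $($_.Exception.Message)"
        }
    }
    Write-Host "$added user(s) added to $($target.Name) (created since $since)"
}

Add-NewUsersToGroup -WhatIf   # preview
Add-NewUsersToGroup
```

Scheduling this daily with `-Days 1` leaves a gap if a run is missed; `-Days 2` or `-Days 3` overlaps the windows, and the membership check makes the overlap harmless.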

Exchange 2010 - Powershell to remove Send On Behalf permission

I'm trying to run the commands below to remove a Send On Behalf permission, but I'm getting an exception and it removes all the users that have access instead of the one I specify in my script.
$owner = "lpeter"
$remove = "jdoe"
$grantlist = Get-Mailbox $owner -DomainController tordc01 | select -ExpandProperty GrantSendOnBehalfTo
$grantlist = $grantlist | ?{$_.Name -ne $remove}
Set-Mailbox $owner -GrantSendOnBehalfTo $null -DomainController tordc01
$grantlist | %{
    Set-Mailbox $owner -GrantSendOnBehalfTo @{Add=$_.Name} -Confirm $true
} -DomainController tordc01
Here is the exception:
ForEach-Object : Cannot bind parameter 'Process'. Cannot convert the
"-DomainController" value of type "System.String" to type
"System.Management.Automation.ScriptBlock". At line:1 char:15
+ $grantlist | % <<<< {Set-Mailbox $owner -GrantSendOnBehalfTo @{Add=$_.Name} -Confirm $true} -DomainController tordc01
+ CategoryInfo : InvalidArgument: (:) [ForEach-Object], ParameterBindingException
+ FullyQualifiedErrorId : CannotConvertArgumentNoMessage,Microsoft.PowerShell.Commands.ForEachObjectCommand
The exception is pretty self-explanatory: you're trying to supply the -DomainController parameter to ForEach-Object instead of to Set-Mailbox.
Change the last statement to:
$grantlist | %{
    Set-Mailbox $owner -GrantSendOnBehalfTo @{Add=$_.Name} -Confirm:$true -DomainController tordc01
}
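The answer fixes the binding error, but the "removes all the users" symptom in the question comes from the approach itself: the list is cleared with `$null` and then rebuilt one entry at a time, so any failure in the loop (including the one above) leaves the mailbox with no delegates at all. The following is an added example, not the answerer's code, that removes a single delegate in one write using the `@{Remove=...}` form that multi-valued Exchange parameters accept, and reads the list back afterwards. Mailbox, delegate and DC names are from the post; the function wrapper is an assumption.

```powershell
# Added example (not from the original post): remove one Send On Behalf delegate atomically.
# Run in the Exchange Management Shell (Exchange 2010), which provides Get-Mailbox/Set-Mailbox.
function Remove-SendOnBehalfDelegate {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Owner,
        [Parameter(Mandatory)][string]$Delegate,
        [string]$DomainController = 'tordc01'
    )
    # Pin every read and write to the same DC so the readback is not a stale replica.
    $mbx = Get-Mailbox -Identity $Owner -DomainController $DomainController
    # GrantSendOnBehalfTo is a multi-valued list of recipient references; compare on Name as the post does.
    $current = @($mbx.GrantSendOnBehalfTo | ForEach-Object { $_.Name })
    if ($current -notcontains $Delegate) {
        Write-Warning "$Delegate is not in the Send On Behalf list of $Owner (current: $($current -join ', '))"
        return
    }
    if ($PSCmdlet.ShouldProcess($Owner, "Remove Send On Behalf for $Delegate")) {
        # One write that edits the list in place: no moment where the list is empty,
        # and nothing to rebuild if the command fails.
        Set-Mailbox -Identity $Owner -GrantSendOnBehalfTo @{Remove = $Delegate} -DomainController $DomainController
        $after = Get-Mailbox -Identity $Owner -DomainController $DomainController
        [pscustomobject]@{
            Mailbox   = $Owner
            Removed   = $Delegate
            Remaining = @($after.GrantSendOnBehalfTo | ForEach-Object { $_.Name }) -join ', '
        }
    }
}

Remove-SendOnBehalfDelegate -Owner lpeter -Delegate jdoe -WhatIf   # preview
Remove-SendOnBehalfDelegate -Owner lpeter -Delegate jdoe
```

The same `@{Add=...; Remove=...}` hashtable form works for the other multi-valued mailbox parameters, so delegate changes never need the clear-and-rebuild pattern.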