Set-ADGroup -Identity "St.Department.146" -Replace #{"msExchRequireAuthToSendTo"=$true} -verbose
An error occurs when entering a command. :(
Set-ADGroup : An invalid dn syntax has been specified At line:1 char:1
Set-ADGroup $InternalDistro -Replace #{msExchRequireAuthToSendTo = $T ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
CategoryInfo : InvalidArgument: (CN=St.Departmen...ublethink,DC=me:ADGroup) [Set-ADGroup], ArgumentExce
ption
FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.ArgumentException,Microsoft.ActiveDirectory.Management.Comm
ands.SetADGroup
From the error
An invalid dn syntax has been specified
It is clear that the error is occurring due to the Identity Parameter.
You could try the below :
Set-ADGroup -Identity "CN=St.Department.146,OU=Mail Group,OU=STKGroup,DC=doublethink,DC=me" -Replace #{"msExchRequireAuthToSendTo"=$true} -verbose
If you want to avoid any typo, you can do a get group and subsequently pass it to the next step :
$InternalDistro = (Get-ADGroup -filter 'name -eq "St.Department.146"')
Write-Host $InternalDistro[0].DistinguishedName
Set-ADGroup -Identity $InternalDistro[0].DistinguishedName -Replace #{"msExchRequireAuthToSendTo"=$true} -verbose
Ensure there is a output coming in the screen with required DN.
To avoid errors in the Identity parameter, Try and use Get-ADGroup to find the group as object. If that succeeds, pipe the group object through to Set-ADGroup.
Get-ADGroup returns an object with default properties DistinguishedName, GroupCategory, GroupScope, Name, ObjectClass, ObjectGUID, SamAccountName, SID
# try and find the group with that name.
# Use double-quotes around the filter and single-quotes around the name itself.
$groupName = 'St.Department.146'
# instead of property Name, you can also try property DisplayName here
$group = Get-ADGroup -Filter "Name -eq '$groupName'" -ErrorAction SilentlyContinue
if ($group) {
$group | Set-ADGroup -Replace #{msExchRequireAuthToSendTo = $true} -Verbose
}
else {
Write-Warning "A group with name '$groupName' does not exist"
}
In this case, it could very well be the group has a different Name than its DisplayName. In the above code, if you see the warning message that the group does not exist, change
-Filter "Name -eq '$groupName'" into -Filter "DisplayName -eq '$groupName'" and try that.
Related
I am using ActiveDirectory and Powershell to get the description of computers in the AD Group
However, when I try to get batch output, I get InvalidArgument error in powershell
When I use a single line:
Get-AdComputer -Filter * -Identity **COMPUTERNAME **-Properties * | Select-Object name, description
I get the correct response:
Name Description
---- -----------
COMPUTERNAME Computer description
However, when I use the this code to get a batch of results:
$UL = Get-ADGroupMember -identity "Groupname"| Select-Object name
Foreach ($i in $UL.Name)
{
$i.ToString()
Write-Host $i.GetType()
Get-AdComputer -Filter * -Identity "$i" -Properties * | Select-Object name, description
}
I keep getting this error:
Get-ADComputer : Parameter set cannot be resolved using the specified named parameters.
At C:\apps\ActiveDirectory_UserList.ps1:6 char:1
+ Get-AdComputer -Filter * -Identity "$i" -Properties * | Select-Object ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Get-ADComputer], ParameterBindingException
+ FullyQualifiedErrorId : AmbiguousParameterSet,Microsoft.ActiveDirectory.Management.Commands.GetADComputer
As commented by Abraham Zinala, you cannot use both -Filter and -Identity together as these parameter sets rule eachother out giving you the error message
Parameter set cannot be resolved using the specified named parameters.
Next, Get-ADGroupMember will not just return computer objects,
but also users and other groups can be members of one particular group.
Therefore, if you want to get output for computer objects only, you will need to filter out the other object types.
Luckily, each group member has a property called objectClass. This is a string containing either 'user', 'computer' or 'group',
so it is realy quite easy to check on that:
# get all members of the group, filter with a Where-Object clause to receive only computer objects
$members = Get-ADGroupMember -Identity "Groupname" | Where-Object {$_.objectClass -eq 'computer'}
foreach ($computer in $members) {
$computer | Get-ADComputer -Properties Description | Select-Object Name, Description
}
By default, Get-ADComputer returns objects with these properties:
DistinguishedName, DNSHostName, Enabled, Name, ObjectClass, ObjectGUID, SamAccountName, SID, UserPrincipalName, so in this case you only have to ask for the extra property Description
I have a .csv file that I am using to modify custom attributes on users in Active Directory, but PowerShell does not like the script:
Import-Csv -path c:\users\user\desktop\doc.csv | ForEach-Object {
Set-ADUser $_.mail -replace #{
ExtensionAttribute1 = $_.ExtensionAttribute1
}
}
I get the following error:
Set-ADUser : replace
At line:2 char:4
Set-ADUser $_.mail -replace #{
CategoryInfo: InvalidOperation: (user123:ADUser) [Set-ADUser], ADInvalidOperationException
FullyQualifiedErrorId: ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.SetADUser
The CSV only has 2 columns:
extensionAttribute1,mail
Any help would be appreciated
The -Identity parameter for Set-ADUser does not take an email address.
It needs either the DistinguishedName, objectGUID, SID or SamAccountName. You can also pipe a user object directly to the cmdlet.
Because of that, you need to first try to find the user with Get-ADUser and if that succeeds set the attribute.
Import-Csv -Path 'c:\users\user\desktop\doc.csv' | ForEach-Object {
$user = Get-ADUser -Filter "EmailAddress -eq '$($_.mail)'" -ErrorAction SilentlyContinue
if ($user) {
$user | Set-ADUser -Replace #{ extensionAttribute1 = $_.extensionAttribute1 }
}
else {
Write-Warning "No user with email address '$($_.mail)' found.."
}
}
PS. I always use the exact LDAP name inside the Hash for the key name when using -Add, -Replace etc. Case sensitive.
I'm not so good at PowerShell. I have this script which worked before that I've have used to update the manager attribute in Active Directory, however, now after just replacing the file its no longer working
$Users = Import-CSV C:\Documents\Managers.csv
ForEach ($User in $Users) {
$user= Get-ADUser -Filter "displayname -eq '$($Users.EmployeeFullName)'"|select -ExpandProperty samaccountname
$manager=Get-ADUser -Filter "displayname -eq '$($Users.'Line Manager Fullname')'"|select -ExpandProperty DistinguishedName
Set-ADUser -Identity $user -Replace #{manager=$manager}
}
when running the script it returns:
Set-ADUser : Cannot validate argument on parameter 'Identity'. The argument is null. Provide a valid value for the argument, and then try running the command again.
At line:6 char:22
+ Set-ADUser -Identity $user -Replace #{manager=$manager}
+ ~~~~~
+ CategoryInfo : InvalidData: (:) [Set-ADUser], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.ActiveDirectory.Management.Commands.SetADUser
the "EmployeeFullName" and "Line Manager FullName" format in the .csv is set as i.e. joe bloggs, see below CSV file example.
EmployeeFullname Line Manager Fullname
---------------- ---------------------
Kieran Rhodes Tracey Barley
Lewis Pontin Tracey Barley
Lizzy Wilks Rodney Bennett
I also noticed if I remove and try to retype "$Users.EmployeeFullName" it no longer picks up the "EmployeeFullName" from the csv file.
Anyone know what I'm doing wrong here please?
Below would be an example:
$Users = Import-CSV C:\Documents\Managers.csv
ForEach ($User in $Users) {
$user = Get-ADUser -Filter "displayname -eq '$($User.EmployeeFullName)'"
$manager = (Get-ADUser -Filter "displayname -eq '$($User.'Line Manager Fullname')'").DistinguishedName
Set-ADUser -Identity $User -Replace #{manager=$manager}
}
Note: you don't need to dig down to the samAccountName property because Set-ADUser will take the full fidelity object for the -Identity argument. You also don't need to use Select... -ExpandProperty you can just parenthetically dot reference the distinguishedName property.
Also you can use the instancing capability in the AD cmdlets:
$Users = Import-CSV C:\Documents\Managers.csv
ForEach ( $User in $Users )
{
$User = Get-ADUser -Filter "displayname -eq '$($User.EmployeeFullName)'" -Properties Manager
$Manager = (Get-ADUser -Filter "displayname -eq '$($User.'Line Manager Fullname')'").DistinguishedName
$User.Manager = $Manager
Set-ADUser -Instance $User
}
In this case you call back the Manager property set it with a simple assignment statement than give the $User variable as the argument to the -Instance parameter of Set-ADUser
When attempting to clear msExchDelegateListBL for AD User then I got the following the error message.
Get-ADUser -Identity "User01" -Properties * | set-aduser -clear msExchDelegateListBL
Message :
set-aduser : The attribute cannot be modified because it is owned by the system
At line:1 char:49
+ ... ity "User01" -Properties * | set-aduser -clear msExchDelegateListBL
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (CN=User01...,DC=corp:ADUser) [Set-ADUser], ADException
+ FullyQualifiedErrorId : ActiveDirectoryServer:8369,Microsoft.ActiveDirectory.Management.Commands.SetADUser
LAST UPDATE :
$userDN = Get-ADUser -Filter {(Enabled -eq $true -and sAMAccountName -like "TEST*") -or (Enabled -eq $true -and sAMAccountName -like "PROD*")} -SearchBase "OU=COMPANY,DC=contoso,DC=local" -SearchScope Subtree -Properties * |select-object distinguishedname,samaccountname
foreach($userToClean in $userDN) {
$delegates = Get-ADUser $userToClean.samaccountname -Properties msExchDelegateListBL | select -ExpandProperty msExchDelegateListBL
Write-Host “======================================================”
write-host “List of Delegated accounts that are backlinked:” $Delegates
Write-Host “======================================================”
foreach ($delegate in $delegates) {
Set-ADUser $delegate -Remove #{msExchDelegateListLink = "$($userToClean.distinguishedname)"}
}
Write-Host “======================================================”
Write-Host “If the following get-aduser cmdlet searching for backlinds is empty, then all delegated backlinks have been removed”
Get-ADUser $userToClean.samaccountname -Properties msExchDelegateListBL | select -ExpandProperty msExchDelegateListBL
Write-Host “======================================================”
}
The msExchDelegateListBL attribute is adjusted by the system after a user is removed from (or added to) the msExchDelegateListLink of the delegate.
When users are granted permission to a shared mailbox, the default behaviour of automapping means that the shared mailbox has msExchDelegateListLink set to the DN of the users, and the backlink property (msExchDelegateLinkListBL hidden in AD by default) on each user is populated with the DN of the shared mailbox. Whenever the link attribute is updated, the backlink is automatically updated.
I found a good read about that, including PowerShell code.
For your question I suggest to scroll down to To remove all BLs all at once chapter and adapt the code in there to suit your needs as you have done in your edit.
Personally, I would change the top line in your code into
$userDN = Get-ADUser -Filter "Enabled -eq 'True'" -SearchBase "OU=COMPANY,DC=contoso,DC=local" -SearchScope Subtree |
Where-Object { $_.SamAccountName -match '^(TEST|PROD)' }
since user properties SamAccountName and DistinguishedName are returned by the Get-ADUSer cmdlet by default.
I am trying to delete all users within an OU using powershell, I have the below which gets stuck when it comes to the SAMAccount name, I want it to delete all the found users.
What am I doing wrong here please?
$search="OU=Staff,OU=Users,DC=Testing, DC=Local"
$deletes= Get-ADUser -SearchBase $search -filter * -properties SamAccountName | Select-Object SamAccountName
$numusers=($deletes.count)
echo "$numusers Users Found"
foreach ($delete in $deletes)
{
echo "Deleting user account $delete . . . "
remove-aduser -identity $delete -confirm:$false
}
This is the output. Seemingly going wrong here -- Cannot convert the "#{SamAccountName=bbonhomme}"
7 Users Found
Deleting user account #{SamAccountName=bbonhomme} . . .
Remove-ADUser : Cannot bind parameter 'Identity'. Cannot convert value "#{SamAccountName=bbonhomme}" to type
"Microsoft.ActiveDirectory.Management.ADUser". Error: "Cannot convert the "#{SamAccountName=bbonhomme}" value of type
"Selected.Microsoft.ActiveDirectory.Management.ADUser" to type "Microsoft.ActiveDirectory.Management.ADUser"."
At C:\Users\Administrator\Desktop\import\getadusers.ps1:11 char:29
+ remove-aduser -identity #delete -confirm:$false
+ ~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Remove-ADUser], ParameterBindingException
+ FullyQualifiedErrorId : CannotConvertArgumentNoMessage,Microsoft.ActiveDirectory.Management.Commands.RemoveADUser
Replace the
$deletes= Get-ADUser -SearchBase $search -filter * -properties SamAccountName | Select-Object SamAccountName
by
$deletes= Get-ADUser -SearchBase $search -filter * -properties SamAccountName
Adding Select-Object implies converting ADUser "object" to "Psobject". By consequence subsequent command remove-ADuser does not recognize this type of object.
Replace also :
remove-aduser -identity $deletes -confirm:$false
By
remove-aduser -identity $delete.SamAccountName -confirm:$false
changed $deletes by $delete (you cannot specify a collection in -Identity parameter)