Add AD group not working [Powershell command] - powershell

I am figuring out how to add an AD group to my AD user within the same domain using a PowerShell command, but I can't get it to work as expected. The examples I found mainly used the DN instead of the sAMAccountName. This is the example I found on the Microsoft website
These are all of my attempts at the PowerShell command, but none of them worked. The PowerShell CLI was run as a user with sufficient privileges to update AD.
Get-ADGroup -Server myserver.com -SearchBase "OU=test,dc=myserver,dc=com" -filter {name -like "groupA"} | Add-ADGroupMember -Members 3090
3090 is the user's sAMAccountName. If I run Get-ADGroup -Server myserver.com -SearchBase "OU=test,dc=myserver,dc=com" -filter {name -like "groupA"}, it returns the correct group name, but I am not sure why, after I add Add-ADGroupMember -Members 3090, the command no longer seems to work. Here are the combinations of different commands I tried, but none of them worked. I need to add the group to the user based on sAMAccountName or User Principal Name instead of DN, because my users are not located in the same OU.
Attempt 1
Get-ADGroup -Server myserver.com -SearchBase "OU=test,dc=myserver,dc=com" -filter {name -like "groupA"} | Add-ADGroupMember -Members "3090"
Attempt 2
Add-ADGroupMember -Identity groupA -Members 3090
Attempt 3
$User = Get-ADUser -Identity "3090" -Server "myserver.com"
$Group = Get-ADGroup -Identity "groupA" -Server "myserver.com"
Add-ADGroupMember -Identity $Group -Members $User -Server "myserver.com"
No error was displayed in my PowerShell CLI.
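The following is an added example, not code from the post above, showing the pattern the question is after: resolve the user by sAMAccountName or UPN, add it to the group, and then verify the membership on the same domain controller. The server, OU, group name and account "3090" are the values from the post and stand in for your own; nothing here is specific to Microsoft's documentation.

```powershell
# Added example (not the poster's code). Values below come from the post and are placeholders.
Import-Module ActiveDirectory

$Server     = 'myserver.com'
$GroupName  = 'groupA'
$SearchBase = 'OU=test,DC=myserver,DC=com'
$UserId     = '3090'   # sAMAccountName or userPrincipalName

# Resolve both objects explicitly: a typo then fails loudly instead of silently doing nothing.
# The filter accepts either a sAMAccountName or a UPN, so the user's OU does not matter.
$user = Get-ADUser -Server $Server -Filter "sAMAccountName -eq '$UserId' -or userPrincipalName -eq '$UserId'"
if (-not $user) { throw "No user with sAMAccountName or UPN '$UserId' found on $Server" }

$group = Get-ADGroup -Server $Server -SearchBase $SearchBase -Filter "Name -eq '$GroupName'"
if (-not $group) { throw "Group '$GroupName' not found under $SearchBase on $Server" }

# Preview first, then apply. Keep -Server identical for read and write so the
# verification below looks at the DC that received the change (not a lagging replica).
Add-ADGroupMember -Server $Server -Identity $group -Members $user -WhatIf
Add-ADGroupMember -Server $Server -Identity $group -Members $user

# Add-ADGroupMember prints nothing on success, so check the result explicitly.
$isMember = Get-ADGroupMember -Server $Server -Identity $group |
    Where-Object { $_.DistinguishedName -eq $user.DistinguishedName }

if ($isMember) {
    "$($user.SamAccountName) is now a member of $($group.Name)"
} else {
    Write-Warning "$($user.SamAccountName) is not visible as a member of $($group.Name) on $Server"
}
```

Silence from Add-ADGroupMember is not a failure signal: the cmdlet returns nothing unless -PassThru is given, so a membership change can only be confirmed by reading the group back, ideally from the same DC the write went to.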

Related

Bulk Disable PowerShell Script Not Executing

I am kinda new to PowerShell and started a role in support. I'm working on a PowerShell script that will do the following things:
Disable a user account
Remove all AD Groups except for Domain Users
Edit the description
Move AD object to a disabled users OU
I think I can probably change the "$TargetOU = OUPath" because the disabled users OU is never really going to change... if that's the issue then I'll feel like a dummy lol.
I am trying and failing to complete this! I don't know what is going wrong. PowerShell isn't faulting out or anything; it is just not executing?
Thank you for any help!
My code is here:
Import-Module ActiveDirectory
$TargetOU = "OU=DisabledUsers"
Import-Csv "C:temp\DisableTest.csv" | ForEach-Object {
$samAccountName = $_."samAccountName"
Get-AdPrincipalGroupMembership -Identity $samAccountName {Where-Object -Property Name -Ne -Value 'Domain Users' | Remove-AdGroupMember -Members $samAccountName}
Get-ADUser -Identity $samAccountName | Disable-ADAccount
Get-ADUser -Identity $samAccountName -Description "Disabled Per Request XXXX"
Move-ADObject -Identity $UserDN -TargetPath $TargetOU
}
You have several issues:
$TargetOU = "OU=DisabledUsers"
This should be the full distinguished name, so something like OU=DisabledUsers,DC=example,DC=com
Get-AdPrincipalGroupMembership -Identity $samAccountName {Where-Object -Property Name -Ne -Value 'Domain Users' | Remove-AdGroupMember -Members $samAccountName}
The syntax here is messed up. You want to pipe (|) the results from Get-AdPrincipalGroupMembership into Where-Object, but you have braces ({). The closing brace at the end of the line is thus unnecessary. The Where-Object cmdlet also lets you simplify the syntax to something more readable, like Where Name -ne 'Domain Users'.
Get-ADUser -Identity $samAccountName -Description "Disabled Per Request XXXX"
This should be Set-ADUser, which explains why this isn't changing anything.
Move-ADObject -Identity $UserDN -TargetPath $TargetOU
You haven't defined $UserDN, so it's not going to find the user. And as already mentioned, the target path should be the full distinguished name.
You're also looking up the account several times. Every time you pass just the username, it has to search for the account. As you have it, it would be searching for the account 5 times. You can avoid that (and speed things up) by calling Get-ADUser once and passing the result into each of the other commands.
And just for simplicity, you can omit -Identity since the first parameter is assumed to be the identity.
Putting everything together, it would look something like this:
Import-Module ActiveDirectory
$TargetOU = "OU=DisabledUsers,DC=example,DC=com" #Change this to the real value
Import-Csv "C:temp\DisableTest.csv" | ForEach-Object {
    # Look the account up once and reuse the object for every later call
    $user = Get-ADUser $_."samAccountName"
    # Remove-ADGroupMember prompts per group by default; -Confirm:$false keeps the loop unattended
    Get-AdPrincipalGroupMembership $user | Where Name -ne 'Domain Users' | Remove-AdGroupMember -Members $user -Confirm:$false
    Disable-ADAccount $user
    Set-ADUser $user -Description "Disabled Per Request XXXX"
    Move-ADObject $user -TargetPath $TargetOU
}
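As an added example that is not the answer's script, the same four steps with what an operations team usually wants on top: the account's groups, description and OU are written to a log before anything is changed (so the offboarding can be audited or reversed), each account is processed in a try/catch so one bad row does not stop the batch, and the "everything except Domain Users" rule is applied explicitly. The CSV path, log path and target OU are placeholders.

```powershell
# Added example (not the answer's code). Paths and the OU are placeholders to replace.
Import-Module ActiveDirectory

$TargetOU = 'OU=DisabledUsers,DC=example,DC=com'   # placeholder: real DN of the disabled-users OU
$CsvPath  = 'C:\temp\DisableTest.csv'              # placeholder: CSV with a samAccountName column
$LogPath  = 'C:\temp\DisableTest-before.csv'       # placeholder: pre-change snapshot for audit/rollback

$snapshot = foreach ($row in Import-Csv -Path $CsvPath) {
    $sam = $row.samAccountName
    try {
        # One lookup per account; memberOf gives direct group DNs, description for the log.
        $user = Get-ADUser -Identity $sam -Properties memberOf, description
    } catch {
        Write-Warning "Skipping '$sam': $($_.Exception.Message)"
        continue
    }

    # Emit the pre-change state; the loop collects these objects into $snapshot.
    [pscustomobject]@{
        Timestamp      = (Get-Date).ToString('o')
        SamAccountName = $user.SamAccountName
        # Parent DN: strip the leading RDN, allowing for escaped commas (\,) inside the CN.
        OriginalOU     = $user.DistinguishedName -replace '^CN=(?:\\.|[^,])+,', ''
        OriginalDesc   = $user.description
        Groups         = ($user.memberOf -join ';')
    }

    # Domain Users is normally the primary group and is not listed in memberOf at all;
    # the filter below keeps it even if someone changed the primary group.
    $toRemove = @($user.memberOf | Where-Object { $_ -notlike 'CN=Domain Users,*' })
    foreach ($groupDn in $toRemove) {
        try {
            Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false
        } catch {
            Write-Warning "$sam: could not leave $groupDn : $($_.Exception.Message)"
        }
    }

    Disable-ADAccount -Identity $user
    Set-ADUser -Identity $user -Description "Disabled Per Request XXXX ($(Get-Date -Format 'yyyy-MM-dd'))"
    Move-ADObject -Identity $user -TargetPath $TargetOU
}

# Append so repeated runs build one history file rather than overwriting the last one.
$snapshot | Export-Csv -Path $LogPath -NoTypeInformation -Append
"Processed $(@($snapshot).Count) account(s); pre-change state written to $LogPath"
```

The snapshot is written before the loop touches the account, which is the part that makes a bulk disable safe to run from a ticket: if the wrong name ends up in the CSV, the log holds exactly which groups, description and OU to restore.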

Get all groups of AD users with filter - Powershell

I'm trying to get all of a user's groups whose names start with the string "DIR-". With the following command I get all the groups of the user.
Get-ADUser -Identity $username -Properties memberof | Select-Object -ExpandProperty memberof
I then tried to filter with this, but that doesn't work because the list remains empty.
Get-ADUser -Identity $username -Properties memberof | Select-Object -ExpandProperty memberof | Where-Object {$_.CN -like "DIR-*"}
Unfortunately, I am still a complete beginner when it comes to PowerShell, but I need the command promptly.
I thank you for any help.
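The following is an added example, not code from the post: memberOf holds plain distinguished-name strings, so a string has no .CN property to compare against, which is why the Where-Object filter returns nothing. The function extracts the CN from each DN (handling commas escaped as "\," inside a group name) and compares the prefix case-insensitively; the account name "jdoe" in the usage line is a constructed placeholder.

```powershell
# Added example (not the poster's code). 'jdoe' below is a placeholder account.
Import-Module ActiveDirectory

function Get-UserGroupsByPrefix {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$Prefix         # e.g. 'DIR-'
    )

    # memberOf is a list of DN strings such as 'CN=DIR-Finance,OU=Groups,DC=example,DC=com'
    $dns = Get-ADUser -Identity $SamAccountName -Properties memberOf |
        Select-Object -ExpandProperty memberOf

    foreach ($dn in $dns) {
        # First RDN is CN=<name>; a comma inside the name appears as '\,' so match escaped pairs too.
        if ($dn -match '^CN=((?:\\.|[^,])+),') {
            $cn = $Matches[1] -replace '\\(.)', '$1'   # unescape \, \= etc.
            if ($cn.StartsWith($Prefix, [System.StringComparison]::OrdinalIgnoreCase)) {
                [pscustomobject]@{ Name = $cn; DistinguishedName = $dn }
            }
        }
    }
}

# Constructed usage:
Get-UserGroupsByPrefix -SamAccountName 'jdoe' -Prefix 'DIR-'
```

When only a quick one-liner is needed, the same idea is `... | Select-Object -ExpandProperty memberOf | Where-Object { $_ -like 'CN=DIR-*' }`; the function form is preferable when the names may contain escaped characters. Either way, memberOf lists direct memberships only; groups reached through nesting do not appear.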

I need to copy computers from the default active directory "container" to security group using powershell

I'm trying to remove all computers from the wk_test security group and then add all the computers in the default 'Computers' container in AD to the (now-empty) wk_test security group.
However, I don't want to export the computers to a list and then import them back into the security group.
I have the first part of the script working properly, and it removes the computers from the wk_test group with no errors. My issue is adding the computers to the wk_test group from the "computers" container.
Remove-ADGroupMember "wk_test" -Members (Get-ADGroupMember "wk_test") -Confirm:$false
Add-ADGroupMember -Identity "wk_test" -Members (Get-ADComputer -SearchBase "CN=computers,DC=ad,dc=org") -filter*
I think the main problem is that I am attempting to copy from the computers container. Most of the advice on the internet refers to copying from an OU and not a container.
The Add-ADGroupMember documentation says:
You cannot pass user, computer, or group objects through the pipeline to this cmdlet.
Which I think is what you are trying to do.
I've used this method before to add computers from an OU to a group:
Get-ADComputer -SearchBase "CN=computers,DC=ad,dc=org" -Filter * | foreach {Add-ADGroupMember "wk_test" -Members $_.DistinguishedName }
But I think you could also modify your code like this, though I've not tested it as I'm not on a domain at the moment.
$Computers = Get-ADComputer -SearchBase "CN=computers,DC=ad,dc=org" -Filter * | select -ExpandProperty DistinguishedName
Add-ADGroupMember -Identity "wk_test" -Members $Computers
If you are moving them, why not use Move-ADObject?
So it would be:
Get-ADGroupMember "wk_test" | Move-ADObject -TargetPath <ou path>
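As an added example that is not any answer's code, a version of the task that computes the difference between the group's current members and the contents of the Computers container, then applies only that difference. A container (CN=...) works as -SearchBase exactly like an OU, which is the one piece of the question the answers leave implicit. The group name and container DN are the thread's values.

```powershell
# Added example (not from the thread). 'wk_test' and the container DN come from the thread.
Import-Module ActiveDirectory

$GroupName  = 'wk_test'
$SearchBase = 'CN=Computers,DC=ad,DC=org'   # a container is a valid -SearchBase, same as an OU

# Desired state: computers directly inside the container (OneLevel ignores anything nested below).
$desired = @(Get-ADComputer -SearchBase $SearchBase -SearchScope OneLevel -Filter * |
    Select-Object -ExpandProperty DistinguishedName)

# Current state, read from the group's member attribute (DN strings).
$current = @((Get-ADGroup -Identity $GroupName -Properties member).member)

$toAdd    = @($desired | Where-Object { $_ -notin $current })
$toRemove = @($current | Where-Object { $_ -notin $desired })

"Group $GroupName : $($current.Count) member(s) now, $($toAdd.Count) to add, $($toRemove.Count) to remove"

# Apply the diff. -Members takes an array, so each call is a single directory write;
# removing only the extras means the group is never momentarily empty.
if ($toRemove.Count -gt 0) { Remove-ADGroupMember -Identity $GroupName -Members $toRemove -Confirm:$false }
if ($toAdd.Count    -gt 0) { Add-ADGroupMember    -Identity $GroupName -Members $toAdd }

# Verify the end state against the container contents.
$after = @((Get-ADGroup -Identity $GroupName -Properties member).member)
if (Compare-Object -ReferenceObject $after -DifferenceObject $desired) {
    Write-Warning "$GroupName still differs from the contents of $SearchBase"
} else {
    "$GroupName now matches $SearchBase ($($after.Count) computer(s))"
}
```

Reconciling rather than clearing and refilling matters when the group is referenced by GPO security filtering or by ACLs: the clear-then-add approach in the question leaves a window in which every computer has lost the membership, and a failure after the Remove step leaves the group empty.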

Joining user to groups based on template user strange behaviour

I'm writing a script in PowerShell that creates users. This script adds the user to groups based on a template user with the department name. When used in my script like so:
Get-ADUser -Filter {name -eq "Temp$($Department.LookupValue)"} -Properties memberof |
Select-Object -ExpandProperty memberof |
Add-ADGroupMember -Members $sAMAccountName
this unfortunately doesn't work, nor does it give any errors.
However, when I run just the line of code it works just fine
Get-ADUser -Filter {name -eq "TempICT"} -Properties memberof |
Select-Object -ExpandProperty memberof |
Add-ADGroupMember -Members usern
As noted in the comments, you can cycle through the group names with foreach-object using Add-ADGroupMember, but this is going to result in a call to AD for every group the user needs to be added to. It may be more efficient to use the Add-ADPrincipalGroupMembership cmdlet, which will add the user to multiple groups in a single operation:
$Groups = Get-ADUser -Filter {name -eq "TempICT"} -Properties memberof |
Select-Object -ExpandProperty memberof
Add-ADPrincipalGroupMembership -Identity $sAMAccountname -MemberOf $Groups
The following line of code does work; I guess the problem was with the filter not being able to process the dot notation. Get-ADUser "Temp$departmentsn" -Properties memberof | Select-Object -ExpandProperty memberof | Add-ADGroupMember -Members $gebruiker
It's not 100% how I wanted it since I now search for the NetBIOS name instead of the name property, but it works. Because of the 20 character limitation for NetBIOS names I had to take a substring to make it work for all my departments.
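The following is an added example, not code from the thread, that puts the two findings together: the AD -Filter parameter cannot evaluate an expression such as $Department.LookupValue inside the filter, so the template's name is built into a plain variable first, and the memberships are then granted with a single Add-ADPrincipalGroupMembership call. It also adds a guard a provisioning script should have: a template that has quietly accumulated a privileged group must not pass it on to every new account. The Temp<department> naming and $sAMAccountName follow the thread; the function and the $NeverCopy list are this example's own.

```powershell
# Added example (not the thread's code). Template naming follows the thread; the function is ours.
Import-Module ActiveDirectory

function Copy-TemplateGroupMembership {
    param(
        [Parameter(Mandatory)][string]$DepartmentName,     # e.g. 'ICT' -> template user 'TempICT'
        [Parameter(Mandatory)][string]$SamAccountName,     # the account being provisioned
        # Groups a template must never hand out, whatever it happens to be a member of.
        [string[]]$NeverCopy = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'),
        [switch]$WhatIf
    )

    # Build the name outside the filter: -Filter only handles simple variables, not expressions.
    $templateName = "Temp$DepartmentName"
    $template = Get-ADUser -Filter "Name -eq '$templateName'" -Properties memberOf
    if (-not $template) { throw "Template user '$templateName' not found" }

    # Split the template's groups into ones we copy and ones we refuse, by CN in the DN string.
    $blocked = @($template.memberOf | Where-Object {
        $dn = $_
        $NeverCopy | Where-Object { $dn -like "CN=$_,*" }
    })
    $toCopy = @($template.memberOf | Where-Object { $_ -notin $blocked })

    foreach ($dn in $blocked) { Write-Warning "Refusing to copy privileged group from ${templateName}: $dn" }
    if ($toCopy.Count -eq 0) { Write-Warning "'$templateName' has no copyable groups"; return @() }

    # One directory operation for all groups; -WhatIf previews without changing anything.
    Add-ADPrincipalGroupMembership -Identity $SamAccountName -MemberOf $toCopy -WhatIf:$WhatIf

    # Return the DNs granted so the caller can record them with the provisioning ticket.
    return $toCopy
}

# Constructed usage (department 'ICT', placeholder account 'newuser'):
$granted = Copy-TemplateGroupMembership -DepartmentName 'ICT' -SamAccountName 'newuser' -WhatIf
"Would grant $($granted.Count) group(s)"
```

The filter string form "Name -eq '$templateName'" expands the variable in PowerShell before the filter reaches the provider, which is why it works where {name -eq "Temp$($Department.LookupValue)"} does not; a script-block filter referencing a plain variable ({Name -eq $templateName}) behaves the same way.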

powershell get-adgroupmember is not returning groups that are from a different forest

I can't seem to display groups of an active directory security group. I use the command
get-adgroupmember $group -server $serverName.
It doesn't return an error. It just returns empty results.
So I tried the command
get-adgroup $group -server $serverName -properties memberof
The memberof section is blank.
The one thing that stands out about this security group is that they were originally from another forest. We converted them over to the new forest with sidhistory in place.
The groups show up in "active directory for user and computers" gui. Any thoughts?
Group members added as external contacts will always escape from get-adgroupmember.
The antidote is
get-adgroup "groupname" -properties member | select -expand member | get-adobject
You are missing the -Identity:
get-adgroupmember -Identity $group -Server $serverName | Select SamAccountName
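Building on the first answer's approach, the following is an added example rather than an answer's code: it reads the group's member attribute directly and resolves each DN with Get-ADObject, which also covers members that are foreign security principals (principals from another forest, stored locally as a SID only) and that Get-ADGroupMember commonly fails to enumerate. The SID is translated to DOMAIN\name through the trust where possible. $group and $serverName are the question's variables; the values assigned at the bottom are constructed placeholders.

```powershell
# Added example (not from the thread). Function and placeholder values are ours.
Import-Module ActiveDirectory

function Get-GroupMemberResolved {
    param(
        [Parameter(Mandatory)][string]$Group,
        [string]$Server
    )
    # Pass -Server through only when one was given.
    $adArgs = @{}
    if ($Server) { $adArgs.Server = $Server }

    # The member attribute is the authoritative list, contacts and foreign principals included.
    $memberDns = @((Get-ADGroup -Identity $Group -Properties member @adArgs).member)

    foreach ($dn in $memberDns) {
        $obj = Get-ADObject -Identity $dn -Properties objectClass, objectSid, sAMAccountName @adArgs
        $account = $obj.sAMAccountName   # null for contacts and foreign security principals

        if ($obj.objectClass -eq 'foreignSecurityPrincipal') {
            # Only the SID is stored locally; translation goes through the trust to the other forest.
            try {
                $sid = [System.Security.Principal.SecurityIdentifier]$obj.objectSid
                $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $account = "$($obj.objectSid) (unresolved: trust or name lookup failed)"
            }
        }

        [pscustomobject]@{
            Name              = $obj.Name
            ObjectClass       = $obj.objectClass
            Account           = $account
            DistinguishedName = $dn
        }
    }
}

# Constructed placeholders standing in for the question's variables:
$group      = 'groupname'
$serverName = 'dc01.example.com'
Get-GroupMemberResolved -Group $group -Server $serverName | Format-Table -AutoSize
```

Unresolved SIDs in the output are worth a second look rather than a shrug: a foreign security principal whose SID no longer translates usually belongs to a deleted account or a retired trust, and such orphaned entries are the kind of membership that keeps granting access on paper while nobody can say whose access it is.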