Get-ADUser -Identity - powershell

Unable to pass a variable to the Identity parameter in Powershell.
$username = "John.Doe"
Get-ADUser -Identity "$username"
Get-ADUser : Cannot find an object with identity: 'John.Doe' under: 'DC=contoso,DC=com'.
At line:1 char:1
+ Get-ADUser -Identity "$username"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (John.Doe:ADUser) [Get-ADUser], ADIdentityNotFoundException
+ FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException,Microsoft.ActiveDirectory.Management.Commands.GetADUser
If I just put Get-ADUser -Identity "John.Doe" the results come back just fine.

The -Identity parameter accepts the following:
A distinguished name
A GUID (objectGUID)
A security identifier (objectSid)
A SAM account name (sAMAccountName)
If you want to search based on another attribute, then you need to use the -Filter switch. For example, to find user based on UserPrincipalName, you can do the following:
Get-ADUser -Filter "UserPrincipalName -eq 'John.Doe@contoso.com'"
See Get-ADUser for more details.

I know it is an old question, but this might be the answer. It might help someone down the line.
I came across the same issue and it stumped me for an hour. Finally I used $username = $username.trim(). So obviously the variable had a space which needed to be trimmed.
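The two answers above cover the two usual causes: -Identity only understands a DN, objectGUID, objectSid or sAMAccountName, and the variable may carry stray whitespace. The helper below combines both into one lookup; it is an added example, not code from either answer, and the sample identities in the usage lines are assumed.

```powershell
# Added example: resolve a user from any common identifier. Trims the input
# first (trailing whitespace from a CSV or a pasted string is the usual reason
# a "valid" name is not found), tries -Identity, then falls back to -Filter.
Import-Module ActiveDirectory

function Resolve-ADUserIdentity {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$true)][string]$Identity,
        [string]$Server
    )
    $id = $Identity.Trim()
    if ([string]::IsNullOrEmpty($id)) {
        throw "Identity is empty after trimming whitespace."
    }
    $common = @{ ErrorAction = 'Stop' }
    if ($Server) { $common.Server = $Server }

    # -Identity only accepts DN, objectGUID, objectSid and sAMAccountName.
    try {
        return Get-ADUser -Identity $id @common
    } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        Write-Verbose "'$id' is not a DN/GUID/SID/sAMAccountName; trying -Filter."
    }

    # Anything else (UPN, mail address, display name) has to go through -Filter.
    # Double any single quote (PowerShell-style escaping) so a value such as
    # O'Brien cannot break the filter expression.
    $safe   = $id -replace "'", "''"
    $filter = "UserPrincipalName -eq '$safe' -or mail -eq '$safe' -or DisplayName -eq '$safe'"
    $hits   = @(Get-ADUser -Filter $filter @common)
    switch ($hits.Count) {
        0       { throw "No user matches '$id'." }
        1       { return $hits[0] }
        default { throw "'$id' is ambiguous: $($hits.Count) users match." }
    }
}

# Usage (assumed sample values):
# Resolve-ADUserIdentity -Identity "John.Doe " -Verbose
# Resolve-ADUserIdentity -Identity "john.doe@contoso.com"
```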

Related

PowerShell: get-adgroupmember and ignore ForeignSecurityPrincipals account

The objective is to get the group members and ignore the ForeignSecurityPrincipal account (no deletion, just ignore). This group 'zzapsdba_c' has a ForeignSecurityPrincipal account which caused get-adgroupmember to error out. Note: I would need a solution using Microsoft PowerShell cmdlets. I already have an alternative solution using get-qadgroupmember (Quest/Dell PowerShell cmdlets) which I do not wish to use because it is not native.
I am using PowerShell v4.0.
Here is my code that failed:
get-adgroupmember zzapsdba_c -server nw
here is the error:
get-adgroupmember : An unspecified error has occurred
At line:1 char:1
+ get-adgroupmember zzapsdba_c -server nw
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (zzapsdba_c:ADGroup) [Get-ADGroupMember], ADException
+ FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember
You should be able to get the members of the group by reading the Members attribute and looking up those distinguished names. Like this:
Get-ADGroup -Identity zzapsdba_c -Properties Members -Server nw | Select-Object -ExpandProperty Members | Get-ADObject -Server nw
I tend to use this normally as Get-AdGroupMember can also have problems with groups containing more than 1000 members unless you change the default ADWS configuration on the Domain Controllers.
If you still want to ignore the ForeignSecurityPrincipal objects then this should work.
Get-ADGroup -Identity zzapsdba_c -Properties Members -Server nw | Select-Object -ExpandProperty Members | Get-ADObject -Server nw | Where-Object { $_.ObjectClass -ne "ForeignSecurityPrincipal" }
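Silently filtering out the ForeignSecurityPrincipal objects hides the fact that the group grants access to accounts from another forest. The function below follows the answer's approach (expand Members, resolve each DN with Get-ADObject) but reports the foreign entries separately and tries to translate their SID to an account name; it is an added example, not code from the answer, and the group name zzapsdba_c and server nw are taken from the question.

```powershell
# Added example: enumerate a group via its member attribute and flag
# ForeignSecurityPrincipals instead of dropping them, so cross-forest
# membership shows up in an access review.
Import-Module ActiveDirectory

function Get-ADGroupMemberAudit {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$true)][string]$GroupName,
        [Parameter(Mandatory=$true)][string]$Server,
        [switch]$ExcludeForeign   # reproduce the answer's "just ignore them" behaviour
    )
    $group = Get-ADGroup -Identity $GroupName -Properties Members -Server $Server -ErrorAction Stop
    foreach ($dn in $group.Members) {
        $obj = Get-ADObject -Identity $dn -Server $Server -Properties objectSid -ErrorAction Stop
        $isForeign = $obj.ObjectClass -eq 'foreignSecurityPrincipal'
        if ($isForeign -and $ExcludeForeign) { continue }

        $resolved = $null
        if ($isForeign -and $obj.objectSid) {
            # An FSP is only a stub holding the SID of a principal in a trusted
            # forest; translating it needs the trust to be reachable.
            try {
                $resolved = ([System.Security.Principal.SecurityIdentifier]$obj.objectSid).Translate(
                    [System.Security.Principal.NTAccount]).Value
            } catch {
                $resolved = '<unresolvable: orphaned FSP or trust unavailable>'
            }
        }
        [pscustomobject]@{
            Group             = $group.Name
            Name              = $obj.Name
            ObjectClass       = $obj.ObjectClass
            DistinguishedName = $obj.DistinguishedName
            IsForeign         = $isForeign
            ResolvedAccount   = $resolved
        }
    }
}

# Usage:
# Get-ADGroupMemberAudit -GroupName zzapsdba_c -Server nw | Format-Table Name, ObjectClass, IsForeign, ResolvedAccount
```

An FSP whose SID no longer translates usually belongs to a deleted account or a removed trust, which is worth cleaning up rather than ignoring.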

Move-ADobject - Move user from one forest to another forest?

I am able to do this cross-domain within a forest, but between two forests it is failing.
So the question in the first place... is it possible to move a user between forests using PowerShell?
When I tried this across forest, I get this error:
Move-ADObject -Identity "CN=test4,OU=temp,DC=IDENTITYIQ,DC=LAB" -TargetPath "OU=TestOU,DC=connectivity,DC=lab" -TargetServer ConnDC01W16.connectivity.lab -Verbose -AuthType Negotiate -Server IIQDC01W16.IDENTITYIQ.LAB
Move-ADObject : The naming context could not be found
At line:1 char:14
+ Move-ADObject <<<< -Identity "CN=test4,OU=temp,DC=IDENTITYIQ,DC=LAB" -TargetPath "OU=TestOU,DC=connectivity,DC=lab"
-TargetServer ConnDC01W16.connectivity.lab -Verbose -AuthType Negotiate -Server IIQDC01W16.IDENTITYIQ.LAB
+ CategoryInfo : NotSpecified: (CN=test4,OU=temp,DC=IDENTITYIQ,DC=LAB:ADObject) [Move-ADObject], ADException
+ FullyQualifiedErrorId : The naming context could not be found,Microsoft.ActiveDirectory.Management.Commands.MoveADObject
Yes, it works, but only if you have at least a one-way forest trust to the target forest.

Powershell - Add-Adgroupmember objectclass:contact to a distribution group error Cannot find[..]

I'm working on a simple script that should add a contact to a distribution group depending on the week of the year. My bug is that my script can add objectclass:User, but when I try with a contact GUID the script gives me this error:
Add-ADGroupMember : Cannot find an object with identity: '123dd2345-12f0-542b-c3e6-5774bac431aa' under: 'DC=MY,DC=DOMAIN'.
At line:1 char:25
+ get-adgroup $ADGroup | Add-ADGroupMember -members $zvar.ObjectGUID
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (123dd2345-12f0-542b-c3e6-5774bac431aa:ADPrincipal) [Add-ADGroupMember], ADIdentityNotFoundException
+ FullyQualifiedErrorId : SetADGroupMember.ValidateMembersParameter,Microsoft.ActiveDirectory.Management.Commands.AddADGroupMember
The part of the script that I use looks like this:
$zvar = get-adobject -filter {displayname -eq "Valentine, John (CELL)" } #this is my contact displayname that is put in a variable with necessary properties
get-adgroup "Dist - Support group" | Add-ADGroupMember -members $zvar.ObjectGUID #this is my Distribution group, whatever the properties I put to my contact object I get the error message above i.e. $zvar.name, $zvar.distinguishedname, etc
If I replace the value "Valentine, John (CELL)" with the ObjectClass:user "Valentine,John", the command succeeds without error.
Am I using the command correctly?
I could probably use the Quest-module but I'd like to avoid using a third party.
Thanks in advance
Came across this problem as well today: You cannot add an AD Object of class "objectClass=contact" to a group using the Add-ADGroupMember cmdlet.
However, the members of an AD group are simply stored in the multivalued property "member", and every *-ADObject and related command supports the -Add, -Replace, -Clear and -Remove parameters.
Thus, this works to add a single user:
Set-ADGroup -Identity "GroupName" -Add @{'member'=$contact.DistinguishedName};
And this removes the user:
Set-ADGroup -Identity "GroupName" -Remove @{'member'=$contact.DistinguishedName};
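Writing the member attribute directly works because Set-ADGroup does not validate that the value is a security principal, which is exactly the check that makes Add-ADGroupMember reject a contact. The function below wraps the answer's Set-ADGroup -Add call with the lookup from the question and a membership check, since -Add errors out when the DN is already present; it is an added example, not code from the answer, and the group and contact names are the ones in the question.

```powershell
# Added example: add a contact object to a group by editing the group's
# "member" attribute, with a preview (-WhatIf) and an idempotency check.
Import-Module ActiveDirectory

function Add-ADContactToGroup {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param(
        [Parameter(Mandatory=$true)][string]$GroupName,
        [Parameter(Mandatory=$true)][string]$ContactDisplayName
    )
    # Double any single quote so the display name cannot break the filter.
    $safe = $ContactDisplayName -replace "'", "''"
    $contacts = @(Get-ADObject -Filter "objectClass -eq 'contact' -and displayName -eq '$safe'")
    if ($contacts.Count -ne 1) {
        throw "Expected exactly one contact named '$ContactDisplayName', found $($contacts.Count)."
    }
    $contact = $contacts[0]
    $group = Get-ADGroup -Identity $GroupName -Properties member -ErrorAction Stop

    # Set-ADGroup -Add fails if the DN is already a value of "member".
    if ($group.member -contains $contact.DistinguishedName) {
        Write-Verbose "$($contact.Name) is already a member of $($group.Name)."
        return $false
    }
    if ($PSCmdlet.ShouldProcess($group.Name, "Add member $($contact.DistinguishedName)")) {
        Set-ADGroup -Identity $group.DistinguishedName -Add @{ member = $contact.DistinguishedName } -ErrorAction Stop
    }
    return $true
}

# Usage: preview with -WhatIf, then run without it.
# Add-ADContactToGroup -GroupName "Dist - Support group" -ContactDisplayName "Valentine, John (CELL)" -WhatIf
```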
As @mjolinor commented, the Exchange cmdlet would be the solution, but I don't have what it needs to use it. So I will use the Quest cmdlet. With that it's working.

Trying to bulk update phone number in AD via Powershell

I'm trying to import and replace telephone numbers in AD via a PowerShell script from an exported and updated CSV file.
The script I'm using is:
Import-Csv C:\test2.csv | ForEach-Object {
Set-ADUser -Identity $_.samAccountName -Replace @{
telephoneNumber=$_.OfficePhone;HomePhone=$_.HomePhone;MobilePhone=$_.MobilePhone}
}
The formatting of the CSV is:
samaccountname,OfficePhone,HomePhone,MobilePhone
Username,Phone no, phone no, phone no
When trying to import it I get the error:
C:\Users\account\Desktop\ps2.ps1:2 char:13
+ Set-ADUser <<<< -Identity $_.samAccountName -Replace @{telephoneNumber=$_.OfficePhone;HomePhone=$_.HomePhone;Mobil
ePhone=$_.MobilePhone}
+ CategoryInfo : InvalidOperation: (1305:ADUser) [Set-ADUser], ADInvalidOperationException
+ FullyQualifiedErrorId : replace,Microsoft.ActiveDirectory.Management.Commands.SetADUser
Does anyone have any idea?
The only thing I see is that the -Replace operator requires that you use LDAP display fields, and MobilePhone does not exist. Use Mobile instead.
Check out this site for a great table listing all the LDAP user attributes. Or you can use the MSDN page which is considerably less useful because it doesn't show LDAP display names unless you click on links for each field.
It works fine.
Import-Csv E:\test.csv | ForEach-Object {Set-ADUser -Identity $_.samAccountName -Replace @{Mobile=$_.MobilePhone}}
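The answers pin down the cause (-Replace takes LDAP display names, so the key must be mobile rather than MobilePhone). The script below generalises that to all three columns of the CSV layout in the question, maps each column to its LDAP name, and clears empty cells with -Clear rather than writing an empty string, which -Replace also rejects; it is an added example, not code from the answers, and C:\test2.csv is the path from the question.

```powershell
# Added example: bulk phone update from the question's CSV
# (samaccountname,OfficePhone,HomePhone,MobilePhone) using LDAP attribute names.
Import-Module ActiveDirectory

# CSV column -> LDAP display name accepted by -Replace / -Clear.
$PhoneAttributeMap = [ordered]@{
    OfficePhone = 'telephoneNumber'
    HomePhone   = 'homePhone'
    MobilePhone = 'mobile'
}

function Update-ADPhoneNumbers {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param([Parameter(Mandatory=$true)][string]$CsvPath)

    foreach ($row in Import-Csv -Path $CsvPath) {
        $sam     = ([string]$row.samAccountName).Trim()
        $replace = @{}
        $clear   = @()
        foreach ($column in $PhoneAttributeMap.Keys) {
            $value = [string]$row.$column
            if ([string]::IsNullOrWhiteSpace($value)) {
                $clear += $PhoneAttributeMap[$column]          # AD refuses "" as a value
            } else {
                $replace[$PhoneAttributeMap[$column]] = $value.Trim()
            }
        }
        $params = @{ Identity = $sam; ErrorAction = 'Stop' }
        if ($replace.Count) { $params.Replace = $replace }
        if ($clear.Count)   { $params.Clear   = $clear }
        $what = "set [$($replace.Keys -join ',')] clear [$($clear -join ',')]"
        if ($PSCmdlet.ShouldProcess($sam, $what)) {
            try   { Set-ADUser @params }
            catch { Write-Warning "$sam : $($_.Exception.Message)" }   # keep going on one bad row
        }
    }
}

# Usage: preview first, then apply.
# Update-ADPhoneNumbers -CsvPath C:\test2.csv -WhatIf
# Update-ADPhoneNumbers -CsvPath C:\test2.csv
```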

Display groups a user belongs to by searching their email address - Quest Powershell Active Roles Management Shell

This is the command I'm using currently:
$user = Get-QADUser -email user@domain.com -enabled ; $user.memberOf |
Get-QADGroup | findstr Green
"Green" is just an identifying marker on group names.
Sometimes this command works just fine. It displays to me, based on the email address input, all groups that match "Green" that the user belongs to.
Sometimes, however, it does not... and I get this:
Get-QADGroup : Cannot validate argument on parameter 'Identity'. The
argument is null or empty. Supply an argument that is not null or
empty and then try the command again. At line:1 char:97
+ $user = Get-QADUser -email user@domain.com -enabled ; $user.memberOf | Get-QADGroup <<<< | findstr Green
+ CategoryInfo : InvalidData: (:) [Get-QADGroup], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationError,Quest.ActiveRoles.ArsPowerShellSnapIn.Powershell.Cmdlets.GetGroupCmdlet
I've been googling and trying modifications of and variations on this for weeks on and off, and no luck. I'm hoping someone can explain the inconsistent behavior and provide a better or just more consistently working command.
Give this a try:
Get-QADMemberOf -Identity user@domain.com -Name Green