I am trying to use PowerShell to add an OU called Calder under an OU called Branches, but I keep getting the error New-ADOrganizationalUnit : The server is unwilling to process the request. Also, I am running PowerShell as an admin.
Here is what I put in powershell
New-ADOrganizationalUnit "Calder" -Path "OU=Branches, DC=company.epl, DC=local"
Here is the full error
New-ADOrganizationalUnit : The server is unwilling to process the
request At line:1 char:1
+ New-ADOrganizationalUnit "Calder" -Path "OU=Branches, DC=company.epl …
+ + CategoryInfo :NotSpecified: (OU=Calder, OU+Br...y.epl, DC=local:Strin g) [New-ADOrganizationalUnit] :
ActiveDirectoryServer:O,Microsoft.ActiveDirectory.Management.Commands.NewADOrganizationalUnit
I've generally seen this error when I've got my fully qualified DN mistyped. If that is the case, using a search to grab the intended OU object helps.
PS> $MYOU = Get-ADOrganizationalUnit -filter 'Name -like "Branches"'
PS> $MYOU.DistinguishedName
OU=Branches,dc=MyCompany,dc=ccTLD
PS> New-ADOrganizationalUnit "Calder" -Path $MYOU.DistinguishedName
PS> Get-ADOrganizationalUnit -filter 'Name -like "Calder"'
City :
Country :
DistinguishedName : OU=Calder,OU=Branches,dc=MyCompany,dc=ccTLD
LinkedGroupPolicyObjects : {}
ManagedBy :
Name : Calder
ObjectClass : organizationalUnit
ObjectGUID : 559c4242-505a-c165-15d5-562b5fb99103
PostalCode :
State :
StreetAddress :
If it's not just an incorrect OU path, try appending -Verbose to the command and see if there's a better indication of what exactly went awry.
I try to use the Get-User command with a simple Filter.
Get-User -Filter "(Manager -eq 'Max, Mustermann')"
The problem is that I get this exception:
Cannot bind parameter 'Filter' to the target. Exception setting "Filter": "The value "Max, Mustermann" could not be converted to type
Microsoft.Exchange.Data.Directory.ADObjectId.
"(Manager -eq 'Max, Mustermann')" at position 34."
In C:\Users\JAKO\AppData\Local\Temp\tmp_4vtu0s13.ymv\tmp_4vtu0s13.ymv.psm1:38356 Zeichen:9
$steppablePipeline.End()
~~~~~~~~~~~~~~~~~~~~~~~~
CategoryInfo : WriteError: (:) [Get-User], ParameterBindingException
FullyQualifiedErrorId : ParameterBindingFailed,Microsoft.Exchange.Management.RecipientTasks.GetUser
As far as I understand the problem, it's because of the comma, so I tried some workarounds.
Get-User -Filter "(Manager -like 'Max, Mustermann')"
Here I don't get an exception, but no users are returned.
Get-User -Filter "(Manager -eq 'Max"," Mustermann')"
The same as with the other workaround: no exception, but no users match.
I also made sure that I have users that would match this specific query by using this command:
Get-User -Filter | Format-List Manager
How can I write my Filter input so it matches "Max, Mustermann"?
From the filtering documentation for the Manager attribute:
This filter requires the distinguished name or canonical distinguished name of the manager (a mailbox or mail user). For example, Get-User -Filter "Manager -eq 'CN=Angela Gruber,CN=Users,DC=contoso,DC=com'" or Get-Mailbox -Filter "Manager -eq 'contoso.com/Users/Angela Gruber'".
To find the distinguished name of a manager, replace <RecipientIdentity> with the name, alias, or email address of the recipient, and run this command: Get-Recipient -Identity "<RecipientIdentity>" | Format-List Name,DistinguishedName.
So now we know why the filter isn't working (a distinguished name is expected), and how to obtain the correct value (by using Get-Recipient):
# Fetch manager's user account object
$targetUser = Get-Recipient -Filter "SimpleDisplayName -eq 'Max, Mustermann'"
# Fetch reports
Get-User -Filter "Manager -eq '$($targetUser.DistinguishedName)'"
I would need your help with the use of New-AdGroup command.
The goal of my script is to verify whether an Active Directory group exists and, if it doesn't exist, the script creates the group and adds the member of the group in a specific OU.
But my problem is that when I use the script with a combination of OUs and one of them contains spaces in its name (e.g. "OU=Servers of Files"), the script returns an error.
Example: I need to add the group in "OU=Fileserver1", which is a sub-OU of "OU=Servers of Files", which is a sub-OU of "OU=Groupes".
When I call New-AdGroup with the path value "Ou=ServerFile1,OU=Servers of Files,OU=Groupes,DC=Contoso,DC=lan", I get the following error.
New-ADGroup : Objet de l’annuaire non trouvé At line:29 char:5
+ New-ADGroup -Name "$DLGroupName" -Path "$Orga" -GroupCategory "Se ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (CN=G_GROUP1...ONTOSO,DC=lan:String) [New-ADGroup],
ADIdentityNotFoundException
+ FullyQualifiedErrorId : Objet de l’annuaire non trouvé,Microsoft.ActiveDirectory.Management.Commands.NewADGroup
The problem is caused by "OU=Servers of Files" because I tried with an OU without spaces and it was working.
Please find a part of the script below, let me know how I can manage spaces under a path :
#Variable
$CurrentDomain = Get-ADDomain | Select -Property DistinguishedName
$TargetOU = "OU=FileServer1,OU=Servers of Files,OU=Groupes" #
$OrganizationalUnitDN = $TargetOU+","+ $CurrentDomain.DistinguishedName
$Orga = $OrganizationalUnitDN
$DLGroupName = "DL_FileServer1_TEST"
$Description = "\\FileServer1\Share\Test"
New-ADGroup -Name "$DLGroupName" -Path "$Orga" -GroupCategory "Security" -GroupScope "Global" -Description "$Description" -PassThru
Note : $Orga = Ou=ServerFile1,OU=Servers of Files,OU=Groupes,DC=Contoso,DC=lan
When we encounter weird bugs like this, a good first test is to manually run the command with no variables to find the root cause of the error. Doing this shows us that we don't need to escape spaces with a \ or \20 sequence and that route won't help us.
Because I can run your command with no errors when I manually expand the variables like so:
New-ADGroup -Name "DL_FileServer1_TEST" -Path "OU=Servers Of Files,DC=FoxDeploy,DC=local" `
-GroupCategory "Security" -GroupScope "Global" -Description "Test" -PassThru
DistinguishedName : CN=DL_FileServer1_TEST1,OU=Servers Of Files,DC=FoxDeploy,DC=local
GroupCategory : Security
GroupScope : Global
Name : DL_FileServer1_TEST1
ObjectClass : group
ObjectGUID : 5889f8ea-9d80-4609-ad47-92e50a574088
SamAccountName : DL_FileServer1_TEST1
SID : S-1-5-21-3818945699-900446794-3716848007-32100
Now that I know this works, I know I can then store the values in variables to make it cleaner to read, like this:
$params = @{
    Name = "DL_FileServer1_TEST1";
    Path = "OU=Servers Of Files,DC=FoxDeploy,DC=local";
    GroupCategory = "Security";
    GroupScope = "Global";
    Description = "My Test Group"
    PassThru = $true
}
New-ADGroup @params
If I had to guess, I bet that you need to run the entire script to populate all of the variables, and instead you are rerunning the last command over and over but one of the variables is $null.
If that doesn't work...
If not that, then are we sure the container of Ou=ServerFile1 actually exists too?
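Both this answer and the earlier New-ADOrganizationalUnit answer come down to a -Path that does not resolve. The following is an added example, not code from either answer, that reports the first component of a path that is malformed or missing; the function name Find-BadPathComponent is hypothetical, and the existence checks assume the ActiveDirectory (RSAT) module and a reachable domain controller.

```powershell
# Added example. The syntax checks need nothing; the existence checks need the
# ActiveDirectory module and a domain controller.
function Find-BadPathComponent {
    param([Parameter(Mandatory)][string]$Path)

    # Split on commas that are not backslash-escaped, then drop stray spaces.
    $parts = @([regex]::Split($Path, '(?<!\\),') | ForEach-Object { $_.Trim() })

    foreach ($p in $parts) {
        if ($p -notmatch '^(OU|CN|DC)=.+') { return "Malformed component: '$p'" }
        # A domain DN has one DC= per DNS label, so a dot inside a DC= value never matches one.
        if ($p -match '^DC=.*\.') { return "DC component contains a dot: '$p'" }
    }

    $domainDn   = @($parts | Where-Object { $_ -match '^DC=' }) -join ','
    $containers = @($parts | Where-Object { $_ -notmatch '^DC=' })
    if (-not $domainDn) { return 'No DC= components: the path is not fully qualified' }

    # Walk from the domain root toward the leaf and stop at the first missing container.
    $current = $domainDn
    for ($i = $containers.Count - 1; $i -ge 0; $i--) {
        $current = "$($containers[$i]),$current"
        try { $null = Get-ADObject -Identity $current -ErrorAction Stop }
        catch {
            # Only "not found" is an answer; access denied or no DC is re-thrown.
            if ($_.Exception.GetType().Name -ne 'ADIdentityNotFoundException') { throw }
            return "Does not exist: $current"
        }
    }
    return $null   # nothing wrong found
}

# The two paths quoted in the questions above.
Find-BadPathComponent 'OU=Branches, DC=company.epl, DC=local'
Find-BadPathComponent 'Ou=ServerFile1,OU=Servers of Files,OU=Groupes,DC=Contoso,DC=lan'
```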
I want to import a CSV, then delete several objects from AD.
$ImportComputer = "C:\Users\deng\Desktop\ComputerLastlogondateformatBis.csv"
Import-Module ActiveDirectory
foreach ($Computer in (Import-Csv -Path C:\Users\deng\Desktop\ComputerLastlogondateformatBis.csv))
{
    Remove-ADObject -Identity $Computer.'Computer'
}
These two objects exist in AD, but I cannot seem to find out why it is not working.
See the error message below:
Remove-ADObject : Cannot find an object with identity: 'fr-borr-mac' under: 'DC=PII,DC=net'.
At C:\Users\deng\OneDrive - Aptus Health\Script\Export.ps1:7 char:1
+ Remove-ADObject -Identity $Computer.'Computer'
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (fr-borr-mac:ADObject) [Remove-ADObject], ADIdentityNotFoundException
+ FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException,Microsoft.ActiveDirectory.Management.Commands.RemoveADObject
Remove-ADObject : Cannot find an object with identity: 'jlinmacfr' under: 'DC=PII,DC=net'.
At C:\Users\deng\OneDrive - Aptus Health\Script\Export.ps1:7 char:1
+ Remove-ADObject -Identity $Computer.'Computer'
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Content of the CSV below:
Computer
--------
fr-borr-mac
jlinmacfr
Could anyone give input on this?
The -Identity parameter on the *-ADObject commands expects either a DistinguishedName or Guid value. If you want to work with SamAccountName or some other attribute, you should consider using the *-ADComputer commands or using -Filter to find your objects.
# Using Remove-ADObject
Remove-ADObject -Filter "SamAccountName -eq '$($Computer.Computer)'"
# Using Remove-ADComputer
Remove-ADComputer -Identity $Computer.Computer
Alternatively, you can use Get-ADComputer or Get-ADObject to retrieve your object first and then pipe that into Remove-ADObject.
Get-ADObject -Filter "SamAccountName -eq '$($Computer.Computer)'" | Remove-ADObject
See the Remove-ADObject documentation for the following excerpt regarding explicitly binding to -Identity:
Specifies an Active Directory object by providing one of the following
property values. The identifier in parentheses is the Lightweight
Directory Access Protocol (LDAP) display name for the attribute. The
acceptable values for this parameter are:
A distinguished name
A GUID (objectGUID)
For piping an object into Remove-ADObject, the following excerpt applies, which is why you can use a Get-AD* command and pipe the result into the Remove-ADObject:
This parameter can also get this object through the pipeline or you
can set this parameter to an object instance.
Derived types, such as the following, are also accepted:
Microsoft.ActiveDirectory.Management.ADGroup
Microsoft.ActiveDirectory.Management.ADUser
Microsoft.ActiveDirectory.Management.ADComputer
Microsoft.ActiveDirectory.Management.ADServiceAccount
Microsoft.ActiveDirectory.Management.ADFineGrainedPasswordPolicy
Microsoft.ActiveDirectory.Management.ADDomain
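Because this is a bulk delete driven by a file, it helps to resolve every row to exactly one object and preview the result before anything is removed. This is an added example, not the answerer's code: the function name Remove-ComputerByName is hypothetical, the CSV rows are constructed from the two names in the question, and the ActiveDirectory (RSAT) module is assumed.

```powershell
# Added example. Constructed CSV content, inline so the input is visible.
$rows = @'
Computer
fr-borr-mac
jlinmacfr
'@ | ConvertFrom-Csv

function Remove-ComputerByName {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [Alias('Computer')]          # binds the CSV column of that name
        [string]$Name
    )
    process {
        # Double any apostrophe so a CSV value cannot terminate the quoted filter string.
        $safe  = $Name.Trim().Replace("'", "''")
        $found = @(Get-ADComputer -Filter "Name -eq '$safe'")

        # Zero matches means a typo or stale row; more than one is ambiguous. Skip both.
        if ($found.Count -ne 1) {
            Write-Warning "Skipping '$Name': $($found.Count) matching computer objects"
            return
        }
        if ($PSCmdlet.ShouldProcess($found[0].DistinguishedName, 'Remove computer object')) {
            # Pass the resolved object, so the delete targets exactly what was checked.
            # -Recursive also removes child objects stored under the computer object.
            Remove-ADObject -Identity $found[0] -Recursive -Confirm:$false
        }
    }
}

# Dry run: reports each distinguished name that would be removed and changes nothing.
$rows | Remove-ComputerByName -WhatIf
```

Run it again without -WhatIf only after the dry-run list matches what you expect.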
I am writing a PowerShell script (in a PowerShell 5.1 environment) and I need to list all users from groups set in a folder's permissions. But some groups are not relevant so when I try to Get-ADGroupMember on it, I've got an expected error.
To discard this error, I tried the following :
Get-ADGroupMember Fake_Group -Server ad.example.com 2>&1 $null
Get-ADGroupMember Fake_Group -Server ad.example.com 2>&1 | Out-Null
But in both cases, the result is the same : error is displayed.
get-aduser : Cannot find an object with identity: 'Fake_Group' under 'DC=example.com'.
At line:1 char:1
+ Get-ADGroupMember Fake_Group -Server ad.example.com 2>&1 | ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Fake_Group:ADGroup) [Get-ADGroupMember], ADIdentityNotFoundException
+ FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember
So my question is : why is this error still displayed ?
And then, how could I discard this error or is there a better way to list users from groups set in a folder's permissions than just try to Get-ADGroupMember on the whole result of Get-Acl even on no relevant object ?
Because Out-Null does nothing in this regard, you would need to use try/catch statements and might even need to add -ErrorAction Stop as not all errors in AD commands are terminating errors:
Try{
    Get-ADGroupMember $GROUPNAME -Server $SERVER -ErrorAction Stop
    #The group is found, do whatever you want here
}Catch{
    Write-Host "Some error occurred"
}
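Applied to the original task (listing users behind a folder's ACL), the try/catch can be narrowed so that only the expected "not a group" error is swallowed and everything else still surfaces. This is an added example, not the answerer's code; $folder is a placeholder path, ad.example.com is the server name from the question, and the ActiveDirectory (RSAT) module is assumed.

```powershell
# Added example. $folder is a placeholder; point it at the folder being audited.
$folder = '\\fileserver.example.com\share\folder'

$members = foreach ($ace in (Get-Acl -Path $folder).Access) {
    # Resolve the ACL entry to a SID; entries that cannot be mapped are skipped.
    try {
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
    }
    catch [System.Security.Principal.IdentityNotMappedException] { continue }

    try {
        # -Identity accepts a SID, which avoids parsing DOMAIN\name strings.
        Get-ADGroupMember -Identity $sid.Value -Server ad.example.com -Recursive -ErrorAction Stop |
            Select-Object @{ n = 'Group'; e = { $ace.IdentityReference.Value } },
                          SamAccountName, objectClass
    }
    catch {
        # Expected for entries that are users, computers or well-known principals.
        # Anything else (access denied, server unreachable) is re-thrown, not hidden.
        if ($_.Exception.GetType().Name -ne 'ADIdentityNotFoundException') { throw }
        Write-Verbose "Not an AD group: $($ace.IdentityReference)"
    }
}

# The same identity can appear in several ACL entries, so de-duplicate at the end.
$members | Sort-Object Group, SamAccountName -Unique
```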
Firstly,
I am very new to PowerShell. Every time I think I get the logic I go WTF. If this was bash it would be so easy, etc.
What am I trying to do exactly...
Get all computers from AD that meet the Xiopwb* criteria. Once I have the list I need to change the permissions on the \\Xiopwb20\Nsiwebroot directory to ONLY INCLUDE Domain Administrators and a security group "webadmins".
My Logic:
Get all computers from AD that meet Xio*PWB*
Take just the NAME of objects in that list
for every "name" in that list do Get-ACL \\Name from list\Nsiwebroot
remove *
add user / group.
What I have:
PS C:\Windows\system32> Get-ADComputer -filter * | Where-Object {$_.Name -like "xiopwb*"} | Select Name | ForEach-Object { Get-Acl \\$_.Name\nsiwebroot}
All up to the "ForEach" works... I get just the names of the PCs that I need, etc.
As simple as possible; I don't need a 100-line script.
Thanks
** update **
It is a double \, it's just not showing it... no idea why.
Looks like it is doing what I want to a degree. However, it's spitting out the format funky: @{Name=XIOPWB09}
PS C:\Windows\system32> Get-ADComputer -filter * | Where-Object {$_.Name -like "xiopwb*"} | Select Name | ForEach-Object {get-acl "\\$_\D$\nsiwebroot"}
get-acl : Cannot find path '\@{Name=XIOPWB09}\D$\nsiwebroot' because it does not exist.
At line:1 char:99
+ ... opwb*"} | Select Name | ForEach-Object {get-acl "\$_\D$\nsiwebroot"}
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (:) [Get-Acl], ItemNotFoundException
+ FullyQualifiedErrorId : GetAcl_PathNotFound_Exception,Microsoft.PowerShell.Commands.GetAclCommand
get-acl : Cannot find path '\@{Name=XIOPWB06}\D$\nsiwebroot' because it does not exist.
At line:1 char:99
+ ... opwb*"} | Select Name | ForEach-Object {get-acl "\$_\D$\nsiwebroot"}
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (:) [Get-Acl], ItemNotFoundException
+ FullyQualifiedErrorId : GetAcl_PathNotFound_Exception,Microsoft.PowerShell.Commands.GetAclCommand
"Select Name" returns an object with the table header Name. "Select -ExpandProperty Name" is what is needed here, which will convert it to a String.
Regards,
kvprasoon
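The difference between the forms can be seen without a domain. This is an added example, not part of the original answer: the computer objects are constructed stand-ins for Get-ADComputer output, and Test-SharePath is a hypothetical guard that accepts only well-formed UNC paths before any ACL change is attempted.

```powershell
# Added example: constructed objects stand in for Get-ADComputer output.
$computers = 'XIOPWB06', 'XIOPWB09', 'XIOSQL01' |
    ForEach-Object { [pscustomobject]@{ Name = $_; Enabled = $true } }
$matching = $computers | Where-Object { $_.Name -like 'xiopwb*' }

# Form 1 (the question's update): Select-Object Name keeps a wrapper object,
# and inside a string the whole object is rendered in the @{Name=...} style.
$wrapped = $matching | Select-Object Name | ForEach-Object { "\\$_\D$\nsiwebroot" }

# Form 2 (the pattern in the first attempt): only $_ expands, ".Name" stays literal.
$dotted = $matching | ForEach-Object { "\\$_.Name\D$\nsiwebroot" }

# Form 3 (the answer): -ExpandProperty emits plain strings.
$expanded = $matching | Select-Object -ExpandProperty Name |
    ForEach-Object { "\\$_\D$\nsiwebroot" }

# Form 4: a subexpression does the same without Select-Object.
$subexpr = $matching | ForEach-Object { "\\$($_.Name)\D$\nsiwebroot" }

# Guard: every path must be \\<plain host name>\D$\nsiwebroot.
function Test-SharePath {
    param([string]$Path)
    $Path -match '^\\\\[A-Za-z0-9-]{1,15}\\D\$\\nsiwebroot$'
}

# Count how many paths from each form pass the guard.
[pscustomobject]@{
    Wrapped  = @($wrapped  | Where-Object { Test-SharePath $_ }).Count
    Dotted   = @($dotted   | Where-Object { Test-SharePath $_ }).Count
    Expanded = @($expanded | Where-Object { Test-SharePath $_ }).Count
    SubExpr  = @($subexpr  | Where-Object { Test-SharePath $_ }).Count
}
```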