PowerShell command Get-ADDomainController randomly failing - powershell

We are calling Get-ADDomainController from C# code to get all the DCs in a forest:
Get-ADDomainController -Discover -ForceDiscover -DomainName "abc.xyz.com"
This command works most of the time, but sometimes it fails with the error below:
Get-ADDomainController : The format of the specified domain name is invalid
Can someone please let me know what might be going wrong when the command does not work?

I would like you to go through the following links. They mention all the possibilities, so it is not easy to pick any one at random.
I believe your domain contains pre-created read-only domain controller (RODC) accounts.
Link 1 - Microsoft Support
Link 2 - Programmatically Join
If Windows cannot determine the user or computer name. (The format of the specified domain name is invalid. ). Group Policy processing aborted.
Try this: Link 3 - GP Aborting and then GP Update
Hope it helps.
Ideally this should move to Server Fault, but it can still be considered on SO because coding is involved.

Related

Powershell - The Parameter "XXXX" is declared in parameter-set "__AllParameterSets" multiple times

First of all, I'm sorry if this question has been posted before.
I couldn't seem to find an answer we could work with, so here goes...
Backstory:
Every 90 days all passwords of the NT accounts expire.
The office staff get a notification when they sign in to Windows 10.
However our iPad users (salesmen and technicians who are on the road) don't get a notification about the expiration.
They use an app which requires a NT-account to sign into our sales system.
Now we've found a Powershell script which would e-mail the user about the expiration of his password, but unfortunately we keep getting the following error:
"The parameter "testing" is declared in parameter-set "__AllParameterSets" multiple times."
As we do not have any PowerShell programming skills, we have no idea what is going wrong in the script.
Could you guys help us?
The following script is being used (of course edited with our SMTP server and e-mail addresses).
https://gallery.technet.microsoft.com/scriptcenter/Password-Expiry-Email-177c3e27
Much obliged :-)
the code you 1st linked to never, EVER mentions parameter sets. not once. [grin]
the code in your 2nd link mentions it # 106 = __AllParameterSets.
that it IS NOT a parameter set attribute, but is some "other thing". it looks like a call to something in python.
there is no other mention anywhere in your linked code of that __AllParameterSets thing.
so, the fix is to remove it OR to rename it something that does not use a powershell keyword. [grin]

Groups Not Being Given

Introduction
I've been tasked with creating a user management PowerShell script to be used for one of our customers so that we can easily manage users and automate a lot of our user creation processes.
The Issue
Our customer is insisting on using login scripts over GPO for mapping drives for users. I have added a login script builder to the script, however I cannot for the life of me figure out how to specify which drives actually need adding to the login script.
How Drive Mappings Are Managed
The way drive mappings are managed at our customer's network, is based on job role + Active Directory groups. They request on an E-Form which drives need to be mapped, and we then look through the Active Directory to see which group has permissions to access the requested drives. We then add these groups.
What I Need Help With
I've managed to figure out what code I need to use, however groups aren't being added to the user at all. I can't get it working.
Current Code
Note: This may not all be in order, there may be code in-between on the actual script. This is just relevant code.
Group Assignment
$GroupAssignment = $zzeveryone,$safebootdu,$infosecdrive,$mgmtboarddrive,$anaestheticsdrive,
$adverseirdrive,$breastcancersecsdrive,$bookwisedrive,$patientassessmentdrive,
$clinicaleducationdrive,$clinicaldevdrive,$clinicalauddrive,$CDUdrive,
$CBLettersdrive,$commsdrive,$colorectalscdrive,$colorectaldrive,
$codingdrive,$clinicalsupportdrive,$clinicalstddrive,$dietitiansdrive,
$dermatologydrive,$csudrive,$complaintsdrive,$entdrive,$emudrive,
$ElderlyCaredrive,$dischargedrive,$financedrive,$familyplanningdrive,
$GeneralSurgdrive,$gastrodrive,$infectiondrive,$infoptdrive,
$InfoMangtdrive,$MedStaffingdrive,$MedPhotodrive,$legaldrive,
$MedicalEquipdrive,$orthopticsdrive,$Orthopaedicsdrive,$OccHealthdrive,
$palsdrive,$Pharmacydrive,$Pathologydrive,$PostGraddrive,
$Podiatrydrive,$Respiratorydrive
Add-ADPrincipalGroupMembership -Identity $SAMAccountName -MemberOf $GroupAssignment
Example Group Assignment
$wcservicesdrive = if ($User.'Drives (Seperate with a ;)' -Contains 'women and childrens servicesdomain w&c services') {
Write-Output "domain w&c services"
}
Else {
Write-Output ""
}
$GroupAssignment should cause this to output to the Add-ADPrincipalGroupMembership, however it doesn't.
Any ideas?

Running Get-WinEvent with hashfilter from directory - exception in some cases

When running
Get-WinEvent -FilterHashtable @{Path="U:\test\SavedSecurity.evtx";ID="4624";}
with no admin rights, everything works fine.
Even
Get-WinEvent -FilterHashtable @{Path="U:\test\SavedSecurity.evtx";}
with no filters works fine.
But running
Get-WinEvent -FilterHashtable @{Path="U:\test\SavedSecurity.evtx";ProviderName="Microsoft-Windows-Security-Auditing";ID="4624";}
fails with UnauthorizedAccessException?
I cannot filter via ProviderName without being admin, but can read all events as a big list?
What I'm trying to do is: filter all logon/logoff events from several event logs (in one folder), with information on whether the login was local or remote, and export them to a CSV. I cannot use Get-Event because it cannot handle events from custom paths somewhere on the disk. To get closer I split everything up to figure out what's wrong.
Your last example is wrong. Either search in a file given by path or search in data given by a provider.
You tried to access data in different ways with different access rights (Path vs. Provider). In one case you are searching in a file you own (exported log file). In this case you have sufficient rights. But you possibly have no right to search in data given by the provider Microsoft-Windows-Security-Auditing. You need admin rights to do the latter. There is no workaround.
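The path-only approach from the answer, applied to the asker's goal, as an added example that is not part of the original thread: it reads every saved .evtx file in a folder using only the Path and Id keys, pulls LogonType out of each event's XML, and exports a CSV. The folder and output paths are assumptions; event IDs 4624 (logon) and 4634 (logoff) and the logon type numbers are the standard Security log values.

```powershell
# Added example; paths are assumptions, adjust to your environment.
$LogFolder = 'U:\test'                       # folder holding exported .evtx files
$OutCsv    = 'U:\test\logon-logoff.csv'      # hypothetical output file

# Standard Security-log logon types; anything else is reported by number.
$LogonTypeName = @{
    2  = 'Interactive (local)'
    3  = 'Network (remote)'
    7  = 'Unlock'
    10 = 'RemoteInteractive (RDP)'
    11 = 'CachedInteractive'
}

$files = Get-ChildItem -Path $LogFolder -Filter *.evtx | Select-Object -ExpandProperty FullName

$rows = foreach ($file in $files) {
    try {
        # Path + Id only, as the answer advises; ProviderName is left out.
        $events = Get-WinEvent -FilterHashtable @{ Path = $file; Id = 4624, 4634 } -ErrorAction Stop
    }
    catch {
        # Get-WinEvent errors when a file has no matching events; skip that file.
        Write-Warning "$file : $($_.Exception.Message)"
        continue
    }

    foreach ($e in $events) {
        # Index the named <Data> fields of the event's EventData section.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $type = [int]$data['LogonType']
        [pscustomobject]@{
            SourceFile  = Split-Path $file -Leaf
            TimeCreated = $e.TimeCreated
            EventId     = $e.Id
            Action      = if ($e.Id -eq 4624) { 'Logon' } else { 'Logoff' }
            User        = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            LogonType   = $type
            LogonKind   = if ($LogonTypeName.ContainsKey($type)) { $LogonTypeName[$type] } else { "Type $type" }
            SourceIp    = $data['IpAddress']      # present on 4624 only
        }
    }
}

$rows | Sort-Object TimeCreated | Export-Csv -Path $OutCsv -NoTypeInformation
```

Pairing a logon with its logoff is done on the TargetLogonId field, which both events carry; add it to the output object if session durations are needed.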

AddAccessRule: "Some or all identity references could not be translated." How can I check a specific server?

With most ActiveDirectory commands, you can add a parameter: -server. This parameter has proven to be extremely useful to me, since where I am working seems to have some kind of slow updating system, and when I don't only use one of the servers, my programs can lag and completely bug.
I'm also trying to modify the ACL of a folder. To do this, I have a function that takes the -PassThru of a New-ADGroup command, and then pipes this into a custom function.
The custom function creates and returns new AccessRules (which are added to array $AccessRules), which are then added to an $acl variable:
$AccessRules |
%{$acl.AddAccessRule($_)}
This inconsistently returns errors: Sometimes, it runs smoothly, but other times, it returns the classic "Some or all identity references could not be translated". I am 90% sure this comes from the fact that it is not checking the right server, because even between
Get-ADGroup -filter {name -eq "[group name]"}
and
Get-ADGroup -filter {name -eq "[group name]"} -Server [server name/address]
I only get results for the second.
Is there a way I could add a similar -Server Parameter to something like .AddAccessRule()? Perhaps a slightly different method?
You can use a neat trick specified in this answer. You create a New-PSDrive to your AD using a certain server, then you call cd or set-location to that drive, voila, any .NET functions called (and any cmdlets that are not otherwise redirected to a different server) will use that server to process the requests, resolve AD entities into SIDs, etc, without you waiting for AD replication.
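A different way to sidestep the replication delay, as an added example that is not from the original thread and is not the PSDrive approach described in the answer: build the access rule from the SID of the object that New-ADGroup -PassThru returns, so AddAccessRule has no name to translate. The server name, group name, OU path and folder path below are placeholders.

```powershell
# Added example; every name below is a placeholder for your environment.
Import-Module ActiveDirectory

$Server = 'dc01.example.com'                 # the DC all AD calls are pinned to
$Folder = '\\fileserver\share\Project'       # folder whose ACL is being changed

# Create the group on the pinned DC and keep the returned object.
$group = New-ADGroup -Name 'Project-RW' -GroupScope Global `
                     -Path 'OU=Groups,DC=example,DC=com' -Server $Server -PassThru

# If the returned object carries no SID, read it back from the same DC.
if (-not $group.SID) {
    $group = Get-ADGroup -Identity $group.ObjectGUID -Server $Server
}

# Build the rule from the SID (an IdentityReference), not from "DOMAIN\name".
# A SecurityIdentifier needs no name lookup when the rule is added.
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    $group.SID,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow
)

$acl = Get-Acl -Path $Folder
$acl.AddAccessRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# Verify by SID: request the explicit rules as SIDs so no name resolution is involved.
(Get-Acl -Path $Folder).GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference -eq $group.SID }
```

Until the new group replicates, tools that display the ACL may show the raw SID instead of the group name; the entry itself is already in effect.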

exchange powershell : get-user has no Description property?

When I run get-user|get-member in powershell with the exchange add-in I noticed there is no description property.
Does anyone know if it has been renamed to something else or another way of accessing it?
If you aren't looking to change the description this should work:
[PS] C:\>$ANR = "testuser@example.com"
[PS] C:\>$foo = [adsi]("LDAP://" + (get-user $ANR).DistinguishedName)
[PS] C:\>$foo.description
My Description
If you are wanting to edit, you will need to get further into System.DirectoryServices & look at how to write objects back to AD. It would likely be simpler to use Quest or another package that does some wrapping. If you want to roll your own there are gobs of blogs on AD programming in PowerShell.
Exchange itself provides minimal interaction with AD - essentially, it gives you some AD stuff because AD and Exchange are so connected, but it doesn't try to expose all of AD's functionality.
Check out quest.com/powershell; that is an add-in library (it's free), and it has a cmdlet called Get-QADUser which will get you what you need - somewhat more easily, and in a more PowerShell-ish fashion, than using ADSI (which is also completely legit for what you're after).
get-user? do you mean get-qaduser from the quest cmdlet suite?
if so, I believe not all properties are retrieved by default. There's an -Include parameter that lets you specify additional properties to retrieve from AD, IIRC.
It works on the console; however in the CSV file, it keeps appending
System.DirectoryServices.PropertyValueCollection
to the end of each line instead of the value
When I run it on the prompt by typing out the distinguishedName, the LDAP query works:
$tmp = [adsi]"LDAP://<distinguishedName>"
$tmp.description
bill
Any ideas?
Solved it: it's just $tmp.description.value