I am using get-adgroupmember command to fetch all the users in an AD group. -recursive is helping me fetch members from child groups if any in the parent group as well.
However, get-adgroupmember has an upper limit of 5000 entries only.
To tackle this, if I use:
Get-ADGroup -Identity "DEPT_120_SA" -server "A" -Properties * | select-object -expandproperty members |get-aduser
this doesn't work as my parent AD has child ADs and -recursive is not accepted by Get-ADGroup.
Error:
Get-ADGroup : A parameter cannot be found that matches parameter name
'recursive'. At line:2 char:79
+ Get-ADGroup -Identity "DEPT_120_SA" -server "mhf.mhc" -Properties * -recursive <<<< | select-object -expandproperty members
+ CategoryInfo : InvalidArgument: (:) [Get-ADGroup], ParameterBindingException
+ FullyQualifiedErrorId : NamedParameterNotFound,Microsoft.ActiveDirectory.Management.Commands.GetADGroup
My aim is to display username and their mail IDs, and this works for me:
Get-ADGroupMember -server $domain -identity $s -Recursive -ErrorAction Stop | Get-AdUser -Properties mail -ErrorAction Stop | select sAmAccountName, Mail
Any workaround ? (I am willing to write a recursive function to fetch large groups, but there must be a shorter and direct way)
The 5000 limit applies only to Get-ADGroupMember, not Get-ADUser, so we can use the LDAP_MATCHING_RULE_IN_CHAIN matching rule (OID 1.2.840.113556.1.4.1941).
For example:
Get-AdUser -LdapFilter "(memberOf:1.2.840.113556.1.4.1941:=cn=group,cn=users,DC=ad,DC=local)"
where cn=group,cn=users,DC=ad,DC=local is the distinguished name of the group you want members for.
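The approach above, worked into a reusable function that is an added example and not part of the answer: it resolves the group by name, escapes the distinguished name before embedding it in the LDAP filter (a DN containing parentheses, asterisks or escaped commas would otherwise break the search), and returns the same sAMAccountName/mail pairs the question asks for. The group name, server name and CSV path are assumptions.

```powershell
# Added example: list all direct and nested user members of a group without
# hitting the Get-ADGroupMember size limit, via LDAP_MATCHING_RULE_IN_CHAIN.
Import-Module ActiveDirectory

function Get-NestedGroupUser {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $GroupName,   # sAMAccountName of the group
        [Parameter(Mandatory)] [string] $Server       # domain controller / domain name
    )

    # Resolve the group's distinguishedName first; -Identity takes the group name.
    $group = Get-ADGroup -Identity $GroupName -Server $Server -ErrorAction Stop

    # RFC 4515: characters that are special inside an LDAP filter value must be
    # hex-escaped. The backslash is replaced first so that escapes already present
    # in the DN (for example "\," for a comma in the CN) are handled correctly.
    $escapedDn = $group.DistinguishedName
    foreach ($pair in @(@('\', '\5c'), @('*', '\2a'), @('(', '\28'), @(')', '\29'))) {
        $escapedDn = $escapedDn.Replace($pair[0], $pair[1])
    }

    # memberOf:<OID>:= walks the group nesting on the server side.
    $filter = "(memberOf:1.2.840.113556.1.4.1941:=$escapedDn)"

    # Get-ADUser is paged by the server, so groups larger than 5000 members are fine.
    Get-ADUser -LDAPFilter $filter -Server $Server -Properties mail |
        Select-Object SamAccountName, Mail, Enabled
}

# Placeholder group and server; Enabled is included so disabled accounts that
# still hold membership are visible in the report.
Get-NestedGroupUser -GroupName 'DEPT_120_SA' -Server 'dc01.example.local' |
    Export-Csv -Path '.\DEPT_120_SA_members.csv' -NoTypeInformation
```

The filter only sees the memberOf back-links maintained in the domain you query, so nested members that live in another domain of the forest are not returned by a single call; run it once per domain (or against a global catalog) when the group spans child domains.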
I am using ActiveDirectory and Powershell to get the description of computers in the AD Group
However, when I try to get batch output, I get InvalidArgument error in powershell
When I use a single line:
Get-AdComputer -Filter * -Identity COMPUTERNAME -Properties * | Select-Object name, description
I get the correct response:
Name Description
---- -----------
COMPUTERNAME Computer description
However, when I use this code to get a batch of results:
$UL = Get-ADGroupMember -identity "Groupname"| Select-Object name
Foreach ($i in $UL.Name)
{
$i.ToString()
Write-Host $i.GetType()
Get-AdComputer -Filter * -Identity "$i" -Properties * | Select-Object name, description
}
I keep getting this error:
Get-ADComputer : Parameter set cannot be resolved using the specified named parameters.
At C:\apps\ActiveDirectory_UserList.ps1:6 char:1
+ Get-AdComputer -Filter * -Identity "$i" -Properties * | Select-Object ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Get-ADComputer], ParameterBindingException
+ FullyQualifiedErrorId : AmbiguousParameterSet,Microsoft.ActiveDirectory.Management.Commands.GetADComputer
As commented by Abraham Zinala, you cannot use both -Filter and -Identity together, as these parameter sets rule each other out, giving you the error message
Parameter set cannot be resolved using the specified named parameters.
Next, Get-ADGroupMember will not just return computer objects,
but also users and other groups can be members of one particular group.
Therefore, if you want to get output for computer objects only, you will need to filter out the other object types.
Luckily, each group member has a property called objectClass. This is a string containing either 'user', 'computer' or 'group',
so it is really quite easy to check on that:
# get all members of the group, filter with a Where-Object clause to receive only computer objects
$members = Get-ADGroupMember -Identity "Groupname" | Where-Object {$_.objectClass -eq 'computer'}
foreach ($computer in $members) {
$computer | Get-ADComputer -Properties Description | Select-Object Name, Description
}
By default, Get-ADComputer returns objects with these properties:
DistinguishedName, DNSHostName, Enabled, Name, ObjectClass, ObjectGUID, SamAccountName, SID, UserPrincipalName, so in this case you only have to ask for the extra property Description
I'm trying to get this Powershell script to transfer group membership from one user to another in Active Directory. I am getting the error below stating it can't find the object with identity. This is odd because the user is in AD in the domain that I called upon and the first user that I am transferring the membership from is found without any issues. Any ideas?
Get-ADUser -server "ngcore01.test.hawaii.local" -Identity user11 -Properties memberof |
Select-Object -ExpandProperty memberof
Add-ADGroupMember -Member user22
This is the error:
Add-ADGroupMember : Cannot find an object with identity: 'user22' under: 'DC=test,DC=hawaii,DC=local'.
At line:3 char:1
+ Add-ADGroupMember -Members user22
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (user22:ADGroup) [Add-ADGroupMember], ADIdentityNotFoundException
+ FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException,Microsoft.ActiveDirectory.
Management.Commands.AddADGroupMember
The error message shows that the Add-ADGroupMember cmdlet has difficulties finding a group with Identity user22 and that is because you do not supply this Identity value. (See: Add-ADGroupMember)
The memberof property returned by Get-ADUser is a collection of DistinguishedNames of the user’s direct group membership and you need to loop over the returned values in this collection to use as -Identity parameter on the call to Add-ADGroupMember
Try
(Get-ADUser -Server "ngcore01.test.hawaii.local" -Identity user11 -Properties memberof).memberof | ForEach-Object {
Add-ADGroupMember -Identity $_ -Members user22
}
I got a problem with my PowerShell script. I need to get all users from a group, and I have the group ID which I can use to get the group. The problem I have is that my solution isn't working for all groups and I don't get what is wrong.
I have some group names:
eAM
eGR
eTE
eDF
eMP-arts
e-CV
The first 3 aren't working and the others are. Here is the script I use:
$like = "*" + $branch
foreach ($member in (Get-ADGroupMember (Get-ADGroup -filter {name -like $like}))){
# Do something
}
And the error I get for the ones that aren't working:
Get-ADGroupMember : can't convert «System.Object[]» in «Microsoft.ActiveDirectory.Management.ADGroup»,
required by «Identity» param. The specified method is not supported
+ Get-ADGroupMember (Get-ADGroup -filter {name -like "*AM"})
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument : (:) [Get-ADGroupMember], ParameterBindingException
+ FullyQualifiedErrorId : cannotConvertArgument,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember
Thanks in advance for your help,
MYT
The error tells you that Get-ADGroupMember does not accept an array of groups, but a single group. You'd also get errors if Get-ADGroup did not return any results. Instead, pipe the commands:
Get-ADGroup -Filter {name -like $like} | Get-ADGroupMember | Foreach-Object {
    # Do something with $_
}
Please note that accounts can belong to multiple groups so same member could be returned multiple times.
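One function that covers both points raised in the two answers above (filter group members by objectClass, and collect members from several groups without duplicates); it is an added example, not code from either answer. The wildcard pattern and the object class passed at the end are assumptions.

```powershell
# Added example: members of every group matching a name pattern, restricted to
# one object class and deduplicated, because an account that sits in several of
# the matching groups is otherwise returned once per group.
Import-Module ActiveDirectory

function Get-UniqueGroupMember {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $NameLike,      # e.g. 'e*' or 'eAM'
        [ValidateSet('user', 'computer', 'group')]
        [string] $ObjectClass = 'computer'
    )

    # Build the filter as a string; single quotes inside the pattern are doubled
    # so a caller-supplied value cannot break out of the quoted filter literal.
    $safe   = $NameLike -replace "'", "''"
    $groups = @(Get-ADGroup -Filter "name -like '$safe'")
    if ($groups.Count -eq 0) {
        Write-Warning "No group matched '$NameLike'"
        return
    }

    # Piping the groups one by one avoids the array-to-ADGroup binding error.
    # distinguishedName is unique per object and therefore a safe dedupe key;
    # Name alone is not, since objects in different OUs may share a name.
    $groups |
        Get-ADGroupMember |
        Where-Object { $_.objectClass -eq $ObjectClass } |
        Sort-Object -Property DistinguishedName -Unique
}

# Computers: Description is not a default property, so ask Get-ADComputer for it.
Get-UniqueGroupMember -NameLike 'e*' -ObjectClass computer |
    Get-ADComputer -Properties Description |
    Select-Object Name, DNSHostName, Description

# Users from the same groups, with their mail attribute.
Get-UniqueGroupMember -NameLike 'e*' -ObjectClass user |
    Get-ADUser -Properties mail |
    Select-Object SamAccountName, Mail
```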
I am trying to pull together a PS script to automatically add computers to a security group that are not part of another group.
In this case, add all computers to group_b that are not part of group_a.
This is what I tried..
#get list of computers from group_a
$tpmobjects = Get-ADGroupMember -Identity "group_a" | Select name
#add computers to group_b that are not in group_a
Get-ADComputer -Filter {SamAccountName -notlike $tpmobjects} | Foreach-Object { Add-ADPrincipalGroupMembership -Identity $_.SamAccountName -MemberOf "group_b" }
The error I get is...
Get-ADComputer : Type: 'System.Object[]' is not supported for extended attribute 'SamAccountName'.
At line:2 char:1
+ Get-ADComputer -Filter {SamAccountName -notlike $tpmobjects}...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Get-ADComputer], ArgumentException
+ FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.ArgumentException,Microsoft.ActiveDirectory.Management.Commands.GetADComputer
Anyone have a way to do this?
Thanks.
What happens is that Get-ADGroupMember returns multiple objects and the -Filter parameter doesn't support matching against multiple objects.
There are multiple ways around this, but the easiest is to simply filter the output from Get-ADGroupMember with Where-Object:
$Computers = Get-ADGroupMember group_a |Where-Object {$_.objectClass -eq 'computer'}
You also don't need to wrap Add-ADPrincipalGroupMembership in ForEach-Object, it accepts pipeline input, and an ADComputer object can be bound to the -Identity parameter directly without problems:
$Computers |Add-ADPrincipalGroupMembership -MemberOf group_a
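An added example, not from the answer, that implements the question's stated goal (every computer that is not in group_a is added to group_b) with a SID-based set comparison and -WhatIf support so the change can be previewed before it is applied. The OU used as search base is an assumption; group_a and group_b are the placeholders from the question.

```powershell
# Added example: add enabled computers that are not members of group_a to
# group_b. Membership is compared by SID, so renamed objects are still matched.
Import-Module ActiveDirectory

function Add-MissingComputerToGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string] $ExcludeGroup = 'group_a',
        [string] $TargetGroup  = 'group_b',
        [string] $SearchBase   = 'OU=Workstations,DC=example,DC=local'   # assumption
    )

    # SIDs of everything already in either group. A HashSet gives O(1) lookups,
    # which matters when the groups hold thousands of members. (Get-ADGroupMember
    # is still subject to the 5000-member limit discussed earlier on this page.)
    $known = [System.Collections.Generic.HashSet[string]]::new()
    foreach ($groupName in @($ExcludeGroup, $TargetGroup)) {
        Get-ADGroupMember -Identity $groupName -ErrorAction Stop |
            ForEach-Object { [void] $known.Add($_.SID.Value) }
    }

    # Candidate computers: enabled, under the search base, not in either group.
    $candidates = Get-ADComputer -Filter "Enabled -eq 'True'" -SearchBase $SearchBase |
        Where-Object { -not $known.Contains($_.SID.Value) }

    foreach ($computer in $candidates) {
        # ShouldProcess makes -WhatIf and -Confirm work for this function.
        if ($PSCmdlet.ShouldProcess($computer.Name, "Add to $TargetGroup")) {
            Add-ADPrincipalGroupMembership -Identity $computer -MemberOf $TargetGroup
        }
    }

    # Return what was (or, with -WhatIf, would be) added, for logging.
    $candidates | Select-Object Name, DNSHostName
}

# Preview the change first, then apply it.
Add-MissingComputerToGroup -WhatIf
Add-MissingComputerToGroup
```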
I have the following line of code, which is supposed to get all Active Directory groups beginning with the # symbol and then remove a user from those groups:
Get-ADGroup -Filter 'name -like "#*"' | Remove-ADGroup -identity [USERID]
Get-ADGroup works great, it successfully grabs all of the groups beginning with #, however I get the following error for each and every # group when piped through to Remove-ADGroup:
Remove-ADGroup : The input object cannot be bound to any parameters for the command either because the command does not take pipeline input or the input and its properties do not match any of the parameters that take pipeline input.
At line:1 char:41
+ Get-ADGroup -Filter 'name -like "#*"' | Remove-ADGroup -identity [USERID]
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: CN=#Workplace,O...ife,DC=co,DC=uk:PSObject) [Remove-ADGroup], ParameterBindingException
+ FullyQualifiedErrorId : InputObjectNotBound,Microsoft.ActiveDirectory.Management.Commands.RemoveADGroup
I can't figure out why the pipe won't work.
Remove-ADGroup will remove the group entirely - this is definitely not what you want.
Use Remove-ADGroupMember instead:
Get-ADGroup -Filter 'name -like "#*"' | Remove-ADGroupMember -Members [USERID]
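Two helpers, added here and not taken from either answer, that wrap the membership changes discussed in the last two questions (copying one user's direct groups to another, and removing a user from every group whose name matches a pattern) with -WhatIf support and a skip for groups the target already belongs to, so a re-run is harmless. The server, user names and pattern at the end are placeholders taken from the questions.

```powershell
# Added example: idempotent, previewable membership changes for a user.
Import-Module ActiveDirectory

# Copy the direct group memberships of SourceUser to TargetUser. memberOf holds
# group DNs, which Add-ADGroupMember accepts as -Identity.
function Copy-ADUserGroupMembership {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $SourceUser,
        [Parameter(Mandatory)] [string] $TargetUser,
        [string] $Server
    )
    $common = @{ ErrorAction = 'Stop' }
    if ($Server) { $common.Server = $Server }

    $sourceGroups = (Get-ADUser -Identity $SourceUser -Properties memberOf @common).memberOf
    $targetGroups = (Get-ADUser -Identity $TargetUser -Properties memberOf @common).memberOf

    foreach ($groupDn in $sourceGroups) {
        if ($targetGroups -contains $groupDn) { continue }   # already a member
        if ($PSCmdlet.ShouldProcess($groupDn, "Add $TargetUser")) {
            Add-ADGroupMember -Identity $groupDn -Members $TargetUser @common
        }
    }
}

# Remove User from every group whose name matches NameLike. This calls
# Remove-ADGroupMember, not Remove-ADGroup, so the groups themselves survive.
function Remove-ADUserFromGroupsLike {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $User,
        [Parameter(Mandatory)] [string] $NameLike    # e.g. '#*'
    )
    $safe = $NameLike -replace "'", "''"              # keep the filter literal intact
    foreach ($group in Get-ADGroup -Filter "name -like '$safe'") {
        if ($PSCmdlet.ShouldProcess($group.Name, "Remove $User")) {
            Remove-ADGroupMember -Identity $group -Members $User -Confirm:$false
        }
    }
}

# Preview both operations; drop -WhatIf to apply them.
Copy-ADUserGroupMembership -SourceUser user11 -TargetUser user22 -Server 'ngcore01.test.hawaii.local' -WhatIf
Remove-ADUserFromGroupsLike -User user22 -NameLike '#*' -WhatIf
```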