The objective is to get the group members and ignore the ForeignSecurityPrincipal account (no deletion, just ignore). this group 'zzapsdba_c' has ForeignSecurityPrincipal account which it caused get-adgroupmember to error out. Note: I would need a solution using Microsoft Powershell cmdlets. I already have alternative solution using get-qadgroupmember (Quest/dell powershell cmdlets) which I do not wish to use because it is not native.
I am using powershell, v4.0
here is my code that failed.
get-adgroupmember zzapsdba_c -server nw
here is the error:
get-adgroupmember : An unspecified error has occurred
At line:1 char:1
+ get-adgroupmember zzapsdba_c -server nw
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (zzapsdba_c:ADGroup) [Get-ADGroupMember], ADException
+ FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember
You should be able to get the members of the group by using getting the members attribute and looking up those distinguishednames. Like this:
Get-ADGroup -Identity zzapsdba_c -Properties Members -Server nw | Select-Object -ExpandProperty Members | Get-ADObject -Server nw
I tend to use this normally as Get-AdGroupMember can also have problems with groups containing more than 1000 members unless you change the default ADWS configuration on the Domain Controllers.
If you still wan't to ignore the ForeignSecurityPrincipal objects then this should work.
Get-ADGroup -Identity zzapsdba_c -Properties Members -Server nw | Select-Object -ExpandProperty Members | Get-ADObject -Server nw | Where-Object { $_.ObjectClass -ne "ForeignSecurityPrincipal" }
Related
I'm trying to get an AD Security Group down to a manageable size, but due to display limits in Powershell, this is proving difficult for me. The group is down to 47,720 now after removing all disabled AD accounts. Now I'm trying to filter it down to Enabled users that live in this particular OU. Below is what I've used with success in the console.
Get-ADGroup "very_large_secgroup" -properties Member | Select-Object -expandproperty member | get-aduser -Filter * -SearchBase "OU=PurgeStudents,OU=DisabledAccounts,DC=contoso,DC=com" | Select-Object SamAccountName,DistinguishedName
When I try to count this, or pipe it via Out-File though, I get:
get-aduser : The input object cannot be bound to any parameters for the command either because the command does not take pipeline input or the input and its properties do not match any of the parameters that
take pipeline input.
At line:1 char:92
+ ... ty member | get-aduser -Filter * -SearchBase "OU=PurgeStudents,OU=Dis ...
Any assistance would be greatly appreciated, as I am a novice in Powershell magic.
Instead of using -Filter *, you could filter for all previous retrieved users. And there is a cmdlet to get the members of a group:
Get-ADGroupMember -Identity "very_large_secgroup" -Recursive | Foreach-Object {Get-ADUser -Filter "Name -like $_.Name" -SearchBase "OU=PurgeStudents,OU=DisabledAccounts,DC=contoso,DC=com" | Select-Object -Properties SamAccountName, DistinguishedName}
Closed. This question needs debugging details. It is not currently accepting answers.
Edit the question to include desired behavior, a specific problem or error, and the shortest code necessary to reproduce the problem. This will help others answer the question.
Closed 3 years ago.
Improve this question
I'm trying to build a script identifying all members and nested members of the Administrators group. My company currently has 20+ domains, majority of which are not integrated. Instead, we simply build a trust between domains following acquisition. The problem is the Administrators group for these domains often has members from one of the external but trusted domains. If i run Get-ADGroupMember I have no problem, but if I run Get-ADGroupMember -Recursive it errors our. I'm assuming the issue is PS trying looking for the nested membeship of a group located on one of our trusted domains but looking only on the current domain of the Administrators group.
PowerShell Script (replaced server with example domain):
$ADGroup = Get-ADGroup -identity "administrators" -Server example.domain.com
Get-ADGroupMember -Identity $ADGroup -Server example.domain.com -Recursive | Out-GridView
Resulting Error Message (replaced server with example domain):
PS H:\> $ADGroup = Get-ADGroup -identity "administrators" -Server example.domain.com
Get-ADGroupMember -Identity $ADGroup -Server example.domain.com -Recursive | Out-GridView
Get-ADGroupMember : There is no such object on the server
At line:2 char:1
+ Get-ADGroupMember -Identity $ADGroup -Server example.domain.com -Recursive | Out- ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (CN=Administrato...e,DC=domain,DC=com:ADGroup) [Get-ADGroupMember], ADIdentityNotFoundExc
eption
+ FullyQualifiedErrorId : There is no such object on the server,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember
From the docs for Get-ADGroupMember:
Notes
This cmdlet does not work when a group has members located in a
different forest, and the forest does not have Active Directory Web
Service running.
Yes your assumption is correct. (Without an exact error message) You can only enumerate membership from one domain at a time. i.e.
Get-ADGroup MyGroup -Server ContosoDC01 | Get-ADGroupMember -Recursive -Server ContosoDC01
Adding -Server highlights that you can only specify one domain that you can enumerate from at a time. Indeed, a straight up Get-ADGroupMember will list the distinguished names and SID's for the users/groups, including the SID's for the users/groups from the other domains. But that is all that AD stores, the SID of the user/group. It does not store the membership.
To get the membership requires another, separate, call to the other domain to enumerate; and most of the time, cross domain permissions are not set up to allow your current account access to the other domain, and you get:
Get-ADGroupMember : The operation being requested was not performed because the user has not been authenticated
Unable to pass a variable to the Identity parameter in Powershell.
$username = "John.Doe"
Get-ADUser -Identity "$username"
Get-ADUser : Cannot find an object with identity: 'John.Doe' under: 'DC=contoso,DC=com'.
At line:1 char:1
+ Get-ADUser -Identity "$username"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (John.Doe:ADUser) [Get-ADUser], ADIdentityNotFoundException
+ FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException,M
icrosoft.ActiveDirectory.Management.Commands.GetADUser
If I just put Get-ADUser -Identity "John.Doe" the results come back just fine.
The -Identity parameter accepts the following:
A distinguished name
A GUID (objectGUID)
A security identifier (objectSid)
A SAM account name (sAMAccountName)
If you want to search based on another attribute, then you need to use the -Filter switch. For example, to find user based on UserPrincipalName, you can do the following:
Get-ADUser -Filter "UserPrincipalName -eq 'John.Doe#contoso.com'"
See Get-ADUser for more details.
I know it is old question but It might be the answer. It might help some one down the line.
I came across the same issue and it stumped me 1 hour. Finally I used $username = $username.trim() . So obviously the variable has space which need to be trimmed.
I've built a script that is supposed to query for users across the forest and do a few things:
Set ExtensionAttribute2
Add the user to a domain-specific group in their own domain
Add the user to a group in the root domain
When I run this against a GC in the root domain of the forest, users in the root domain are processed just fine. Users in child domains process step #3 just file, but steps #1 and #2 cause errors.
Edit for clarification: These commands are being run against a 2012 domain controller in the root forest that is also a global catalog server. I'm running these commands as an Enterprise Admin with access to all child domains. Using these same credentials and the same server I can make all of these edits manually using Active Directory Users and Computers.
Here is the script that I've created:
$csvpath = ".\users.csv"
$groupcbr = Get-ADGroup "CN=test group,OU=Test OU,DC=contoso,DC=com"
Import-CSV -Path $csvpath | Foreach-Object {
$userprincipalname = $_.userprincipalname
$activationkey = $_.activationkey
Get-ADUser -Filter {userprincipalname -like $userprincipalname} -SearchBase "DC=contoso,DC=com" -Server "ROOTGC.contoso.com:3268" | Foreach-Object {
$dn = $_.DistinguishedName
#Set default as root domain
$domain = "contoso"
$domainserver = "ROOTGC.contoso.com"
$groupscript = Get-ADGroup -Identity "$domain Test Group Users"
If ($dn -like "*DC=childdomain1*") {
$domain = "childdomain1"
$domainserver = "childgc1.childdomain1.contoso.com"
$groupscript = Get-ADGroup -Identity "$domain Test Group Users" -Server "ROOTGC.contoso.com:3268"
}
If ($dn -like "*DC=childdomain2*") {
$domain = "childdomain2"
$domainserver = "childgc2.childdomain2.contoso.com"
$groupscript = Get-ADGroup -Identity "$domain Office 365 Users" -Server "ROOTGC.contoso.com:3268"
}
Write-Host "$domain | $userprincipalname [$($_.SamAccountName)] will get $activationkey added, and put into groups: $groupscript | [$dn]"
#Set ExtensionAttribute2
SET-ADUSER -Identity $dn -replace #{ExtensionAttribute2="$activationkey"}
#Add the user to their own domain-based group
Add-ADGroupMember -Identity $groupscript -Members $_
#Add the user to the root domain's universal group
Add-ADGroupMember -Identity $groupcbr -Members $_
}
}
Again, the users in the root domain process just fine. The users in the child domains hit errors on #1 (set the extensionattribute2) and #2 (add the their local domain group).
Here are the errors:
Setting ExtensionAttribute2:
SET-ADUSER : A referral was returned from the server
At C:\***\Untitled1.ps1:52 char:3
+ SET-ADUSER -Identity $dn -replace #{ExtensionAttribute2="$activationkey"}
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (CN=User1...contoso,DC=com:ADUser) [Set-ADUser], ADReferralException
+ FullyQualifiedErrorId : ActiveDirectoryServer:8235,Microsoft.ActiveDirectory.Management.Commands.SetADUser
Adding to the local domain group:
Add-ADGroupMember : The server is unwilling to process the request
At C:\***\Untitled1.ps1:53 char:3
+ Add-ADGroupMember -Identity $groupscript -Members $_
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (CN=ChildDomain1 Tes...contoso,DC=com:ADGroup) [Add-ADGroupMember], ADInvalidOperationException
+ FullyQualifiedErrorId : ActiveDirectoryServer:8245,Microsoft.ActiveDirectory.Management.Commands.AddADGroupMember
I've searched all over the place but haven't found any way to figure this out yet. I've tried the following (and more):
Added -Server "ROOTGC.contoso.com:3268" to each command to see if that helped, but all it did was break those commands for everyone (including the root users who were working already).
Tried to add the individual domain servers for each domain to the end of the command (as per the variable that I populated: $domainserver), but all of the child domain DC's are Windows 2003; the servers don't accept the connection.
Moved pieces of code around to various places (making it less efficient, but what the heck - I'm trying anything).
What am I missing? Help me please!! I had to go through my CSV file manually and set what needed to be set because it had to get done tonight, but I'm going to be processing thousands of users in the next 2 weeks.
The server you run this against must have a copy of the global catalog, otherwise it won't be able to resolve the referrals. Or you must run the command against a DC of the target domain. Also, your user must have Enterprise Admin privileges in order to be able to create/modify/delete objects in other domains of the forest (or appropriate delegations must be made in the target domains).
Another problem is that the shiny AD cmdlets won't work without the Active Directory Web Service, which isn't available prior to Windows Server 2008 R2, running on all involved DCs. You can work around that by handling the foreign security principals and directory objects yourself, though:
$fsp = New-Object Security.Principal.NTAccount('DOM1', 'username')
$sid = $fsp.Translate([Security.Principal.SecurityIdentifier]).Value
$dn = Get-ADGroup -Identity 'groupname' | select -Expand distinguishedName
$group = New-Object DirectoryServices.DirectoryEntry("LDAP://$dn")
[void]$group.member.Add("<SID=$sid>")
$group.CommitChanges()
$group.Close()
With that said: you do realize that Windows Server 2003 will reach end-of-life the day after tomorrow, don't you? Why are your DCs still running that antique version?
I'm working on a simple script that should add a contact to a distribution group depending of the week of the year. My bug is that my script can add objectclass:User but when I try with a contact GUID the script give me that error:
Add-ADGroupMember : Cannot find an object with identity: '123dd2345-12f0-542b-c3e6-5774bac431aa' under: 'DC=MY,DC=DOMAIN'.
At line:1 char:25
+ get-adgroup $ADGroup | Add-ADGroupMember -members $zvar.ObjectGUID
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (123dd2345-12f0-542b-c3e6-5774bac431aa:ADPrincipal) [Add-ADGroupMember], ADIdentityNotFoundException
+ FullyQualifiedErrorId : SetADGroupMember.ValidateMembersParameter,Microsoft.ActiveDirectory.Management.Commands.AddADGroupMember
The part of the script that I use is looking like that:
$zvar = get-adobject -filter {displayname -eq "Valentine, John (CELL)" } #this is my contact displayname that is put in a variable with necessary properties
get-adgroup "Dist - Support group" | Add-ADGroupMember -members $zvar.ObjectGUID #this is my Distribution group, whatever the properties I put to my contact object I get the error message above i.e. $zvar.name, $zvar.distinguishedname, etc
If I replace the value "Valentine, John (CELL)" by the ObjectClass:user "Valentine,John" the command will succeed without error.
Am I using the command correctly ?
I could probably use the Quest-module but I'd like to avoid using a third party.
Thanks in advance
Came across this problem as well today: You cannot add an AD Object of class "objectClass=contact" to a group using the Add-ADGroupMember cmdlet.
However, the members of a an AD group are simply stored in the multivalued property "member", and every *-ADObject and related command supports the -Add, -Replace, -Clear and -Replace parameters.
Thus, this works to add a single user:
Set-ADGroup -Identity "GroupName" -Add #{'member'=$contact.DistinguishedName};
And this removes the user:
Set-ADGroup -Identity "GroupName" -Remove #{'member'=$contact.DistinguishedName};
As #mjolinor comment, the exchange cmdlet would be the solution, but I don't have what it need to use it. So I will use Quest-cmdlet. With that it's working.