I am able to do this cross domain within a forest, but between two forest it is failing.
So the question in the first place... is it possible to move user between forests using powershell>
When I tried this across forest, I get this error:
Move-ADObject -Identity "CN=test4,OU=temp,DC=IDENTITYIQ,DC=LAB" -TargetPath "OU=TestOU,DC=connectivity,DC=lab" -TargetServer ConnDC01W16.connectivity.lab -Verbose -AuthType Negotiate -Server IIQDC01W16.IDENTITYIQ.LAB
Move-ADObject : The naming context could not be found
At line:1 char:14
+ Move-ADObject <<<< -Identity "CN=test4,OU=temp,DC=IDENTITYIQ,DC=LAB" -TargetPath "OU=TestOU,DC=connectivity,DC=lab"
-TargetServer ConnDC01W16.connectivity.lab -Verbose -AuthType Negotiate -Server IIQDC01W16.IDENTITYIQ.LAB
+ CategoryInfo : NotSpecified: (CN=test4,OU=temp,DC=IDENTITYIQ,DC=LAB:ADObject) [Move-ADObject], ADException
+ FullyQualifiedErrorId : The naming context could not be found,Microsoft.ActiveDirectory.Management.Commands.MoveADObject
Yes it works but only if you have at least a one way forest trust to the target forest.
Related
Unable to pass a variable to the Identity parameter in Powershell.
$username = "John.Doe"
Get-ADUser -Identity "$username"
Get-ADUser : Cannot find an object with identity: 'John.Doe' under: 'DC=contoso,DC=com'.
At line:1 char:1
+ Get-ADUser -Identity "$username"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (John.Doe:ADUser) [Get-ADUser], ADIdentityNotFoundException
+ FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException,M
icrosoft.ActiveDirectory.Management.Commands.GetADUser
If I just put Get-ADUser -Identity "John.Doe" the results come back just fine.
The -Identity parameter accepts the following:
A distinguished name
A GUID (objectGUID)
A security identifier (objectSid)
A SAM account name (sAMAccountName)
If you want to search based on another attribute, then you need to use the -Filter switch. For example, to find user based on UserPrincipalName, you can do the following:
Get-ADUser -Filter "UserPrincipalName -eq 'John.Doe#contoso.com'"
See Get-ADUser for more details.
I know it is old question but It might be the answer. It might help some one down the line.
I came across the same issue and it stumped me 1 hour. Finally I used $username = $username.trim() . So obviously the variable has space which need to be trimmed.
The objective is to get the group members and ignore the ForeignSecurityPrincipal account (no deletion, just ignore). this group 'zzapsdba_c' has ForeignSecurityPrincipal account which it caused get-adgroupmember to error out. Note: I would need a solution using Microsoft Powershell cmdlets. I already have alternative solution using get-qadgroupmember (Quest/dell powershell cmdlets) which I do not wish to use because it is not native.
I am using powershell, v4.0
here is my code that failed.
get-adgroupmember zzapsdba_c -server nw
here is the error:
get-adgroupmember : An unspecified error has occurred
At line:1 char:1
+ get-adgroupmember zzapsdba_c -server nw
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (zzapsdba_c:ADGroup) [Get-ADGroupMember], ADException
+ FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember
You should be able to get the members of the group by using getting the members attribute and looking up those distinguishednames. Like this:
Get-ADGroup -Identity zzapsdba_c -Properties Members -Server nw | Select-Object -ExpandProperty Members | Get-ADObject -Server nw
I tend to use this normally as Get-AdGroupMember can also have problems with groups containing more than 1000 members unless you change the default ADWS configuration on the Domain Controllers.
If you still wan't to ignore the ForeignSecurityPrincipal objects then this should work.
Get-ADGroup -Identity zzapsdba_c -Properties Members -Server nw | Select-Object -ExpandProperty Members | Get-ADObject -Server nw | Where-Object { $_.ObjectClass -ne "ForeignSecurityPrincipal" }
I'm working on a simple script that should add a contact to a distribution group depending of the week of the year. My bug is that my script can add objectclass:User but when I try with a contact GUID the script give me that error:
Add-ADGroupMember : Cannot find an object with identity: '123dd2345-12f0-542b-c3e6-5774bac431aa' under: 'DC=MY,DC=DOMAIN'.
At line:1 char:25
+ get-adgroup $ADGroup | Add-ADGroupMember -members $zvar.ObjectGUID
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (123dd2345-12f0-542b-c3e6-5774bac431aa:ADPrincipal) [Add-ADGroupMember], ADIdentityNotFoundException
+ FullyQualifiedErrorId : SetADGroupMember.ValidateMembersParameter,Microsoft.ActiveDirectory.Management.Commands.AddADGroupMember
The part of the script that I use is looking like that:
$zvar = get-adobject -filter {displayname -eq "Valentine, John (CELL)" } #this is my contact displayname that is put in a variable with necessary properties
get-adgroup "Dist - Support group" | Add-ADGroupMember -members $zvar.ObjectGUID #this is my Distribution group, whatever the properties I put to my contact object I get the error message above i.e. $zvar.name, $zvar.distinguishedname, etc
If I replace the value "Valentine, John (CELL)" by the ObjectClass:user "Valentine,John" the command will succeed without error.
Am I using the command correctly ?
I could probably use the Quest-module but I'd like to avoid using a third party.
Thanks in advance
Came across this problem as well today: You cannot add an AD Object of class "objectClass=contact" to a group using the Add-ADGroupMember cmdlet.
However, the members of a an AD group are simply stored in the multivalued property "member", and every *-ADObject and related command supports the -Add, -Replace, -Clear and -Replace parameters.
Thus, this works to add a single user:
Set-ADGroup -Identity "GroupName" -Add #{'member'=$contact.DistinguishedName};
And this removes the user:
Set-ADGroup -Identity "GroupName" -Remove #{'member'=$contact.DistinguishedName};
As #mjolinor comment, the exchange cmdlet would be the solution, but I don't have what it need to use it. So I will use Quest-cmdlet. With that it's working.
This is the command I'm using currently:
$user = Get-QADUser -email user#domain.com -enabled ; $user.memberOf |
Get-QADGroup | findstr Green
"Green" is just an identifying marker on group names.
Sometimes this command works just fine. It displays to me, based on the email address input, all groups that match "Green" that the user belongs to.
Sometimes, however, it does not... and I get this:
Get-QADGroup : Cannot validate argument on parameter 'Identity'. The
argument is null or empty. Supply an argument that is not null or
empty and then try the command again. At line:1 char:97
+ $user = Get-QADUser -email user#domain.com -enabled ; $user.memberOf | Get-QADGroup <<<< | findstr Green
+ CategoryInfo : InvalidData: (:) [Get-QADGroup], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationError,Quest.ActiveRoles.ArsPowerShellSnapIn.Powershell.Cmdlet
s.GetGroupCmdlet
I've been googling and trying modifications of and variations on this for weeks on and off, and no luck. I'm hoping someone can explain the inconsistent behavior and provide a better or just more consistently working command.
Give this a try:
Get-QADMemberOf -Identity user#domain.com -Name Green
I am trying to writing a script to move a user to a new database and then export their mailbox to pst, but I need to verify if the user is in the correct database to begin with from a user input.
I am trying a command like:Get-Mailbox -Database "Archive Mailbox Database" -Identity Fbloggs
Then I would error trap if the user is not found. This line does not work however with error:
Parameter set cannot be resolved using the specified named parameters.
+ CategoryInfo : InvalidArgument: (:) [Get-Mailbox], ParameterBindingException
+ FullyQualifiedErrorId : AmbiguousParameterSet,Get-Mailbox
Many thanks for any help.
NA
Try with the Filter parameter (you can also use Name instead of Alias):
Get-Mailbox -Database "Archive Mailbox Database" -Filter {Alias -eq 'Fbloggs'}
Or the other way around:
(Get-Mailbox -Identity Fbloggs).Database.Name
Or
Get-Mailbox -Database "Archive Mailbox Database" | Where-Object {$_.Name -eq 'Fbloggs'}