I'm building a script to automate AD deployments for customers. We have a prepared list of users and groups in CSV files. The groups are organized in a file with the following format. Keep in mind that I'm using the same CSV file to create the AD groups (which happens in a previous step).
Name,Description,Members
GroupName,GroupDescription,"user1,user2,user3"
The code I'm using to add the users to the groups is below:
$groups = Import-CSV -Path $groupCSVPath
$groups | % { Add-ADGroupMember -Identity $_.Name -Members $_.Members }
This results in an error: Get-ADUser : Cannot find an object with identity: 'user1,user2,user3'.
If I attempt the following, it works:
Add-ADGroupMember -Identity "GroupName" -Members user1,user2,user3
The error appears to reference the Get-ADUser command, which does not accept arrays as inputs. However, the Add-ADGroupMember command does. Why am I getting the Get-ADUser error when using the Add-ADGroupMember command and how can I get it to accept an array of values for the AD Username?
Tricky one. The problem turned out to be that the $_.members parameter is being passed to the Add-ADGroupMember cmdlet as a single string rather than an array of separate values, because of the way Import-CSV works. Get-Help Add-ADGroupMember shows that the members parameter expects an array, not a string.
This should work, I've tested it:
$groups | % { Add-ADGroupMember -Identity $_.Name -Members $_.members.split(',') }
Related
Following situation: You have ForeignSecurityPrincipals in your AD Groups. But Remove-ADGroupMember cannot remove them, since it does not support removing "ForeignSecurityPrincipal". Using the DOMAIN\SamAccountName Method is not available as well, since that old domain does not exist any more. On top you are not allowed to use external modules since that company does not want external modules.
I needed this functionality today for a mass-cleanup job, as written without needing extra modules, and without having the old AD available since it was already killed. Found nothing, so I developed this solution and share it.
You have to get the DOMAINSID first, which should be simple. My example uses -Server since the "adminforest" is not the same as the forest of the groups to be modified. It searches all groups from the given OU, selects all groups with members matching the DOMAINSID, and then removes each member matching the DOMAINSID from those groups.
Don't forget to set $WhatIf=$false, else it runs in "we test only" mode.
$Groups = Get-ADGroup -Server other.domain.local -Filter * -SearchBase "OU=Groups,OU=SubOU,OU=Subsidary,DC=OTHER,DC=DOMAIN,DC=LOCAL" -Properties *
$GroupsWithForeignMembers = #($Groups.Where({$_.member -like "*S-1-5-21-2631234548-991234592-3812345124*"}))
$WhatIf=$true
foreach ($Group in $GroupsWithForeignMembers) {
$MemberForeign= #((Get-ADGroup -Server bk.bwl.net -Identity $Group.SamAccountName -Properties member).member.Where({$_ -like "*S-1-5-21-2631234548-991234592-3812345124*"}))
foreach ($Member in $MemberForeign) {
"Removing $Member from $($Group.SamAccountName)" | Tee-Object -Append "GROUPS-cleanup.log"
Set-ADObject -Server other.domain.local -Identity $Group -Remove #{member=$Member} -Verbose -WhatIf:$WhatIf
}
}
I'm trying to use Add-ADGroupMember cmdlet in PowerShell, but I've realized PS doesn't recognize the object if I use the CN, and it only seems to recognize the pre-Windows 2000 logon name.
That attribute had a character limitation of 20 characters, so some of our accounts have different CNs and Pre-Windows 2000 logon names.
My whole process is:
Step 1: Get a list of my users (this gives me the legacy pre-Windows 2000 logon names):
Get-ADUser -Filter {department –notlike “Field”} –SearchBase “OU=Accounts,OU=HQ,OU=Production,DC=MYDC,DC=MYDC1,DC=MYDC2” -Properties department | select name | Out-file C:\Users\Public\Users.txt
Step 2: Add those users to my security group:
$UserList = Get-Content "C:\Users\Public\Users.txt"
$GroupName = "MY-SEC-Group"
$Members = Get-ADGroupMember -Identity $GroupName -Recursive | Select -ExpandProperty SAMAccountName
ForEach ($user in $UserList)
{
If ($Members -contains $user)
{
Write-Host "$user is member of $GroupName"
}
Else
{
Write-Host "$user is not a member. Attempting to add now, run script again for verification"
Add-ADGroupMember -Identity $GroupName -Members $User
}
}
For all accounts where the legacy logon name and the CN are the exact same, there are no issues. But in situations where they are different, I get the error "Object not found"
Is there a better/more up-to-date cmdlet to use? Maybe one that relies on the CN instead of the legacy logon name? Or do I need to add in CN to all my scripts now?
Get-ADGroupMember returns objects that point to the concrete user in ActiveDirectory and contain different fields including distinguishedName, SamAccountName , SID, Name and so on. In your code you create a txt file with Names (not SamAccountName) but use SamAccountName in Get-ADGroupMember. So, you just compare names with SamAccountName values (that's incorrect).
Just replace
select name | Out-file C:\Users\Public\Users.txt
with
select SamAccountName | Out-file C:\Users\Public\Users.txt
SamAccountName (just as SID) is the unique attribute in AD -
https://blogs.technet.microsoft.com/389thoughts/2017/02/03/uniqueness-requirements-for-attributes-and-objects-in-active-directory/ so, you should use it in your code.
I'm trying to remove all computers from the wk_test security group and then add all the computers in the default 'Computers' container in AD to the (now-empty) wk_test security group.
However, I don't want to export the computers to a list and then import them back into the security group.
I have the first part of the script working properly, and it removes the computers from the wk_test group with no errors. My issue is adding the computers to the wk_test group from the "computers" container.
Remove-ADGroupMember "wk_test" -Members (Get-ADGroupMember "wk_test") -Confirm:$false
Add-ADGroupMember -Identity "wk_test" -Members (Get-ADComputer -SearchBase "CN=computers,DC=ad,dc=org") -filter*
I think the main problem is that I am attempting to copy from the computers container. Most of the advice on the internet refers to copying from an OU and not a container.
The Add-ADGroupMember documentation says:
You cannot pass user, computer, or group objects through the pipeline to this cmdlet.
Which I think is what you are trying to do.
I've used this method before to add computers from an OU to a group:
Get-ADComputer -SearchBase "CN=computers,DC=ad,dc=org" -Filter * | foreach {Add-ADGroupMember "wk_test" -Members $_.DistinguishedName }
But I think you could also modify your code like this, but I've not tested this as I'm not on domain at the moment.
$Computers = Get-ADComputer -SearchBase "CN=computers,DC=ad,dc=org" -filter* | select -ExpandProperty DistinguishedName
Add-ADGroupMember -Identity "wk_test" -Members $Computers
If you are moving them, why not use Move-ADObject.
So it would be:
Get-ADGroupMember "wk_test" | Move-ADObject -TargetPath <ou path>
I can't seem to display groups of an active directory security group. I use the command
get-adgroupmember $group -server $serverName.
It doesn't return an error. It just returns empty results.
So i tried the command
get-adgroup $group -server $serverName -properties memberof
The memberof section is blank.
The one thing that stands out about this security group is that they were originally from another forest. We converted them over to the new forest with sidhistory in place.
The groups show up in "active directory for user and computers" gui. Any thoughts?
Group members added as external contacts , will always escape from get-adgroupmember .
Antidot is
get-adgroup "groupname" -properties member | select -expand member | get-adobject
you are missing the -Identity
get-adgroupmember -Identity $group -Server $serverName | Select SamAccountName
This may be the wrong approach, but I have used the last couple of days experimenting with the foreach in PowerShell (I use Ver. 5 of PowerShell).
What I am looking for is a way to add a list of computers that I already have into a list of AD groups that I already have. So I used Get-Content for importing the 2 .txt files, and I also learned that AD groups in PowerShell uses -Identity instead of name I don't know the reason for that decision. But nevertheless I came up with this:
$Apps = Get-Content C:\Scripts\Apps.txt
$Computers = Get-Content C:\Scripts\Computers.txt
foreach ($App in $Apps) {
Add-ADGroupMember $Apps -Identity $Computers
}
My problem is that it works of I only have 1 AD group in the Apps.txt file. If I add more groups PowerShell goes all red on me, and then my computer starts crying.
In Computers.txt I have listed the computer accounts with a $ at the end, and they are on seperate lines, like this:
PC1$
PC2$
In Apps.txt the AD groups are on seperated lines without any commas or semmicolons or anything.
Change $Apps to $App in the line Add-ADGroupMember $Apps -Identity $Computers
and also the -Identity parameter is the AD Group name. You also will need to use the -Members parameter for the users. E.g.
Add-ADGroupMember -Identity $App -Members $Computers