Powershell new-aduser attribute was not in the acceptable range - powershell

I'm having an issue with the following Powershell script. It is
a value for the attribute was not in the acceptable range of values Line 1 char 59
Import-Csv .\tableofusers.csv | foreach-object {New-ADUser -Path "ou=ou,dc=dc" -SamAccountName $_.SamAccountName -Name $_.name -DisplayName $_.name -GivenName $_.gn -SurName $_.sn -StreetAddress $_.SA -city $_.city -state $_.state -PostalCode $_.PostalCode -Country $_.Country -officephone $_.officephone -emailaddress $_.emailaddress -AccountPassword (ConvertTo-SecureString "Password1" -AsPlainText -force) -enabled $true -PasswordNeverExpires $false -Passthru}
I have been over it many times I cannot see the issue in or arround on character 59
any help would be welcome

it was country that was the problem, it took a bit but I was able to comment out most of the block until I found that $_.Country did not work

Your piped variable token is wrong, it should be $_ rather than $ ie:
Import-Csv .\tableofusers.csv | foreach-object {New-ADUser -Path "ou=ou,dc=dc" -SamAccountName $_.SamAccountName -Name $_.name -DisplayName $_.name -GivenName $_.gn -SurName $_.sn -StreetAddress $_.SA -city $_.city -state $_.state -PostalCode $_.PostalCode -Country $_.Country -officephone $_.officephone -emailaddress $_.emailaddress -AccountPassword (ConvertTo-SecureString "Password1" -AsPlainText -force) -enabled $true -PasswordNeverExpires $false -Passthru}
This should do the trick.

At a guess the value given to -country in the CSV file was something like United Kingdom instead of the code for the country which is GB.
You can look up a country code by setting the country/region in AD on the address page using the drop down list. Then whilst you have Advanced Features turned on (View>Advanced Features) open the user and on the Attribute Editor tab look look for the value of attribute c to see the code for the country you've set. Put that country code into the CSV file and it should work.

In my case it was using initials with more than 6 characters. Using dots between the initials means that > 6 is already reached when the initials are "A.B.C."

Related

Powershell Instance Parameter

I am automating the creation of user accounts in our Windows AD. I am trying to copy the permissions from one account to another,(like you would if you right click and copied a user inside of the "Active Directory Users and Computers" application) but when using the cmdlet 'New AD-User' and passing in a variable to the 'instance' parameter, it does nothing different than if I do not pass the variable at all.
This is what I am using to obtain the $userInstance variable:
$userInstance = Get-ADUser -Identity $department User
This is the code I am using to create a new user:
New-ADUser `
-SamAccountName $userName `
-UserPrincipalName "$userName#123.COM" `
-Name "$firstName $lastName" `
-GivenName $firstName `
-Surname $lastName `
-Enabled $true `
-DisplayName "$firstName $lastName" `
-City $city `
-PostalCode $zip `
-Company $company `
-State $state `
-EmailAddress $email `
-Department $department `
-Instance $userInstance `
-AccountPassword (ConvertTo-SecureString "1234" -AsPlainText -Force)
When I run this command, it does the same exact thing as if I ran this command without the instance parameter.
New-ADUser `
-SamAccountName $userName `
-UserPrincipalName "$userName#123.COM" `
-Name "$firstName $lastName" `
-GivenName $firstName `
-Surname $lastName `
-Enabled $true `
-DisplayName "$firstName $lastName" `
-City $city `
-PostalCode $zip `
-Company $company `
-State $state `
-EmailAddress $email `
-Department $department `
-AccountPassword (ConvertTo-SecureString "1234" -AsPlainText -Force)
Am I missing something? I do not understand what the 'instance' parameter is supposed to be doing if it only copies certain attributes that are easily obtainable(state, company, city). Is there something out there that actually copies a template account or do I need to write a loop that goes through every single attribute, permission, and group in the template account that provides some sort of meaning to my organization and assign them manually?
What exactly do you mean by "permission"?
Permissions on resources are set based on the objectSid of a user. Since this is unique to every user you can never "copy" them (and related permissions) to a new user.
Group memberships are stored on groups not on users. The memberOf attribute is just a "backLink" so this won't be copied neither.
Group membership needs to be added in a separate step, e.g. by using
Add-ADGroupMember
cmdlet in PowerShell...
"Permissions" might not have been the word I was looking for necessarily. I wanted to create the user and assign them the same groups and directory location as a previous User. I was able to add group membership to my new users by using the method stated by #Oliver Hauck earlier
Add-ADGroupMember
This aided me in my findings, but what I desired was to not have to write long, repetitive switch code for each new employee type, along with their groups, we could onboard. In hopes that someone sees this and doesn't feel intrigued in writing super long, boring switch code, I wanted to share how I achieved this if it helps anyone else in the future. I still obtained the $userInstance variable in the same way, but adding the -Property parameter defined to MemberOf
$userInstance = Get-ADUser -Identity $department User -Properties MemberOf
I then used the $userInstance variable to obtain the properties I needed from it (Groups to copy, Directory Path)
//Obtains the Path from the copied User, without their common name (CN) attached
$path = $userInstance.DistinguishedName.split(",",2)[-1]
I still created the new user with the same command as above but added the -Path parameter to assign the directory path to the New-ADUser cmd
New-ADUser `
-SamAccountName $userName `
-UserPrincipalName "$userName#123.COM" `
-Name "$firstName $lastName" `
-GivenName $firstName `
-Surname $lastName `
-Enabled $true `
-DisplayName "$firstName $lastName" `
-City $city `
-PostalCode $zip `
-Company $company `
-State $state `
-Path $path `
-EmailAddress $email `
-Department $department `
-AccountPassword (ConvertTo-SecureString "1234" -AsPlainText -Force)
And here is how I obtained and assigned the Group Membership to the New User
//Obtains the groups to be copied from the existing User
$refGroups = $userInstance.MemberOf
//Adds AD Group Membership to User
$refGroups | Add-ADGroupMember -Members $userName

can't create userS via powershell

I can't import users in powershell with a script via an csv file, but If I print the parameters on the screen,it shows them as it should.
what I am doing wrong? in my life plenty with that mustache, but plis focus on the script.
is running windows server 2016 on the powershell ise, on virtualbox
The Script:
If(-Not(Get-ADOrganizationalUnit -Filter {Name -eq "991-5D"}))
{New-ADOrganizationalUnit "991-5D" -Path (Get-ADDomain).DistinguishedName}
If(-Not(Get-ADOrganizationalUnit -Filter {Name -eq "911-5V"}))
{New-ADOrganizationalUnit "911-5V" -Path (Get-ADDomain).DistinguishedName}
$domain=(Get-ADDomain).DNSRoot
Import-Csv -Path "C:\Alumnos.csv" | foreach-object {
[int]$number= $_.X
If($number -ge 10 -and $number -le 26)
{
$UO="991-5D"
}
//there are many others O.U.
$ou= "UO="+$UO+","+$domain
$UPN = $_.LETRA+$_.PATERNO+$_.X+"#"+ "$domain"
$CUENTA= $_.LETRA+$_.PATERNO+$_.X
New-ADUser -SamAccountName $CUENTA -UserPrincipalName $CUENTA -Name $_.NOMBRE
-SurName $_.PATERNO -GivenName $_.NOMBRE -EmailAddress $UPN -AccountPassword
(ConvertTo-SecureString "Leica666" -AsPlainText -force) -Path $ou
-Enabled $true -ChangePasswordAtLogon $true -Verbose}
the data:
X,PATERNO,MATERNO,NOMBRE,SEGUNDO,LETRA
10,ARÉVALO,CORNEJO,NICOLÁS,ALEJANDRO,N
11,BARRIOS,MONTERO,BENJAMÍN,IGNACIO,B
12,BUSTAMANTE,LOYOLA,IGNACIO,HERNANDO,I
13,BUSTOS,GARRIDO,ARTURO,IGNACIO,A
this are the results on each line:
+ New-ADUser -SamAccountName $CUENTA -UserPrincipalName $CUENTA -Name $ ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo:NotSpecified: (CN=IGNACIO,UO=9...da.com:String)
[New-ADUser], ADException
+ FullyQualifiedErrorId : ActiveDirectoryServer:8335,
Microsoft.ActiveDirectory.Management.Commands.NewADUser
the head:
X,PATERNO,MATERNO,NOMBRE,SEGUNDO,LETRA
echo:
#{X=42; PATERNO=PAYACÁN; MATERNO=ZAPATA; NOMBRE=NICOLÁS; SEGUNDO=N; LETRA=}.NOMBRE
I know that reads the file and instead of reading just the column reads all the line($_), and then prints whatever I wrote next to it(".name", ".section", etc).
I've made some variable and format changes to make this code more successful.
$domain=Get-ADDomain
Import-Csv -Path "C:\Alumnos.csv" |
Foreach-Object {
[int]$number= $_.X
If($number -ge 10 -and $number -le 26)
{
$UO="991-5D"
}
$ou = "OU={0},{1}" -f $UO,$domain.DistinguishedName
$UPN = "{0}{1}{2}#{3}" -f $_.LETRA,$_.PATERNO,$_.X,$domain.DNSRoot
$CUENTA= "{0}{1}{2}" -f $_.LETRA,$_.PATERNO,$_.X
New-ADUser -SamAccountName $CUENTA -UserPrincipalName $UPN -Name $_.NOMBRE `
-SurName $_.PATERNO -GivenName $_.NOMBRE -EmailAddress $UPN `
-AccountPassword (ConvertTo-SecureString "Leica666" -AsPlainText -force) -Path $ou `
-Enabled $true -ChangePasswordAtLogon $true -Verbose
}
Explanation:
$domain: I've made this an ADDomain object. This allows the DistinguishedName and DNSRoot properties to be accessed where appropriate.
-f operator: I used the format operator to make it easier to read the string concatenation attempts.
$ou: This is constructed using the DistinguishedName of the domain. This is the proper format for the OU path.
$UPN: This is constructed using the DNSRoot of the domain. It can obviously be different than your domain, but must be in an email address or FQDN format.
Additional Comments:
You are setting -Name to be $_.NOMBRE. This could be problematic because Name must be unique in each OU. Name is used to build the CN, which is where uniqueness is required. If you have NICOLAS in OU 991-5D, you are going to get an error if you try to create another NICOLAS in the same place. IMHO, I would do something different. You could also implement the use of splatting for building the properties of your New-ADUser command, but that is only for readability purposes. Below is an example of splatting:
$NewUserProperties = #{
SamAccountName = $CUENTA
UserPrincipalName = $UPN
Name = $_.NOMBRE
Surname = $_.PATERNO
GivenName = $_.NOMBRE
EmailAddress = $UPN
AccountPassword = (ConvertTo-SecureString "Leica666" -AsPlainText -force)
Path = $ou
Enabled = $true
ChangePasswordAtLogon = $true
}
New-ADUser #NewUserProperties -Verbose

Encoding limit exceeded

I have a pretty lengthy script that takes either user input or data from a .csv file to create AD accounts. Not all the time, but sometimes I receive the following error while running it:
New-ADUser : The server has returned the following error: encoding limit exceeded.
Is there a limit on the amount of variables I can use? Because I do have quite a few.. here's what the sample code looks like where it sometimes get stuck:
If($GuardAccount){
If($Clone){
If($Attribute6){
$newuser = New-ADUser -SamAccountName $Username -Enabled $true -Name $DisplayName -Path $Path -AccountPassword $Password `
-GivenName $FirstName -Surname $LastName -Initials $Initials -DisplayName $DisplayName -City $City `
-Company $Company -Department $Department -Country $Country -State $State `
-StreetAddress $Street -PostalCode $Postal -OfficePhone $Telephone -Fax $Fax -Description $Description `
-Title $Title -Office $Office -Instance $Cloneuser -UserPrincipalName "$Username#business.com" -PassThru `
-OtherAttributes #{
'extensionattribute6'=$Attribute6;
}
...
So what does encoding limit exceeded mean? Is there any way around it?
I've tried googling for answers but there doesn't seem to be much info on this error.

Feeding Variables in new-aduser -path option in powershell

Here is the Command I am trying to work with:
New-ADUser -name "$firstName $lastName" -SamAccountName "$firstName.$lastName" -GivenName "$firstName" -Surname "$lastName" -DisplayName "$firstName $lastName" -Path "OU=Employees,OU=$Dpart,DC=OPR,DC=Local" -Enabled $true -AccountPassword $PWD -ChangePasswordAtLogon $true -EmailAddress "$firstName.$lastName#opr.org"
The Error Message I get:
ObjectNotFound: (CN=FIRST LAST...DC=OPR,DC=Local:String)
Once I remove the $Dpart from the -Path the command fires off correctly, but does not place the person into the correct OU. The command is filtered before hand and matches the name inside AD of the sub OU.
How can I use a variable inside the path command? I know it's simple, but I am just starting off with powershell.
New-ADUser -name "$firstName $lastName" -SamAccountName "$firstName.$lastName" -GivenName "$firstName" -Surname "$lastName" -DisplayName "$firstName $lastName" -Path "OU=$Dpart,OU=Employees,DC=OPR,DC=Local" -Enabled $true -AccountPassword $PWD -ChangePasswordAtLogon $true -EmailAddress "$firstName.$lastName#opr.org"
It was so obvious that a snake would have bit me...
Lowest level OU first, then each level up after that. So, OU=$Dpart, OU=Employees

365 Powershell Load User Info

I'm new to Exchange 365 and Powershell. I have user information that I want to add and am trying to use the Powershell code below. However, it errors out on me. Thoughts?
Here is the code:
$input=Import-Csv D:\Users.csv
foreach($line in $input)
{
Set-MsolUser -UserPrincipalName $line.UserPrincipalName -Title $line.Title -City $line.City -Country $line.Country -Department $line.Department -Fax $line.Fax -MobilePhone $line.MobilePhone -Office $line.Office -PhoneNumber $line.PhoneNumber -PostalCode $line.PostalCode -State $line.State -StreetAddress $line.StreetAddress
}
The error I get is attached says: method invocation failed because system object doesn't contain a method Foreach.
Try pipelining the CSV directly like Matt's suggestion:
Import-Csv D:\Users.csv | ForEach-Object{Set-MsolUser -UserPrincipalName $_.UserPrincipalName -Title $_.Title -City $_.City -Country $_.Country -Department $_.Department -Fax $_.Fax -MobilePhone $_.MobilePhone -Office $_.Office -PhoneNumber $_.PhoneNumber -PostalCode $_.PostalCode -State $_.State -StreetAddress $_.StreetAddress}