Solved

Set-ADGroup cannot find group created earlier in script (PowerShell)

Posted on 2012-03-28
6
1,663 Views
Last Modified: 2012-08-13
I'm working on a script to create Security and Distribution groups so that they will follow our naming standards. In the script I use New-DistributionGroup to create the group, Set-DistributionGroup to add some Custom attributes, and then want to use Set-ADGroup to add a Description. (aside: what a pain that New-DistributionGroup can't do these things!) Despite setting sleep times up to 30 seconds, Set-ADGroup always fails with:

Set-ADGroup : Cannot find an object with identity: 'AcctTesting1' under: [our domain].
Yet if I remove the line of code from Set-ADGroup, run the script, and then immediately run the Set-ADGroup code, it works perfectly.

Here is the relevant portion of the script: (our domain name removed)

    $GroupTypeName = "Assignment"
    $OU = $BaseOU + "AssignmentGroups"
    New-DistributionGroup -Name $SAMname -Alias $Alias -DisplayName $DisplayName -ManagedBy `
        "CN=Administrator,CN=Users,[our domain]" -OrganizationalUnit $OU `
        -SamAccountName $SAMname -Type Security
    Set-DistributionGroup -Identity $SAMname -CustomAttribute10 "ASSIGNMENT GROUP" `
        -CustomAttribute11 $PRMCode
    echo "Waiting for new group to replicate"
    Start-Sleep -s 20
    Set-ADGroup -Identity $SAMname -Description "$Alias AssignmentGroup"

Open in new window


I'm relatively new to PowerShell scripting, so if you have ideas on how to fix this, I'd appreciate a little detail!

Dann
0
Comment
Question by:danncox
  • 4
  • 2
6 Comments
 
LVL 27

Expert Comment

by:KenMcF
Comment Utility
How many Domain Controllers do you have?

You could try to use the -Server and -DomainController switches

The -server is used with the set-adgroup

-DomainController is used with the new-distrobution group cmdlet

Or another thing you could do is a loop using get-adgroup to verify the group exists before using set
0
 

Author Comment

by:danncox
Comment Utility
I did try specifying the DC (we have three in this, our main site) - forgot to mention that.

Can you show me how that loop might look?

Thanks!
0
 
LVL 27

Assisted Solution

by:KenMcF
KenMcF earned 150 total points
Comment Utility
without testing try something like this. You will probably get errors when running becuase it can not find the group at first. You could use try\catch to remove the errors. I can test later.

Do {
$r = Get-adgroup test123
}
Until(
($r | Measure-Object).count -ge 1
)
0
Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

 

Author Comment

by:danncox
Comment Utility
Thanks,

I'll have to give that a try tomorrow - time to go home, now!
0
 

Accepted Solution

by:
danncox earned 0 total points
Comment Utility
KenMcF,
Your solution, above, worked, but Get-ADGroup throws an error message which cannot be suppressed with ErrorAction or WarningAction SilentlyContinue.

Doing some more searching, I found information on StackOverflow (http://stackoverflow.com/questions/6307127/hiding-errors-when-using-get-adgroup), and used it to do this:
Write-Host -NoNewline "Waiting for replication"
Do
    {
	If($Idx -gt 0) {Start-sleep -s 5}
	$r = Get-ADGroup -Filter {SamAccountName -eq $SAMname}
	Write-Host -NoNewline "."
	$Idx = $Idx + 1
    }
Until($r)

Open in new window


This does the trick.  I've found, by playing with which DC handles the job, that the number of attempts can vary from one to fifteen.  However the DC that's fastest before lunch may be slowest after lunch...

Anyway, your idea got me on the right track, so thanks!
0
 

Author Closing Comment

by:danncox
Comment Utility
Solution posted by KenMcF worked, with some problems, but led me on the path to find my own solution.  I hope I've done this right, to award all the points to KenMcF.
0

Featured Post

Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

Join & Write a Comment

"Migrate" an SMTP relay receive connector to a new server using info from an old server.
In this article, we will see the basic design consideration while designing a Multi-tenant web application in a simple manner. Though, many frameworks are available in the market to develop a multi - tenant application, but do they provide data, cod…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now