Solved

Set-ADGroup cannot find group created earlier in script (PowerShell)

Posted on 2012-03-28
6
1,744 Views
Last Modified: 2012-08-13
I'm working on a script to create Security and Distribution groups so that they will follow our naming standards. In the script I use New-DistributionGroup to create the group, Set-DistributionGroup to add some Custom attributes, and then want to use Set-ADGroup to add a Description. (aside: what a pain that New-DistributionGroup can't do these things!) Despite setting sleep times up to 30 seconds, Set-ADGroup always fails with:

Set-ADGroup : Cannot find an object with identity: 'AcctTesting1' under: [our domain].
Yet if I remove the line of code from Set-ADGroup, run the script, and then immediately run the Set-ADGroup code, it works perfectly.

Here is the relevant portion of the script: (our domain name removed)

    $GroupTypeName = "Assignment"
    $OU = $BaseOU + "AssignmentGroups"
    New-DistributionGroup -Name $SAMname -Alias $Alias -DisplayName $DisplayName -ManagedBy `
        "CN=Administrator,CN=Users,[our domain]" -OrganizationalUnit $OU `
        -SamAccountName $SAMname -Type Security
    Set-DistributionGroup -Identity $SAMname -CustomAttribute10 "ASSIGNMENT GROUP" `
        -CustomAttribute11 $PRMCode
    echo "Waiting for new group to replicate"
    Start-Sleep -s 20
    Set-ADGroup -Identity $SAMname -Description "$Alias AssignmentGroup"

Open in new window


I'm relatively new to PowerShell scripting, so if you have ideas on how to fix this, I'd appreciate a little detail!

Dann
0
Comment
Question by:danncox
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
6 Comments
 
LVL 27

Expert Comment

by:KenMcF
ID: 37779801
How many Domain Controllers do you have?

You could try to use the -Server and -DomainController switches

The -server is used with the set-adgroup

-DomainController is used with the new-distrobution group cmdlet

Or another thing you could do is a loop using get-adgroup to verify the group exists before using set
0
 

Author Comment

by:danncox
ID: 37779808
I did try specifying the DC (we have three in this, our main site) - forgot to mention that.

Can you show me how that loop might look?

Thanks!
0
 
LVL 27

Assisted Solution

by:KenMcF
KenMcF earned 150 total points
ID: 37779838
without testing try something like this. You will probably get errors when running becuase it can not find the group at first. You could use try\catch to remove the errors. I can test later.

Do {
$r = Get-adgroup test123
}
Until(
($r | Measure-Object).count -ge 1
)
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:danncox
ID: 37779844
Thanks,

I'll have to give that a try tomorrow - time to go home, now!
0
 

Accepted Solution

by:
danncox earned 0 total points
ID: 37784414
KenMcF,
Your solution, above, worked, but Get-ADGroup throws an error message which cannot be suppressed with ErrorAction or WarningAction SilentlyContinue.

Doing some more searching, I found information on StackOverflow (http://stackoverflow.com/questions/6307127/hiding-errors-when-using-get-adgroup), and used it to do this:
Write-Host -NoNewline "Waiting for replication"
Do
    {
	If($Idx -gt 0) {Start-sleep -s 5}
	$r = Get-ADGroup -Filter {SamAccountName -eq $SAMname}
	Write-Host -NoNewline "."
	$Idx = $Idx + 1
    }
Until($r)

Open in new window


This does the trick.  I've found, by playing with which DC handles the job, that the number of attempts can vary from one to fifteen.  However the DC that's fastest before lunch may be slowest after lunch...

Anyway, your idea got me on the right track, so thanks!
0
 

Author Closing Comment

by:danncox
ID: 37800056
Solution posted by KenMcF worked, with some problems, but led me on the path to find my own solution.  I hope I've done this right, to award all the points to KenMcF.
0

Featured Post

Announcing the Most Valuable Experts of 2016

MVEs are more concerned with the satisfaction of those they help than with the considerable points they can earn. They are the types of people you feel privileged to call colleagues. Join us in honoring this amazing group of Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The following article is intended as a guide to using PowerShell as a more versatile and reliable form of application detection in SCCM.
The Nano Server Image Builder helps you create a custom Nano Server image and bootable USB media with the aid of a graphical interface. Based on the inputs you provide, it generates images for deployment and creates reusable PowerShell scripts that …
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question