thomasmulligan
asked on
foreach issue with Powershell Script, possibly needs a pause between each check.
Hi Guys,
The below script has a problem with the Foreach section.
It works fine most of the time but about once a month it seems to use the wrong $statefile and informs me of a membership change.
It seems to use the statefile created for the Domain admins to compare against the other ones. Maybe I need to include a pause between each check to make sure Powershell has time to create a new statefile for each group check.
import-module activedirectory
$Email = "it@doesntmatter.com"
$SmtpServer = "server.doesntmatter.com"
foreach ($GroupName in "Domain Admins", "Administrators", "schema admins", "Enterprise Admins") {
$StateFile = "C:\Docs\Group Check Files\Members - $GroupName.csv"
$Members = Get-ADGroupMember $GroupName | Select-Object Name
If (!(Test-Path $StateFile)) { $Members | Export-csv $StateFile -NoTypeInformation}
$Changes = Compare-Object $Members $(Import-Csv $StateFile) -Property Name | Select-Object Name, @{n='State';e={ If ($_.SideIndicator -eq "=>") { "Removed" } Else { "Added" } }}
If ($Changes) { Send-MailMessage -From $Email -To $Email -Subject "$GroupName membership change" -BodyAsHtml -Body $($Changes | ConvertTo-Html | Out-String) -SmtpServer $SmtpServer }
The below script has a problem with the Foreach section.
It works fine most of the time but about once a month it seems to use the wrong $statefile and informs me of a membership change.
It seems to use the statefile created for the Domain admins to compare against the other ones. Maybe I need to include a pause between each check to make sure Powershell has time to create a new statefile for each group check.
import-module activedirectory
$Email = "it@doesntmatter.com"
$SmtpServer = "server.doesntmatter.com"
foreach ($GroupName in "Domain Admins", "Administrators", "schema admins", "Enterprise Admins") {
$StateFile = "C:\Docs\Group Check Files\Members - $GroupName.csv"
$Members = Get-ADGroupMember $GroupName | Select-Object Name
If (!(Test-Path $StateFile)) { $Members | Export-csv $StateFile -NoTypeInformation}
$Changes = Compare-Object $Members $(Import-Csv $StateFile) -Property Name | Select-Object Name, @{n='State';e={ If ($_.SideIndicator -eq "=>") { "Removed" } Else { "Added" } }}
If ($Changes) { Send-MailMessage -From $Email -To $Email -Subject "$GroupName membership change" -BodyAsHtml -Body $($Changes | ConvertTo-Html | Out-String) -SmtpServer $SmtpServer }
I hope the closing Curly Brace went missing while doing the copy paste.. :-)
In your script try printing the variables $Members and $(Import-Csv $StateFile) to screen and see if there is any difference..
In your script try printing the variables $Members and $(Import-Csv $StateFile) to screen and see if there is any difference..
ASKER
the curly bracket is there I just missed it when copying to here.....if only the solution could be that easy.
ASKER
I have just tried to run the script manually and it throws up the following errors:
Get-ADGroupMember : A referral was returned from the server
At line:3 char:31
+ $Members = Get-ADGroupMember <<<< $GroupName | Select-Object Name
+ CategoryInfo : NotSpecified: (Administrators:ADGroup) [Get-ADGroupMember], ADException
+ FullyQualifiedErrorId : A referral was returned from the server,Microsoft.ActiveDir
tADGroupMember
Get-ADGroupMember : A referral was returned from the server
At line:3 char:31
+ $Members = Get-ADGroupMember <<<< $GroupName | Select-Object Name
+ CategoryInfo : NotSpecified: (Enterprise Admins:ADGroup) [Get-ADGroupMember], ADException
+ FullyQualifiedErrorId : A referral was returned from the server,Microsoft.ActiveDir
tADGroupMember
Get-ADGroupMember : A referral was returned from the server
At line:3 char:31
+ $Members = Get-ADGroupMember <<<< $GroupName | Select-Object Name
+ CategoryInfo : NotSpecified: (Administrators:ADGroup) [Get-ADGroupMember], ADException
+ FullyQualifiedErrorId : A referral was returned from the server,Microsoft.ActiveDir
tADGroupMember
Get-ADGroupMember : A referral was returned from the server
At line:3 char:31
+ $Members = Get-ADGroupMember <<<< $GroupName | Select-Object Name
+ CategoryInfo : NotSpecified: (Enterprise Admins:ADGroup) [Get-ADGroupMember], ADException
+ FullyQualifiedErrorId : A referral was returned from the server,Microsoft.ActiveDir
tADGroupMember
I am not seeing any issue with the script. If it's reporting some changes then it should be valid.. However if you feel there is a issue then, as I said you need to print the the variables on screen (or include them in mail) and check.. Try the following script which will print both variables on screen.
And regarding the error, what if you run the following two lines in powershell?
import-module activedirectory
$Email = "it@doesntmatter.com"
$SmtpServer = "server.doesntmatter.com"
foreach ($GroupName in "Domain Admins", "Administrators", "schema admins", "Enterprise Admins") {
$StateFile = "C:\Docs\Group Check Files\Members - $GroupName.csv"
$Members = Get-ADGroupMember $GroupName | Select-Object Name
If (!(Test-Path $StateFile)) { $Members | Export-csv $StateFile -NoTypeInformation}
Write-Host "Value of Var StateFile"
$(Import-Csv $StateFile)
Write-Host "Value of Var Members"
$Members
$Changes = Compare-Object $Members $(Import-Csv $StateFile) -Property Name | Select-Object Name, @{n='State';e={ If ($_.SideIndicator -eq "=>") { "Removed" } Else { "Added" } }}
If ($Changes) { Send-MailMessage -From $Email -To $Email -Subject "$GroupName membership change" -BodyAsHtml -Body $($Changes | ConvertTo-Html | Out-String) -SmtpServer $SmtpServer }
}And regarding the error, what if you run the following two lines in powershell?
import-module activedirectory
Get-ADGroupMember "Enterprise Admins" | Select-Object NameASKER
I tried running Get-ADGroupMember for each group individually.
Domain Admins and Schema Admins run no problem and return the output as expected.
Enterprise Admins and Administrators both throw up the error:
Get-ADGroupMember : A referral was returned from the server
At line:1 char:18
+ Get-ADGroupMember <<<< 'enterprise admins'
+ CategoryInfo : NotSpecified: (enterprise admins:ADGroup) [Get-ADGroupMember], ADException
+ FullyQualifiedErrorId : A referral was returned from the server,Microsoft.ActiveDir
tADGroupMember
Domain Admins and Schema Admins run no problem and return the output as expected.
Enterprise Admins and Administrators both throw up the error:
Get-ADGroupMember : A referral was returned from the server
At line:1 char:18
+ Get-ADGroupMember <<<< 'enterprise admins'
+ CategoryInfo : NotSpecified: (enterprise admins:ADGroup) [Get-ADGroupMember], ADException
+ FullyQualifiedErrorId : A referral was returned from the server,Microsoft.ActiveDir
tADGroupMember
It seems Get-ADGroupMember not able to read group members. By default, any user authenticated to the domain can view any group members, perhaps someone has modified permissions on the group object. Can you check the enterprise admins and Administrators group and see if you have necessary permission to view the group member?
Also are you able to view group member using ADUC?
Also are you able to view group member using ADUC?
ASKER
i have just checked this and I can confirm that Authenticated Users have Read permissions to all of the groups.
Im also logged on to a DC and using the ADUC I can view the members of these groups but when I run the get-adgroupmember (while still on the same session) it gives the error.
Thanks for your quick responses on this.
Im also logged on to a DC and using the ADUC I can view the members of these groups but when I run the get-adgroupmember (while still on the same session) it gives the error.
Thanks for your quick responses on this.
That's strange.. I cannot think of an issue which would create this error other than a permission issue or a name mismatch of the group. Both seems invalid here.. :-(
Is this the same groups which you get change alert mail notification?
Is this the same groups which you get change alert mail notification?
ASKER
Yes, I get an Alert for Enterprise admins and Administrators.
The only reason it gives the alert is because it cant get the members.
The only reason it gives the alert is because it cant get the members.
yes.. that's the reason..
Do you have Quest Active directory cmdlets installed on any computer in domain?
Do you have Quest Active directory cmdlets installed on any computer in domain?
ASKER
No, I dont have the Quest AD cmdlets installed. Should I try it with those?
Run following commands and see if you get any result
Get-ADGroup -Filter {Name -Like "enterprise Admins"}
Get-ADGroup -Filter {Name -Like "Administrators"}
You can also try with Quest AD cmdlets..
http://www.quest.com/powershell/activeroles-server.aspx
Get-ADGroup -Filter {Name -Like "enterprise Admins"}
Get-ADGroup -Filter {Name -Like "Administrators"}
You can also try with Quest AD cmdlets..
http://www.quest.com/powershell/activeroles-server.aspx
ASKER
Yes, Get-ADGroup finds both of these groups.
I just tried running the script again and it runs no problem.
Does anyone have any idea why this just stops working and wont get the membership of these groups, then starts working again when I haven't changed anything?
I just tried running the script again and it runs no problem.
Does anyone have any idea why this just stops working and wont get the membership of these groups, then starts working again when I haven't changed anything?
ASKER
Can anyone tell me how to add in a condition that if it fails to find the group membership it wont send the normal alert, it will do something else.
I cannot think of any reason for why it's not working...
Can anyone tell me how to add in a condition that if it fails to find the group membership it wont send the normal alert, it will do something else.You can check the value of $Members before sending alert.. Try this..If $Members is null then script wont send any alert..
import-module activedirectory
$Email = "it@doesntmatter.com"
$SmtpServer = "server.doesntmatter.com"
foreach ($GroupName in "Domain Admins", "Administrators", "schema admins", "Enterprise Admins") {
$StateFile = "C:\Docs\Group Check Files\Members - $GroupName.csv"
$Members = Get-ADGroupMember $GroupName | Select-Object Name
If (!(Test-Path $StateFile)) { $Members | Export-csv $StateFile -NoTypeInformation}
If ($Members){
$Changes = Compare-Object $Members $(Import-Csv $StateFile) -Property Name | Select-Object Name, @{n='State';e={ If ($_.SideIndicator -eq "=>") { "Removed" } Else { "Added" } }}
If ($Changes) { Send-MailMessage -From $Email -To $Email -Subject "$GroupName membership change" -BodyAsHtml -Body $($Changes | ConvertTo-Html | Out-String) -SmtpServer $SmtpServer }
}
}ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks very much for your help with this.
Open in new window
It does not appear there is a closing tag "}"
HTH,
Kent