Solved

foreach issue with Powershell Script, possibly needs a pause between each check.

Posted on 2013-01-07
18
1,046 Views
Last Modified: 2013-01-10
Hi Guys,

The below script has a problem with the Foreach section.
It works fine most of the time but about once a month it seems to use the wrong $statefile and informs me of a membership change.
It seems to use the statefile created for the Domain admins to compare against the other ones. Maybe I need to include a pause between each check to make sure Powershell has time to create a new statefile for each group check.


import-module activedirectory
$Email = "it@doesntmatter.com"
$SmtpServer = "server.doesntmatter.com"

foreach ($GroupName in "Domain Admins", "Administrators", "schema admins", "Enterprise Admins") {
  $StateFile = "C:\Docs\Group Check Files\Members - $GroupName.csv"
  $Members = Get-ADGroupMember $GroupName | Select-Object Name
  If (!(Test-Path $StateFile)) { $Members | Export-csv $StateFile -NoTypeInformation}

  $Changes = Compare-Object $Members $(Import-Csv $StateFile) -Property Name | Select-Object Name, @{n='State';e={ If ($_.SideIndicator -eq "=>") { "Removed" } Else { "Added" } }}

  If ($Changes) { Send-MailMessage -From $Email -To $Email -Subject "$GroupName membership change"  -BodyAsHtml -Body $($Changes | ConvertTo-Html | Out-String) -SmtpServer $SmtpServer }
0
Comment
Question by:thomasmulligan
  • 9
  • 8
18 Comments
 
LVL 17

Expert Comment

by:Kent Dyer
ID: 38750695
Right after:

foreach ($GroupName in "Domain Admins", "Administrators", "schema admins", "Enterprise Admins")
{

Open in new window


It does not appear there is a closing tag "}"

HTH,

Kent
0
 
LVL 40

Expert Comment

by:Subsun
ID: 38750813
I hope the closing Curly Brace went missing while doing the copy paste.. :-)

In your script try printing the variables $Members and $(Import-Csv $StateFile) to screen and see if there is any difference..
0
 

Author Comment

by:thomasmulligan
ID: 38750871
the curly bracket is there I just missed it when copying to here.....if only the solution could be that easy.
0
Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 

Author Comment

by:thomasmulligan
ID: 38750929
I have just tried to run the script manually and it throws up the following errors:

Get-ADGroupMember : A referral was returned from the server
At line:3 char:31
+   $Members = Get-ADGroupMember <<<<  $GroupName | Select-Object Name
    + CategoryInfo          : NotSpecified: (Administrators:ADGroup) [Get-ADGroupMember], ADException
    + FullyQualifiedErrorId : A referral was returned from the server,Microsoft.ActiveDirectory.Management.Commands.Ge
   tADGroupMember

Get-ADGroupMember : A referral was returned from the server
At line:3 char:31
+   $Members = Get-ADGroupMember <<<<  $GroupName | Select-Object Name
    + CategoryInfo          : NotSpecified: (Enterprise Admins:ADGroup) [Get-ADGroupMember], ADException
    + FullyQualifiedErrorId : A referral was returned from the server,Microsoft.ActiveDirectory.Management.Commands.Ge
   tADGroupMember
0
 
LVL 40

Expert Comment

by:Subsun
ID: 38751013
I am not seeing any issue with the script. If it's reporting some changes then it should be valid.. However if you feel there is a issue then, as I said you need to print the the variables on screen (or include them in mail) and check.. Try the following script which will print both variables on screen.

import-module activedirectory
$Email = "it@doesntmatter.com"
$SmtpServer = "server.doesntmatter.com"

foreach ($GroupName in "Domain Admins", "Administrators", "schema admins", "Enterprise Admins") {
  $StateFile = "C:\Docs\Group Check Files\Members - $GroupName.csv"
  $Members = Get-ADGroupMember $GroupName | Select-Object Name
  If (!(Test-Path $StateFile)) { $Members | Export-csv $StateFile -NoTypeInformation}

Write-Host "Value of Var StateFile"
$(Import-Csv $StateFile)
Write-Host "Value of Var Members"
$Members

	$Changes = Compare-Object $Members $(Import-Csv $StateFile) -Property Name | Select-Object Name, @{n='State';e={ If ($_.SideIndicator -eq "=>") { "Removed" } Else { "Added" } }}

  If ($Changes) { Send-MailMessage -From $Email -To $Email -Subject "$GroupName membership change"  -BodyAsHtml -Body $($Changes | ConvertTo-Html | Out-String) -SmtpServer $SmtpServer }
}

Open in new window



And regarding the error, what if you run the following two lines in powershell?
import-module activedirectory
Get-ADGroupMember "Enterprise Admins" | Select-Object Name

Open in new window

0
 

Author Comment

by:thomasmulligan
ID: 38751042
I tried running Get-ADGroupMember for each group individually.
Domain Admins and Schema Admins run no problem and return the output as expected.

Enterprise Admins and Administrators both throw up the error:

Get-ADGroupMember : A referral was returned from the server
At line:1 char:18
+ Get-ADGroupMember <<<<  'enterprise admins'
    + CategoryInfo          : NotSpecified: (enterprise admins:ADGroup) [Get-ADGroupMember], ADException
    + FullyQualifiedErrorId : A referral was returned from the server,Microsoft.ActiveDirectory.Management.Commands.Ge
   tADGroupMember
0
 
LVL 40

Expert Comment

by:Subsun
ID: 38751102
It seems Get-ADGroupMember not able to read group members. By default, any user authenticated to the domain can view any group members, perhaps someone has modified permissions on the group object. Can you check the enterprise admins and Administrators group and see if you have necessary permission to view the group member?

Also are you able to view group member using ADUC?
0
 

Author Comment

by:thomasmulligan
ID: 38751152
i have just checked this and I can confirm that Authenticated Users have Read permissions to all of the groups.
Im also logged on to a DC and using the ADUC I can view the members of these groups but when I run the get-adgroupmember (while still on the same session) it gives the error.

Thanks for your quick responses on this.
0
 
LVL 40

Expert Comment

by:Subsun
ID: 38751224
That's strange.. I cannot think of an issue which would create this error other than a permission issue or a name mismatch of the group. Both seems invalid here.. :-(

Is this the same groups which you get change alert mail notification?
0
 

Author Comment

by:thomasmulligan
ID: 38751328
Yes, I get an Alert for Enterprise admins and Administrators.
The only reason it gives the alert is because it cant get the members.
0
 
LVL 40

Expert Comment

by:Subsun
ID: 38751355
yes.. that's the reason..
Do you have Quest Active directory cmdlets installed on any computer in domain?
0
 

Author Comment

by:thomasmulligan
ID: 38754225
No, I dont have the Quest AD cmdlets installed. Should I try it with those?
0
 
LVL 40

Expert Comment

by:Subsun
ID: 38754391
Run following commands and see if you get any result
Get-ADGroup -Filter {Name -Like "enterprise Admins"}
Get-ADGroup -Filter {Name -Like "Administrators"}

You can also try with Quest AD cmdlets..
http://www.quest.com/powershell/activeroles-server.aspx
0
 

Author Comment

by:thomasmulligan
ID: 38762435
Yes, Get-ADGroup finds both of these groups.
I just tried running the script again and it runs no problem.

Does anyone have any idea why this just stops working and wont get the membership of these groups, then starts working again when I haven't changed anything?
0
 

Author Comment

by:thomasmulligan
ID: 38762564
Can anyone tell me how to add in a condition that if it fails to find the group membership it wont send the normal alert, it will do something else.
0
 
LVL 40

Expert Comment

by:Subsun
ID: 38762594
I cannot think of any reason for why it's not working...
Can anyone tell me how to add in a condition that if it fails to find the group membership it wont send the normal alert, it will do something else.
You can check the value of $Members before sending alert.. Try this..If $Members is null then script wont send any alert..
import-module activedirectory
$Email = "it@doesntmatter.com"
$SmtpServer = "server.doesntmatter.com"

foreach ($GroupName in "Domain Admins", "Administrators", "schema admins", "Enterprise Admins") {
  $StateFile = "C:\Docs\Group Check Files\Members - $GroupName.csv"
  $Members = Get-ADGroupMember $GroupName | Select-Object Name
If (!(Test-Path $StateFile)) { $Members | Export-csv $StateFile -NoTypeInformation}
If ($Members){
$Changes = Compare-Object $Members $(Import-Csv $StateFile) -Property Name | Select-Object Name, @{n='State';e={ If ($_.SideIndicator -eq "=>") { "Removed" } Else { "Added" } }}

 If ($Changes) { Send-MailMessage -From $Email -To $Email -Subject "$GroupName membership change"  -BodyAsHtml -Body $($Changes | ConvertTo-Html | Out-String) -SmtpServer $SmtpServer }
 }
}

Open in new window

0
 
LVL 40

Accepted Solution

by:
Subsun earned 500 total points
ID: 38762606
If you want alert if it fails to find the group membership, then try..

import-module activedirectory
$Email = "it@doesntmatter.com"
$SmtpServer = "server.doesntmatter.com"

foreach ($GroupName in "Domain Admins", "Administrators", "schema admins", "Enterprise Admins") {
  $StateFile = "C:\Docs\Group Check Files\Members - $GroupName.csv"
  $Members = Get-ADGroupMember $GroupName | Select-Object Name
  If (!(Test-Path $StateFile)) { $Members | Export-csv $StateFile -NoTypeInformation}
  If ($Members){
  $Changes = Compare-Object $Members $(Import-Csv $StateFile) -Property Name | Select-Object Name, @{n='State';e={ If ($_.SideIndicator -eq "=>") { "Removed" } Else { "Added" } }}

 If ($Changes) { Send-MailMessage -From $Email -To $Email -Subject "$GroupName membership change"  -BodyAsHtml -Body $($Changes | ConvertTo-Html | Out-String) -SmtpServer $SmtpServer }
 }
 Else {Send-MailMessage -From $Email -To $Email -Subject "$GroupName membership read failed"  -Body "$GroupName membership read failed" -SmtpServer $SmtpServer}
}

Open in new window

0
 

Author Closing Comment

by:thomasmulligan
ID: 38762717
Thanks very much for your help with this.
0

Featured Post

Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Are you one of those front-line IT Service Desk staff fielding calls, replying to emails, all-the-while working to resolve end-user technological nightmares? I am! That's why I have put together this brief overview of tools and techniques I use in o…
I thought I'd write this up for anyone who has a request to create an anonymous whistle-blower-type submission form created using SharePoint 2010 (this would probably work the same for 2013). It's not 100% fool-proof but it's as close as you can get…
This Micro Tutorial will give you a basic overview how to record your screen with Microsoft Expression Encoder. This program is still free and open for the public to download. This will be demonstrated using Microsoft Expression Encoder 4.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

803 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question