foreach issue with Powershell Script, possibly needs a pause between each check.

Hi Guys,

The below script has a problem with the Foreach section.
It works fine most of the time but about once a month it seems to use the wrong $statefile and informs me of a membership change.
It seems to use the statefile created for the Domain admins to compare against the other ones. Maybe I need to include a pause between each check to make sure Powershell has time to create a new statefile for each group check.


import-module activedirectory
$Email = "it@doesntmatter.com"
$SmtpServer = "server.doesntmatter.com"

foreach ($GroupName in "Domain Admins", "Administrators", "schema admins", "Enterprise Admins") {
  $StateFile = "C:\Docs\Group Check Files\Members - $GroupName.csv"
  $Members = Get-ADGroupMember $GroupName | Select-Object Name
  If (!(Test-Path $StateFile)) { $Members | Export-csv $StateFile -NoTypeInformation}

  $Changes = Compare-Object $Members $(Import-Csv $StateFile) -Property Name | Select-Object Name, @{n='State';e={ If ($_.SideIndicator -eq "=>") { "Removed" } Else { "Added" } }}

  If ($Changes) { Send-MailMessage -From $Email -To $Email -Subject "$GroupName membership change"  -BodyAsHtml -Body $($Changes | ConvertTo-Html | Out-String) -SmtpServer $SmtpServer }
thomasmulliganAsked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
 
SubsunConnect With a Mentor Commented:
If you want alert if it fails to find the group membership, then try..

import-module activedirectory
$Email = "it@doesntmatter.com"
$SmtpServer = "server.doesntmatter.com"

foreach ($GroupName in "Domain Admins", "Administrators", "schema admins", "Enterprise Admins") {
  $StateFile = "C:\Docs\Group Check Files\Members - $GroupName.csv"
  $Members = Get-ADGroupMember $GroupName | Select-Object Name
  If (!(Test-Path $StateFile)) { $Members | Export-csv $StateFile -NoTypeInformation}
  If ($Members){
  $Changes = Compare-Object $Members $(Import-Csv $StateFile) -Property Name | Select-Object Name, @{n='State';e={ If ($_.SideIndicator -eq "=>") { "Removed" } Else { "Added" } }}

 If ($Changes) { Send-MailMessage -From $Email -To $Email -Subject "$GroupName membership change"  -BodyAsHtml -Body $($Changes | ConvertTo-Html | Out-String) -SmtpServer $SmtpServer }
 }
 Else {Send-MailMessage -From $Email -To $Email -Subject "$GroupName membership read failed"  -Body "$GroupName membership read failed" -SmtpServer $SmtpServer}
}

Open in new window

0
 
Kent DyerIT Security Analyst SeniorCommented:
Right after:

foreach ($GroupName in "Domain Admins", "Administrators", "schema admins", "Enterprise Admins")
{

Open in new window


It does not appear there is a closing tag "}"

HTH,

Kent
0
 
SubsunCommented:
I hope the closing Curly Brace went missing while doing the copy paste.. :-)

In your script try printing the variables $Members and $(Import-Csv $StateFile) to screen and see if there is any difference..
0
NEW Internet Security Report Now Available!

WatchGuard’s Threat Lab is a group of dedicated threat researchers committed to helping you stay ahead of the bad guys by providing in-depth analysis of the top security threats to your network.  Check out this quarters report on the threats that shook the industry in Q4 2017.

 
thomasmulliganAuthor Commented:
the curly bracket is there I just missed it when copying to here.....if only the solution could be that easy.
0
 
thomasmulliganAuthor Commented:
I have just tried to run the script manually and it throws up the following errors:

Get-ADGroupMember : A referral was returned from the server
At line:3 char:31
+   $Members = Get-ADGroupMember <<<<  $GroupName | Select-Object Name
    + CategoryInfo          : NotSpecified: (Administrators:ADGroup) [Get-ADGroupMember], ADException
    + FullyQualifiedErrorId : A referral was returned from the server,Microsoft.ActiveDirectory.Management.Commands.Ge
   tADGroupMember

Get-ADGroupMember : A referral was returned from the server
At line:3 char:31
+   $Members = Get-ADGroupMember <<<<  $GroupName | Select-Object Name
    + CategoryInfo          : NotSpecified: (Enterprise Admins:ADGroup) [Get-ADGroupMember], ADException
    + FullyQualifiedErrorId : A referral was returned from the server,Microsoft.ActiveDirectory.Management.Commands.Ge
   tADGroupMember
0
 
SubsunCommented:
I am not seeing any issue with the script. If it's reporting some changes then it should be valid.. However if you feel there is a issue then, as I said you need to print the the variables on screen (or include them in mail) and check.. Try the following script which will print both variables on screen.

import-module activedirectory
$Email = "it@doesntmatter.com"
$SmtpServer = "server.doesntmatter.com"

foreach ($GroupName in "Domain Admins", "Administrators", "schema admins", "Enterprise Admins") {
  $StateFile = "C:\Docs\Group Check Files\Members - $GroupName.csv"
  $Members = Get-ADGroupMember $GroupName | Select-Object Name
  If (!(Test-Path $StateFile)) { $Members | Export-csv $StateFile -NoTypeInformation}

Write-Host "Value of Var StateFile"
$(Import-Csv $StateFile)
Write-Host "Value of Var Members"
$Members

	$Changes = Compare-Object $Members $(Import-Csv $StateFile) -Property Name | Select-Object Name, @{n='State';e={ If ($_.SideIndicator -eq "=>") { "Removed" } Else { "Added" } }}

  If ($Changes) { Send-MailMessage -From $Email -To $Email -Subject "$GroupName membership change"  -BodyAsHtml -Body $($Changes | ConvertTo-Html | Out-String) -SmtpServer $SmtpServer }
}

Open in new window



And regarding the error, what if you run the following two lines in powershell?
import-module activedirectory
Get-ADGroupMember "Enterprise Admins" | Select-Object Name

Open in new window

0
 
thomasmulliganAuthor Commented:
I tried running Get-ADGroupMember for each group individually.
Domain Admins and Schema Admins run no problem and return the output as expected.

Enterprise Admins and Administrators both throw up the error:

Get-ADGroupMember : A referral was returned from the server
At line:1 char:18
+ Get-ADGroupMember <<<<  'enterprise admins'
    + CategoryInfo          : NotSpecified: (enterprise admins:ADGroup) [Get-ADGroupMember], ADException
    + FullyQualifiedErrorId : A referral was returned from the server,Microsoft.ActiveDirectory.Management.Commands.Ge
   tADGroupMember
0
 
SubsunCommented:
It seems Get-ADGroupMember not able to read group members. By default, any user authenticated to the domain can view any group members, perhaps someone has modified permissions on the group object. Can you check the enterprise admins and Administrators group and see if you have necessary permission to view the group member?

Also are you able to view group member using ADUC?
0
 
thomasmulliganAuthor Commented:
i have just checked this and I can confirm that Authenticated Users have Read permissions to all of the groups.
Im also logged on to a DC and using the ADUC I can view the members of these groups but when I run the get-adgroupmember (while still on the same session) it gives the error.

Thanks for your quick responses on this.
0
 
SubsunCommented:
That's strange.. I cannot think of an issue which would create this error other than a permission issue or a name mismatch of the group. Both seems invalid here.. :-(

Is this the same groups which you get change alert mail notification?
0
 
thomasmulliganAuthor Commented:
Yes, I get an Alert for Enterprise admins and Administrators.
The only reason it gives the alert is because it cant get the members.
0
 
SubsunCommented:
yes.. that's the reason..
Do you have Quest Active directory cmdlets installed on any computer in domain?
0
 
thomasmulliganAuthor Commented:
No, I dont have the Quest AD cmdlets installed. Should I try it with those?
0
 
SubsunCommented:
Run following commands and see if you get any result
Get-ADGroup -Filter {Name -Like "enterprise Admins"}
Get-ADGroup -Filter {Name -Like "Administrators"}

You can also try with Quest AD cmdlets..
http://www.quest.com/powershell/activeroles-server.aspx
0
 
thomasmulliganAuthor Commented:
Yes, Get-ADGroup finds both of these groups.
I just tried running the script again and it runs no problem.

Does anyone have any idea why this just stops working and wont get the membership of these groups, then starts working again when I haven't changed anything?
0
 
thomasmulliganAuthor Commented:
Can anyone tell me how to add in a condition that if it fails to find the group membership it wont send the normal alert, it will do something else.
0
 
SubsunCommented:
I cannot think of any reason for why it's not working...
Can anyone tell me how to add in a condition that if it fails to find the group membership it wont send the normal alert, it will do something else.
You can check the value of $Members before sending alert.. Try this..If $Members is null then script wont send any alert..
import-module activedirectory
$Email = "it@doesntmatter.com"
$SmtpServer = "server.doesntmatter.com"

foreach ($GroupName in "Domain Admins", "Administrators", "schema admins", "Enterprise Admins") {
  $StateFile = "C:\Docs\Group Check Files\Members - $GroupName.csv"
  $Members = Get-ADGroupMember $GroupName | Select-Object Name
If (!(Test-Path $StateFile)) { $Members | Export-csv $StateFile -NoTypeInformation}
If ($Members){
$Changes = Compare-Object $Members $(Import-Csv $StateFile) -Property Name | Select-Object Name, @{n='State';e={ If ($_.SideIndicator -eq "=>") { "Removed" } Else { "Added" } }}

 If ($Changes) { Send-MailMessage -From $Email -To $Email -Subject "$GroupName membership change"  -BodyAsHtml -Body $($Changes | ConvertTo-Html | Out-String) -SmtpServer $SmtpServer }
 }
}

Open in new window

0
 
thomasmulliganAuthor Commented:
Thanks very much for your help with this.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.