Need assistance with a Quest AD cmdlets script

Can someone provide a way to modify this script [provided by SubSun] that will allow us to add users from another forest [trust is in place] to the domain local group in the source domain?

Here is the script; it works perfectly within the same domain:
Import-CSV c:\temp\input.csv | %{
$usr=Get-QADUser $_."column A"      # look up the user by the value in column A (sAMAccountName)
$grp=Get-QADGroup $_."column B"     # look up the group by the value in column B
Add-QADGroupMember -Identity $grp -Member $usr
}


In our situation, we have domain local groups in a new forest and need to populate their membership with accounts from the other forest.

thx - S.
siber1 Asked:
Subsun Commented:
I just tested

Add-QADGroupMember GroupB -Member Userdomain\userName


and
$user = Get-QADUser Userdomain\userName -Service Userdomain.com
Add-QADGroupMember GroupB -Member $user



Working for me. I ran the commands from the domain the groups belong to.
0
 
Jamie McKillop (IT Manager) Commented:
Hello,

What is in "column A"? Samaccountname, display name, etc?

-JJ
0
 
siber1 (Author) Commented:
Hi JJ, column A is sAMAccountName. Thx
0
 
Jamie McKillop (IT Manager) Commented:
In that case, you do not need to look up the user (line 2). The value for Member can be in the form of domain\samaccountname. Replace line 2 with:

$usr = "domain\" + $_."column A"

"domain" should be the name of the domain in the other forest.

Your script should then work.

-JJ
0
 
siber1 (Author) Commented:
Hi JJ, when I try that, here is the error that I receive:

Add-QADGroupMember : Cannot validate argument on parameter 'Identity'. The argument is null or empty. Provide an
argument that is not null or empty, and then try the command again.
At C:\temp\add-to-groups.ps1:4 char:30
+ Add-QADGroupMember -Identity $grp -Member $usr
+                              ~~~~
    + CategoryInfo          : InvalidData: (:) [Add-QADGroupMember], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Quest.ActiveRoles.ArsPowerShellSnapIn.Commands.AddGroupMemberCmdlet2
0
 
Jamie McKillop (IT Manager) Commented:
After the line $usr = "domain\" + $_."column A" add the following line:

write-host $usr

That will output the value of the variable. Make sure it is correct.

-JJ
0
 
siber1 (Author) Commented:
JJ - the output looks correct: "domain"\sAMAccountName
0
 
Jamie McKillop (IT Manager) Commented:
Does the output include the quotes?

-JJ
0
 
siber1 (Author) Commented:
No, the output is domain\username. Thx
0
 
Jamie McKillop (IT Manager) Commented:
OK, in line 4, change $grp. to $grp.dn

-JJ
0
 
siber1 (Author) Commented:
That gives me the following error:

The property 'dn' cannot be found on this object. Verify that the property exists and can be set.
At C:\temp\add-to-groups.ps1:4 char:1
+ $grp.dn=Get-QADGroup $_."column B"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : PropertyNotFound

Add-QADGroupMember : Cannot validate argument on parameter 'Identity'. The argument is null or empty. Provide an
argument that is not null or empty, and then try the command again.
At C:\temp\add-to-groups.ps1:5 char:30
+ Add-QADGroupMember -Identity $grp -Member $usr
+                              ~~~~
    + CategoryInfo          : InvalidData: (:) [Add-QADGroupMember], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Quest.ActiveRoles.ArsPowerShellSnapIn.Commands.AddGroupMemberCmdlet2
0
 
Jamie McKillop (IT Manager) Commented:
OK, there is something wrong with the group lookup. What is the format of the group name in the CSV file?

-JJ
0
 
siber1 (Author) Commented:
The group name is just the sAMAccountName, for example: 360DEV [which is also the CN]
0
 
Jamie McKillop (IT Manager) Commented:
Are the groups located in the domain you are running the script in?

-JJ
0
 
siber1 (Author) Commented:
No JJ, that is the whole point of this question. The groups are in the other AD forest. There is a one-way trust set up, and we are trying to populate users from the other forest into groups in the new domain.
We can do this manually, but there are 1000 users we need to add to groups in the new domain.
0
 
Jamie McKillop (IT Manager) Commented:
OK, so you are running the script on a machine in forest "A" but you want to add users in forest "B" to groups in forest "B"?

-JJ
0
 
siber1 (Author) Commented:
No.

We are running the script in forest "B" and we want to add users in forest "A" to groups in forest "B".
0
 
Jamie McKillop (IT Manager) Commented:
OK, so the answer to my question "Are the groups located in the domain you are running the script in?" is actually Yes.

Add the line write-host $grp

That should display the group and verify it is looking it up correctly.

-JJ
0
 
siber1 (Author) Commented:
No... the answer is no.

JJ, sorry, I don't have time for this. Can someone else assist here?
0
 
Jamie McKillop (IT Manager) Commented:
You said above that you are running the script in forest "B" and the groups are in forest "B". I asked you if you are running the script in the same forest as the groups and you said no. Which is it? If you want to add users to a group in a different forest, you need to have PowerShell connect to AD in that forest.

Please clarify.

-JJ
0
 
siber1 (Author) Commented:
We are running the script in forest "B" and we want to add users in forest "A" to groups in forest "B".
0
 
Jamie McKillop (IT Manager) Commented:
Great. The value for Identity needs to be in the format of DN, SID, GUID, or Domain\Name. If your CSV file contains the name of the group, change line 3 to:

$grp="Domain\" + $_."column B"

-JJ
0
 
siber1 (Author) Commented:
We are running the script in forest "B" and we want to add users in forest "A" to groups in forest "B".

The groups are in forest B.
0
 
Jamie McKillop (IT Manager) Commented:
Right, so "Domain" in the line $grp="Domain\" + $_."column B" would be the domain in forest B.

"Domain" in the line $usr = "domain\" + $_."column A" would be the domain in forest A.

-JJ
0
 
siber1 (Author) Commented:
Here is the error when I run that:

Add-QADGroupMember : Cannot resolve directory object for the given identity: 'mydomain\vl_eng'.
At C:\temp\add-to-groups.ps1:4 char:1
+ Add-QADGroupMember -Identity $grp -Member $usr
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Add-QADGroupMember], ObjectNotFoundException
    + FullyQualifiedErrorId : Quest.ActiveRoles.ArsPowerShellSnapIn.DirectoryAccess.ObjectNotFoundException,Quest.ActiveRoles.ArsPowerShellSnapIn.Commands.AddGroupMemberCmdlet2
0
 
Jamie McKillop (IT Manager) Commented:
Do you get anything returned if you run Get-QADGroup -Identity vl_eng ?

For some reason, it is unable to find this group in your directory.

-JJ
0
 
Subsun Commented:
Can you try with the DN of the group? Try it for a single user and see what you get.

Add-QADGroupMember -Identity 'CN=groupA,OU=TestOU,DC=Domain,DC=Com' -Member 'DomainA\UserA'


0
 
siber1 (Author) Commented:
Hi Subsun,

Here is the error that I receive when running that:

Add-QADGroupMember : Cannot resolve directory object for the given identity: 'mydomain\jsmith'.
At line:1 char:1
+ Add-QADGroupMember -Identity 'CN=vl_eng,OU=Internal,OU=Groups,DC=mydomain,DC= ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Add-QADGroupMember], ObjectNotFoundException
    + FullyQualifiedErrorId : Quest.ActiveRoles.ArsPowerShellSnapIn.DirectoryAccess.ObjectNotFoundException,Quest.ActiveRoles.ArsPowerShellSnapIn.Commands.AddGroupMemberCmdlet2
0
 
Subsun Commented:
Try:
Add-QADGroupMember -Identity 'CN=groupA,OU=TestOU,DC=Domain,DC=Com' -Member 'DomainA\UserA' -Connection DomainA

If the above fails, try:
Add-QADGroupMember -Identity 'CN=groupA,OU=TestOU,DC=Domain,DC=Com' -Member 'DomainA\UserA' -Connection DomainA -UseGlobalCatalog

0
 
siber1 (Author) Commented:
Hi Subsun,

I tried both of those and receive this error:

Add-QADGroupMember : Cannot bind parameter 'Connection'. Cannot convert the "mydomain.com" value of type "System.String"
to type "Quest.ActiveRoles.ArsPowerShellSnapIn.Data.ArsConnection".
At line:1 char:139
+ ... w' -connection nuance.com -UseGlobalCatalog
+                    ~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [Add-QADGroupMember], ParameterBindingException
    + FullyQualifiedErrorId : CannotConvertArgumentNoMessage,Quest.ActiveRoles.ArsPowerShellSnapIn.Commands.AddGroupMemberCmdlet2
0
 
Subsun Commented:
Use the parameter -Service instead of -Connection.
0
 
siber1 (Author) Commented:
I think we're getting close; here is the error now:
Add-QADGroupMember : Logon failure: unknown user name or bad password.
At line:1 char:1

how can I feed in credentials?

thx
0
 
Subsun Commented:
Use the parameter -Credential (Get-Credential)

The other option is to try:
$user = Get-QADUser Userdomain\userName -Service Userdomain.com
Add-QADGroupMember Groupdomain\groupName -Member $user

0
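A complete bulk version of the approach in this answer, as an added example that is not code from the thread or from Subsun: it resolves each user over a credentialed connection to forest A, adds it to the group over a separate connection to forest B, and logs the outcome per row. It assumes forest B trusts forest A (the direction a forest B domain local group needs in order to hold forest A principals), that the CSV headers are "column A" and "column B" as in the question, and that the domain names, NetBIOS name and file paths are placeholders; the Connect-QADService, -Connection, -Credential and -SamAccountName parameters are those of the Quest ActiveRoles snap-in, so confirm them with Get-Help on your version before relying on them. Keeping the two connections separate is what avoids the 0000202B referral error reported later in the thread (the add being sent to a server that is not authoritative for the group), and the pre-checks refuse blank cells, ambiguous group names and non-domain-local groups before anything is written, because a wrong entry in a domain local group is a direct grant of access.

```powershell
# Added example (not code from the thread): bulk-add forest A users to forest B
# domain local groups with the Quest ActiveRoles snap-in, run from a forest B machine.
# Domain names, NetBIOS name, CSV path and column headers are assumptions for illustration.
Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction Stop

$csvPath     = 'C:\temp\input.csv'   # headers "column A" (user sAMAccountName), "column B" (group sAMAccountName)
$userDomain  = 'foresta.example'     # assumed DNS name of the forest A domain holding the users
$userNetbios = 'FORESTA'             # assumed NetBIOS name of that domain
$groupDomain = 'forestb.example'     # assumed DNS name of the forest B domain holding the groups
$logPath     = 'C:\temp\add-to-groups-result.csv'

# The trust is one-way (B trusts A), so a forest B logon cannot read forest A.
# Prompt for a forest A account once instead of embedding a password in the script.
$credA = Get-Credential -Message "Account in $userNetbios with read access to users"

# One explicit connection per forest. -Connection expects the ArsConnection object that
# Connect-QADService returns; passing a DNS name string is the "Cannot convert ... System.String"
# binding error from the thread. -Service is the parameter that takes a name.
$connA = Connect-QADService -Service $userDomain -Credential $credA
$connB = Connect-QADService -Service $groupDomain      # current logon, forest B

$results = foreach ($row in Import-Csv -Path $csvPath) {
    $status = 'OK'
    try {
        $sam   = ([string]$row.'column A').Trim()
        $grpNm = ([string]$row.'column B').Trim()
        if (-not $sam -or -not $grpNm) { throw 'blank user or group cell' }

        # Resolve the user against forest A only. The add must not go to this connection:
        # forest A is not authoritative for the group, which is what produces the referral error.
        $usr = Get-QADUser -Identity "$userNetbios\$sam" -Connection $connA -ErrorAction Stop
        if (-not $usr) { throw "user $userNetbios\$sam not found in $userDomain" }

        # Resolve the group against forest B by sAMAccountName and insist on exactly one hit,
        # so a duplicate name cannot silently grant the wrong group's access.
        $grp = @(Get-QADGroup -SamAccountName $grpNm -Connection $connB -ErrorAction Stop)
        if ($grp.Count -ne 1) { throw "group '$grpNm' matched $($grp.Count) objects in $groupDomain" }

        # Only domain local groups may hold principals from another forest; refuse anything else
        # here rather than let the DC reject it with a less specific error.
        if ("$($grp[0].GroupScope)" -notmatch 'Local') {
            throw "group '$grpNm' has scope $($grp[0].GroupScope); cross-forest members need a domain local group"
        }

        # Add on the forest B connection, using the group DN and the resolved user object.
        # Forest B creates a foreignSecurityPrincipal for the forest A SID on first use.
        Add-QADGroupMember -Identity $grp[0].DN -Member $usr -Connection $connB -ErrorAction Stop
    }
    catch {
        $status = "FAILED: $($_.Exception.Message)"
    }
    New-Object PSObject -Property @{
        User   = "$userNetbios\$($row.'column A')"
        Group  = $row.'column B'
        Status = $status
    }
}

# Keep a record of what was changed; anything other than OK needs a human look before a retry.
$results | Export-Csv -Path $logPath -NoTypeInformation
$results | Where-Object { $_.Status -ne 'OK' } | Format-Table User, Group, Status -AutoSize

Disconnect-QADService -Connection $connA
Disconnect-QADService -Connection $connB
```

Run it from a forest B machine as an account permitted to modify the target groups; the credential prompt is only for reading users in forest A. Review the result CSV and fix the failed rows before rerunning, rather than rerunning the whole file.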
 
siber1 (Author) Commented:
Subsun, maybe this isn't possible cross forests?

Here is the error:
Add-QADGroupMember : 0000202B: RefErr: DSID-03100742, data 0, 1 access points
    ref 1: 'ForestDnsZones.mydomain.com'
At line:1 char:1
0
 
Subsun Commented:
Did you try the code which I posted in the last comment? I will test this in my environment when I get a chance.
0
 
siber1 (Author) Commented:
thanks Subsun, much appreciated.
0
 
siber1 (Author) Commented:
thanks Subsun, I will test this over the weekend.
0
 
siber1 (Author) Commented:
thanks Subsun! that works!
0
Question has a verified solution.