Solved

need assistance with a Quest ad cmdlets script

Posted on 2014-02-18
Last Modified: 2014-03-03
Can someone provide a way to modify this script [provided by SubSun] that will allow us to add users from another forest [trust is in place] to the domain local group in the source domain?

here is the script, works perfectly in the same domain:
Import-CSV c:\temp\input.csv | %{
$usr=Get-QADUser $_."column A"
$grp=Get-QADGroup $_."column B"
Add-QADGroupMember -Identity $grp -Member $usr
}

in our situation, we have domain local groups in a new forest, and need to populate membership with accounts from the other forest.

thx - S.
Question by:siber1
38 Comments
 
LVL 37

Expert Comment

by:Jamie McKillop
ID: 39870080
Hello,

What is in "column A"? Samaccountname, display name, etc?

-JJ
0
 

Author Comment

by:siber1
ID: 39870121
hi JJ, column A is sAMAccountName thx
0
 
LVL 37

Expert Comment

by:Jamie McKillop
ID: 39870135
In that case, you do not need to lookup the user (line 2). The value for Member can be in the form of domain\samaccountname. Replace line 2 with:

$usr = "domain\" + $_."column A"

"domain" should be the name of the domain in the other forest.

Your script should then work.

-JJ
0
 

Author Comment

by:siber1
ID: 39870160
hi JJ, when I try that here is the error that I receive:

Add-QADGroupMember : Cannot validate argument on parameter 'Identity'. The argument is null or empty. Provide an
argument that is not null or empty, and then try the command again.
At C:\temp\add-to-groups.ps1:4 char:30
+ Add-QADGroupMember -Identity $grp -Member $usr
+                              ~~~~
    + CategoryInfo          : InvalidData: (:) [Add-QADGroupMember], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Quest.ActiveRoles.ArsPowerShellSnapIn.Commands.AddGroup
   MemberCmdlet2
0
 
LVL 37

Expert Comment

by:Jamie McKillop
ID: 39870169
After the line $usr = "domain\" + $_."column A" add the following line:

write-host $usr

That will output the value of the variable. Make sure it is correct.

-JJ
0
 

Author Comment

by:siber1
ID: 39870195
jj - output looks correct "domain"\sAMAccountName
0
 
LVL 37

Expert Comment

by:Jamie McKillop
ID: 39870205
Does the output include the quotes?

-JJ
0
 

Author Comment

by:siber1
ID: 39870207
no, the output is domain\username     thx
0
 
LVL 37

Expert Comment

by:Jamie McKillop
ID: 39870214
OK, in line 4, change $grp. to $grp.dn

-JJ
0
 

Author Comment

by:siber1
ID: 39870219
that gives me the following error:

The property 'dn' cannot be found on this object. Verify that the property exists and can be set.
At C:\temp\add-to-groups.ps1:4 char:1
+ $grp.dn=Get-QADGroup $_."column B"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : PropertyNotFound

Add-QADGroupMember : Cannot validate argument on parameter 'Identity'. The argument is null or empty. Provide an
argument that is not null or empty, and then try the command again.
At C:\temp\add-to-groups.ps1:5 char:30
+ Add-QADGroupMember -Identity $grp -Member $usr
+                              ~~~~
    + CategoryInfo          : InvalidData: (:) [Add-QADGroupMember], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Quest.ActiveRoles.ArsPowerShellSnapIn.Commands.AddGroup
   MemberCmdlet2
0
 
LVL 37

Expert Comment

by:Jamie McKillop
ID: 39870229
OK, there is something wrong with the group lookup. What is the format of the group name in the CSV file?

-JJ
0
 

Author Comment

by:siber1
ID: 39870236
group name is just the sAMAccountName for example: 360DEV   [which is also the CN]
0
 
LVL 37

Expert Comment

by:Jamie McKillop
ID: 39870249
Are the groups located in domain you are running the script in?

-JJ
0
 

Author Comment

by:siber1
ID: 39870357
no JJ, that is the whole point of this question. the groups are in the other AD forest. - there is a one-way trust setup, and we are trying to populate users from the other forest into groups in the new domain.
we can do this manually, but there are 1000 users we need to add to groups in the new domain.
0
 
LVL 37

Expert Comment

by:Jamie McKillop
ID: 39870461
OK, so you are running the script on a machine in forest "A" but you want to add users in forest "B" to groups in forest "B"?

-JJ
0
 

Author Comment

by:siber1
ID: 39870470
no

we are running the script in forest "B" and we want to add users in forest "A" to groups in forest "B"
0
 
LVL 37

Expert Comment

by:Jamie McKillop
ID: 39870513
Ok, so the answer to my question "Are the groups located in domain you are running the script in?" is actually Yes.

Add the line write-host $grp

That should display the group and verify it is looking it up correctly.

-JJ
0
 

Author Comment

by:siber1
ID: 39870519
no... the answer is no

JJ, sorry I don't have time for this. can someone else assist here?
0
 
LVL 37

Expert Comment

by:Jamie McKillop
ID: 39870543
You said above that you are running the script in forest "B" and the groups are in forest "B".  I asked you if you are running the script in the same forest as the groups and you said no. Which is it? If you want to add users to a group in a different forest, you need to have powershell connect to AD in that forest.

Please clarify.

-JJ
0
 

Author Comment

by:siber1
ID: 39871056
we are running the script in forest "B" and we want to add users in forest "A" to groups in forest "B"
0
 
LVL 37

Expert Comment

by:Jamie McKillop
ID: 39871167
Great. The value for Identity needs to be in the format of DN, SID, GUID, or Domain\Name. If your CSV file contains the name of the group, Change line 3 to:

$grp="Domain\" +  $_."column B"

-JJ
0
 

Author Comment

by:siber1
ID: 39871244
we are running the script in forest "B" and we want to add users in forest "A" to groups in forest "B"

groups are in forest B.
0
 
LVL 37

Expert Comment

by:Jamie McKillop
ID: 39871255
Right, so "Domain" in the line $grp="Domain\" +  $_."column B" would be the domain in forest B.

"Domain" in the line  $usr = "domain\" + $_."column A" would be the domain in forest A

-JJ
0
 

Author Comment

by:siber1
ID: 39871277
here is the error when I run that

Add-QADGroupMember : Cannot resolve directory object for the given identity: 'mydomain\vl_eng'.
At C:\temp\add-to-groups.ps1:4 char:1
+ Add-QADGroupMember -Identity $grp -Member $usr
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Add-QADGroupMember], ObjectNotFoundException
    + FullyQualifiedErrorId : Quest.ActiveRoles.ArsPowerShellSnapIn.DirectoryAccess.ObjectNotFoundException,Quest.Acti
   veRoles.ArsPowerShellSnapIn.Commands.AddGroupMemberCmdlet2
0
 
LVL 37

Expert Comment

by:Jamie McKillop
ID: 39871303
Do you get anything returned if you run Get-QADGroup -Identity vl_eng

For some reason, it is unable to find this group in your directory.

-JJ
0
 
LVL 40

Expert Comment

by:Subsun
ID: 39871304
Can you try with DN of group? try it for single user and see what you get..

Add-QADGroupMember -Identity 'CN=groupA,OU=TestOU,DC=Domain,DC=Com' -Member 'DomainA\UserA'

0
 

Author Comment

by:siber1
ID: 39871328
hi Subsun,

here is the error that I receive when running that:

Add-QADGroupMember : Cannot resolve directory object for the given identity: 'mydomain\jsmith'.
At line:1 char:1
+ Add-QADGroupMember -Identity 'CN=vl_eng,OU=Internal,OU=Groups,DC=mydomain,DC= ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Add-QADGroupMember], ObjectNotFoundException
    + FullyQualifiedErrorId : Quest.ActiveRoles.ArsPowerShellSnapIn.DirectoryAccess.ObjectNotFoundException,Quest.Acti
   veRoles.ArsPowerShellSnapIn.Commands.AddGroupMemberCmdlet2
0
 
LVL 40

Expert Comment

by:Subsun
ID: 39871436
Try..
Add-QADGroupMember -Identity 'CN=groupA,OU=TestOU,DC=Domain,DC=Com' -Member 'DomainA\UserA' -Connection DomainA

if above fails try..
Add-QADGroupMember -Identity 'CN=groupA,OU=TestOU,DC=Domain,DC=Com' -Member 'DomainA\UserA' -Connection DomainA -UseGlobalCatalog

0
 

Author Comment

by:siber1
ID: 39871466
hi Subsun,

I tried both of those and receive this error:

Add-QADGroupMember : Cannot bind parameter 'Connection'. Cannot convert the "mydomain.com" value of type "System.String"
to type "Quest.ActiveRoles.ArsPowerShellSnapIn.Data.ArsConnection".
At line:1 char:139
+ ... w' -connection nuance.com -UseGlobalCatalog
+                    ~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [Add-QADGroupMember], ParameterBindingException
    + FullyQualifiedErrorId : CannotConvertArgumentNoMessage,Quest.ActiveRoles.ArsPowerShellSnapIn.Commands.AddGroupMe
   mberCmdlet2
0
 
LVL 40

Expert Comment

by:Subsun
ID: 39871475
Use parameter -Service instead of -Connection..
0
 

Author Comment

by:siber1
ID: 39871482
i think we're getting close, here is the error now:
Add-QADGroupMember : Logon failure: unknown user name or bad password.
At line:1 char:1

how can I feed in credentials?

thx
0
 
LVL 40

Expert Comment

by:Subsun
ID: 39871510
Use parameter -Credential (Get-Credential)

Other option is to try..
$user = Get-QADUser Userdomain\userName -Service Userdomain.com
Add-QADGroupMember Groupdomain\groupName -Member $user

0
 

Author Comment

by:siber1
ID: 39871607
Subsun, maybe this isn't possible cross forests?

here is the error:
Add-QADGroupMember : 0000202B: RefErr: DSID-03100742, data 0, 1 access points
    ref 1: 'ForestDnsZones.mydomain.com'
At line:1 char:1
0
 
LVL 40

Expert Comment

by:Subsun
ID: 39872355
Did you try the code which I posted in my last comment? I will test this in my environment when I get a chance.
0
 

Author Comment

by:siber1
ID: 39872368
thanks Subsun, much appreciated.
0
 
LVL 40

Accepted Solution

by:
Subsun earned 2000 total points
ID: 39896495
I just tested

Add-QADGroupMember GroupB -Member Userdomain\userName

and
$user = Get-QADUser Userdomain\userName -Service Userdomain.com
Add-QADGroupMember GroupB -Member $user

Working for me.. I ran the commands from the domain which groups belong to..
0
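An added example, not part of any post in this thread: the accepted two-step approach (look the user up in the trusted forest with -Service, then add the returned object to the local group) applied to the whole CSV, with the null and not-found cases from the earlier errors caught per row and written to a log. It assumes the Quest snap-in is already loaded and the script runs in the forest that owns the groups; the domain names, the log path and the use of a separate lookup credential for the user forest are placeholders and assumptions.

```powershell
# Added example (not from the thread). Run in the forest that owns the groups.
# Placeholders: replace with the DNS and NetBIOS names of the users' forest.
$UserDomainDns     = 'forestA.example'
$UserDomainNetBios = 'FORESTA'
$CsvPath           = 'c:\temp\input.csv'               # same input as the original script
$LogPath           = 'c:\temp\add-to-groups-log.csv'   # hypothetical audit log path

# Assumption: an account in the users' forest is needed for the lookup.
# A read-only account is enough; the membership change itself is made with
# the rights of the current session in the groups' forest.
$cred = Get-Credential

$results = foreach ($row in Import-Csv $CsvPath) {
    $sam    = $row.'column A'   # user sAMAccountName (users' forest)
    $group  = $row.'column B'   # group name (local forest)
    $status = 'Added'
    try {
        if ([string]::IsNullOrWhiteSpace($sam) -or [string]::IsNullOrWhiteSpace($group)) {
            throw 'Empty user or group cell in CSV'
        }
        # Resolve the group locally and the user against the other forest.
        $grp = Get-QADGroup $group -ErrorAction Stop
        $usr = Get-QADUser "$UserDomainNetBios\$sam" -Service $UserDomainDns `
                   -Credential $cred -ErrorAction Stop

        # A failed lookup returns nothing; passing $null on is what produced the
        # "argument is null or empty" error earlier in the thread.
        if (-not $grp) { throw "Group '$group' not found" }
        if (-not $usr) { throw "User '$sam' not found in $UserDomainDns" }
        # Refuse to guess when a name matches more than one object.
        if (@($grp).Count -ne 1 -or @($usr).Count -ne 1) { throw 'Ambiguous match' }

        Add-QADGroupMember -Identity $grp -Member $usr -ErrorAction Stop | Out-Null
    }
    catch {
        $status = "Failed: $($_.Exception.Message)"
    }
    # One record per CSV row, so the run can be reviewed afterwards.
    [pscustomobject]@{ User = $sam; Group = $group; Status = $status }
}

$results | Export-Csv $LogPath -NoTypeInformation
$results | Where-Object { $_.Status -ne 'Added' } | Format-Table -AutoSize
```

Keeping the per-row log gives a record of which cross-forest memberships were granted and which rows need manual follow-up.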
 

Author Comment

by:siber1
ID: 39896684
thanks Subsun, I will test this over the weekend.
0
 

Author Closing Comment

by:siber1
ID: 39902199
thanks Subsun! that works!
0

Question has a verified solution.