need assistance with a Quest ad cmdlets script

Posted on 2014-02-18
Last Modified: 2014-03-03
Can someone provide a way to modify this script [provided by SubSun] that will allow us to add users from another forest [trust is in place] to the domain local group in the source domain?

here is the script, works perfectly in the same domain:
Import-CSV c:\temp\input.csv | %{
$usr=Get-QADUser $_."column A"
$grp=Get-QADGroup $_."column B"
Add-QADGroupMember -Identity $grp -Member $usr
}


in our situation, we have domain local groups in a new forest, and need to populate membership with accounts from the other forest.

thx - S.
0
Question by:siber1
38 Comments
 
LVL 37

Expert Comment

by:Jamie McKillop
ID: 39870080
Hello,

What is in "column A"? Samaccountname, display name, etc?

-JJ
0
 

Author Comment

by:siber1
ID: 39870121
hi JJ, column A is sAMAccountName thx
0
 
LVL 37

Expert Comment

by:Jamie McKillop
ID: 39870135
In that case, you do not need to look up the user (line 2). The value for Member can be in the form of domain\samaccountname. Replace line 2 with:

$usr = "domain\" + $_."column A"

"domain" should be the name of the domain in the other forest.

Your script should then work.

-JJ
0
 

Author Comment

by:siber1
ID: 39870160
hi JJ, when I try that here is the error that I receive:

Add-QADGroupMember : Cannot validate argument on parameter 'Identity'. The argument is null or empty. Provide an
argument that is not null or empty, and then try the command again.
At C:\temp\add-to-groups.ps1:4 char:30
+ Add-QADGroupMember -Identity $grp -Member $usr
+                              ~~~~
    + CategoryInfo          : InvalidData: (:) [Add-QADGroupMember], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Quest.ActiveRoles.ArsPowerShellSnapIn.Commands.AddGroup
   MemberCmdlet2
0
 
LVL 37

Expert Comment

by:Jamie McKillop
ID: 39870169
After the line $usr = "domain\" + $_."column A" add the following line:

write-host $usr

That will output the value of the variable. Make sure it is correct.

-JJ
0
 

Author Comment

by:siber1
ID: 39870195
jj - output looks correct "domain"\sAMAccountName
0
 
LVL 37

Expert Comment

by:Jamie McKillop
ID: 39870205
Does the output include the quotes?

-JJ
0
 

Author Comment

by:siber1
ID: 39870207
no, the output is domain\username     thx
0
 
LVL 37

Expert Comment

by:Jamie McKillop
ID: 39870214
OK, in line 4, change $grp. to $grp.dn

-JJ
0
 

Author Comment

by:siber1
ID: 39870219
that gives me the following error:

The property 'dn' cannot be found on this object. Verify that the property exists and can be set.
At C:\temp\add-to-groups.ps1:4 char:1
+ $grp.dn=Get-QADGroup $_."column B"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : PropertyNotFound

Add-QADGroupMember : Cannot validate argument on parameter 'Identity'. The argument is null or empty. Provide an
argument that is not null or empty, and then try the command again.
At C:\temp\add-to-groups.ps1:5 char:30
+ Add-QADGroupMember -Identity $grp -Member $usr
+                              ~~~~
    + CategoryInfo          : InvalidData: (:) [Add-QADGroupMember], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Quest.ActiveRoles.ArsPowerShellSnapIn.Commands.AddGroup
   MemberCmdlet2
0
 
LVL 37

Expert Comment

by:Jamie McKillop
ID: 39870229
OK, there is something wrong with the group lookup. What is the format of the group name in the CSV file?

-JJ
0
 

Author Comment

by:siber1
ID: 39870236
group name is just the sAMAccountName for example: 360DEV   [which is also the CN]
0
 
LVL 37

Expert Comment

by:Jamie McKillop
ID: 39870249
Are the groups located in domain you are running the script in?

-JJ
0
 

Author Comment

by:siber1
ID: 39870357
no JJ, that is the whole point of this question. the groups are in the other AD forest. - there is a one-way trust setup, and we are trying to populate users from the other forest into groups in the new domain.
we can do this manually, but there are 1000 users we need to add to groups in the new domain.
0
 
LVL 37

Expert Comment

by:Jamie McKillop
ID: 39870461
OK, so you are running the script on a machine in forest "A" but you want to add users in forest "B" to groups in forest "B"?

-JJ
0
 

Author Comment

by:siber1
ID: 39870470
no

we are running the script in forest "B" and we want to add users in forest "A" to groups in forest "B"
0
 
LVL 37

Expert Comment

by:Jamie McKillop
ID: 39870513
Ok, so the answer to my question "Are the groups located in domain you are running the script in?" is actually Yes.

Add the line write-host $grp

That should display the group and verify it is looking it up correctly.

-JJ
0
 

Author Comment

by:siber1
ID: 39870519
no... the answer is no

JJ, sorry I don't have time for this. can someone else assist here?
0
 
LVL 37

Expert Comment

by:Jamie McKillop
ID: 39870543
You said above that you are running the script in forest "B" and the groups are in forest "B".  I asked you if you are running the script in the same forest as the groups and you said no. Which is it? If you want to add users to a group in a different forest, you need to have PowerShell connect to AD in that forest.

Please clarify.

-JJ
0
 

Author Comment

by:siber1
ID: 39871056
we are running the script in forest "B" and we want to add users in forest "A" to groups in forest "B"
0
 
LVL 37

Expert Comment

by:Jamie McKillop
ID: 39871167
Great. The value for Identity needs to be in the format of DN, SID, GUID, or Domain\Name. If your CSV file contains the name of the group, Change line 3 to:

$grp="Domain\" +  $_."column B"

-JJ
0
 

Author Comment

by:siber1
ID: 39871244
we are running the script in forest "B" and we want to add users in forest "A" to groups in forest "B"

groups are in forest B.
0
 
LVL 37

Expert Comment

by:Jamie McKillop
ID: 39871255
Right, so "Domain" in the line $grp="Domain\" +  $_."column B" would be the domain in forest B.

"Domain" in the line  $usr = "domain\" + $_."column A" would be the domain in forest A

-JJ
0
 

Author Comment

by:siber1
ID: 39871277
here is the error when I run that

Add-QADGroupMember : Cannot resolve directory object for the given identity: 'mydomain\vl_eng'.
At C:\temp\add-to-groups.ps1:4 char:1
+ Add-QADGroupMember -Identity $grp -Member $usr
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Add-QADGroupMember], ObjectNotFoundException
    + FullyQualifiedErrorId : Quest.ActiveRoles.ArsPowerShellSnapIn.DirectoryAccess.ObjectNotFoundException,Quest.Acti
   veRoles.ArsPowerShellSnapIn.Commands.AddGroupMemberCmdlet2
0
 
LVL 37

Expert Comment

by:Jamie McKillop
ID: 39871303
Do you get anything returned if you run Get-QADGroup -Identity vl_eng

For some reason, it is unable to find this group in your directory.

-JJ
0
 
LVL 40

Expert Comment

by:Subsun
ID: 39871304
Can you try with the DN of the group? Try it for a single user and see what you get.

Add-QADGroupMember -Identity 'CN=groupA,OU=TestOU,DC=Domain,DC=Com' -Member 'DomainA\UserA'

0
 

Author Comment

by:siber1
ID: 39871328
hi Subsun,

here is the error that I receive when running that:

Add-QADGroupMember : Cannot resolve directory object for the given identity: 'mydomain\jsmith'.
At line:1 char:1
+ Add-QADGroupMember -Identity 'CN=vl_eng,OU=Internal,OU=Groups,DC=mydomain,DC= ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Add-QADGroupMember], ObjectNotFoundException
    + FullyQualifiedErrorId : Quest.ActiveRoles.ArsPowerShellSnapIn.DirectoryAccess.ObjectNotFoundException,Quest.Acti
   veRoles.ArsPowerShellSnapIn.Commands.AddGroupMemberCmdlet2
0
 
LVL 40

Expert Comment

by:Subsun
ID: 39871436
Try..
Add-QADGroupMember -Identity 'CN=groupA,OU=TestOU,DC=Domain,DC=Com' -Member 'DomainA\UserA' -Connection DomainA

if above fails try..
Add-QADGroupMember -Identity 'CN=groupA,OU=TestOU,DC=Domain,DC=Com' -Member 'DomainA\UserA' -Connection DomainA -UseGlobalCatalog

0
 

Author Comment

by:siber1
ID: 39871466
hi Subsun,

I tried both of those and receive this error:

Add-QADGroupMember : Cannot bind parameter 'Connection'. Cannot convert the "mydomain.com" value of type "System.String"
to type "Quest.ActiveRoles.ArsPowerShellSnapIn.Data.ArsConnection".
At line:1 char:139
+ ... w' -connection nuance.com -UseGlobalCatalog
+                    ~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [Add-QADGroupMember], ParameterBindingException
    + FullyQualifiedErrorId : CannotConvertArgumentNoMessage,Quest.ActiveRoles.ArsPowerShellSnapIn.Commands.AddGroupMe
   mberCmdlet2
0
 
LVL 40

Expert Comment

by:Subsun
ID: 39871475
Use parameter -Service instead of -Connection..
0
 

Author Comment

by:siber1
ID: 39871482
i think we're getting close, here is the error now:
Add-QADGroupMember : Logon failure: unknown user name or bad password.
At line:1 char:1

how can I feed in credentials?

thx
0
 
LVL 40

Expert Comment

by:Subsun
ID: 39871510
Use parameter -Credential (Get-Credential)

Other option is to try..
$user = Get-QADUser Userdomain\userName -Service Userdomain.com
Add-QADGroupMember Groupdomain\groupName -Member $user

0
 

Author Comment

by:siber1
ID: 39871607
Subsun, maybe this isn't possible cross forests?

here is the error:
Add-QADGroupMember : 0000202B: RefErr: DSID-03100742, data 0, 1 access points
    ref 1: 'ForestDnsZones.mydomain.com'
At line:1 char:1
0
 
LVL 40

Expert Comment

by:Subsun
ID: 39872355
Did you try the code which I posted in my last comment? I will test this in my environment when I get a chance.
0
 

Author Comment

by:siber1
ID: 39872368
thanks Subsun, much appreciated.
0
 
LVL 40

Accepted Solution

by:
Subsun earned 2000 total points
ID: 39896495
I just tested

Add-QADGroupMember GroupB -Member Userdomain\userName

and
$user = Get-QADUser Userdomain\userName -Service Userdomain.com
Add-QADGroupMember GroupB -Member $user

Working for me. I ran the commands from the domain which the groups belong to.
0
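
The second form in the accepted answer, applied to the CSV loop from the question, as an added example that is not part of the thread or any poster's code. It resolves each user against forest A with -Service, rejects empty or ambiguous lookups (the cause of the "argument is null or empty" errors earlier in the thread), and returns one result record per row. The names forestA.example, FORESTA and the function Add-CrossForestMember are hypothetical placeholders, and the CSV rows are constructed sample data.

```powershell
# Added example, not from the thread. Requires the Quest ActiveRoles AD snap-in
# and is run from the domain that owns the groups (forest B), as in the accepted answer.
Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue

# Assumptions (placeholders): DNS and NetBIOS names of the user domain in forest A.
$UserForestDns     = 'forestA.example'   # value for -Service
$UserForestNetbios = 'FORESTA'           # prefix for domain\sAMAccountName

# Constructed sample rows using the thread's column names.
# For real input use: $rows = Import-Csv c:\temp\input.csv
$rows = @'
"column A","column B"
"jsmith","vl_eng"
'@ | ConvertFrom-Csv

function Add-CrossForestMember {
    param($Rows, [switch]$DryRun)
    foreach ($row in $Rows) {
        $sam     = $row.'column A'
        $grpName = $row.'column B'
        $status  = 'Added'
        try {
            # Look the user up in forest A, the group in the local domain (forest B).
            $usr = @(Get-QADUser "$UserForestNetbios\$sam" -Service $UserForestDns -ErrorAction Stop)
            $grp = @(Get-QADGroup $grpName -ErrorAction Stop)
            # Refuse to continue on a missing or ambiguous match instead of
            # passing a null or multi-valued argument to Add-QADGroupMember.
            if ($usr.Count -ne 1) { throw "user lookup returned $($usr.Count) objects" }
            if ($grp.Count -ne 1) { throw "group lookup returned $($grp.Count) objects" }
            if ($DryRun) {
                $status = 'WouldAdd'
            } else {
                Add-QADGroupMember -Identity $grp[0] -Member $usr[0] -ErrorAction Stop | Out-Null
            }
        } catch {
            $status = "Failed: $($_.Exception.Message)"
        }
        # One record per CSV row, so the change can be reviewed and kept as an audit trail.
        [pscustomobject]@{ User = "$UserForestNetbios\$sam"; Group = $grpName; Status = $status }
    }
}

# Dry run first; drop -DryRun to apply the membership changes.
Add-CrossForestMember -Rows $rows -DryRun
```

If the account running the script cannot read forest A over the trust, add the -Credential (Get-Credential) parameter mentioned earlier in the thread to the Get-QADUser call.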
 

Author Comment

by:siber1
ID: 39896684
thanks Subsun, I will test this over the weekend.
0
 

Author Closing Comment

by:siber1
ID: 39902199
thanks Subsun! that works!
0
