Solved

need assistance with a Quest ad cmdlets script

Posted on 2014-02-18
Last Modified: 2014-03-03
Can someone provide a way to modify this script [provided by SubSun] that will allow us to add users from another forest [trust is in place] to the domain local group in the source domain?

here is the script, which works perfectly when everything is in the same domain:

```powershell
# One CSV row per user/group pair: "column A" is the user's sAMAccountName,
# "column B" is the group's sAMAccountName. Each user is added to its group.
Import-CSV c:\temp\input.csv | %{
    $usr = Get-QADUser $_."column A"
    $grp = Get-QADGroup $_."column B"
    Add-QADGroupMember -Identity $grp -Member $usr
}
```


in our situation, we have domain local groups in a new forest, and need to populate membership with accounts from the other forest.

thx - S.
Question by: siber1

38 Comments

Expert Comment by: Jamie McKillop (ID: 39870080)
Hello,

What is in "column A"? Samaccountname, display name, etc?

-JJ
Author Comment by: siber1 (ID: 39870121)
hi JJ, column A is sAMAccountName thx
Expert Comment by: Jamie McKillop (ID: 39870135)
In that case, you do not need to look up the user (line 2). The value for Member can be in the form domain\samaccountname. Replace line 2 with:

```powershell
$usr = "domain\" + $_."column A"
```

"domain" should be the name of the domain in the other forest.

Your script should then work.

-JJ
Author Comment by: siber1 (ID: 39870160)
hi JJ, when I try that here is the error that I receive:

```text
Add-QADGroupMember : Cannot validate argument on parameter 'Identity'. The argument is null or empty. Provide an
argument that is not null or empty, and then try the command again.
At C:\temp\add-to-groups.ps1:4 char:30
+ Add-QADGroupMember -Identity $grp -Member $usr
+                              ~~~~
    + CategoryInfo          : InvalidData: (:) [Add-QADGroupMember], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Quest.ActiveRoles.ArsPowerShellSnapIn.Commands.AddGroupMemberCmdlet2
```
Expert Comment by: Jamie McKillop (ID: 39870169)
After the line $usr = "domain\" + $_."column A" add the following line:

```powershell
write-host $usr
```

That will output the value of the variable. Make sure it is correct.

-JJ
Author Comment by: siber1 (ID: 39870195)
jj - output looks correct "domain"\sAMAccountName
Expert Comment by: Jamie McKillop (ID: 39870205)
Does the output include the quotes?

-JJ
Author Comment by: siber1 (ID: 39870207)
no, the output is domain\username. thx
Expert Comment by: Jamie McKillop (ID: 39870214)
OK, in line 4, change $grp to $grp.dn

-JJ
Author Comment by: siber1 (ID: 39870219)
that gives me the following error:

```text
The property 'dn' cannot be found on this object. Verify that the property exists and can be set.
At C:\temp\add-to-groups.ps1:4 char:1
+ $grp.dn=Get-QADGroup $_."column B"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : PropertyNotFound

Add-QADGroupMember : Cannot validate argument on parameter 'Identity'. The argument is null or empty. Provide an
argument that is not null or empty, and then try the command again.
At C:\temp\add-to-groups.ps1:5 char:30
+ Add-QADGroupMember -Identity $grp -Member $usr
+                              ~~~~
    + CategoryInfo          : InvalidData: (:) [Add-QADGroupMember], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Quest.ActiveRoles.ArsPowerShellSnapIn.Commands.AddGroupMemberCmdlet2
```
Expert Comment by: Jamie McKillop (ID: 39870229)
OK, there is something wrong with the group lookup. What is the format of the group name in the CSV file?

-JJ
Author Comment by: siber1 (ID: 39870236)
group name is just the sAMAccountName, for example: 360DEV [which is also the CN]
Expert Comment by: Jamie McKillop (ID: 39870249)
Are the groups located in the domain you are running the script in?

-JJ
Author Comment by: siber1 (ID: 39870357)
no JJ, that is the whole point of this question. The groups are in the other AD forest. There is a one-way trust set up, and we are trying to populate users from the other forest into groups in the new domain.
We can do this manually, but there are 1000 users we need to add to groups in the new domain.
Expert Comment by: Jamie McKillop (ID: 39870461)
OK, so you are running the script on a machine in forest "A" but you want to add users in forest "B" to groups in forest "B"?

-JJ
Author Comment by: siber1 (ID: 39870470)
no

we are running the script in forest "B" and we want to add users in forest "A" to groups in forest "B"
Expert Comment by: Jamie McKillop (ID: 39870513)
Ok, so the answer to my question "Are the groups located in the domain you are running the script in?" is actually Yes.

Add the line:

```powershell
write-host $grp
```

That should display the group and verify it is being looked up correctly.

-JJ
Author Comment by: siber1 (ID: 39870519)
no... the answer is no

JJ, sorry I don't have time for this. can someone else assist here?
Expert Comment by: Jamie McKillop (ID: 39870543)
You said above that you are running the script in forest "B" and the groups are in forest "B". I asked you if you are running the script in the same forest as the groups and you said no. Which is it? If you want to add users to a group in a different forest, you need to have PowerShell connect to AD in that forest.

Please clarify.

-JJ
Author Comment by: siber1 (ID: 39871056)
we are running the script in forest "B" and we want to add users in forest "A" to groups in forest "B"
Expert Comment by: Jamie McKillop (ID: 39871167)
Great. The value for Identity needs to be in the format of a DN, SID, GUID, or Domain\Name. If your CSV file contains the name of the group, change line 3 to:

```powershell
$grp = "Domain\" + $_."column B"
```

-JJ
Author Comment by: siber1 (ID: 39871244)
we are running the script in forest "B" and we want to add users in forest "A" to groups in forest "B"

groups are in forest B.
Expert Comment by: Jamie McKillop (ID: 39871255)
Right, so "Domain" in the line $grp = "Domain\" + $_."column B" would be the domain in forest B.

"Domain" in the line $usr = "domain\" + $_."column A" would be the domain in forest A.

-JJ
Author Comment by: siber1 (ID: 39871277)
here is the error when I run that:

```text
Add-QADGroupMember : Cannot resolve directory object for the given identity: 'mydomain\vl_eng'.
At C:\temp\add-to-groups.ps1:4 char:1
+ Add-QADGroupMember -Identity $grp -Member $usr
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Add-QADGroupMember], ObjectNotFoundException
    + FullyQualifiedErrorId : Quest.ActiveRoles.ArsPowerShellSnapIn.DirectoryAccess.ObjectNotFoundException,Quest.ActiveRoles.ArsPowerShellSnapIn.Commands.AddGroupMemberCmdlet2
```
Expert Comment by: Jamie McKillop (ID: 39871303)
Do you get anything returned if you run Get-QADGroup -Identity vl_eng?

For some reason, it is unable to find this group in your directory.

-JJ
Expert Comment by: Subsun (ID: 39871304)
Can you try with the DN of the group? Try it for a single user and see what you get.

```powershell
Add-QADGroupMember -Identity 'CN=groupA,OU=TestOU,DC=Domain,DC=Com' -Member 'DomainA\UserA'
```
Author Comment by: siber1 (ID: 39871328)
hi Subsun,

here is the error that I receive when running that:

```text
Add-QADGroupMember : Cannot resolve directory object for the given identity: 'mydomain\jsmith'.
At line:1 char:1
+ Add-QADGroupMember -Identity 'CN=vl_eng,OU=Internal,OU=Groups,DC=mydomain,DC= ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Add-QADGroupMember], ObjectNotFoundException
    + FullyQualifiedErrorId : Quest.ActiveRoles.ArsPowerShellSnapIn.DirectoryAccess.ObjectNotFoundException,Quest.ActiveRoles.ArsPowerShellSnapIn.Commands.AddGroupMemberCmdlet2
```
Expert Comment by: Subsun (ID: 39871436)
Try:

```powershell
Add-QADGroupMember -Identity 'CN=groupA,OU=TestOU,DC=Domain,DC=Com' -Member 'DomainA\UserA' -Connection DomainA
```

If the above fails, try:

```powershell
Add-QADGroupMember -Identity 'CN=groupA,OU=TestOU,DC=Domain,DC=Com' -Member 'DomainA\UserA' -Connection DomainA -UseGlobalCatalog
```
Author Comment by: siber1 (ID: 39871466)
hi Subsun,

I tried both of those and receive this error:

```text
Add-QADGroupMember : Cannot bind parameter 'Connection'. Cannot convert the "mydomain.com" value of type "System.String"
to type "Quest.ActiveRoles.ArsPowerShellSnapIn.Data.ArsConnection".
At line:1 char:139
+ ... w' -connection nuance.com -UseGlobalCatalog
+                    ~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [Add-QADGroupMember], ParameterBindingException
    + FullyQualifiedErrorId : CannotConvertArgumentNoMessage,Quest.ActiveRoles.ArsPowerShellSnapIn.Commands.AddGroupMemberCmdlet2
```
Expert Comment by: Subsun (ID: 39871475)
Use the parameter -Service instead of -Connection.
Author Comment by: siber1 (ID: 39871482)
I think we're getting close. Here is the error now:

```text
Add-QADGroupMember : Logon failure: unknown user name or bad password.
At line:1 char:1
```

how can I feed in credentials?

thx
Expert Comment by: Subsun (ID: 39871510)
Use the parameter -Credential (Get-Credential).

The other option is to try:

```powershell
$user = Get-QADUser Userdomain\userName -Service Userdomain.com
Add-QADGroupMember Groupdomain\groupName -Member $user
```

Author Comment by: siber1 (ID: 39871607)
Subsun, maybe this isn't possible cross-forest?

here is the error:

```text
Add-QADGroupMember : 0000202B: RefErr: DSID-03100742, data 0, 1 access points
    ref 1: 'ForestDnsZones.mydomain.com'
At line:1 char:1
```
Expert Comment by: Subsun (ID: 39872355)
Did you try the code which I posted in my last comment? I will test this in my environment when I get a chance.
Author Comment by: siber1 (ID: 39872368)
thanks Subsun, much appreciated.
Accepted Solution by: Subsun (earned 500 total points, ID: 39896495)
I just tested

```powershell
Add-QADGroupMember GroupB -Member Userdomain\userName
```

and

```powershell
$user = Get-QADUser Userdomain\userName -Service Userdomain.com
Add-QADGroupMember GroupB -Member $user
```

Working for me. I ran the commands from the domain which the groups belong to.
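The accepted answer and Subsun's earlier -Service/-Credential comment, put together as one CSV-driven script. This is an added example, not code from the thread or from Quest: it runs in the forest that holds the groups ("forest B"), binds to the trusted forest that holds the users ("forest A") with credentials obtained via Get-Credential, resolves each user there with an explicit connection object (Connect-QADService returns the ArsConnection that the -Connection parameter expects, which is why passing a DNS name string produced the "Cannot convert ... to ArsConnection" error above), checks the group is domain local, skips rows that are already members, and logs every failure instead of aborting on the first one. The CSV layout ("column A" = user sAMAccountName, "column B" = group name) is the one from the question; the forest names 'forestA.example' and 'forestB.example', the path C:\temp\add-to-groups-failures.csv and the DryRun switch are assumptions.

```powershell
<#
Added example (not from the original thread). Bulk-add users from a trusted forest
(forest A, where the accounts live) to domain local groups in the forest this script
runs in (forest B, where the groups live). Requires the Quest AD cmdlets snap-in and
a one-way trust where forest B trusts forest A. Forest names below are hypothetical.
#>
param(
    [string]$CsvPath        = 'C:\temp\input.csv',
    [string]$UserForestDns  = 'forestA.example',   # assumption: forest holding the users
    [string]$GroupDomainDns = 'forestB.example',   # assumption: domain holding the groups
    [string]$FailureLog     = 'C:\temp\add-to-groups-failures.csv',
    [switch]$DryRun                                # resolve and validate only, change nothing
)

Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction Stop

# With a one-way trust (B trusts A) an account from forest B cannot bind to forest A,
# which is the "Logon failure" seen in the thread, so prompt once for forest-A credentials.
# Connect-QADService returns an ArsConnection object; that object, not a DNS name string,
# is what -Connection expects.
$credA = Get-Credential -Message "Account in $UserForestDns used to look up users"
$connA = Connect-QADService -Service $UserForestDns -Credential $credA -ErrorAction Stop
# Group-side work runs as the current (forest B) user; a second explicit connection keeps
# the two directories apart instead of relying on whichever one is the session default.
$connB = Connect-QADService -Service $GroupDomainDns -ErrorAction Stop

$failures = New-Object System.Collections.Generic.List[object]
function Add-Failure([string]$User, [string]$Group, [string]$Reason) {
    $failures.Add([pscustomobject]@{ User = $User; Group = $Group; Reason = $Reason })
    Write-Warning "$User -> $Group : $Reason"
}

$added = 0
foreach ($row in Import-Csv -Path $CsvPath) {
    $userName  = ([string]$row.'column A').Trim()
    $groupName = ([string]$row.'column B').Trim()
    if (-not $userName -or -not $groupName) { Add-Failure $userName $groupName 'empty CSV field'; continue }

    # Resolve the user in forest A through the explicit connection. The bare
    # sAMAccountName is enough because the connection already scopes the search.
    $usr = Get-QADUser -Identity $userName -Connection $connA -ErrorAction SilentlyContinue
    if (-not $usr) { Add-Failure $userName $groupName "user not found in $UserForestDns"; continue }

    $grp = Get-QADGroup -Identity $groupName -Connection $connB -ErrorAction SilentlyContinue
    if (-not $grp) { Add-Failure $userName $groupName "group not found in $GroupDomainDns"; continue }

    # Only domain local groups may contain principals from another forest; catch a global
    # or universal group here rather than from a less obvious Add-QADGroupMember error.
    if ($grp.GroupScope -ne 'DomainLocal') {
        Add-Failure $userName $groupName "group scope is $($grp.GroupScope), not DomainLocal"; continue
    }

    # Cross-forest members are stored as foreignSecurityPrincipal objects named after the
    # user's SID, so existing membership is checked by SID rather than by DN or name.
    $sid = $usr.Sid.ToString()
    $members = @(Get-QADGroupMember -Identity $grp.DN -Connection $connB -SizeLimit 0 -ErrorAction SilentlyContinue)
    if ($members | Where-Object { "$($_.Sid)" -eq $sid -or $_.Name -eq $sid }) {
        Write-Verbose "$userName is already a member of $groupName"; continue
    }

    if ($DryRun) { Write-Host "DRY RUN: would add $UserForestDns\$userName to $groupName"; continue }

    try {
        # Pass the resolved user object, as in the accepted answer; the cmdlet writes the
        # member by SID and forest B creates the foreignSecurityPrincipal as needed.
        Add-QADGroupMember -Identity $grp.DN -Member $usr -Connection $connB -ErrorAction Stop | Out-Null
        $added++
    } catch {
        Add-Failure $userName $groupName $_.Exception.Message
    }
}

Write-Host "Added $added membership(s); $($failures.Count) row(s) failed."
if ($failures.Count -gt 0) {
    $failures | Export-Csv -Path $FailureLog -NoTypeInformation
    Write-Host "Failures written to $FailureLog"
}
```

Run it once with -DryRun first: with 1000 rows, a single bad group name or a user that has been renamed in forest A shows up in the failure CSV before anything is changed, and the group-scope check stops the script from trying to put a foreign principal into a global group.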
Author Comment by: siber1 (ID: 39896684)
thanks Subsun, I will test this over the weekend.
Author Closing Comment by: siber1 (ID: 39902199)
thanks Subsun! that works!