Solved

New-ADUser Error "The server is unwilling to process the request" OtherAttributes

Posted on 2014-07-22
9
7,504 Views
Last Modified: 2014-07-27
Working on rebuilding my user creation scripts and I am having problems with the New-ADUser commandlet. Here is my code:

# Create User
$null = New-ADUser -Name $username `
	-UserPrincipalName $upn `
	-DisplayName $DisplayName `
	-GivenName $First `
	-Initials $MI `
	-Surname $Last `
	-Company $Company `
	-Department $Dept `
	-Title $Title `
	-EmployeeID $EmpID `
	-EmployeeNumber $JobCode `
	-Office $Office `
	-OfficePhone $OfficePhone `
	-MobilePhone $Mobile `
	-OtherAttributes @{'departmentNumber'=$DeptCode; 'PhysicianNumber'=$PhysID; 'extensionAttribute2'="1"; 'comment'="INTERACTIVE ACCOUNT"; 'pager'=$Pager; 'ipPhone'=$Ascom} `
	-EmailAddress "EmailUnknown@iSupport.invalid" # Dummy address replaced later if Exchange mailbox needed

Open in new window


When this runs I get:
New-ADUser : The server is unwilling to process the request
At I:\scripts\poc\chsadmgmt\CHSADMgmt.ps1:3383 char:21
+         $null = New-ADUser <<<<  -Name $username `
    + CategoryInfo          : NotSpecified: (CN=gqtest,CN=Users,DC=comhs,DC=org:String) [New-ADUser], ADException
    + FullyQualifiedErrorId : The server is unwilling to process the request,Microsoft.ActiveDirectory.Management.Comm
   ands.NewADUser

Open in new window


The problem lies somewhere with the -OtherAttributes tag. If I only try to set a single attribute with -OtherAttributes, the script runs fine, but as soon as I add multiples it bombs with the above error.

Can anybody tell me why this is occurring and how to get around it?
0
Comment
Question by:Cacophony777
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
  • 2
9 Comments
 
LVL 40

Expert Comment

by:Subsun
ID: 40212117
I am suspicious about the PhysicianNumber attribute (I never heard of it as a standard AD attribute), can you remove it and try to create user?
0
 
LVL 1

Author Comment

by:Cacophony777
ID: 40212236
Still does not work. We are a hospital system, PhysicianNumber is a custom attribute we have added to our schema. As a further test I just ran the script again with the following code:
$null = New-ADUser -Name $username `
	-UserPrincipalName $upn `
	-DisplayName $DisplayName `
	-GivenName $First `
	-Initials $MI `
	-Surname $Last `
	-Company $Company `
	-Department $Dept `
	-Title $Title `
	-EmployeeID $EmpID `
	-EmployeeNumber $JobCode `
	-Office $Office `
	-OfficePhone $OfficePhone `
	-MobilePhone $Mobile `
	-OtherAttributes @{'PhysicianNumber'=$PhysID} `
	-EmailAddress "EmailUnknown@iSupport.invalid" # Dummy address replaced later if Exchange mailbox needed

Open in new window

This ran code ran fine without issue. As you can see the only difference is that there is only a single item for OtherAttributes.
0
 
LVL 5

Assisted Solution

by:Kevin Stanush
Kevin Stanush earned 250 total points
ID: 40212274
Put in your other values for 'OtherAttributes' one by one until the error happens.  This error is usually the result of asking the directory to update something and it violates a constraint, such as trying to put a character into a numeric field, setting a DN field to a non-existent value, trying to set a too-easy password, things like that.

Check the syntax for updating 'otherattributes' too with more than one value so that the command isn't getting mis-intepreted and thereby getting parsed out wrong.
0
Backup Solution for AWS

Read about how CloudBerry Backup fully integrates your backups with Amazon S3 and Amazon Glacier to provide military-grade encryption and dramatically cut storage costs on any platform.

 
LVL 40

Assisted Solution

by:Subsun
Subsun earned 250 total points
ID: 40213149
If the PhysicianNumber attribute is available in schema the the command you posted should work.. Can you try adding the -Server parameter to specify a DC name to New-ADUser command? Also make sure that you have correct values in input file to replace the variables or test the command using actual values for example..
# Create User
$null = New-ADUser -Server serverDC01 -Name "username1" `
	-DisplayName "Display Name" `
	-GivenName "First" `
	-Initials "MI" `
	-Surname "Last" `
	-Company "Company" `
	-Department "Dept" `
	-Title "Title" `
	-EmployeeID "121121" `
	-EmployeeNumber "21" `
	-Office "Office" `
	-OfficePhone "12112121212" `
	-MobilePhone "011" `
	-OtherAttributes @{'departmentNumber'="112121"; 'PhysicianNumber'="1212121"; 'extensionAttribute2'="1"; 'comment'="INTERACTIVE ACCOUNT"; 'pager'="1212"; 'ipPhone'="121212"} `
	-EmailAddress "EmailUnknown@iSupport.invalid" # Dummy address replaced later if Exchange mailbox needed

Open in new window

0
 
LVL 5

Expert Comment

by:Kevin Stanush
ID: 40213391
Also, verify that one of your values is not too long for the attribute, as that can also trigger this error.  Like Subsun said, test with actual known values to see if the command syntax is all well, then substitute your values.
0
 
LVL 1

Accepted Solution

by:
Cacophony777 earned 0 total points
ID: 40217427
So, I've figured it out. The problem is that unlike the rest of the parameters of the New-ADUser cmdlet, the OtherAttributes parameter does not like empty variables, so I fixed my script with some simple if statements:
$null = New-ADUser -Name $username `
	-UserPrincipalName $upn `
	-DisplayName $DisplayName `
	-GivenName $First `
	-Initials $MI `
	-Surname $Last `
	-Company $Company `
	-Department $Dept `
	-Title $Title `
	-EmployeeID $EmpID `
	-EmployeeNumber $JobCode `
	-Office $Office `
	-OfficePhone $OfficePhone `
	-MobilePhone $Mobile `
	-OtherAttributes @{'extensionAttribute2'="1"; 'comment'="INTERACTIVE ACCOUNT"} `
	-EmailAddress "EmailUnknown@iSupport.invalid" # Dummy address replaced later if Exchange mailbox needed

If ($DeptCode -ne "") {
	Set-ADUser -Identity $username -Add @{'departmentNumber'=$DeptCode}
}
If ($PhysID -ne "") {
	Set-ADUser -Identity $username -Add @{'PhysicianNumber'=$PhysID}
}
If ($Pager -ne "") {
	Set-ADUser -Identity $username -Add @{'pager'=$Pager}
}
If ($Ascom -ne "") {
	Set-ADUser -Identity $username -Add @{'ipPhone'=$Ascom}
}

Open in new window

Thanks everyone for all your pointers - some of them definitely did help point me in the right direction to figure out the issue! Sometimes just bouncing the problem off some others helps get the wheels churning in the right direction :-)
0
 
LVL 1

Author Comment

by:Cacophony777
ID: 40217463
I've requested that this question be closed as follows:

Accepted answer: 0 points for Cacophony777's comment #a40217427

for the following reason:

Figured it out on my own...
0
 
LVL 40

Expert Comment

by:Subsun
ID: 40217464
In my comment #a40213149 I did recommend you to check the input file and make sure that you have correct values to replace the variables or test the command using actual values.. So, I think it deserve assist points for pointing to the right direction..:-)
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article shows the method of using the Resultant Set of Policy Tool to locate Group Policy that applies a particular setting.
Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question