Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

New-ADUser Error "The server is unwilling to process the request" OtherAttributes

Posted on 2014-07-22
9
Medium Priority
?
8,707 Views
Last Modified: 2014-07-27
Working on rebuilding my user creation scripts and I am having problems with the New-ADUser commandlet. Here is my code:

# Create User
$null = New-ADUser -Name $username `
	-UserPrincipalName $upn `
	-DisplayName $DisplayName `
	-GivenName $First `
	-Initials $MI `
	-Surname $Last `
	-Company $Company `
	-Department $Dept `
	-Title $Title `
	-EmployeeID $EmpID `
	-EmployeeNumber $JobCode `
	-Office $Office `
	-OfficePhone $OfficePhone `
	-MobilePhone $Mobile `
	-OtherAttributes @{'departmentNumber'=$DeptCode; 'PhysicianNumber'=$PhysID; 'extensionAttribute2'="1"; 'comment'="INTERACTIVE ACCOUNT"; 'pager'=$Pager; 'ipPhone'=$Ascom} `
	-EmailAddress "EmailUnknown@iSupport.invalid" # Dummy address replaced later if Exchange mailbox needed

Open in new window


When this runs I get:
New-ADUser : The server is unwilling to process the request
At I:\scripts\poc\chsadmgmt\CHSADMgmt.ps1:3383 char:21
+         $null = New-ADUser <<<<  -Name $username `
    + CategoryInfo          : NotSpecified: (CN=gqtest,CN=Users,DC=comhs,DC=org:String) [New-ADUser], ADException
    + FullyQualifiedErrorId : The server is unwilling to process the request,Microsoft.ActiveDirectory.Management.Comm
   ands.NewADUser

Open in new window


The problem lies somewhere with the -OtherAttributes tag. If I only try to set a single attribute with -OtherAttributes, the script runs fine, but as soon as I add multiples it bombs with the above error.

Can anybody tell me why this is occurring and how to get around it?
0
Comment
Question by:Cacophony777
  • 3
  • 3
  • 2
8 Comments
 
LVL 40

Expert Comment

by:Subsun
ID: 40212117
I am suspicious about the PhysicianNumber attribute (I never heard of it as a standard AD attribute), can you remove it and try to create user?
0
 
LVL 1

Author Comment

by:Cacophony777
ID: 40212236
Still does not work. We are a hospital system, PhysicianNumber is a custom attribute we have added to our schema. As a further test I just ran the script again with the following code:
$null = New-ADUser -Name $username `
	-UserPrincipalName $upn `
	-DisplayName $DisplayName `
	-GivenName $First `
	-Initials $MI `
	-Surname $Last `
	-Company $Company `
	-Department $Dept `
	-Title $Title `
	-EmployeeID $EmpID `
	-EmployeeNumber $JobCode `
	-Office $Office `
	-OfficePhone $OfficePhone `
	-MobilePhone $Mobile `
	-OtherAttributes @{'PhysicianNumber'=$PhysID} `
	-EmailAddress "EmailUnknown@iSupport.invalid" # Dummy address replaced later if Exchange mailbox needed

Open in new window

This ran code ran fine without issue. As you can see the only difference is that there is only a single item for OtherAttributes.
0
 
LVL 7

Assisted Solution

by:Kevin Stanush
Kevin Stanush earned 750 total points
ID: 40212274
Put in your other values for 'OtherAttributes' one by one until the error happens.  This error is usually the result of asking the directory to update something and it violates a constraint, such as trying to put a character into a numeric field, setting a DN field to a non-existent value, trying to set a too-easy password, things like that.

Check the syntax for updating 'otherattributes' too with more than one value so that the command isn't getting mis-intepreted and thereby getting parsed out wrong.
0
Who's Defending Your Organization from Threats?

Protecting against advanced threats requires an IT dream team – a well-oiled machine of people and solutions working together to defend your organization. Download our resource kit today to learn more about the tools you need to build you IT Dream Team!

 
LVL 40

Assisted Solution

by:Subsun
Subsun earned 750 total points
ID: 40213149
If the PhysicianNumber attribute is available in schema the the command you posted should work.. Can you try adding the -Server parameter to specify a DC name to New-ADUser command? Also make sure that you have correct values in input file to replace the variables or test the command using actual values for example..
# Create User
$null = New-ADUser -Server serverDC01 -Name "username1" `
	-DisplayName "Display Name" `
	-GivenName "First" `
	-Initials "MI" `
	-Surname "Last" `
	-Company "Company" `
	-Department "Dept" `
	-Title "Title" `
	-EmployeeID "121121" `
	-EmployeeNumber "21" `
	-Office "Office" `
	-OfficePhone "12112121212" `
	-MobilePhone "011" `
	-OtherAttributes @{'departmentNumber'="112121"; 'PhysicianNumber'="1212121"; 'extensionAttribute2'="1"; 'comment'="INTERACTIVE ACCOUNT"; 'pager'="1212"; 'ipPhone'="121212"} `
	-EmailAddress "EmailUnknown@iSupport.invalid" # Dummy address replaced later if Exchange mailbox needed

Open in new window

0
 
LVL 7

Expert Comment

by:Kevin Stanush
ID: 40213391
Also, verify that one of your values is not too long for the attribute, as that can also trigger this error.  Like Subsun said, test with actual known values to see if the command syntax is all well, then substitute your values.
0
 
LVL 1

Accepted Solution

by:
Cacophony777 earned 0 total points
ID: 40217427
So, I've figured it out. The problem is that unlike the rest of the parameters of the New-ADUser cmdlet, the OtherAttributes parameter does not like empty variables, so I fixed my script with some simple if statements:
$null = New-ADUser -Name $username `
	-UserPrincipalName $upn `
	-DisplayName $DisplayName `
	-GivenName $First `
	-Initials $MI `
	-Surname $Last `
	-Company $Company `
	-Department $Dept `
	-Title $Title `
	-EmployeeID $EmpID `
	-EmployeeNumber $JobCode `
	-Office $Office `
	-OfficePhone $OfficePhone `
	-MobilePhone $Mobile `
	-OtherAttributes @{'extensionAttribute2'="1"; 'comment'="INTERACTIVE ACCOUNT"} `
	-EmailAddress "EmailUnknown@iSupport.invalid" # Dummy address replaced later if Exchange mailbox needed

If ($DeptCode -ne "") {
	Set-ADUser -Identity $username -Add @{'departmentNumber'=$DeptCode}
}
If ($PhysID -ne "") {
	Set-ADUser -Identity $username -Add @{'PhysicianNumber'=$PhysID}
}
If ($Pager -ne "") {
	Set-ADUser -Identity $username -Add @{'pager'=$Pager}
}
If ($Ascom -ne "") {
	Set-ADUser -Identity $username -Add @{'ipPhone'=$Ascom}
}

Open in new window

Thanks everyone for all your pointers - some of them definitely did help point me in the right direction to figure out the issue! Sometimes just bouncing the problem off some others helps get the wheels churning in the right direction :-)
0
 
LVL 1

Author Comment

by:Cacophony777
ID: 40217463
I've requested that this question be closed as follows:

Accepted answer: 0 points for Cacophony777's comment #a40217427

for the following reason:

Figured it out on my own...
0
 
LVL 40

Expert Comment

by:Subsun
ID: 40217464
In my comment #a40213149 I did recommend you to check the input file and make sure that you have correct values to replace the variables or test the command using actual values.. So, I think it deserve assist points for pointing to the right direction..:-)
0

Featured Post

Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In the absence of a fully-fledged GPO Management product like AGPM, the script in this article will provide you with a simple way to watch the domain (or a select OU) for GPOs changes and automatically take backups when policies are added, removed o…
Scripts are great for performing batch jobs against users, however sometimes the GUI is all you need.
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

571 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question