Oscar Powers
Add AD User to a Security Group
Hello:
I have a script to create an AD user and add it to its respective security groups. This script works 80% of the time without issues, but sometimes I have the problem that it cannot add the user to his group because it cannot find the recently created user. If I add a delay it fixes the problem. I want to fix it without adding the delay, any suggestions?
function New-OPAdDomainStudent
{
    <#
    .Synopsis
        Short description
    .DESCRIPTION
        Long description
    .EXAMPLE
        Example of how to use this cmdlet
    .EXAMPLE
        Another example of how to use this cmdlet
    #>
    [CmdletBinding()]
    [Alias()]
    [OutputType([int])]
    Param
    (
        $SamAccountName,
        $Surname,
        $FirstName,
        $MiddleName,
        $HomeFolderPath = "\\myd-fileserver.mydomain.com\students$",
        $HomeDrive = "H:",
        $ID,
        $OU = "DOMAIN Students"
    )
    Process
    {
        $EmailSuffix = "@students.mydomain.com"
        $Email = $SamAccountName + $EmailSuffix
        $HomeFolder = Join-Path -Path $HomeFolderPath -ChildPath $SamAccountName
        $OuDn = (Get-ADOrganizationalUnit -Filter {Name -eq $OU}).DistinguishedName
        if ($OuDn -eq $null) {
            log -message "Unable to find OU $OU, exiting" -level Error
            Stop-MPScript
        }
        $Password = "Welcome"
        $EncryptedPassword = ConvertTo-SecureString $Password -AsPlainText -Force
        log -message "Creating account $SamAccountName" -level Info
        try {
            if ($MiddleName -eq "") {
                New-ADUser -SamAccountName $SamAccountName `
                    -Name "$FirstName $Surname" `
                    -DisplayName "$FirstName $Surname" `
                    -UserPrincipalName $Email `
                    -EmailAddress $Email `
                    -AccountPassword $EncryptedPassword `
                    -HomeDirectory $HomeFolder `
                    -HomeDrive $HomeDrive `
                    -GivenName $FirstName `
                    -Surname "$Surname" `
                    -Description $ID `
                    -Path $OuDn `
                    -Enabled $true
            }
            else {
                New-ADUser -SamAccountName $SamAccountName `
                    -Name "$FirstName $MiddleName $Surname" `
                    -DisplayName "$FirstName $MiddleName $Surname" `
                    -UserPrincipalName $Email `
                    -EmailAddress $Email `
                    -AccountPassword $EncryptedPassword `
                    -HomeDirectory $HomeFolder `
                    -HomeDrive $HomeDrive `
                    -GivenName $FirstName `
                    -Surname "$Surname" `
                    -Initials $MiddleName.Substring(0,1) `
                    -Description $ID `
                    -Path $OuDn `
                    -Enabled $true
            }
        }
        catch
        {
            log -message "Could not create AD account" -level Error
            Stop-MPScript
        }
        log -message "AD account $Email has been created successfully" -level Info
        log -message "Adding user $SamAccountName to AD groups" -level Info
        $MemberOf = @("Students")
        # The new object is looked up again here; if this query reaches a different
        # domain controller than the one that handled New-ADUser, it may not exist yet.
        $User = Get-ADUser $SamAccountName
        foreach ($Group in $MemberOf) {
            try {
                Add-ADGroupMember $Group -Members $User
            }
            catch {
                log -message "Unable to add $SamAccountName to the $Group group" -level Error
            }
        }
        ########
        # Create Home Folder and permission
        CreateHomeFolder -HomeFolder $HomeFolder `
            -SamAccountName $SamAccountName
    }
}
That's already integrated with the other enhancements I posted in https://www.experts-exchange.com/questions/29160516/Add-AD-User-to-a-Security-Group.html?anchorAnswerId=42956843#a42956843
ASKER
Adding the server to the script fixes the problem, thanks to Sean and oBdA for your help.
oBdA, thanks for improving my script and showing me the option to use splatting; I will definitely use it here and in future scripts.
ASKER
I did not specify what server to use to create the account. How can I do that? Do you have a sample or a reference?
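The root cause discussed in this thread is a replication race: New-ADUser writes to one domain controller, and the Get-ADUser / Add-ADGroupMember calls that follow may be served by another DC that has not yet replicated the new object. The fix the asker accepted, "adding the server to the script", means passing the same -Server value to every AD cmdlet in the run. The following is an added example written for this page, not the asker's script and not the paywalled expert solutions. It assumes the ActiveDirectory module; the function name, the -InitialPassword and -Server parameters, and the sample call are constructed here, while the "Students" group, the "DOMAIN Students" OU and the e-mail suffix come from the thread. It also uses splatting, as oBdA suggested, and -PassThru so the new object is returned directly instead of being looked up a second time.

```powershell
#Requires -Modules ActiveDirectory

function New-OPAdDomainStudentPinned {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $FirstName,
        [Parameter(Mandatory)] [string] $Surname,
        [string] $MiddleName = '',
        # Hypothetical parameter: the initial password is supplied by the caller as a SecureString
        # rather than being hardcoded in the script.
        [Parameter(Mandatory)] [securestring] $InitialPassword,
        [string[]] $MemberOf = @('Students'),
        [string] $OU = 'DOMAIN Students',
        [string] $EmailSuffix = '@students.mydomain.com',
        # Hypothetical parameter: a specific DC to pin to; if omitted, one writable DC is
        # discovered once and reused for every cmdlet below.
        [string] $Server
    )

    if (-not $Server) {
        # Get-ADDomainController -Discover returns a DC for the current domain; -Writable
        # excludes read-only DCs, which could not accept the New-ADUser write anyway.
        $Server = (Get-ADDomainController -Discover -Writable).HostName | Select-Object -First 1
    }
    Write-Verbose "Pinning all AD operations in this run to $Server"

    # Every query and write below carries the same -Server, so the OU lookup, the account
    # creation and the group membership change all see one consistent directory replica.
    $OuDn = (Get-ADOrganizationalUnit -Server $Server -Filter "Name -eq '$OU'").DistinguishedName
    if (-not $OuDn) { throw "Unable to find OU '$OU' on $Server" }

    # Build the display name from whichever name parts are present (middle name optional).
    $Name  = (@($FirstName, $MiddleName, $Surname) | Where-Object { $_ }) -join ' '
    $Email = $SamAccountName + $EmailSuffix

    # One splatted parameter set replaces the two near-identical New-ADUser calls.
    $userParams = @{
        Server                = $Server
        SamAccountName        = $SamAccountName
        Name                  = $Name
        DisplayName           = $Name
        GivenName             = $FirstName
        Surname               = $Surname
        UserPrincipalName     = $Email
        EmailAddress          = $Email
        Path                  = $OuDn
        AccountPassword       = $InitialPassword
        ChangePasswordAtLogon = $true   # a shared initial password should not outlive first logon
        Enabled               = $true
        PassThru              = $true   # return the created object; no second Get-ADUser needed
    }
    if ($MiddleName) { $userParams['Initials'] = $MiddleName.Substring(0, 1) }

    $User = New-ADUser @userParams

    foreach ($Group in $MemberOf) {
        # Same -Server: the group and the freshly created user are both resolved on the DC
        # that holds the new object, so the "cannot find user" failure cannot occur here.
        Add-ADGroupMember -Server $Server -Identity $Group -Members $User
    }

    return $User
}

# Constructed sample call (prompts for the initial password instead of embedding it):
# $pw = Read-Host -AsSecureString 'Initial password'
# New-OPAdDomainStudentPinned -SamAccountName jdoe -FirstName Jane -Surname Doe -InitialPassword $pw -Verbose
```

Pinning to a single DC removes the need for the sleep the asker mentioned, because no call depends on replication having completed. The trade-off is that the run fails outright if that DC becomes unreachable mid-script, which is the preferable outcome over silently creating an account that never received its group memberships.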