I am new to powershell and have been working on a script that will create, mail-enable, and populate several Universal Distribution groups based on various fields of the user’s AD object (roughly 11,000 users and 2 dozen groups). Being a world-wide company means that a user might need to be in one group today, but in a different (mutually-exclusive) group tomorrow (for example, you can’t work in two countries at the same time).
In a nutshell, I need to check to see if the group exists, if it doesn’t I need to create it and add the current user to it. If it does exist, I want to empty the group and then add users to it (this ensures I don’t end up with people in mutually exclusive groups).
There is a VB script in place right now that takes a minimum of 4.5 hours to run every night and I am attempting to redo the script in powershell (both because it will be faster, and as a learning tool for me). Below is an excerpt:
# Look the group up; $null means it does not exist yet
$objCountryGroup = get-ADGroup -filter {samaccountname -eq $strCountryGroupName} -properties extensionAttribute1
if ($objCountryGroup -eq $null) {
    # Create the group and capture the returned object with -passthru
    $objCountryGroup = new-ADGroup -name $strCountryGroupName -samaccountname $strCountryGroupName `
        -groupcategory Distribution -groupscope Universal -displayname $strCountryGroupName `
        -description ("Auto Created - " + (get-date)) `
        -path ("ou=xxxxx,ou=xxxxx,dc=xxxxx,dc=xxxxx") `
        -otherattributes @{'extensionAttribute1'="No"} -passthru
    # Mail-enable the new group (Exchange cmdlet)
    enable-distributiongroup $strCountryGroupName
}
add-ADGroupMember -identity $objCountryGroup -member $objUser
The enable-distributiongroup statement fails every time the code runs with the error “the object does not exist”. The add-ADGroupMember statement also fails the first few iterations and then suddenly starts to work.
I thought the -passthru parameter on the new-ADGroup statement would have resolved this, but it didn’t (I assumed that since it passes the created group back as an object that the group must therefore have been created - how wrong an assumption that is!).
I have the code functioning properly now as follows:
$objCountryGroup = get-ADGroup -filter {samaccountname -eq $strCountryGroupName} -properties extensionAttribute1
if ($objCountryGroup -eq $null) {
    $objCountryGroup = new-ADGroup -name $strCountryGroupName -samaccountname $strCountryGroupName `
        -groupcategory Distribution -groupscope Universal -displayname $strCountryGroupName `
        -description ("Auto Created - " + (get-date)) `
        -path ("ou=xxxxx,ou=xxxxx,dc=xxxxx,dc=xxxxx") `
        -otherattributes @{'extensionAttribute1'="No"} -passthru
    # Wait until the new group can be read back before mail-enabling it
    while ((get-ADGroup -filter {samaccountname -eq $strCountryGroupName} -properties extensionAttribute1) -eq $null) {
        start-sleep -s 1
    }
    enable-distributiongroup $strCountryGroupName
}
add-ADGroupMember -identity $objCountryGroup -member $objUser
The difference is the while loop - which is supposed to sleep until the AD group exists.
Note that the while loop doesn’t actually execute (I tested this with a write-host statement inside it). Also note that removing the -properties parameter from the while’s get-ADGroup condition causes errors.
Am I misunderstanding something with AD group creation in Powershell? Does -passthru actually do what it is supposed to do? Is there, perhaps, a better way to create AD Groups and populate them? Would I be smarter to build an array of arrays of users first and then build my groups?
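The "object does not exist" symptom above is what you see when the group is written to one domain controller and then read back from another before replication has caught up. The following is an added example, not the poster's code: it pins every call to a single DC (the ActiveDirectory cmdlets' -Server and the Exchange cmdlet's -DomainController), bounds the wait instead of sleeping forever, and reconciles membership by difference rather than emptying and refilling the group, so no user is ever briefly in zero groups and the directory audit trail shows only real adds and removes. It assumes the ActiveDirectory module and the Exchange Management Shell are loaded, and that $strCountryGroupName, $groupOU and $desiredMemberDNs (the distinguished names of the users who should be in this group) are set by the caller.

```powershell
# Added example (not from the original post). Assumed inputs: $strCountryGroupName,
# $groupOU (the target OU DN) and $desiredMemberDNs (array of user DNs).

# Pin all reads and writes to one writable DC so a group created here is not
# looked up on a DC that has not replicated it yet.
$dc = (Get-ADDomainController -Discover -Writable).HostName | Select-Object -First 1
$filter = "SamAccountName -eq '$strCountryGroupName'"

$group = Get-ADGroup -Server $dc -Filter $filter -Properties extensionAttribute1
if ($null -eq $group) {
    $group = New-ADGroup -Server $dc -Name $strCountryGroupName -SamAccountName $strCountryGroupName `
        -GroupCategory Distribution -GroupScope Universal -DisplayName $strCountryGroupName `
        -Description ("Auto Created - " + (Get-Date)) -Path $groupOU `
        -OtherAttributes @{ extensionAttribute1 = 'No' } -PassThru

    # Bounded wait: fail loudly after 30 s instead of looping forever.
    $deadline = (Get-Date).AddSeconds(30)
    while (-not (Get-ADGroup -Server $dc -Filter $filter -ErrorAction SilentlyContinue)) {
        if ((Get-Date) -gt $deadline) { throw "Group $strCountryGroupName not visible on $dc after 30 s" }
        Start-Sleep -Seconds 1
    }

    # Tell Exchange to use the same DC, so it sees the object we just created.
    Enable-DistributionGroup -Identity $group.DistinguishedName -DomainController $dc
}

# Read the current membership from the 'member' attribute rather than
# Get-ADGroupMember, which stops at 5000 members by default.
$current = @((Get-ADGroup -Server $dc -Identity $group -Properties member).member)
$desired = @($desiredMemberDNs)

# Reconcile by difference: only the users whose country changed are touched.
$toAdd    = @($desired | Where-Object { $_ -notin $current })
$toRemove = @($current | Where-Object { $_ -notin $desired })

if ($toAdd.Count    -gt 0) { Add-ADGroupMember    -Server $dc -Identity $group -Members $toAdd }
if ($toRemove.Count -gt 0) { Remove-ADGroupMember -Server $dc -Identity $group -Members $toRemove -Confirm:$false }

Write-Verbose ("{0}: +{1} -{2}" -f $strCountryGroupName, $toAdd.Count, $toRemove.Count)
```

Building the per-group member lists first (one pass over the 11,000 users, grouping DNs by country) and then running this block once per group keeps the directory writes down to the actual changes, which is where most of the 4.5 hours in the old script is likely going.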