AD Groups: Creation and Updating

I am new to powershell and have been working on a script that will create, mail-enable, and populate several Universal Distribution groups based on various fields of the user’s AD object (roughly 11,000 users and 2 dozen groups). Being a world-wide company means that a user might need to be in one group today, but in a different (mutually-exclusive) group tomorrow (for example, you can’t work in two countries at the same time).

In a nutshell, I need to check to see if the group exists, if it doesn’t I need to create it and add the current user to it. If it does exist, I want to empty the group and then add users to it (this ensures I don’t end up with people in mutually exclusive groups).

There is a VB script in place right now that takes a minimum of 4.5 hours to run every night and I am attempting to redo the script in powershell (both because it will be faster, and as a learning tool for me). Below is an excerpt:

   $objCountryGroup = get-ADGroup -filter {samaccountname -eq $strCountryGroupName} -properties extensionAttribute1
   if ($objCountryGroup -eq $null) {
      $objCountryGroup = new-ADGroup -name $strCountryGroupName -samaccountname $strCountryGroupName -groupcategory Distribution -groupscope Universal -displayname $strCountryGroupName -description ("Auto Created - " + (get-date)) -path ("ou=xxxxx,ou=xxxxx,dc=xxxxx,dc=xxxxx") -otherattributes @{'extensionAttribute1'="No"} -passthru
      enable-distributiongroup $strCountryGroupName
   }
   add-ADGroupMember -identity $objCountryGroup -member $objUser

The enable-distributiongroup statement fails every time the code runs with the error “the object does not exist”. The add-ADGroupMember statement also fails the first few iterations and then suddenly starts to work.

I thought the -passthru parameter on the new-ADGroup statement would have resolved this, but it didn’t (I assumed that since it passes the created group back as an object that the group must therefore have been created - how wrong an assumption that is!).

I have the code functioning properly now as follows:

   $objCountryGroup = get-ADGroup -filter {samaccountname -eq $strCountryGroupName} -properties extensionAttribute1
   if ($objCountryGroup -eq $null) {
      $objCountryGroup = new-ADGroup -name $strCountryGroupName -samaccountname $strCountryGroupName -groupcategory Distribution -groupscope Universal -displayname $strCountryGroupName -description ("Auto Created - " + (get-date)) -path ("ou=xxxxx,ou=xxxxx,dc=xxxxx,dc=xxxxx") -otherattributes @{'extensionAttribute1'="No"} -passthru
      while ((get-ADGroup -filter {samaccountname -eq $strCountryGroupName} -properties extensionAttribute1) -eq $null) {
         start-sleep -s 1
      }
      enable-distributiongroup $strCountryGroupName
   }
   add-ADGroupMember -identity $objCountryGroup -member $objUser

The difference is the while loop - which is supposed to sleep until the AD group exists.

Note that the while loop doesn’t actually execute (I tested this with a write-host statement inside it). Also note that removing the -properties parameter from the while’s get-ADGroup condition causes errors.

Am I misunderstanding something with AD group creation in Powershell? Does -passthru actually do what it is supposed to do? Is there, perhaps, a better way to create AD Groups and populate them? Would I be smarter to build an array of arrays of users first and then build my groups?
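The nightly procedure described in the question (check whether the group exists, create and mail-enable it if not, then make its membership match the users' attributes so nobody stays in two mutually exclusive groups) can be written so that every call goes to the same domain controller and so that only changed memberships generate writes. The following is an added example, not the poster's script: it assumes the country lives in the user's `co` attribute, that groups are named `DL-Country-<co>`, that `$GroupOU` is a placeholder you replace with your own OU, and that `Enable-DistributionGroup` is available (Exchange Management Shell or an imported remote Exchange session).

```powershell
# Added example, not the original poster's script. Assumptions: the country is in the
# user's 'co' attribute, groups are named 'DL-Country-<co>', $GroupOU is a placeholder
# for your OU, and Enable-DistributionGroup is available in this session.
Import-Module ActiveDirectory

$GroupOU = 'OU=DistributionGroups,DC=example,DC=com'    # placeholder, replace with your OU

# Discover one writable DC running ADWS and use it for every call. The AD module
# and the Exchange cmdlets otherwise choose DCs independently, so a group created
# on one DC may not exist yet on the DC that the next cmdlet talks to.
$Dc = (Get-ADDomainController -Discover -Writable -Service ADWS).HostName | Select-Object -First 1

# Step 1: derive the desired membership of every group from a single user query.
# Each user lands in exactly one list, which is what makes the groups mutually exclusive.
$desired = @{}
Get-ADUser -Server $Dc -Filter 'Enabled -eq $true -and co -like "*"' -Properties co |
    ForEach-Object {
        $groupName = 'DL-Country-' + ($_.co -replace '[^A-Za-z0-9]', '')
        if (-not $desired.ContainsKey($groupName)) {
            $desired[$groupName] = [System.Collections.Generic.List[string]]::new()
        }
        $desired[$groupName].Add($_.DistinguishedName)
    }

function Set-ExclusiveGroupMembership {
    param(
        [Parameter(Mandatory)] [string]   $Name,
        [Parameter(Mandatory)] [string[]] $MemberDn,
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string]   $Server
    )
    $group = Get-ADGroup -Server $Server -Filter "samAccountName -eq '$Name'"
    if (-not $group) {
        $group = New-ADGroup -Server $Server -Name $Name -SamAccountName $Name `
            -GroupCategory Distribution -GroupScope Universal -Path $Path `
            -DisplayName $Name -Description ('Auto Created - ' + (Get-Date -Format s)) -PassThru
        # Same DC as New-ADGroup, so no replication wait is needed before mail-enabling.
        Enable-DistributionGroup -Identity $group.DistinguishedName -DomainController $Server
    }

    # Step 2: make the real membership equal the desired set. Reading the 'member'
    # attribute directly avoids Get-ADGroupMember's default 5000-entry result limit.
    $current = @((Get-ADGroup -Server $Server -Identity $group -Properties member).member)
    $want = [System.Collections.Generic.HashSet[string]]::new([string[]]$MemberDn, [System.StringComparer]::OrdinalIgnoreCase)
    $have = [System.Collections.Generic.HashSet[string]]::new([string[]]$current,  [System.StringComparer]::OrdinalIgnoreCase)
    $toAdd    = @($want | Where-Object { -not $have.Contains($_) })
    $toRemove = @($have | Where-Object { -not $want.Contains($_) })

    # Diffing instead of emptying the group each night means an unchanged group causes
    # no writes, and a user who changed country is removed from the old group and added
    # to the new one in the same run.
    if ($toRemove.Count) { Remove-ADGroupMember -Server $Server -Identity $group -Members $toRemove -Confirm:$false }
    if ($toAdd.Count)    { Add-ADGroupMember    -Server $Server -Identity $group -Members $toAdd }

    [pscustomobject]@{ Group = $Name; Members = $want.Count; Added = $toAdd.Count; Removed = $toRemove.Count }
}

foreach ($name in $desired.Keys) {
    Set-ExclusiveGroupMembership -Name $name -MemberDn $desired[$name] -Path $GroupOU -Server $Dc
}
```

Two points worth checking before running this against 11,000 users: the account running it needs write access to the group objects in `$GroupOU` and the Exchange role needed by `Enable-DistributionGroup`, and if a single `Add-ADGroupMember` call with thousands of DNs turns out to be slow or to fail in your environment, split `$toAdd` into batches of a few hundred.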

Hi :)

As a note, the whole “$objVariable” “$strVariable” naming convention for variables isn’t used much anymore; in PowerShell, everything’s an object already. There’s no “simple string” like there was in VBS.

Anyway.

What you may be running into is simple processing delay on the domain controller. Typically, if you run New-ADGroup and it doesn’t return an error (assuming you’re not suppressing them), then it worked, and -passthru should make it emit that new group object to the pipeline. Have you ever done any checking to see what $objCountryGroup actually contains after New-ADGroup completes? That seems to be where you’re stuck, right? You’re not getting a group object back?

yeah…the “objVariable” stuff is left over from losing marks way back when in a VB6 course…and wow, how I hated having to name variables like that :)

Anyways…yes…the problem seems to be a delay. $objCountryGroup is null unless I have the while loop in place…and as mentioned, the while loop doesn’t actually execute - which I have found to be extremely weird.
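Where a delay like the one discussed in the replies above is suspected, the useful check is whether the new object is visible on every domain controller, not just on the one the AD module happened to write to; a `while` loop that queries the same DC the object was created on returns immediately, while an Exchange cmdlet that picks a different DC can still fail with "object does not exist" until replication has caught up. The following is an added example, not code from the thread: a bounded wait that polls all DCs in the domain and gives up after a timeout instead of looping forever. The function name and parameters are this example's own.

```powershell
# Added example, not from the thread. Polls every DC in the domain until the group
# is visible on all of them, or until a timeout expires. Use it before a cmdlet that
# cannot be pinned to the DC the object was created on.
Import-Module ActiveDirectory

function Wait-ADGroupReplicated {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [int] $TimeoutSeconds = 120,
        [int] $PollSeconds    = 2
    )
    $dcs      = (Get-ADDomainController -Filter *).HostName
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        # Collect the DCs on which the group is not (yet) readable.
        $missing = foreach ($dc in $dcs) {
            try {
                $g = Get-ADGroup -Server $dc -Filter "samAccountName -eq '$SamAccountName'" -ErrorAction Stop
                if (-not $g) { $dc }
            } catch {
                # DC unreachable or ADWS not answering: treat as not yet confirmed.
                $dc
            }
        }
        if (-not $missing) { return $true }
        Write-Verbose ('{0} not yet visible on: {1}' -f $SamAccountName, ($missing -join ', '))
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)

    Write-Warning ('Timed out after {0}s; {1} still missing on: {2}' -f $TimeoutSeconds, $SamAccountName, ($missing -join ', '))
    return $false
}

# Usage: only mail-enable once every DC can see the group, and fail loudly otherwise.
$groupName = 'DL-Country-Example'   # placeholder
if (Wait-ADGroupReplicated -SamAccountName $groupName -Verbose) {
    Enable-DistributionGroup -Identity $groupName
} else {
    throw "Group $groupName did not replicate to all DCs within the timeout"
}
```

Waiting for convergence across all DCs is the slow, belt-and-braces option; the cheaper fix is to pass the same DC to the AD cmdlets (`-Server`) and to the Exchange cmdlets (`-DomainController`) so that reads and writes land on one directory and no wait is needed at all. Run the function with `-Verbose` once and the DC list it prints will tell you which DC is lagging.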