Add-ADGroupMember Problems...

by Zero0ne at 2013-04-16 12:25:14

I guess this being my 1st post, I should probably first introduce myself. My name is Ken and I’ve been working in IT for just about 15 years now. Over the years I’ve dabbled in the dark arts known as scripting … but never beyond an intermediate level. Truth be told, I’ve never really had a need to dive deep into any one particular scripting language… only scratch the surface to get the job that I needed done and then move on. That brings me to my latest scripting adventures and the reason why I’m reaching out for some guidance.

The company I work for is in the final stages of making the move from Exchange to Google Apps. Unfortunately, one of the features we use pretty heavily (Dynamic Distribution Groups) is an Exchange Only feature. As it were, Google does provide a tool (GADS) for syncing distribution groups up with Google Apps, however when we un-install Exchange from our environment we’re going to need to find some solution to replace these. This is where my Power-Shell scripting adventures begin…

The concept of what I’m trying to accomplish is pretty simple…

- Search and filter AD for users that match specific criteria (example: departmentNumber = 10)
- Search and get the membership of a specific group
- Compare these two objects and determine if users need to be added or removed
- Add/Remove users based on the above results

This simulates the Dynamic Distribution Group experience in that the group membership is dynamically updated based on a specific set of search criteria. Now you might think that the hard part would be determining the search filters, but in truth that’s the easy part. They are already identified in the existing Dynamic Distribution Groups. No… unfortunately the difficult part is the adding of users to the group.

I’ve spent so much time reviewing, editing, testing, etc. my existing script that I decided to simplify it to try to narrow down the problem, and this is what has led me to post here. See, our AD forest consists of several child domains where users that could match the search criteria exist. I found that it was adding/removing users of the parent domain (same domain that the group exists in) fine. However, it would throw back some interesting errors for any users it would find that existed in any child domains.

So after looking at the help and hitting a dead end, I created a few posts over on the Technet PowerShell Forums:

- Simulating Dynamic Distribution Groups with PowerShell?
- Add-ADGroupMember : A referral was returned from the server???

I’m still waiting for a response in those threads but have decided to also ask the question here. Below is a simple script that is trying to add a user from a child domain to a distribution group in a parent domain:

$Group1 = Get-ADGroup -Identity "Test-Group"
$User1 = Get-ADUser -Identity test.tw -Server rootdomain.com:3268

Add-ADGroupMember -Identity $Group1 -Members $User1

When I run this I get the following error:

Add-ADGroupMember : The specified group type is invalid
At line:5 char:1
+ Add-ADGroupMember -Identity $Group1 -Members $User1
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (CN=Test-Group…DC=rootdomain,DC=com:ADGroup) [Add-ADGroupMember], ADException
+ FullyQualifiedErrorId : ActiveDirectoryServer]

Just so you can get a feeling for what I’m trying to do:

- The group "Test-Group" exists in the rootdomain.com domain
- The user "test.tw" exists in the childdomain.rootdomain.com domain
- Because the users could exist in ANY domain (root or child) I am directing the Get-ADUser to a GC.

I’ve checked the group type and it’s set to 8, which according to this means it’s "Specifies a group with universal scope." I am truly stumped! Surely I’m not the first person to run into this issue. Any help or thoughts would really be appreciated!

Cheers,
Ken
by ArtB0514 at 2013-04-16 12:40:05
Look at Get-Help Add-ADGroupMember. (I can’t check from here). It’s probable that the parameter name is Member instead of Members (most PowerShell keywords are singular). Then, check what it wants for a value. That’s likely to be a Distinguished Name and not a whole user object.
by Zero0ne at 2013-04-16 12:47:00
Also for your reference… this is the current version of the larger script that I was referring to. I am only posting so that you can see how I am trying to simplify for testing purposes. Of course feedback/suggestions are always welcome.

# Import the ActiveDirectory PowerShell module
Import-Module ActiveDirectory

# Google Dynamic Distribution Group variable. This is the name of the group that will be updated.
$ddgname = Get-ADGroup -Identity "Google-DDG-Test"

# Search Active Directory (via a GC) for the users that should be in the distribution group and save them as $users
$users = Get-ADUser -Filter {extensionAttribute8 -eq 51} -Server rootdomain.com:3268
# List the current members of the distribution group and save them as $group
$group = Get-ADGroupMember $ddgname

# $addusers: users that need to be added to the distribution group (in $users but not in $group)
$addusers = Compare-Object $users $group -Property DistinguishedName | Where-Object {$_.SideIndicator -eq "<="}
# $remusers: users that need to be removed from the distribution group (in $group but not in $users)
$remusers = Compare-Object $users $group -Property DistinguishedName | Where-Object {$_.SideIndicator -eq "=>"}

# Process the users in $addusers and add them to the distribution group
$addusers | ForEach-Object {Add-ADGroupMember -Identity $ddgname -Members $_.DistinguishedName}
# Process the users in $remusers and remove them from the distribution group (prompting before each removal)
$remusers | ForEach-Object {Remove-ADGroupMember -Identity $ddgname -Members $_.DistinguishedName -Confirm}

I have to admit that the error message that this responds back with is different than my simplified version but I thought I’d start with just seeing if it could be done. The error message that this responds back with is:

Add-ADGroupMember : A referral was returned from the server
At line:21 char:29
+ $addusers | ForEach-Object {Add-ADGroupMember -Identity $ddgname -members $_.Dis …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (CN=Google-DDG-T…DC=rootdomain,DC=com:ADGroup) [Add-ADGroupMember], ADReferralException
+ FullyQualifiedErrorId : ActiveDirectoryServer]

I don’t know if this helps or just confuses things more. :-/
by Zero0ne at 2013-04-16 12:49:13
[quote="ArtB0514"]Look at Get-Help Add-ADGroupMember. (I can’t check from here). It’s probable that the parameter name is Member instead of Members (most PowerShell keywords are singular). Then, check what it wants for a value. That’s likely to be a Distinguished Name and not a whole user object.[/quote]

Here is the result:

SYNTAX
Add-ADGroupMember [-Identity] <ADGroup> [-Members] <ADPrincipal> [-AuthType <ADAuthType>] [-Credential <PSCredential>] [-Partition <String>]
[-PassThru [<SwitchParameter>]] [-Server <String>] [-Confirm [<SwitchParameter>]] [-WhatIf [<SwitchParameter>]] [<CommonParameters>]

-Members <ADPrincipal>
Specifies a set of user, group, and computer objects in a comma-separated list to add to a group. To identify each object, use one of the
following property values. Note: The identifier in parentheses is the LDAP display name.

Distinguished Name

Example: CN=SaraDavis,CN=Europe,CN=Users,DC=corp,DC=contoso,DC=com

GUID (objectGUID)

Example: 599c3d2e-f72d-4d20-8a88-030d99495f20

Security Identifier (objectSid)

Example: S-1-5-21-3165297888-301567370-576410423-1103

SAM Account Name (sAMAccountName)

Example: saradavis

You can also provide objects to this parameter directly.

The following examples show how to specify this parameter.

This example specifies a user and group to add by specifying the distinguished name and the SAM Account Name properties.

-Members "CN=SaraDavis,CN=employees,CN=Users,DC=contoso,DC=com", "saradavisreports"

This example specifies a user and a group object that are defined in the current Windows PowerShell session as input for the parameter.

-Members $userObject, $groupObject

The objects specified for this parameter are processed as Microsoft.ActiveDirectory.Management.ADPrincipal objects. Derived types, such as
the following are also received by this parameter.

Microsoft.ActiveDirectory.Management.ADUser

Microsoft.ActiveDirectory.Management.ADComputer

Microsoft.ActiveDirectory.Management.ADServiceAccount

Microsoft.ActiveDirectory.Management.ADGroup

You cannot pass objects through the pipeline to this parameter.


[quote] You cannot pass objects through the pipeline to this parameter.[/quote]

What does that last portion mean??? I need to specify the parameter specifically?
by ArtB0514 at 2013-04-16 13:16:48
That statement says that you cannot pass the Members object to the command through the pipeline. But it’s not important because that’s not what you were trying to do. Also, it says that you CAN pass a complete user object.

But, then again (slap me up the side of my head), I went back and read the error message again. It says: [quote]The specified group type is invalid[/quote] So, that’s a completely different issue. Sorry that I got you off track a bit.

By any chance do you have any GCs that are Windows 2003? There’s an old notice at http://support.microsoft.com/kb/923354 about not being able to add members to universal groups under certain conditions.

Also, try getting the group without using the GC: Get-ADGroup -Filter "GroupScope -eq 'Universal'"
by Zero0ne at 2013-04-16 13:28:17
The plot thickens…

PS C:\Scripts> $Group1.GetType()

IsPublic IsSerial Name BaseType
-------- -------- ---- --------
True False ADGroup Microsoft.ActiveDirectory.Management.ADPrincipal


I’m curious… what’s the significance?.. Off to Google I go :wink:
by Zero0ne at 2013-04-16 13:31:39
According to Google…

[quote]The objects specified for this parameter are processed as Microsoft.ActiveDirectory.Management.ADPrincipal objects. Derived types, such as the following are also received by this parameter.
Microsoft.ActiveDirectory.Management.ADUser
Microsoft.ActiveDirectory.Management.ADComputer
Microsoft.ActiveDirectory.Management.ADServiceAccount
Microsoft.ActiveDirectory.Management.ADGroup[/quote]
Source

Because its name is ADGroup and it’s a derived type… if I understand what I’m reading, all is good on that front… I think?
by ArtB0514 at 2013-04-16 13:34:10
Right.
by Zero0ne at 2013-04-18 08:40:37
OK… so a bit of an update and a lesson for anyone out there that might be stuck in a similar situation. Something you posted and a response over on the TechNet PowerShell forums started me down a path that has led me to the possible issue and a potential solution:

[quote="ArtB0514"]By any chance do you have any GCs that are Windows 2003? There’s an old notice at http://support.microsoft.com/kb/923354 about not being able to add members to universal groups under certain conditions.[/quote]

Basically, all of my DC’s in my lab are 2003 GC’s and all but 2 in my production environment are 2003 GC’s. After reading the above KB article it seems that I might just be suffering from this issue. The 2 that are not are recently promoted DC’s for a new office we just opened up. They are Windows Server 2008 R2 DC’s which are also GC’s. Armed with this info I decided to try to send my queries to that DC.

Import-Module ActiveDirectory

$AdminCredentials = Get-Credential "rootdomain\<enterprise_admin>"

$Group1 = Get-ADGroup -Identity "Google-DDG-Test"
$User1 = Get-ADUser -Identity test.tw -Server rootdomain.int:3268

Add-ADGroupMember -Identity $Group1 -Members $User1 -Credential $AdminCredentials -Server w2k8dc.rootdomain.int


Well, I’ve got to tell you, I almost fell out of my chair when it didn’t spit back an error! I’ve incorporated this into my larger script and, lo and behold, it works! The only drawback is that the W2K8 DCs are located in Munich, Germany and I’m in Ottawa, Canada. The link between our offices is not super fast, but now that I know that the above command DOES work in our environment I’m going to proceed with 2 action items:

- Install the listed hotfix on one of my 2003 DCs to see if this IS the issue.
- Promote a 2008 DC locally to use for the script and to (eventually) replace the existing 2003 DC.

At least with this info I can proceed with the development of my script. I can’t thank you enough for your time and help! I will post an update here if I can validate that the Hotfix that you pointed me to resolves my issue.

Thanks again for helping me through this…

Cheers,
Ken
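The two pieces of this thread, the compare-and-sync loop from the larger script and the targeted -Server/-Credential write that finally worked, combined into one function. This is an added example, not Ken's script or anything posted in the thread. It keeps the thread's names (group Google-DDG-Test, GC rootdomain.int:3268, writable DC w2k8dc.rootdomain.int, filter extensionAttribute8 -eq 51); the service account name is a hypothetical placeholder. It reads the group's raw member attribute instead of calling Get-ADGroupMember, so the current membership is a list of DNs that does not require resolving each cross-domain member, and it refuses to run against a Global group, which cannot hold members from other domains at all.

```powershell
# Added example, not from the original thread. Assumes the group lives in rootdomain.int,
# that w2k8dc.rootdomain.int is a writable DC in that domain, and that the account in
# $Credential has write-member rights on the group (hypothetical account name below).
Import-Module ActiveDirectory

function Sync-DynamicGroup {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string] $GroupName,
        [Parameter(Mandatory = $true)] [string] $Filter,         # Get-ADUser -Filter string, e.g. 'extensionAttribute8 -eq 51'
        [Parameter(Mandatory = $true)] [string] $GlobalCatalog,  # forest-wide search target, e.g. 'rootdomain.int:3268'
        [Parameter(Mandatory = $true)] [string] $WriteServer,    # writable DC in the group's own domain
        [System.Management.Automation.PSCredential] $Credential
    )

    # Connection parameters used for every read/write of the group itself
    $write = @{ Server = $WriteServer }
    if ($Credential) { $write.Credential = $Credential }

    # 1. Group plus its raw 'member' attribute: a list of DNs, no per-member lookups across domains
    $group = Get-ADGroup -Identity $GroupName -Properties member @write
    if ($group.GroupScope -eq 'Global') {
        throw "Group '$GroupName' is Global; members from other domains need Universal (or DomainLocal) scope."
    }
    $current = @($group.member | Where-Object { $_ })

    # 2. Desired membership: forest-wide user search against the GC, reduced to DNs
    $wanted = @(Get-ADUser -Filter $Filter -Server $GlobalCatalog |
                Select-Object -ExpandProperty DistinguishedName)

    # 3. Set difference on DNs (DNs are case-insensitive, so compare lower-cased keys).
    #    Anything currently in the group that the filter does not return is removed,
    #    including nested groups or contacts, which matches a dynamic group's semantics.
    $currentKeys = @{}; foreach ($dn in $current) { $currentKeys[$dn.ToLowerInvariant()] = $true }
    $wantedKeys  = @{}; foreach ($dn in $wanted)  { $wantedKeys[$dn.ToLowerInvariant()]  = $true }
    $toAdd    = @($wanted  | Where-Object { -not $currentKeys.ContainsKey($_.ToLowerInvariant()) })
    $toRemove = @($current | Where-Object { -not $wantedKeys.ContainsKey($_.ToLowerInvariant()) })

    # 4. Apply the changes on the writable DC in the group's domain, passing DNs in one call
    #    per direction. -WhatIf / -Confirm on this function flow through ShouldProcess.
    if ($toAdd.Count -gt 0 -and $PSCmdlet.ShouldProcess($GroupName, "add $($toAdd.Count) member(s)")) {
        Add-ADGroupMember -Identity $group -Members $toAdd -Confirm:$false @write
    }
    if ($toRemove.Count -gt 0 -and $PSCmdlet.ShouldProcess($GroupName, "remove $($toRemove.Count) member(s)")) {
        Remove-ADGroupMember -Identity $group -Members $toRemove -Confirm:$false @write
    }

    # Report what was (or, under -WhatIf, would have been) changed
    [pscustomobject]@{ Group = $GroupName; Added = $toAdd; Removed = $toRemove }
}

# Usage: prompt for the account at run time rather than storing a password in the script.
# 'rootdomain\svc-groupsync' is a hypothetical service account; run with -WhatIf first.
$cred = Get-Credential 'rootdomain\svc-groupsync'
Sync-DynamicGroup -GroupName 'Google-DDG-Test' -Filter 'extensionAttribute8 -eq 51' `
    -GlobalCatalog 'rootdomain.int:3268' -WriteServer 'w2k8dc.rootdomain.int' `
    -Credential $cred -WhatIf
```

Run it with -WhatIf until the Added/Removed lists look right, then drop the switch. The account does not need to be an Enterprise Admin as in the thread's test: delegate "Write Members" on the one group (or its OU) to a dedicated service account and use that, so a compromised sync host or script can only change that group's membership.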
by Zero0ne at 2013-04-18 08:59:17
I’m going to click the [Accept This Answer] button to have this thread marked as solved. But again a huge thanks for your help. I will keep you posted of any updates.