I am trying to get a universal security group populated from a list of employeeIDs from a csv that contains both Parent and Child domain employeeIDs. It will populate the universal group if I do not specify a -server for the Get-ADUser (although it will only populate the parent domain members), so as you can see I tried using the Global Catalog server to catch both the Parent and Child domain members but I don’t think this works because I don’t think employeeID is an attribute in GC.
How can I get this code to populate the security group with both parent and child domain user accounts coming from a list of employeeID attributes? Any assistance would be greatly appreciated:
Add-ADGroupMember : Cannot validate argument on parameter 'Members'. The argument is null or empty. Provide an
argument that is not null or empty, and then try the command again.
At C:\Users\st.powershell\Documents\Scripts\ent-supervisors.ps1:17 char:54
+ ... sors -Members ($users | Select-Object -ExpandProperty SamAccountName)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidData: (:) [Add-ADGroupMember], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.ActiveDirectory.Management.Commands.AddADGrou
pMember
It says that the variable $users is empty. Did you check if it's empty or not? It will be better to print some info. And you should be appending to the file when in iteration, else every time it will get overwritten.
Thanks for the reply. $GC is returning “parentdomain:3268”. I made the csv only contain child domain user accounts for testing purposes, as at this point I would just be happy to get child domain members added to the parent domain universal security group. With this code, using a child domain controller for the Get-ADUser, it finds all the child domain user accounts fine:
If I put in -Server “childdomain” in the Add-ADGroupmember line, I then get:
Add-ADGroupmember : Cannot find an object with identity: 'Ent-Supervisors' under:
'childdomain'.
At C:\Users\st.powershell\Documents\Scripts\ent-supervisors-testing.ps1:21 char:1
+ Add-ADGroupmember -Identity Ent-Supervisors -Server "childdomain. ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Ent-Supervisors:ADGroup) [Add-ADGroupMember], ADIdentityNotFoundExcepti
on
+ FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException,M
icrosoft.ActiveDirectory.Management.Commands.AddADGroupMember
I have verified that the user account I am using is able to manually add/remove child domain user accounts from the parent domain security group, so it is definitely something with the script I don’t have right. Thanks.
You might save yourself some headaches if you just add each user as you find them in your foreach loop.
As well, I find it much easier to use try/catch for error handling rather than just an if check on $user contents; that can cause issues elsewhere.
You still need to solve for getting the user objects from the child domains. The lazy way I’d take, for expediency, is just putting in all of the domains you need to check for users against, and running the same script/input file against each domain.
That worked! It was able to add the child domain members with the loop. Thanks a bunch kvprasoon and david, it may not seem that way but I actually learned quite a bit from your input on this, thanks again.
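The approach the thread converged on (query each domain, add each user inside the loop, wrap it in try/catch, append to a log) is sketched below as an added example; it is not the original poster's script. The domain FQDNs, the CSV path and its `employeeID` column header are assumed placeholders; only the group name comes from the thread.

```powershell
# Assumed names: domain FQDNs, CSV path and the 'employeeID' column header are placeholders.
Import-Module ActiveDirectory

$ParentDomain = 'parent.example.com'                     # domain that holds the universal group
$Domains      = @($ParentDomain, 'child.example.com')    # every domain to search for users
$Group        = 'Ent-Supervisors'
$CsvPath      = '.\supervisors.csv'

function Resolve-EmployeeId {
    param([string]$EmployeeId, [string[]]$Domains)
    # Accept only plain IDs so CSV content cannot alter the -Filter expression.
    if ($EmployeeId -notmatch '^[A-Za-z0-9-]{1,32}$') {
        throw "Rejected employeeID value '$EmployeeId'"
    }
    # Ask a domain controller in each domain directly instead of relying on the Global Catalog.
    $found = @(foreach ($domain in $Domains) {
        Get-ADUser -Filter "employeeID -eq '$EmployeeId'" -Server $domain -ErrorAction Stop
    })
    # An ID must map to exactly one account across all domains before it is granted membership.
    if ($found.Count -ne 1) {
        throw "employeeID '$EmployeeId' matched $($found.Count) accounts"
    }
    return $found[0]
}

$results = foreach ($row in Import-Csv -Path $CsvPath) {
    $id = "$($row.employeeID)".Trim()
    try {
        $user = Resolve-EmployeeId -EmployeeId $id -Domains $Domains
        # Pass the user object (not a SamAccountName string) and write to the group's own domain.
        Add-ADGroupMember -Identity $Group -Members $user -Server $ParentDomain -ErrorAction Stop
        [pscustomobject]@{ EmployeeId = $id; Account = $user.DistinguishedName; Status = 'Added' }
    }
    catch {
        [pscustomobject]@{ EmployeeId = $id; Account = $null; Status = "Failed: $($_.Exception.Message)" }
    }
}

# Keep an audit trail of every attempt; -Append preserves the records of earlier runs.
$results | Export-Csv -Path '.\ent-supervisors-results.csv' -NoTypeInformation -Append
$results | Format-Table -AutoSize
```

Rows that fail validation, match no account, or match more than one account are logged as failures and never reach the group, so the results file doubles as a review list for the group owner.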