Set AD group gidNumber for multiple groups

Hi all, I was hoping you might be able to guide me with my query below.

I have a requirement to create multiple Active Directory groups (and users, but not in this script) where the gidNumber has to be modified (for Linux groups).

I can successfully obtain the GID from the AD Group SID, but I am then unable to pass this to the Set-ADGroup -replace parameter.

Headers (for CSV file):

Name,SamAccountName,Path,DisplayName,Description
Test Group,Test Group,"OU=Groups,DC=HomeDomain,DC=Local",tstgrp,Test Group
Test2 Group,Test2 Group,"OU=Groups,DC=HomeDomain,DC=Local",tstgrp2,Test Group

$GID = foreach ($group in $groups){

    Get-adgroup $group.SamAccountName | select @{l="GID";e={[int]$_.SID.Value.Substring([int]$_.SID.Value.Lastindexof("-")+1)+1000}} | Select -ExpandProperty GID

    Get-adgroup $group.SamAccountName | Set-ADGroup -Replace @{gidNumber="GID"} -Verbose

}

I think it is to do with the @{gidNumber=“GID”} scriptblock but cannot think how to take each GID and then put it into the gidNumber one at a time.

This is the error I get :

Set-ADGroup : The parameter is incorrect
At line:8 char:37
+ Get-adgroup $group.SamAccountName | Set-ADGroup -Replace @{gidNumber="GID"} -Ver ...
+                                     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (CN=Test Group,DC=Homenet,DC=Local:ADGroup) [Set-ADGroup], ADInvalidOperationException
    + FullyQualifiedErrorId : ActiveDirectoryServer:87,Microsoft.ActiveDirectory.Management.Commands.SetADGroup

Any assistance would be very much appreciated.

Out of curiosity, how did you create the $groups variable? Is it from running Get-ADGroup, or from something like a database or CSV file? You don’t need to keep making multiple calls to Get-ADGroup. Assuming that you ran something like $groups = Get-ADGroup -Filter * before the foreach loop, try this:

foreach ($group in $groups) {
    $GID = [int]$group.SID.Value.Substring([int]$group.SID.Value.Lastindexof("-")+1)+1000
    $group | Set-ADGroup -Replace @{gidNumber=$GID} -Verbose
}

Hi Dave,

Thanks for your response, and apologies for missing this part in my original post.

The $Groups variable is as per the following:

$Groups = Import-Csv C:\Scripts\GroupsgidNumber.csv -UseCulture

As per my original post I have specified the CSV header and content.

I only want to set the gidNumber for specific Groups that I have newly created (another part of my script).

Many Thanks.

OK, the code should just need a small update to include a single call to Get-ADGroup, then. Try this:

foreach ($csvEntry in $groups)
{
    try
    {
        $group = Get-ADGroup -Identity $csvEntry.SamAccountName -ErrorAction Stop

        $GID = [int]$group.SID.Value.Substring([int]$group.SID.Value.Lastindexof("-")+1)+1000
    
        $group | Set-ADGroup -Replace @{gidNumber=$GID} -Verbose -ErrorAction Stop
    }
    catch
    {
        # handle error however you like
    }
}

Thanks Dave you are amazing :smiley:
Perfect!
I think I will take a break now :smiley:

Below creates the new groups that are required and then modifies the gidNumber.

$Groups = Import-Csv C:\Scripts\CSVFILE.csv -UseCulture

foreach ($Group in $Groups) {

    New-ADGroup -Name $Group.Name -Description $Group.Description -GroupCategory "Security" -GroupScope "Universal" -DisplayName $Group.displayNamePrintable -Path $Group.Path -SamAccountName $Group.SamAccountName -Verbose

}

foreach ($csvEntry in $groups)
{
    try
    {
        $group = Get-ADGroup -Identity $csvEntry.SamAccountName -ErrorAction Stop

        $GID = [int]$group.SID.Value.Substring([int]$group.SID.Value.Lastindexof("-")+1)+1000

        $group | Set-ADGroup -Replace @{gidNumber=$GID} -Verbose -ErrorAction Stop
    }
    catch
    {
        # handle error however you like
    }
}

Once again many thanks.
Iain

You might be able to consolidate that code even further, eliminating the call to Get-ADGroup. I’m not at home, so I can’t test this code yet, but you can try it:

$Groups = Import-Csv C:\Scripts\CSVFILE.csv -UseCulture
foreach ($csvEntry in $groups)
{
    try
    {
        $group = New-ADGroup -PassThru -Name $csvEntry.Name -Description $csvEntry.Description -GroupCategory "Security" -GroupScope "Universal" -DisplayName $csvEntry.displayNamePrintable -Path $csvEntry.Path -SamAccountName $csvEntry.SamAccountName -Verbose -ErrorAction Stop

        $GID = [int]$group.SID.Value.Substring([int]$group.SID.Value.Lastindexof("-")+1)+1000

        $group | Set-ADGroup -Replace @{gidNumber=$GID} -Verbose -ErrorAction Stop
    }
    catch
    {
        # handle error however you like
    }
}

Edit: Forgot the -PassThru parameter to New-ADGroup

I couldn’t get the following to work, it appears that nothing was being passed to $GID or $Group | Get-Adgroup

$Groups = Import-Csv C:\Scripts\CSVFILE.csv -UseCulture
foreach ($csvEntry in $groups)
{
    try
    {
        $group = New-ADGroup -PassThru -Name $csvEntry.Name -Description $csvEntry.Description -GroupCategory "Security" -GroupScope "Universal" -DisplayName $csvEntry.displayNamePrintable -Path $csvEntry.Path -SamAccountName $csvEntry.SamAccountName -Verbose -ErrorAction Stop

        $GID = [int]$group.SID.Value.Substring([int]$group.SID.Value.Lastindexof("-")+1)+1000

        $group | Set-ADGroup -Replace @{gidNumber=$GID} -Verbose -ErrorAction Stop
    }
    catch
    {
        # handle error however you like
    }
}

Whereas modifying it to the below worked perfectly (it works with and without specifying a variable in front of New-ADGroup, i.e. $NewGroup = New-ADGroup).

$Groups = Import-Csv C:\PSInput\MQUser\MQGroups.csv -UseCulture

foreach ($CSVEntry in $Groups ) 
{
    try
    {
        New-ADGroup -Name $CSVEntry.Name -Description $CSVEntry.Description -GroupCategory Security -GroupScope Universal -DisplayName $CSVEntry.DisplayNamePrintable -Path $CSVEntry.Path -SamAccountName $CSVEntry.SamAccountName -Verbose -ErrorAction Stop

        $Group = Get-ADGroup -Identity $CSVEntry.SamAccountName -ErrorAction Stop

        $GID = [int]$Group.SID.Value.Substring([int]$Group.SID.Value.Lastindexof("-")+1)+1000

        $Group | Set-ADGroup -Replace @{gidNumber=$GID} -Verbose -ErrorAction Stop
    }
    catch
    {
        # Handle error however you like
    }
}
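
An added example, not part of any post in this thread: the same RID + 1000 derivation with the checks the loops above leave out, namely SID validation, a 32-bit range guard, a lookup for an existing holder of the same gidNumber, and a catch block that reports the failing entry. ConvertTo-GidNumber and Set-UniqueGidNumber are hypothetical helper names; the CSV path is the one used in the thread.

```powershell
# Added example; requires the ActiveDirectory module (RSAT).
# ConvertTo-GidNumber and Set-UniqueGidNumber are hypothetical helper names.
function ConvertTo-GidNumber {
    param(
        [Parameter(Mandatory)][string]$Sid,
        [int]$Offset = 1000    # the thread's RID + 1000 convention
    )
    # Parsing through SecurityIdentifier rejects malformed SID strings early.
    $parsed = [System.Security.Principal.SecurityIdentifier]::new($Sid)
    $rid = [uint32](($parsed.Value -split '-')[-1])
    # gidNumber holds a signed 32-bit integer, so refuse values that overflow.
    $gid = [int64]$rid + $Offset
    if ($gid -gt [int]::MaxValue) { throw "GID $gid derived from $Sid exceeds Int32" }
    [int]$gid
}

function Set-UniqueGidNumber {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)]$Group)    # ADGroup object from Get-ADGroup

    $gid = ConvertTo-GidNumber -Sid $Group.SID.Value
    # Any other object already holding this gidNumber would be the same
    # POSIX group to a Linux client, so stop instead of writing a duplicate.
    $holders = @(Get-ADObject -LDAPFilter "(gidNumber=$gid)" -ErrorAction Stop |
        Where-Object { $_.DistinguishedName -ne $Group.DistinguishedName })
    if ($holders.Count -gt 0) {
        throw "gidNumber $gid is already set on $($holders.DistinguishedName -join '; ')"
    }
    if ($PSCmdlet.ShouldProcess($Group.DistinguishedName, "Set gidNumber to $gid")) {
        Set-ADGroup -Identity $Group -Replace @{ gidNumber = $gid } -ErrorAction Stop
    }
    $gid
}

# Dry run over the CSV used in the thread; remove -WhatIf to write the values.
foreach ($csvEntry in Import-Csv C:\Scripts\CSVFILE.csv -UseCulture) {
    try {
        $group = Get-ADGroup -Identity $csvEntry.SamAccountName -ErrorAction Stop
        $gid = Set-UniqueGidNumber -Group $group -WhatIf
        Write-Output "$($group.SamAccountName): gidNumber $gid"
    }
    catch {
        # Report the failing entry instead of silently swallowing the error.
        Write-Warning "$($csvEntry.SamAccountName): $($_.Exception.Message)"
    }
}
```

RIDs are unique only within one domain, and the lookup above searches the current domain, so a multi-domain forest needs the check repeated per domain.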