Powershell command Distribution group user permissions

  • Question

  • Hello, I am trying to create a script that can be used to create distribution groups; however, I am having a few problems. I am unable to figure out a command to do the things I want.

    I want to add a user to the security tab that has "Full Control" access. The command I was trying to use is something like this:

    Get-DistributionGroup $DLName | Add-ADpermission -extendedrights GenericAll -user $user

    The other problem I am having is assigning the description field some text. Originally I was trying to use something like this, but I would usually get errors with SetInfo and Put:

    $ARNUM.text = some text input earlier in the program
    
    $New = Get-Distributiongroup $DLName
    
    $ADuser = [ADSI]("LDAP://corp.pep.tst/Messaging Resources/Groups/" + $New.DistinguishedName)
    
    $ADuser.Put("description", $ARNUM.Text)
    
    $ADuser.SetInfo()
    
    SetAttribute

    I have exhausted Google searches for these answers. The only condition I have is that I cannot use QAD commandlets.

    Monday, April 18, 2011 7:39 PM


All replies

  • On Mon, 18 Apr 2011 19:39:53 +0000, devinasj wrote:
     
    >Hello, I am trying to create a script that can be used to create distribution groups; however, I am having a few problems. I am unable to figure out a command to do the things I want.
    >
    >I want to add a user to the security tab that has "Full Control" access. The command I was trying to use is something like this:
    >
    >Get-DistributionGroup $DLName | Add-ADpermission -extendedrights GenericAll -user $user
    >
    >The other problem I am having is assigning the description field some text. Originally I was trying to use something like this, but I would usually get errors with SetInfo and Put:
    >
    >$ARNUM.text = some text input earlier in the program
    >
    >$New = Get-Distributiongroup $DLName
    >
    >$ADuser = [ADSI]("LDAP://corp.pep.tst/Messaging Resources/Groups/" + $New.DistinguishedName)
     
    Try this instead:
    $ADuser = [ADSI]("LDAP://corp.pep.tst/$($New.DistinguishedName)")
     
    or just this, if you have only one domain in the forest:
    $ADuser = [ADSI]("LDAP://$($New.DistinguishedName)")
     
    Another thing to keep in mind is that a Distribution Group doesn't
    have a "Description" property, but a group does. I don't think it
    matters in this case, though, because the DN is going to lead you to
    the same AD object.
     
    >$ADuser.Put("description", $ARNUM.Text)
    >$ADuser.SetInfo()
    >
    >I have exhausted Google searches for these answers. The only condition I have is that I cannot use QAD commandlets.
     
    It would be helpful if you also stated what your problem was and on
    which line of code the error happened.
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    Tuesday, April 19, 2011 1:51 AM
  • Well, the original problem was that I would get an execution error regarding Put, SetInfo, and SetAttribute:

    $New = Get-DistributionGroup $DLName
    $ADuser = [ADSI]("LDAP://corp.pep.tst/messaging/groups/$($New.DistinguishedName)")
    $ADuser.Put("description", $ARNUM.Text)
    $ADuser.SetInfo()
    SetAttribute
    

     

    Exception retrieving member "Put": "Unknown error (0x80005000)"
    At D:\Powershell\Create_DL\Create_DL.ps1:993 char:15
    +    $ADuser.Put( <<<< "description", $ARNUM.Text)
    Exception retrieving member "SetInfo": "Unknown error (0x80005000)"
    At D:\Powershell\Create_DL\Create_DL.ps1:994 char:19
    +    $ADuser.SetInfo( <<<< )
    The term 'SetAttribute' is not recognized as a cmdlet, function, operable program, or script file.
    Verify the term and try again.
    At D:\Powershell\Create_DL\Create_DL.ps1:995 char:16
    +    SetAttribute <<<<

     

    I think I'm going to opt to put the description in a custom attribute for the problem above or wait until I can use QAD cmdlets.

    Although the last problem I am having is using this code at the end of a create DL script. If I run the create DL script with this included at the end, I get the below error. However, if I run the create DL script and then, once it is finished, run the following code in the shell window, it assigns permissions just fine.

    I think it has something to do with Get-DistributionGroup vs. Set-DistributionGroup as well as the creation timing. However, this is one of the very last commands to run in the script (the last commands being logging commands).

    foreach ($user in $Owners){
        $tmpDL = Get-DistributionGroup $DLName
        if($error.count -eq 0) {
            $tmpDL | Add-ADPermission -AccessRights GenericAll -user $user
        }
    }
    
    Add-ADPermission : corp.pep.tst/Messaging/Groups/DL - BIS test2 was not found. Please make sure you have typed it correctly.
    At D:\Powershell\Create_DL\Create_DL.ps1:1090 char:31
    +      $tmpDL | Add-ADPermission <<<< -AccessRights GenericAll -user $user



    Wednesday, April 20, 2011 5:42 PM
  • On Wed, 20 Apr 2011 17:42:08 +0000, devinasj wrote:
     
    >
    >
    >Well, the original problem was that I would get an execution error regarding Put, SetInfo, and SetAttribute:
    >$New = Get-DistributionGroup $DLName
    >$ADuser = [ADSI]("LDAP://corp.pep.tst/messaging/groups/$($New.DistinguishedName)")
    >$ADuser.Put("description", $ARNUM.Text)
    >$ADuser.SetInfo()
    >SetAttribute
    >
    >
    >
    >
    > Exception retrieving member "Put": "Unknown error (0x80005000)"
    >At D:\Powershell\Create_DL\Create_DL.ps1:993 char:15
    >+ $ADuser.Put( <<<< "description", $ARNUM.Text)
    >Exception retrieving member "SetInfo": "Unknown error (0x80005000)"
    >At D:\Powershell\Create_DL\Create_DL.ps1:994 char:19
    >+ $ADuser.SetInfo( <<<< )
    >The term 'SetAttribute' is not recognized as a cmdlet, function, operable program, or script file.
    >Verify the term and try again.
    >At D:\Powershell\Create_DL\Create_DL.ps1:995 char:16
    >+ SetAttribute <<<<
     
    Have you verified that $ADUser actually contains what you expect? I'm
    guessing it doesn't.
     
    Since the DN contains the complete location of the object you should
    need only this:
     
    $ADUser = [ADSI]("LDAP://" + $New.DistinguishedName)
     
    Instead of using the ADSI method of setting properties you can use
    this:
     
    $ADUser.psbase.properties.description = $ARNUM.Text
    $ADUser.psbase.commitchanges()
     
    >I think I'm going to opt to put the description in a custom attribute for the problem above or wait until I can use QAD cmdlets.
    >
    >Although the last problem I am having is using this code at the end of a create DL script. If I run the create DL script with this included at the end, I get the below error. However, if I run the create DL script and then, once it is finished, run the following code in the shell window, it assigns permissions just fine.
     
    Ahhh . . . you have more than one DC in the AD site? And the script is
    creating the DL? You probably create the DL on one DC and try to
    update it on another. Use the "-domaincontroller corp.pep.tst"
    parameter on the cmdlet that creates the DL and use the $ADuser =
    [ADSI]("LDAP://corp.pep.tst/messaging/groups/$($New.DistinguishedName)")
    to update it.
     
     
    >I think it has something to do with Get-DistributionGroup vs. Set-DistributionGroup as well as the creation timing. However, this is one of the very last commands to run in the script (the last commands being logging commands).
    >foreach ($user in $Owners){
    > $tmpDL = Get-DistributionGroup $DLName
    > if($error.count -eq 0) {
    > $tmpDL | Add-ADPermission -AccessRights GenericAll -user $user
    > }
    >}
    >Add-ADPermission : corp.pep.tst/Messaging/Groups/DL - BIS test2 was not found. Please make sure you have typed it correctly.
    >At D:\Powershell\Create_DL\Create_DL.ps1:1090 char:31
    >+ $tmpDL | Add-ADPermission <<<< -AccessRights GenericAll -user $user
     
    Use the "-domaincontroller" parameter on the get-distributiongroup AND
    on the add-adpermission cmdlets.
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    Thursday, April 21, 2011 2:30 AM
  • Using -domaincontroller has worked for updating the AD permissions, thank you so much!

    However it seems assigning a value to the description is still giving an error.

    When using the code: 

    $New = Get-DistributionGroup -domaincontroller corp.pep.tst $DLName
    $ADUser = [ADSI]("LDAP://" + $New.DistinguishedName)
    $ADuser.psbase.Properties.Description = $ARNUM.Text
    $ADuser.psbase.commitchanges()

    I get the error: 

    New PropertyValueCollection cannot be set into a DirectoryEntry PropertyCollection.
    At D:\Powershell\Create_DL.ps1:1016 char:30
    +    $ADuser.psbase.Properties.D <<<< escription = $ARNUM.Text

    I have tried making $ARNUM into a standard string just to see if it would make a difference, but no change there. I researched the error a little and some people were saying that the line

    $ADuser.psbase.Properties.Description = $ARNUM.Text

    should have a .value at the end like this

    $ADuser.psbase.Properties.Description.Value = $ARNUM.Text

    But that just gave me an error about "Value"

    I really appreciate the help on this. Let me know what you think.

     

    Thank you,

    Monday, April 25, 2011 5:41 PM
  • I found a way to make it work using the method that you gave me.

     

    $New = Get-DistributionGroup -domaincontroller $Cfg.DC $DLName
    $ADUser = [ADSI]("LDAP://"+ $Cfg.DC +"/" + $New.DistinguishedName)
    $ADuser.Put("description", $ARNUM.Text)
    $ADuser.SetInfo()
    

    Thank you very much Rich

    Monday, April 25, 2011 9:42 PM
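
The fix the thread converges on, pinning every read and write to one domain controller, is sketched below as an added example; it is not code from any participant. It assumes the Exchange Management Shell; the function name `Set-GroupDescriptionAndOwners` and its parameter names are hypothetical. Because GenericAll is full control over the group object, the function ends by returning the explicit full-control entries so the grant can be logged and reviewed.

```powershell
# Added example; run in the Exchange Management Shell. The function name
# and parameter names are hypothetical, not from the thread.
function Set-GroupDescriptionAndOwners {
    param(
        [Parameter(Mandatory = $true)][string]   $DLName,
        [Parameter(Mandatory = $true)][string]   $DomainController,
        [Parameter(Mandatory = $true)][string]   $Description,
        [Parameter(Mandatory = $true)][string[]] $Owners
    )

    # Read the group from the DC it was created on, so replication
    # latency cannot produce a "was not found" error.
    $dl = Get-DistributionGroup -Identity $DLName `
            -DomainController $DomainController -ErrorAction Stop

    # The DN already holds the full location; the only thing to put in
    # front of it is the server to bind to.
    $path = "LDAP://$DomainController/$($dl.DistinguishedName)"
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists($path)) {
        throw "Cannot bind to $path"
    }
    $entry = [ADSI]$path
    $entry.Put('description', $Description)
    $entry.SetInfo()

    foreach ($owner in $Owners) {
        try {
            # GenericAll is an ActiveDirectoryRights value, so it belongs
            # to -AccessRights, not -ExtendedRights.
            Add-ADPermission -Identity $dl.DistinguishedName -User $owner `
                -AccessRights GenericAll `
                -DomainController $DomainController -ErrorAction Stop | Out-Null
        }
        catch {
            Write-Warning "Grant failed for ${owner}: $($_.Exception.Message)"
        }
    }

    # Return the explicit full-control entries now on the group so the
    # caller can log them and compare them with $Owners.
    Get-ADPermission -Identity $dl.DistinguishedName `
        -DomainController $DomainController |
        Where-Object { -not $_.IsInherited -and
                       ($_.AccessRights -like '*GenericAll*') } |
        Select-Object User, AccessRights, Deny
}
```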