PowerShell adding security group to another security group membership

  • Question

  • Hello,

    Just wanted to ask where I am making mistakes, as I just wanted to add a given security group to a different security group's membership.
    Like below:

    [System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic') | Out-Null
    $LocalGroupName = [Microsoft.VisualBasic.Interaction]::InputBox("Enter Local group name", "Collection Name", "$env:CLIENTNAME")
    
    [System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic') | Out-Null
    $GlobalGroupName = [Microsoft.VisualBasic.Interaction]::InputBox("Enter Globabl group name that will be a member of local group", "Collection Name", "$env:CLIENTNAME")
    
    
    # Import the AD module
    Import-Module ActiveDirectory  
    
    New-ADGroup -GroupCategory:"Security" -GroupScope:"Global" -Name:"$LocalGroupName" -Path:"OU=SWD-L-Groups,OU=SoftwareDeployment,OU=Europe,DC=eu,DC=gds,DC=company,DC=com" -SamAccountName:"$LocalGroupName" -Server:"Siteserver.eu.gds.company.com"
    
    
    
    Set-ADGroup -Add:@{'Member'="CN=$GlobalGroupName,OU=SoftwareDeployment,OU=Europe,DC=eu,DC=gds,DC=company,DC=com"} -Identity:"CN=$LocalGroupName,OU=SoftwareDeployment,OU=Europe,DC=eu,DC=gds,DC=company,DC=com" -Server:"Siteserver.eu.gds.company.com"
    
    
    
    


    Basically I am creating a security group and when this security group is created I would like to add another security group to it which already exists.

    I am also using Visual Basic MessageBox to supply the names of the security groups.

    All in all, I am struggling with updating a group membership with another security group.

     

    Thanks for any help or hints.

    Wednesday, November 2, 2016 2:57 PM

Answers

  • Sorry - I was paying too much attention to what was posted and not thinking:

    Here is the fixed version. (Thanks to Richard)

    $path = 'OU=SWD-L-Groups,OU=SoftwareDeployment,OU=Europe,DC=eu,DC=gds,DC=company,DC=com'
    # Resolve the existing group by its full DN, including the SWD-G-Groups OU
    $globalgroup = Get-AdGroup "CN=$GlobalGroupName,OU=SWD-G-Groups,OU=SoftwareDeployment,OU=Europe,DC=eu,DC=gds,DC=company,DC=com"
    # -PassThru returns the new group object so it can be piped to the next cmdlet
    $localgroup = New-ADGroup $LocalGroupName -GroupCategory Security -GroupScope Global -Path $path -PassThru
    $localgroup | Add-ADGroupMember -Members $globalgroup


    \_(ツ)_/

    • Marked as answer by zedrick_one Friday, November 4, 2016 2:16 PM
    Thursday, November 3, 2016 4:03 PM
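
    Added example, not code from any poster in this thread: the accepted approach as a parameterised script that looks the member group up by name inside its OU (the hand-built DN with the wrong OU is what produced "Directory object not found"), refuses to touch an existing group, and pins every call to one DC. The allow-list pattern and the assumption that each group's sAMAccountName equals its CN are mine; the OU paths and server name are the ones quoted in the thread.

```powershell
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess)]
param(
    # Allow-list pattern is an assumption; adjust it to your naming standard.
    [Parameter(Mandatory)][ValidatePattern('^[A-Za-z0-9_-]{1,64}$')]
    [string]$LocalGroupName,
    [Parameter(Mandatory)][ValidatePattern('^[A-Za-z0-9_-]{1,64}$')]
    [string]$GlobalGroupName
)
$ErrorActionPreference = 'Stop'

# Values taken from the thread. Every call is pinned to the same DC, so the
# new group is visible to the next cmdlet without waiting for replication.
$server   = 'Siteserver.eu.gds.company.com'
$localOu  = 'OU=SWD-L-Groups,OU=SoftwareDeployment,OU=Europe,DC=eu,DC=gds,DC=company,DC=com'
$globalOu = 'OU=SWD-G-Groups,OU=SoftwareDeployment,OU=Europe,DC=eu,DC=gds,DC=company,DC=com'

# Find the member group by name inside its OU instead of assembling a DN by
# hand (assumes sAMAccountName equals the CN); a name that is not in that OU
# then fails with an explicit message.
$found = @(Get-ADGroup -Filter "SamAccountName -eq '$GlobalGroupName'" `
        -SearchBase $globalOu -Server $server)
if ($found.Count -ne 1) {
    throw "Expected one group '$GlobalGroupName' under $globalOu, found $($found.Count)."
}

# Never silently reuse an existing group: nesting into it would extend
# whatever access that group already carries.
if (Get-ADGroup -Filter "SamAccountName -eq '$LocalGroupName'" -Server $server) {
    throw "Group '$LocalGroupName' already exists; refusing to modify it."
}

if ($PSCmdlet.ShouldProcess($LocalGroupName, "Create group and add '$GlobalGroupName'")) {
    $localGroup = New-ADGroup -Name $LocalGroupName -SamAccountName $LocalGroupName `
        -GroupCategory Security -GroupScope Global -Path $localOu `
        -Server $server -PassThru
    Add-ADGroupMember -Identity $localGroup -Members $found[0] -Server $server

    # Read the membership back from the same DC as the record of the change.
    Get-ADGroupMember -Identity $localGroup -Server $server |
        Select-Object Name, objectClass, distinguishedName
}
```

    Running the script with -WhatIf performs the two lookups and reports what would be created without changing the directory.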

All replies

  • The parameter names should not end in colons in the cmdlets. It should be -Name "cn=...", rather than -Name:"cn=...", for example.

    Edit: And in PowerShell, you can use the Read-Host cmdlet to ask for user input.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)


    Wednesday, November 2, 2016 3:00 PM
  • Set-AdUser is missing this "}" at the end.

    What is your error message?


    \_(ツ)_/

    Wednesday, November 2, 2016 3:10 PM

  • I am getting:

    Set-ADGroup : Directory object not found
    At C:\Users\xlq12547\Desktop\Create AD Local Securuty Group.ps1:18 char:1
    + Set-ADGroup -Add:@{'Member'="CN=$GlobalGroupName,OU=SoftwareDeployment,OU=Europe ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : ObjectNotFound: (CN=EUXX04-L-SWD...anasonic,DC=com:ADGroup) [Set-ADGroup], ADIdentityNotFoundException
        + FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException,Microsoft.ActiveDirectory.Management.Commands.SetADGroup

    Looks like a syntax error?
    BTW, the group that I am referring to in $GlobalGroupName already exists in the proper OU.
    Wednesday, November 2, 2016 3:28 PM
  • Did you actually read the error message? It is pretty explicit as to what your problem is.


    \_(ツ)_/

    Wednesday, November 2, 2016 3:35 PM
  • The other factor is that you might need a delay between creating the group object and adding it to another group. If using -Add:@{'Member'="cn=..."} is allowed, instead of -Add {Member="cn=..."}, then that is news to me.

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Wednesday, November 2, 2016 3:40 PM
  • Delay not needed here.

    Use this method and all will be resolved:

    $path = 'OU=SWD-L-Groups,OU=SoftwareDeployment,OU=Europe,DC=eu,DC=gds,DC=company,DC=com'
    $localgroup = New-ADGroup $LocalGroupName -GroupCategory Security -GroupScope Global -Path $path -PassThru
    $globalgroup = Get-AdGroup "CN=$GlobalGroupName,OU=SoftwareDeployment,OU=Europe,DC=eu,DC=gds,DC=company,DC=com"
    $localgroup | Set-ADGroup -Member $globalgroup
    


    This will help you to see the error message in a way that may help understand.


    \_(ツ)_/




    • Edited by jrv Wednesday, November 2, 2016 3:57 PM
    Wednesday, November 2, 2016 3:46 PM
  • Thanks for the hint.
    Looks like I missed the path of the group location which should be like:

    eu.gds.company.com/Europe/SoftwareDeployment/SWD-G-Groups

    and I was referring to the below:

    CN=$GlobalGroupName,OU=SoftwareDeployment,OU=Europe,DC=eu,DC=gds,DC=company,DC=com
    so I guess it should be like below?

    "CN=$GlobalGroupName,OU=SWD-G-Groups,OU=SoftwareDeployment,OU=Europe,DC=eu,DC=gds,DC=company,DC=com"



    Wednesday, November 2, 2016 4:07 PM
  • Many thanks for the reply.

    I followed what was advised, as below:

    [System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic') | Out-Null
    $LocalGroupName = [Microsoft.VisualBasic.Interaction]::InputBox("Enter Local group name", "Collection Name", "$env:CLIENTNAME")
    
    [System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic') | Out-Null
    $GlobalGroupName = [Microsoft.VisualBasic.Interaction]::InputBox("Enter Globabl group name that will be a member of local group", "Collection Name", "$env:CLIENTNAME")
    
    
    
    $path = 'OU=SWD-L-Groups,OU=SoftwareDeployment,OU=Europe,DC=eu,DC=gds,DC=company,DC=com'
    $localgroup = New-ADGroup -SamAccountName $LocalGroupName -GroupCategory Security -GroupScope Global -Path $path
    $globalgroup = Get-AdGroup "$GlobalGroupName,OU=SWD-G-Groups,OU=SoftwareDeployment,OU=Europe,DC=eu,DC=gds,DC=company,DC=com"
    $localgroup | Set-ADGroup -Member $globalgroup


    But I am getting the following errors:

    cmdlet New-ADGroup at command pipeline position 1
    Supply values for the following parameters:
    Name: EUXX04-G-SWD_TESTING
    Get-AdGroup : Cannot find an object with identity:
    'EUXX04-G-SWD_TESTING,OU=SWD-G-Groups,OU=SoftwareDeployment,OU=Europe,DC=eu,DC=gds,DC=company,DC=com' under:
    'DC=eu,DC=gds,DC=company,DC=com'.
    At C:\Users\Xlx12645\Desktop\PS\Create AD Local Securuty Group v2.ps1:13 char:16
    + $globalgroup = Get-AdGroup "$GlobalGroupName,OU=SWD-G-Groups,OU=SoftwareDeployme ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : ObjectNotFound: (EUXX04-G-SWD_TE...mpany,DC=com:ADGroup) [Get-ADGroup], ADIdentityNot
       FoundException
        + FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException,M
       icrosoft.ActiveDirectory.Management.Commands.GetADGroup
    
    Set-ADGroup : A parameter cannot be found that matches parameter name 'Member'.
    At C:\Users\plp73779\Desktop\PS\Create AD Local Securuty Group v2.ps1:14 char:27
    + $localgroup | Set-ADGroup -Member $globalgroup
    +                           ~~~~~~~
        + CategoryInfo          : InvalidArgument: (:) [Set-ADGroup], ParameterBindingException
        + FullyQualifiedErrorId : NamedParameterNotFound,Microsoft.ActiveDirectory.Management.Commands.SetADGroup

    The group below

    EUXX04-G-SWD_TESTING

    already exists in the OU below.

    EUXX04-G-SWD_TESTING,OU=SWD-G-Groups,OU=SoftwareDeployment,OU=Europe,DC=eu,DC=gds,DC=company,DC=com'



    I will have to think over it a bit more.






    • Edited by zedrick_one Wednesday, November 2, 2016 4:30 PM
    Wednesday, November 2, 2016 4:29 PM
  • Use this:

    $path = 'OU=SWD-L-Groups,OU=SoftwareDeployment,OU=Europe,DC=eu,DC=gds,DC=company,DC=com'
    $globalgroup = Get-AdGroup "CN=$GlobalGroupName,OU=SWD-G-Groups,OU=SoftwareDeployment,OU=Europe,DC=eu,DC=gds,DC=company,DC=com"
    $localgroup = New-ADGroup $LocalGroupName -GroupCategory Security -GroupScope Global -Path $path -PassThru
    $localgroup | Add-ADGroupMember -Members $globalgroup

    I was missing the "CN="


    \_(ツ)_/



    • Proposed as answer by Hello_2018 Thursday, November 3, 2016 8:09 AM
    • Edited by jrv Thursday, November 3, 2016 4:02 PM
    Wednesday, November 2, 2016 4:36 PM
  • Many thanks for your reply.

    I went line by line in the AD PowerShell module and I stumbled upon the below:

    PS C:\Users\XnX12579> $locacgroup | Set-ADGroup -Member $globablgroup
    Set-ADGroup : A parameter cannot be found that matches parameter name 'Member'.
    At line:1 char:27
    + $locacgroup | Set-ADGroup -Member $globablgroup
    +                           ~~~~~~~
        + CategoryInfo          : InvalidArgument: (:) [Set-ADGroup], ParameterBindingException
        + FullyQualifiedErrorId : NamedParameterNotFound,Microsoft.ActiveDirectory.Management.Commands.SetADGroup
    I did check via the show-command Set-ADGroup and couldn't find the "Member" parameter.
    Should I use cmdlet Add-AdGroupMember instead?

    Thursday, November 3, 2016 11:21 AM
  • Yes, use the Add-ADGroupMember cmdlet.

    Edit: But the parameter is -Members.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)


    Thursday, November 3, 2016 1:16 PM
  • That was it. Thanks both for your help.
    Friday, November 4, 2016 2:15 PM