How to script adding a contact object to a group

  • Question

  • Hello,

    I am trying to script adding contact objects in AD to security groups.

    Seems that the Add-ADGroupMember command only works with users, computers or groups.

    import-module ActiveDirectory
    $i = get-adobject -identity "CN=William.Smith-wjk02-CONTACT,OU=ITS Contacts,OU=mydomain.com"
    $i | ft
    Add-ADGroupMember "doh.shp.itsusers" $i

    In the above test, I use get-adobject to bind to a specific contact object in AD. I then export it to a full table in the next line, verifying that I actually bound to a valid contact object. When I try to add that contact in the last line, I get "object not found".

    If I change my get-adobject command to bind to a user object, all works fine.

    Is there another way to do this? Thanks.

    Tuesday, August 26, 2014 5:27 PM

Answers

  • Quick and dirty answer from the other thread:

    1. Bind to the group object using [ADSI] type accelerator

    2. Use the group object's Add method to add the contact object

    For example:


    $group = [ADSI] "LDAP://CN=My Group,OU=Groups,DC=fabrikam,DC=com"
    $group.Add("LDAP://CN=My Contact,OU=Contacts,DC=fabrikam,DC=com")
    


    -- Bill Stewart [Bill_Stewart]

    • Marked as answer by Andrew L1233 Wednesday, August 27, 2014 12:33 AM
    Tuesday, August 26, 2014 10:14 PM
    Moderator
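
The answer's technique wrapped in a function, as an added example that is not part of the original thread: it confirms the object really is a contact and is not already a member before calling the group's Add method through [ADSI]. The function name `Add-ContactToGroup` and its parameters are hypothetical, and the sample call reuses the fabrikam.com names from the answer, assuming 'My Group' is the group's sAMAccountName.

```powershell
Import-Module ActiveDirectory

function Add-ContactToGroup {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # sAMAccountName, DN, GUID or SID of the group
        [Parameter(Mandatory = $true)] [string] $GroupIdentity,
        # Distinguished name of the contact object
        [Parameter(Mandatory = $true)] [string] $ContactDN
    )

    # Resolve both objects; -ErrorAction Stop turns "not found" into a terminating error.
    $group   = Get-ADGroup  -Identity $GroupIdentity -ErrorAction Stop
    $contact = Get-ADObject -Identity $ContactDN -Properties memberOf -ErrorAction Stop

    # Refuse anything that is not a contact, so this path cannot be used
    # to put a user or computer into the group by mistake.
    if ($contact.ObjectClass -ne 'contact') {
        throw "'$ContactDN' is a $($contact.ObjectClass), not a contact."
    }

    # Skip existing members: the group's Add method errors on a duplicate.
    if ($contact.memberOf -contains $group.DistinguishedName) {
        Write-Verbose "Already a member: $ContactDN"
        return
    }

    if ($PSCmdlet.ShouldProcess($group.DistinguishedName, "Add contact $ContactDN")) {
        # Same technique as the answer: bind with [ADSI], call Add with an ADsPath.
        # A "/" inside a DN has to be escaped as "\/" in an ADsPath.
        $entry = [ADSI] ("LDAP://" + ($group.DistinguishedName -replace '/', '\/'))
        $entry.Add("LDAP://" + ($contact.DistinguishedName -replace '/', '\/'))
    }
}

# Constructed sample call; -WhatIf reports the change without making it.
Add-ContactToGroup -GroupIdentity 'My Group' `
    -ContactDN 'CN=My Contact,OU=Contacts,DC=fabrikam,DC=com' -WhatIf
```

Drop `-WhatIf` to make the change, and add `-Verbose` to see which contacts were skipped as existing members.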

All replies

  • You are correct. In fact the documentation says it explicitly:

    The Add-ADGroupMember cmdlet adds one or more users, groups, service accounts, or computers as new members of an Active Directory group.

    (Notice that contact objects are not mentioned.)

    You can search for "powershell add contact to group" and find out how to work around this.


    -- Bill Stewart [Bill_Stewart]

    • Proposed as answer by jrv Tuesday, August 26, 2014 6:59 PM
    • Unproposed as answer by Andrew L1233 Tuesday, August 26, 2014 7:57 PM
    Tuesday, August 26, 2014 5:35 PM
    Moderator
  • Contacts cannot be used for security.  Contacts can be added to distribution lists.


    ¯\_(ツ)_/¯

    Tuesday, August 26, 2014 6:59 PM
  • Bill, I did search but haven't found a solution. That's why I decided to post here.

    jrv, I am not trying to add them to a group for security - it's kind of a long story but it has to do with adding users so they sync to another domain and get added to an Office 365 SharePoint Online group.

    I can add the users to a security group manually, but not with that PowerShell command.


    Tuesday, August 26, 2014 7:47 PM
  • You can add a user object but NOT a contact object.  When looking to add objects in ADUC the security group add wizard will not even show you contacts.


    ¯\_(ツ)_/¯

    Tuesday, August 26, 2014 7:59 PM
  • Assuming your group path is correct and the user is a user, this will work.

    $user=Get-AdUser -identity 'CN=William.Smith-wjk02-CONTACT,OU=ITS Contacts,OU=mydomain.com'
    if($user){ 
         Add-ADGroupMember 'doh.shp.itsusers' $user
    }
    
    


    ¯\_(ツ)_/¯

    Tuesday, August 26, 2014 8:01 PM
  • Bill, I did search but haven't found a solution.

    Really? I just searched for "powershell add contact to group" and here is the first result (in fact, it's from this forum):

    http://social.technet.microsoft.com/Forums/scriptcenter/en-US/61f145b0-162f-4afc-90ef-7ca0fefdacf5/



    -- Bill Stewart [Bill_Stewart]

    Tuesday, August 26, 2014 8:16 PM
    Moderator
  • Right, but if you click on a contact, go to member of, you certainly can add that object to a security group.
    Tuesday, August 26, 2014 8:51 PM
  • Bill, I did see that, but it didn't look the same as what I was trying to do. I'm not familiar with many of the commands in the scripts there; I was hoping this was something that could be done natively in PowerShell.

    Tuesday, August 26, 2014 8:56 PM
  • As already stated, Add-ADGroupMember won't let you add a contact to a group. (Unfortunately, wishful thinking does not cause features to spring into existence.)

    However, you can add a contact to a group using the .NET objects. This is "native" PowerShell (and in fact, this was the only way, before others created AD cmdlets to simplify things a bit).


    -- Bill Stewart [Bill_Stewart]

    Tuesday, August 26, 2014 9:01 PM
    Moderator
  • As already stated, Add-ADGroupMember won't let you add a contact to a group. (Unfortunately, wishful thinking does not cause features to spring into existence.)

    However, you can add a contact to a group using the .NET objects. This is "native" PowerShell (and in fact, this was the only way, before others created AD cmdlets to simplify things a bit).


    -- Bill Stewart [Bill_Stewart]

    If you're running Exchange, Add-DistributionGroupMember will let you add a Contact to a mail-enabled security group.


    [string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "

    Tuesday, August 26, 2014 9:05 PM
    Moderator
  • Thanks, guys.
    Wednesday, August 27, 2014 12:33 AM
  • Worked like a charm, Bill. Thanks for the clarification.
    Wednesday, August 27, 2014 12:47 PM