Exchange-Shell "New-RoleGroup -RecipientOrganizationalUnitScope" throws error "OU not found", despite target exists

  • Question

  • Hi there,

    we're experiencing some weird error, trying to create multiple rolegroups via PowerShell/ExchangeShell...

    Everything's just fine - except for one parameter:
    precisely "New-RoleGroup -RecipientOrganizationalUnitScope" throws an error "OU not found" despite the target OU exists within AD.

    Running our script without limitation of the write scope (the parameter "RecipientOrganizationalUnitScope"), creates exactly the desired kind of rolegroups (Name, Description, Roles, Members, ManagedBy).

    Manually using fixed parameters instead of variables, leads to the exact same error.

    Whereas assigning the desired "RecipientOrganizationalUnitScope" via ECP works perfectly.

    Any solutions, ideas, hints or comments are very welcome!

    For the sake of completeness - the script we are using:
    (Group- and OU-names start with a five digit number)

    $Admins_Groups = Get-ADGroup -Identity Local_Admin_Group |`
                         Get-ADGroupMember | Where{$_.objectClass -eq "group"}
    
    Add-PSSnapin Microsoft.Exchange.Management.Powershell.SnapIn
    
    
    foreach ($Admins_Group in $Admins_Groups)
             {
              $Msx_Admins = $Admins_Group.Name.Substring(0,5) + "_msx_Admins"
              
              if(Get-ADGroup -Filter {Name -eq $Msx_Admins})
                {
                 Write-Host $Msx_Admins already exists -ForegroundColor Green
                 }
              else
                {
                 Write-Host creating new rolegroup $Msx_Admins -ForegroundColor Yellow
                 
                 $Msx_Admins_WriteScope = "Domain.local/OU/" + $Admins_Group.Name.Substring(0,5)
                 
                 New-RoleGroup -Name $Msx_Admins `
                               -Description "Die Mitglieder dieser Verwaltungsrollengruppe..." `
                               -RecipientOrganizationalUnitScope $Msx_Admins_WriteScope `
                               -Roles "Distribution Groups", "Mail Recipient Creation", "Mail Recipients" `
                               -Members $Admins_Group.name `
                               -ManagedBy "Organization Management"
                 }
              }

    Kind regards

    TechnikSC885

    Tuesday, July 16, 2019 12:12 PM

All replies

  • Hi TechnikSC885,

    From this article, we can know: 

    We should use an OU name for this parameter.

    In your script:

    $Admins_Group.Name.Substring(0,5) → This is your group name, which is contained in Local_Admin_Group
    
    The result of "$Msx_Admins_WriteScope" will be "Domain.local/OU/groupName", such as "Domain.local/OU/group1"

    It isn't a valid OU name, please try removing "$Admins_Group.Name.Substring(0,5)" from it, then make sure there exists an OU called "OU" in your domain:

    $Msx_Admins_WriteScope = "Domain.local/OU/"

    Regards,

    Kyle Xu


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.


    Wednesday, July 17, 2019 2:03 AM
    Moderator
  • Hi Kyle Xu,

    thank you very much for your elaborate answer.

    Unfortunately I'm not sure I'm getting you right.

    The value of $Msx_Admins_WriteScope at runtime is exactly right, as far as I can tell.

    What's more, as mentioned above, typing the given string into the ECP, works just fine.

    Anonymizing the script, I did an awful job regarding readability.

    Our AD-structure is like this:

    domain.local
                "All branch offices"
                                  <Zip-Code>
    

    Each branch office has its own OU named by its Zip-Code, for example "12345", and a local Admin group named "12345_Admins".

    The script then creates a rolegroup "12345_msx_Admins" with "12345_Admins" as members.

    The desired write scope in this example would be "domain.local/All branch offices/12345"


    (It's actually not the zip-code, but another unique five digit number and the whole string doesn't contain any whitespaces)

    Kind regards

    TechnikSC885

    Wednesday, July 17, 2019 9:33 AM
  • Any further ideas?

    Thanks in advance....

    Kind Regards

    TechnikSC885

    Wednesday, July 17, 2019 3:14 PM
  • "Add-PSSnapin Microsoft.Exchange.Management.Powershell.SnapIn"

    That is not supported. You need to use remote Powershell to connect and open a session.

    Wednesday, July 17, 2019 4:56 PM
    Moderator
  • Hi Andy David,

    thank you very much for your comment on supported methods.

    I wasn't aware I was using an unsupported way to call Exchange cmdlets.

    I've tried enclosing the script by

    $UserCredential = Get-Credential

    $Session = New-PSSession -ConfigurationName Microsoft.Exchange `
                             -ConnectionUri http://<server>.domain.local/PowerShell/ `
                             -Authentication Kerberos `
                             -Credential $UserCredential

    Import-PSSession $Session -DisableNameChecking

    <above shown script>

    Remove-PSSession $Session

    instead of "Add-PSSnapin Microsoft.Exchange.Management.Powershell.SnapIn".

    I'm running the script directly on the Exchange server.
    Unfortunately the outcome is exactly the same for all tested scenarios:

    1. directly in the Exchange-Shell
      (without "Add-PSSnapin Microsoft.Exchange.Management.Powershell.SnapIn" for sure)
    2. in a regular PowerShell using "Add-PSSnapin Microsoft.Exchange.Management.Powershell.SnapIn"
    3. in a regular PowerShell using PS-Remoting

    At least I do know by now the error doesn't occur due to an unsupported method.

    Sadly this gets me not the slightest bit closer to solving the initial problem.

    Any further ideas, comments or even wild guesses?

    Kind Regards

    TechnikSC885


    Wednesday, July 17, 2019 7:14 PM
  • What is the detailed error message when you run this script in EMS?

    Could you provide screenshots of the commands below to us?

    $Admins_Groups = Get-ADGroup -Identity Local_Admin_Group | Get-ADGroupMember | Where{$_.objectClass -eq "group"}

    $Admins_Groups

    Then:

    $Msx_Admins_WriteScope = $Admins_Groups.Name.Substring(0,5)

    $Msx_Admins_WriteScope

    Remember to remove private information before posting them there.

    Regards,

    Kyle Xu



    Monday, July 22, 2019 8:22 AM
    Moderator
  • In the meanwhile, I have been completing the task - halfway using the script to create the role groups needed and halfway manually editing their write scope within ECP.

    Since the task is repeated every now and then, I am still interested in solving the initial problem and going all the way by script.

    Therefore, would you kindly take into consideration the variables work exactly as expected.

    It is only the parameter "RecipientOrganizationalUnitScope" constantly leading to an error, whereas the exact same value manually typed into ECP works out perfectly.

    For the sake of completeness:
    run from EMS

    $ZipCode_Admins_Groups = Get-ADGroup -Identity DOMAIN_Local_Admin_Group |`
                         Get-ADGroupMember | Where{$_.objectClass -eq "group"}
    
    foreach ($ZipCode_Admins_Group in $ZipCode_Admins_Groups)
             {
              $ZipCode_msx_Admins = $ZipCode_Admins_Group.Name.Substring(0,5) + "_msx_Admins"
              
              if(Get-ADGroup -Filter {Name -eq $ZipCode_msx_Admins})
                {
                 Write-Host $ZipCode_msx_Admins already exists -ForegroundColor Green
                 }
              else
                {
                 Write-Host creating new rolegroup $ZipCode_msx_Admins -ForegroundColor Yellow
                 
                 $ZipCode_msx_Admins_WriteScope = "DOMAIN.local/All branch offices/" + $ZipCode_Admins_Group.Name.Substring(0,5)
                
                 New-RoleGroup -Name $ZipCode_msx_Admins `
                               -Description "some comment" `
                              <#-RecipientOrganizationalUnitScope $ZipCode_msx_Admins_WriteScope#> `
                               -Roles "Distribution Groups", "Mail Recipient Creation", "Mail Recipients" `
                               -Members $ZipCode_Admins_Group.Name `
                               -ManagedBy "Organization Management"
                 }
              }

    works just fine.

    As requested:

    The second one absolutely makes no sense, since the substring taken from the group name, is just the last organizational unit (a five digit number)!

    Therefore in my script it is:

    $ZipCode_msx_Admins_WriteScope = "DOMAIN.local/All branch offices/" + $ZipCode_Admins_Group.Name.Substring(0,5)

    The error in detail:

    Still willing to clutch at any straw swimming by...

    Kind regards

    TechnikSC885


    Wednesday, July 24, 2019 1:55 PM
  • As I said in the first post, we can only use "OU" name for "-RecipientOrganizationalUnitScope", you cannot use a group for it:

    Regards,

    Kyle Xu



    Monday, July 29, 2019 8:30 AM
    Moderator
  • Hi Kyle Xu,

    I am grateful you spend your time on this subject. Would you mind going one step further reading all my replies really carefully? Thanks in advance!

     

    As mentioned before, I leverage the group name to get the modular part of the desired write scope.

    The five-digit number in the group’s name is exactly the name of my target OU.

    The value of $Msx_Admins_WriteScope at runtime is exactly right, as far as I can tell.


    What's more, as mentioned above, typing the given string into the ECP, works just fine.

    Our AD-structure is like this:

    domain.local
                "All branch offices"
                                  <Zip-Code>

    Each branch office has its own OU named by its Zip-Code, for example "12345", and a local Admin group named "12345_Admins".

    The desired write scope in this example would be "domain.local/All branch offices/12345"

    The string handed over to "New-RoleGroup -RecipientOrganizationalUnitScope" exactly matches the targeted OU - not any group name.

    Kind Regards

    TechnikSC885


    Monday, July 29, 2019 9:31 AM
  • Hi TechnikSC885,

    In this scenario, I would suggest you try to remove circulation from your script, then try to run it only with a specific object. (It looks like manually doing what the script should do.)

    This action will help you narrow down this error; after that you can add circulation for multiple objects.

    Regards,

    Kyle Xu



    Thursday, August 1, 2019 10:28 AM
    Moderator
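
A pre-flight check for the scenario discussed in this thread, as an added example that is not part of any post and is not a confirmed fix: it resolves the branch OU in AD, confirms Exchange can resolve the same OU, passes the distinguished name to `-RecipientOrganizationalUnitScope`, and stops instead of creating a role group with no write scope. Assumptions: the parent OU DN `OU=All branch offices,DC=domain,DC=local` (derived from the placeholder names in the thread), the helper name `Resolve-BranchOu`, and an Exchange session that already has the cmdlets loaded.

```powershell
# Added example; OU path and group names are the placeholders used in the thread.
Import-Module ActiveDirectory

$ParentOu = 'OU=All branch offices,DC=domain,DC=local'   # assumed DN of the parent OU
$Roles    = 'Distribution Groups', 'Mail Recipient Creation', 'Mail Recipients'

function Resolve-BranchOu {
    # Hypothetical helper: map "12345_Admins" to the OU named "12345".
    param([Parameter(Mandatory)][string]$GroupName)

    if ($GroupName -notmatch '^(\d{5})_') {
        throw "Group name '$GroupName' does not start with a five-digit number."
    }
    $ouName = $Matches[1]

    # Look only at direct children of the parent OU and insist on exactly one hit.
    $ou = @(Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" `
                -SearchBase $ParentOu -SearchScope OneLevel -Properties CanonicalName)
    if ($ou.Count -ne 1) {
        throw "Expected one OU named '$ouName' under '$ParentOu', found $($ou.Count)."
    }
    $ou[0]
}

$adminGroups = Get-ADGroup -Identity Local_Admin_Group |
    Get-ADGroupMember | Where-Object { $_.objectClass -eq 'group' }

foreach ($group in $adminGroups) {
    $ou        = Resolve-BranchOu -GroupName $group.Name
    $roleGroup = $ou.Name + '_msx_Admins'
    if (Get-ADGroup -Filter "Name -eq '$roleGroup'") { continue }

    # Confirm Exchange itself can resolve the OU; stop rather than create an unscoped group.
    $exOu = Get-OrganizationalUnit -Identity $ou.DistinguishedName -ErrorAction Stop
    Write-Host "AD canonical name: $($ou.CanonicalName)  Exchange identity: $($exOu.Identity)"

    New-RoleGroup -Name $roleGroup -Description 'some comment' `
        -RecipientOrganizationalUnitScope $ou.DistinguishedName `
        -Roles $Roles -Members $group.Name -ManagedBy 'Organization Management' `
        -ErrorAction Stop | Out-Null

    # Show the scope that was actually stamped on each role assignment.
    Get-ManagementRoleAssignment -RoleAssignee $roleGroup |
        Format-Table Role, RecipientWriteScope, CustomRecipientWriteScope -AutoSize
}
```

If `Get-OrganizationalUnit` fails for an OU that `Get-ADOrganizationalUnit` finds, the mismatch is between what AD holds and what the Exchange session can see, which narrows the "OU not found" error before any role group is created.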