Add-ADGroupMember fails if a member is already in the group

  • Question

  • I am having an issue with the Active Directory module for PowerShell. The issue is... I have a CSV file that contains machine accounts in my Active Directory domain.

    In the command below "a_wirelesspilot" is the name of the group I am trying to modify - and following that are the machine accounts I am trying to add.

    If one of the machine accounts in the domain is already a member of the group, it fails and doesn't add any additional machine accounts that follow it.  

    PS C:\Windows\system32> Add-ADGroupMember a_wirelesspilot 5TN9DT1L$,BGBWCT1L$,8Q4JDT1L$
    PS C:\Windows\system32> Add-ADGroupMember a_wirelesspilot 9CLKDT1L$,7S5CGT1L$,23BWCT1L$,D9R9GT1L$,D72QFT1L$,7FLMRS1L$,5TN9DT1L$,7KFXCT1L$,JQRTFT1L$,HHF7GT1L$
    Add-ADGroupMember : The specified account name is already a member of the group
    At line:1 char:18
    + Add-ADGroupMember <<<<  a_wirelesspilot 9CLKDT1L$,7S5CGT1L$,23BWCT1L$,D9R9GT1L$,D72QFT1L$,7FLMRS1L$,5TN9DT1L$,7KFXCT1L$,JQRTFT1L$,HHF7GT1L$
        + CategoryInfo          : NotSpecified: (a_wirelesspilot:ADGroup) [Add-ADGroupMember], ADException
        + FullyQualifiedErrorId : The specified account name is already a member of the group,Microsoft.ActiveDirectory.Management.Commands.AddADGroupMember

    The problem is with the error handling.  I have tried to add:

    -ea silently continue

    and...

    -ea stop

    to the command and neither works. (same error)  Please advise.

    -Thor Kakar

    Wednesday, January 16, 2013 8:30 PM

Answers

  • OK, so this is what I did. Also, this assumes that your CSV file has the first line called sAMAccountName for the heading, and each entry is the user's sAMAccountName.

    # Import the Active Directory module
    Import-Module ActiveDirectory
    
    # Name of group to work with
    $group = "SomeGroup"
    
    # Get all members of the specified group and add their
    # sAMAccountName to an array
    $members = @()
    Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty sAMAccountName | ForEach-Object{ $members += $_ }
    
    # Now that we have all members of the group, let's get all
    # the users from the csv file
    $users = Import-Csv "C:\somefile.csv"
    
    # Loop through the collection of users, and make sure they
    # do not exist before trying to add them
    ForEach($user in $users) {
      If ($members -notcontains $user.sAMAccountName) {
        Add-ADGroupMember $group $user.sAMAccountName
        # Also add the new member to the $members array
        $members += $user.sAMAccountName
      }
    }


    If you find that my post has answered your question, please mark it as the answer. If you find my post to be helpful in anyway, please click vote as helpful.


    • Edited by clayman2 Wednesday, January 16, 2013 10:09 PM
    • Marked as answer by Yan Li_ Tuesday, January 22, 2013 2:22 AM
    Wednesday, January 16, 2013 10:07 PM
  • You probably can use the -ErrorAction parameter to have the cmdlet ignore errors. I personally use code similar to below to add users identified by sAMAccountName to a specified group. Once you bind to the group object, you can use the IsMember and Add methods exposed by the IADsGroup interface.

    # Specify the group.
    $Group = [ADSI]"LDAP://cn=Test Group,ou=West,dc=MyDomain,dc=com"

    # Use DirectorySearcher.
    $Domain = New-Object System.DirectoryServices.DirectoryEntry
    $Searcher = New-Object System.DirectoryServices.DirectorySearcher
    $Searcher.SearchRoot = $Domain
    $Searcher.PageSize = 200
    $Searcher.SearchScope = "subtree"

    $Searcher.PropertiesToLoad.Add("distinguishedName") > $Null

    # Read user pre-Windows 2000 Names from file.
    $Users = Import-CSV c:\Scripts\Users.csv

    Foreach ($User in $Users)
    {
        $Name = $User.Name
        $Searcher.Filter = "(sAMAccountName=$Name)"
        $Results = $Searcher.FindAll()
        ForEach ($Result In $Results)
        {
            $DN = $Result.Properties.Item("distinguishedName")
            # Check if the user is a member of the group.
            If ($Group.IsMember("LDAP://$DN") -eq $False)
            {
                # Add the user to the group.
                $Group.Add("LDAP://$DN")
            }
        }
    }

    -----



    Richard Mueller - MVP Directory Services

    • Marked as answer by Yan Li_ Tuesday, January 22, 2013 2:22 AM
    Thursday, January 17, 2013 1:24 AM
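
The script in the answer above places each CSV value directly into the filter `(sAMAccountName=$Name)` and adds every search result to the group, so a value containing an LDAP wildcard or parenthesis changes what the filter matches. As an added example (not part of the original post), the following escapes the value per RFC 4515 and accepts a lookup only when exactly one object matches; `ConvertTo-LdapFilterValue` and `Get-SingleAccountDN` are hypothetical names, and the sample values are constructed.

```powershell
# Added example: escape CSV-supplied names before they go into an LDAP filter.

function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory = $true)] [string] $Value)
    # RFC 4515: the characters \ * ( ) and NUL must be written as a
    # backslash followed by their two-digit hex code.
    [regex]::Replace($Value, '[\\*()\x00]', {
        param($m) '\{0:x2}' -f [int][char]$m.Value
    })
}

function Get-SingleAccountDN {
    # Hypothetical helper: returns the DN only when exactly one object matches.
    param(
        [Parameter(Mandatory = $true)] $Searcher,   # a configured DirectorySearcher
        [Parameter(Mandatory = $true)] [string] $Name
    )
    $Searcher.Filter = "(sAMAccountName=$(ConvertTo-LdapFilterValue $Name))"
    $found = @($Searcher.FindAll())
    if ($found.Count -ne 1) {
        Write-Warning "Skipping '$Name': $($found.Count) matches"
        return $null
    }
    $found[0].Properties.Item("distinguishedName")[0]
}

# Constructed sample values, as they might appear in the CSV's Name column.
# This loop only exercises the escaping and needs no directory connection.
foreach ($n in 'jsmith', '5TN9DT1L$', 'ws*', 'lab(01)') {
    '{0,-12} -> (sAMAccountName={1})' -f $n, (ConvertTo-LdapFilterValue $n)
}
```

In the answer's loop, `Get-SingleAccountDN $Searcher $User.Name` would replace the `FindAll()` call, with the `IsMember`/`Add` step run only when a DN is returned.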

All replies

  • You will need to first check to see if the object you are trying to add to the group already exists; if it doesn't, add it, else do nothing.

    Take a look at the Get-ADGroupMember cmdlet



    Wednesday, January 16, 2013 8:45 PM
  • You will need to first check to see if the object you are trying to add to the group already exists; if it doesn't, add it, else do nothing.

    Take a look at the Get-ADGroupMember cmdlet



    I looked at the cmdlet - I don't see anything specific to error handling that will work...example please?
    Wednesday, January 16, 2013 8:53 PM
  • More or less, what you will need to do is create a function that checks to see if the current user is a member of the group; if so, it returns true, otherwise it returns false. Then you can use conditional statements based upon the value returned from the function to add the user to the group if the returned value is false.

    I actually have some functions which do this, but they are at home, not sure if it is the best way, but it works. I am leaving work in a little bit, once I get home, I can try and find them and then post them for you.



    Wednesday, January 16, 2013 9:19 PM
  • You probably can use the -ErrorAction parameter to have the cmdlet ignore errors. I personally use code similar to below to add users identified by sAMAccountName to a specified group. Once you bind to the group object, you can use the IsMember and Add methods exposed by the IADsGroup interface.

    # Specify the group.
    $Group = [ADSI]"LDAP://cn=Test Group,ou=West,dc=MyDomain,dc=com"

    # Use DirectorySearcher.
    $Domain = New-Object System.DirectoryServices.DirectoryEntry
    $Searcher = New-Object System.DirectoryServices.DirectorySearcher
    $Searcher.SearchRoot = $Domain
    $Searcher.PageSize = 200
    $Searcher.SearchScope = "subtree"

    $Searcher.PropertiesToLoad.Add("distinguishedName") > $Null

    # Read user pre-Windows 2000 Names from file.
    $Users = Import-CSV c:\Scripts\Users.csv

    Foreach ($User in $Users)
    {
        $Name = $User.Name
        $Searcher.Filter = "(sAMAccountName=$Name)"
        $Results = $Searcher.FindAll()
        ForEach ($Result In $Results)
        {
            $DN = $Result.Properties.Item("distinguishedName")
            # Check if the user is a member of the group.
            If ($Group.IsMember("LDAP://$DN") -eq $False)
            {
                # Add the user to the group.
                $Group.Add("LDAP://$DN")
            }
        }
    }

    -----



    Richard Mueller - MVP Directory Services

    You can just run the following command before import-csv;

    PS C:\> $ErrorActionPreference = "SilentlyContinue"
    PS C:\> import-csv test.Csv ...

    Wednesday, October 30, 2013 8:42 AM
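
An alternative to changing the error preference for the whole session, as an added example (not code from any poster in this thread): add members one call at a time and record the outcome of each, so that a failure other than "already a member" (an unknown account, access denied) stays visible and the membership change leaves a record. It assumes PowerShell 3.0 or later, the ActiveDirectory module, and a CSV with a sAMAccountName column as in the accepted answer; `Add-GroupMembersWithReport`, the group name and both file paths are placeholders.

```powershell
# Added example: per-member add with an outcome report.
Import-Module ActiveDirectory

function Add-GroupMembersWithReport {
    param(
        [Parameter(Mandatory = $true)] [string]   $Group,
        [Parameter(Mandatory = $true)] [string[]] $SamAccountName
    )

    # Snapshot current membership once, so existing members are skipped
    # without calling Add-ADGroupMember for them at all.
    $existing = @(Get-ADGroupMember -Identity $Group |
                  Select-Object -ExpandProperty SamAccountName)

    foreach ($name in ($SamAccountName | Sort-Object -Unique)) {
        $status = 'Added'
        $detail = ''
        if ($existing -contains $name) {
            $status = 'AlreadyMember'
        }
        else {
            try {
                # One member per call: a failure affects only this entry.
                Add-ADGroupMember -Identity $Group -Members $name -ErrorAction Stop
            }
            catch {
                # Keep the error text instead of discarding it.
                $status = 'Failed'
                $detail = $_.Exception.Message
            }
        }
        [pscustomobject]@{
            Group = $Group; Member = $name; Status = $status; Detail = $detail
        }
    }
}

$names  = Import-Csv 'C:\somefile.csv' | Select-Object -ExpandProperty sAMAccountName
$report = Add-GroupMembersWithReport -Group 'SomeGroup' -SamAccountName $names
$report | Where-Object { $_.Status -eq 'Failed' } | Format-Table -AutoSize
$report | Export-Csv 'C:\group-change-report.csv' -NoTypeInformation
```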
  • OK, so this is what I did. Also, this assumes that your CSV file has the first line called sAMAccountName for the heading, and each entry is the user's sAMAccountName.

    # Import the Active Directory module
    Import-Module ActiveDirectory
    
    # Name of group to work with
    $group = "SomeGroup"
    
    # Get all members of the specified group and add their
    # sAMAccountName to an array
    $members = @()
    Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty sAMAccountName | ForEach-Object{ $members += $_ }
    
    # Now that we have all members of the group, let's get all
    # the users from the csv file
    $users = Import-Csv "C:\somefile.csv"
    
    # Loop through the collection of users, and make sure they
    # do not exist before trying to add them
    ForEach($user in $users) {
      If ($members -notcontains $user.sAMAccountName) {
        Add-ADGroupMember $group $user.sAMAccountName
        # Also add the new member to the $members array
        $members += $user.sAMAccountName
      }
    }




    Thank you.  This worked perfectly!
    Monday, May 11, 2015 7:22 PM