Question
Friday, December 9, 2016 8:44 PM
I want to add a computer to the AD group "TestGroup", but I'm not able to get the job done. I want to be able to do this in the domain I'm currently active and in other domains with which I have a trust relationship. I also don't want to do this with the AD Cmdlets, because they are not available on my servers.
I have already made the code below, but it does not write the information back to the AD.
$Group = 'TestGroup'
$GC = "GC://DC=test1,DC=test,DC=local"
$Server = 'CN=Computer3,OU=Server,DC=test1,DC=test,DC=local'
$objDomain = New-Object System.DirectoryServices.DirectoryEntry($GC)
$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = $objDomain
$objSearcher.Filter = "(&(objectclass=group)(name=$Group))"
$objSearcher.PropertiesToLoad.Add("member")
$Result = $objSearcher.FindAll()
$Test = $Result.GetDirectoryEntry()
$Test.Properties.Item("member")
$Test.Properties["member"].Add($Server)
$Test.Properties.Item("member")
#$Test.CommitChanges()
#$Test.SetInfo()
The result I get is:
0
CN=Computer1,OU=Server,DC=test1,DC=test,DC=local
CN=Computer2,OU=Server,DC=test1,DC=test,DC=local
2
CN=Computer1,OU=Server,DC=test1,DC=test,DC=local
CN=Computer2,OU=Server,DC=test1,DC=test,DC=local
CN=Computer3,OU=Server,DC=test1,DC=test,DC=local
Exception calling "CommitChanges" with "0" argument(s): "The server is unwilling to process the request.
"
At line:18 char:1
+ $Test.CommitChanges()
+ ~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : DotNetMethodException
So it seems to go alright until the last 2 lines. Both SetInfo() and CommitChanges() give me an error.
Does anyone know what I am doing wrong?
Kind regards,
Marco
All replies (8)
Friday, December 9, 2016 9:20 PM ✅Answered | 1 vote
Here is how we would do this:
$groupSamName = 'TestGroup'
$domain = "LDAP://DC=test1,DC=test,DC=local"
$computerPath = 'LDAP://cn=computer1,ou=computers,dc=test ....'
# find the group
$searcher = [adsisearcher]"(samaccountname=$groupSamName)"
$searcher.SearchRoot = [adsi]$domain
$result = $searcher.FindOne()
$group = $result.GetDirectoryEntry()
$group.Add($computerPath)
You cannot use a GC to edit objects, and you just need to use the SearchRoot to specify a connection to a remote domain, as long as there is a trust and you have admin privileges in both domains.
You should use group SamAccountName as Name is not unique.
CommitChanges is not required with "Add".
\(ツ)_/
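A fuller version of the approach in the answer above, as an added example that is not part of the original thread: it resolves both objects by sAMAccountName over LDAP://, escapes the values placed in the filter, checks group scope before a cross-domain add, and confirms the membership afterwards. The function names are hypothetical, and the check assumes a global group only accepts members from its own domain.

```powershell
# Added example; function names are hypothetical, values in the usage line come from the question.
function ConvertTo-LdapFilterValue([string]$Value) {
    # Escape the characters that have meaning inside an LDAP filter (RFC 4515).
    $sb = New-Object System.Text.StringBuilder
    foreach ($c in $Value.ToCharArray()) {
        if ('\*()'.IndexOf($c) -ge 0 -or [int]$c -eq 0) { [void]$sb.AppendFormat('\{0:x2}', [int]$c) }
        else { [void]$sb.Append($c) }
    }
    $sb.ToString()
}

function Find-AdsiObject([string]$DomainDN, [string]$Filter) {
    $searcher = [adsisearcher]$Filter
    # Bind with LDAP://, not GC://: the global catalog is a read-only partial replica.
    $searcher.SearchRoot = [adsi]"LDAP://$DomainDN"
    $hit = $searcher.FindOne()
    if (-not $hit) { throw "No object matches $Filter under $DomainDN" }
    $hit.GetDirectoryEntry()
}

function Add-ComputerToGroupAdsi {
    param(
        [Parameter(Mandatory = $true)][string]$GroupSamName,
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [Parameter(Mandatory = $true)][string]$GroupDomainDN,
        [string]$ComputerDomainDN = $GroupDomainDN
    )
    $g = ConvertTo-LdapFilterValue $GroupSamName
    $c = ConvertTo-LdapFilterValue $ComputerName
    $group    = Find-AdsiObject $GroupDomainDN    "(&(objectCategory=group)(sAMAccountName=$g))"
    # Computer accounts carry a trailing '$' in sAMAccountName.
    $computer = Find-AdsiObject $ComputerDomainDN "(&(objectCategory=computer)(sAMAccountName=$c`$))"

    # groupType bit 0x2 marks a global group, which only accepts members from its own domain.
    $isGlobal = ([int]$group.Properties['groupType'].Value -band 2) -ne 0
    if ($isGlobal -and $ComputerDomainDN -ne $GroupDomainDN) {
        throw "'$GroupSamName' is a global group; use a domain local or universal group for cross-domain members."
    }

    $path = $computer.psbase.Path
    if ($group.psbase.Invoke('IsMember', $path)) { return 'AlreadyMember' }
    $group.Add($path)   # IADsGroup::Add writes to the directory directly; no CommitChanges() call
    if (-not $group.psbase.Invoke('IsMember', $path)) { throw "Membership not confirmed for $path" }
    'Added'
}

# Usage with the names from the question:
# Add-ComputerToGroupAdsi -GroupSamName 'TestGroup' -ComputerName 'Computer3' -GroupDomainDN 'DC=test1,DC=test,DC=local'
```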
Friday, December 9, 2016 9:33 PM
jrv, Thanks for your reply
I receive the errors below when I run your script
The property 'SearchRoot' cannot be found on this object. Verify that the property exists and can be set.
At line:9 char:1
+ $searcher.SearchRoot = [adsi]$domain
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : PropertyAssignmentException
Method invocation failed because [System.String] does not contain a method named 'FindOne'.
At line:10 char:1
+ $result = $searcher.FindOne()
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : MethodNotFound
Exception calling "Add" with "1" argument(s): "The server is unwilling to process the request. (Exception from HRESULT: 0x80072035)"
At line:13 char:1
+ $group.Add($computerPath)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : CatchFromBaseAdapterMethodInvokeTI
Regards,
Marco
Friday, December 9, 2016 9:36 PM
Type this:
[adsi]
and then this
$psversiontable
\(ツ)_/
Friday, December 9, 2016 9:44 PM
jrv,
here are the results
IsPublic IsSerial Name BaseType
True False DirectoryEntry System.ComponentModel.Component
Name Value
PSVersion 4.0
WSManStackVersion 3.0
SerializationVersion 1.1.0.1
CLRVersion 4.0.30319.34003
BuildVersion 6.3.9600.16394
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0}
PSRemotingProtocolVersion 2.2
marco
Friday, December 9, 2016 9:59 PM
Now copy and paste this:
$searcher = [adsisearcher]"(samaccountname=$groupSamName)"
$searcher.SearchRoot=[adsi]'LDAP://dc=kahlnet,dc=local'
Substitute your group samaccountname (not name) and your domain.
\(ツ)_/
Friday, December 9, 2016 10:07 PM
The property 'SearchRoot' cannot be found on this object. Verify that the property exists and can be set.
At line:8 char:1
+ $searcher.SearchRoot=[adsi]'LDAP://DC=test1,DC=test,DC=local'
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : PropertyAssignmentException
jrv, I get the same error.
Friday, December 9, 2016 10:12 PM
Looks like you have a corrupt .NET installation.
Type [adsisearcher]
What does it return?
This will also test:
$searcher = [adsisearcher]''
$searcher.SearchRoot = [adsi]''
Copy and paste into PowerShell CLI. Do not try to retype as you may be typing it in wrong.
\(ツ)_/
Friday, December 9, 2016 10:29 PM
jrv,
I have restarted the PowerShell ISE GUI and now the script is working, in my current domain and in the trusted domain.
Thanks a lot,
Marco