AD Groups: Creation and Updating

This topic contains 2 replies, has 2 voices, and was last updated by  Doug Thompson 4 years ago.

  • #11908

    Doug Thompson
    Participant

    I am new to powershell and have been working on a script that will create, mail-enable, and populate several Universal Distribution groups based on various fields of the user's AD object (roughly 11,000 users and 2 dozen groups). Being a world-wide company means that a user might need to be in one group today, but in a different (mutually-exclusive) group tomorrow (for example, you can't work in two countries at the same time).

    In a nutshell, I need to check to see if the group exists, if it doesn't I need to create it and add the current user to it. If it does exist, I want to empty the group and then add users to it (this ensures I don't end up with people in mutually exclusive groups).

    There is a VB script in place right now that takes a minimum of 4.5 hours to run *every night* and I am attempting to redo the script in powershell (both because it will be faster, and as a learning tool for me). Below is an excerpt:

       $objCountryGroup = get-ADGroup -filter {samaccountname -eq $strCountryGroupName} -properties extensionAttribute1
       if ($objCountryGroup -eq $null) {
          $objCountryGroup = new-ADGroup -name $strCountryGroupName -samaccountname $strCountryGroupName -groupcategory Distribution -groupscope Universal -displayname $strCountryGroupName -description ("Auto Created - " + (get-date)) -path ("ou=xxxxx,ou=xxxxx,dc=xxxxx,dc=xxxxx") -otherattributes @{'extensionAttribute1'="No"} -passthru
          enable-distributiongroup $strCountryGroupName
       }
       add-ADGroupMember -identity $objCountryGroup -member $objUser
    

    The enable-distributiongroup statement fails every time the code runs with the error "the object does not exist". The add-ADGroupMember statement also fails the first few iterations and then suddenly starts to work.

    I thought the -passthru parameter on the new-ADGroup statement would have resolved this, but it didn't (I *assumed* that since it passes the created group back as an object that the group must therefore have been created – how wrong an assumption that is!).

    I have the code functioning properly now as follows:

       $objCountryGroup = get-ADGroup -filter {samaccountname -eq $strCountryGroupName} -properties extensionAttribute1
       if ($objCountryGroup -eq $null) {
          $objCountryGroup = new-ADGroup -name $strCountryGroupName -samaccountname $strCountryGroupName -groupcategory Distribution -groupscope Universal -displayname $strCountryGroupName -description ("Auto Created - " + (get-date)) -path ("ou=xxxxx,ou=xxxxx,dc=xxxxx,dc=xxxxx") -otherattributes @{'extensionAttribute1'="No"} -passthru
          while ((get-ADGroup -filter {samaccountname -eq $strCountryGroupName} -properties extensionAttribute1) -eq $null) {
             start-sleep -s 1
          }
          enable-distributiongroup $strCountryGroupName
       }
       add-ADGroupMember -identity $objCountryGroup -member $objUser
    

    The difference is the while loop – which is supposed to sleep until the AD group exists.

    Note that the while loop doesn't actually execute (I tested this with a write-host statement inside it). Also note that removing the -properties parameter from the while's get-ADGroup condition causes errors.

    Am I misunderstanding something with AD group creation in Powershell? Does -passthru actually do what it is supposed to do? Is there, perhaps, a better way to create AD Groups and populate them? Would I be smarter to build an array of arrays of users first and then build my groups?
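    The routine below is an added example and not Doug's script or anything from the thread. It shows one way to structure the create-or-reset step so that the delay he describes cannot bite: every directory call is pinned to a single domain controller (the PDC emulator, via `-Server` on the AD cmdlets and `-DomainController` on the Exchange cmdlet), so the read that follows the create is answered by the DC that performed the write rather than by a replica that has not received it yet. The wait is bounded and fails loudly instead of looping forever, membership is reset and re-added in one call each, and `SupportsShouldProcess` gives the destructive reset a `-WhatIf`. It assumes the ActiveDirectory module and an Exchange management session are loaded; the OU path, group name and user names are placeholders.

```powershell
# Added example (not the thread's code): create-or-reset a mail-enabled Universal
# Distribution group and populate it, with all directory calls pinned to one DC.
# Assumes: ActiveDirectory module + Exchange management session loaded.
# Placeholders: -TargetOU, group and user names.
Import-Module ActiveDirectory

function Set-CountryGroupMembership {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string]   $GroupName,
        [Parameter(Mandatory)] [string]   $TargetOU,             # e.g. "OU=Groups,DC=example,DC=com" (placeholder)
        [Parameter(Mandatory)] [string[]] $MemberSamAccountNames,
        [string] $Server = (Get-ADDomain).PDCEmulator,           # one DC for every read and write
        [int]    $MaxWaitSeconds = 30
    )

    # Script-block filter with a plain variable: the module expands $GroupName itself,
    # so a name containing quotes cannot break the filter syntax.
    $group = Get-ADGroup -Server $Server -Filter { SamAccountName -eq $GroupName } -Properties extensionAttribute1

    if ($null -eq $group) {
        if ($PSCmdlet.ShouldProcess($GroupName, 'Create distribution group')) {
            $group = New-ADGroup -Server $Server -Name $GroupName -SamAccountName $GroupName `
                -GroupCategory Distribution -GroupScope Universal -DisplayName $GroupName `
                -Description ("Auto Created - " + (Get-Date)) -Path $TargetOU `
                -OtherAttributes @{ extensionAttribute1 = 'No' } -PassThru

            # Bounded wait: give up with an error instead of sleeping indefinitely.
            $deadline = (Get-Date).AddSeconds($MaxWaitSeconds)
            while ($null -eq (Get-ADGroup -Server $Server -Filter { SamAccountName -eq $GroupName } -ErrorAction SilentlyContinue)) {
                if ((Get-Date) -gt $deadline) {
                    throw "Group '$GroupName' not readable on $Server after $MaxWaitSeconds s"
                }
                Start-Sleep -Seconds 1
            }
            # Exchange cmdlet: -DomainController keeps it on the same DC as the AD cmdlets.
            Enable-DistributionGroup -Identity $GroupName -DomainController $Server
        }
    }
    else {
        # Existing group: empty it first so nobody remains in a mutually exclusive group.
        $current = @(Get-ADGroupMember -Server $Server -Identity $group)
        if ($current.Count -gt 0 -and $PSCmdlet.ShouldProcess($GroupName, "Remove $($current.Count) existing members")) {
            Remove-ADGroupMember -Server $Server -Identity $group -Members $current -Confirm:$false
        }
    }

    # Resolve each user by identity (no filter string built from input); report misses
    # instead of silently skipping them, then add all members in a single write.
    $users = @(foreach ($sam in $MemberSamAccountNames) {
        try   { Get-ADUser -Server $Server -Identity $sam -ErrorAction Stop }
        catch { Write-Warning "User not found on ${Server}: $sam" }
    })

    if ($users.Count -gt 0 -and $PSCmdlet.ShouldProcess($GroupName, "Add $($users.Count) members")) {
        Add-ADGroupMember -Server $Server -Identity $group -Members $users
    }
    return $group
}

# Usage with placeholder values; drop -WhatIf to apply the change:
# Set-CountryGroupMembership -GroupName 'DL-Country-CA' -TargetOU 'OU=Groups,DC=example,DC=com' `
#     -MemberSamAccountNames @('jdoe', 'asmith') -WhatIf
```

Two design points worth noting: pinning to one DC removes the race but means that every other DC will still lag until replication catches up, so anything downstream that reads from another DC should expect the same delay; and the per-user `Get-ADUser -Identity` lookups cost one round trip each, which for 11,000 users is acceptable only because the subsequent `Add-ADGroupMember` writes the whole membership in a single call rather than one write per user.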

  • #11909

    Don Jones
    Keymaster

    Hi 🙂

    As a note, the whole "$objVariable" "$strVariable" naming convention for variables isn't used much anymore; in PowerShell, everything's an object already. There's no "simple string" like there was in VBS.

    Anyway.

    What you may be running into is simple processing delay on the domain controller. Typically, if you run New-ADGroup and it doesn't return an error (assuming you're not suppressing them), then it worked, and -passthru should make it emit that new group object to the pipeline. Have you ever done any checking to see what $objCountryGroup actually contains after New-ADGroup completes? That seems to be where you're stuck, right? You're not getting a group object back?

  • #11942

    Doug Thompson
    Participant

    yeah...the "objVariable" stuff is left over from losing marks way back when in a VB6 course...and wow, how I hated having to name variables like that 🙂

    Anyways...yes...the problem seems to be a delay. $objCountryGroup is null unless I have the while loop in place...and as mentioned, the while loop doesn't actually execute – which I have found to be extremely weird.
