Can't Get Get-AdPrincipalGroupMembership -Identity cmdlet to work


This topic contains 6 replies, has 3 voices, and was last updated 3 weeks, 4 days ago.

  • #114178

    Participant
    Points: 23
    Rank: Member

    Import-Module ActiveDirectory
    $users = Import-Csv -Path "C:\Output\DisableADUsers91718C.csv"
    $DisabledDate = Get-Date
    $LeaveDate = Get-Date -Format "dddd dd MMMM yyyy"
    $DisabledBy = Get-ADUser "$env:username" -properties Mail
    $DisabledByEmail = $DisabledBy.Mail
    $LegalHoldUser = Get-ADuser -Filter * -SearchBase 'ou=LegalHold,dc=xxx,dc=com' -Properties * | Select-object -Expand SamAccountName
    $ADgroups = Get-ADPrincipalGroupMembership -Identity $Users | where { ($_.Name -ne 'Domain Users') -and ($_.Name -ne 'DisabledUsers') }
    $TargetOU = "ou=Disabled Users,dc=xxx,dc=com"

    foreach ($user in $users)
    {
        $SamAccountName = $User.SamAccountName

        Set-ADUser $User.SamAccountName -Description "Disabled by $($DisabledBy.name) on $DisabledDate per Ticket INC0065513"
        If ($LegalHoldUser -contains $SamAccountName)
        {
            Remove-ADPrincipalGroupMembership -Identity $User.SamAccountName -MemberOf $ADgroups -Confirm:$false

            Add-ADGroupMember -Identity "DisabledUsers" -Members $User.SamAccountName

            Disable-ADAccount -Identity $($User.SamAccountname)
        }
        else
        {
            Remove-ADPrincipalGroupMembership -Identity $User.SamAccountName -MemberOf $ADgroups -Confirm:$false

            Add-ADGroupMember -Identity "DisabledUsers" -Members $User.SamAccountName

            Get-AdUser $SamAccountName | Move-ADObject -targetpath $TargetOU

            Disable-ADAccount -Identity $($User.SamAccountname)
        }
    }

  • #114180

    Participant
    Points: 518
    Helping Hand
    Rank: Major Contributor

    @Frederick, you have posted only the code; please describe your issue and the error you get.

    Please also format the code; refer to the links below.

    • #114213

      Participant
      Points: 23
      Rank: Member

      Hi Kvprasoon,

      I'm sorry about that. The issue I'm having is: when I just copy it and paste it into Windows PowerShell, I get this error: Cannot convert ' ' to the type 'Microsoft.ActiveDirectory.Management.ADPrincipal' required by parameter 'Identity'. Specified method is not supported.
      + CategoryInfo : InvalidArgument: (:) [Get-ADPrincipalGroupMembership], ParameterBindingException
      + FullyQualifiedErrorId : CannotConvertArgument,Microsoft.ActiveDirectory.Management.Commands.GetADPrincipalGroupMembership
      + PSComputerName : GGPDC01

      The script itself is supposed to read from a CSV file, compare it to a Legal Hold OU and, if the users match, disable the account, remove all groups except Domain Users, and add the Disabled Users group. If the users in the CSV file don't match the users in the Legal Hold OU, then do all the above, but also move them to the Disabled Users OU. I have 3 SamAccountNames in my CSV file currently, but once I get the script to work, it'll be 1500 SamAccountNames.

  • #114219

    Participant
    Points: 112
    Rank: Participant

    Looks like your issue is at this line.

    $ADgroups = Get-ADPrincipalGroupMembership -Identity $Users | where { ($_.Name -ne 'Domain Users') -and ($_.Name -ne 'DisabledUsers') }
    

    You've imported your CSV to $Users, which is now a collection of objects. However, the Identity parameter doesn't work on collections. You'll need to pass them to the cmdlet one at a time.

    Take a look at the docs for the cmdlet and the Identity parameter.

    • #114237

      Participant
      Points: 23
      Rank: Member

      Hi Mark,

      So in looking at the docs, should it be -Identity $Users.SamAccountName?

  • #114243

    Participant
    Points: 23
    Rank: Member

    Since SamAccountName is the header on my CSV column, I changed the line to
    $ADgroups = Get-ADPrincipalGroupMembership -Identity $Users.SamAccountName | where { ($_.Name -ne 'Domain Users') -and ($_.Name -ne 'DisabledUsers') }

    and now I get this error:

    Cannot convert 'Aaron.Smith Adam.Abston Adam.Wright' to the type 'Microsoft.ActiveDirectory.Management.ADPrincipal' required by parameter 'Identity'. Specified method is not supported.
    + CategoryInfo : InvalidArgument: (:) [Get-ADPrincipalGroupMembership], ParameterBindingException
    + FullyQualifiedErrorId : CannotConvertArgument,Microsoft.ActiveDirectory.Management.Commands.GetADPrincipalGroupMembership
    + PSComputerName : GGPDC01

  • #114499

    Participant
    Points: 112
    Rank: Participant

    You're still trying to pass a collection to the cmdlet.

    Since you're already looping over the list of users, I would take that line and move it into the loop.

    Then, change

    $ADgroups = Get-ADPrincipalGroupMembership -Identity $Users

    to

    $ADgroups = Get-ADPrincipalGroupMembership -Identity $User
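The two replies above (#114219 and #114499) both come down to the same fix: Get-ADPrincipalGroupMembership binds -Identity to a single principal, so the lookup has to happen once per user inside the loop. The script below is an added example, not the original poster's code or a Microsoft sample; it shows the lookup moved into the loop and keeps the rest of the workflow from the thread. The CSV path, the dc=example,dc=com domain and the INC0000000 ticket number are placeholders; the SamAccountName column, the LegalHold and Disabled Users OUs and the DisabledUsers group are taken from the thread. The try/catch and the empty-group check are additions so that one bad CSV row does not abort the remaining accounts.

```powershell
# Added example (not the original poster's script): group-membership lookup
# performed once per user inside the loop, as the replies recommend.
Import-Module ActiveDirectory

$Users        = Import-Csv -Path 'C:\Output\DisableADUsers.csv'   # assumed column header: SamAccountName
$DisabledDate = Get-Date
$DisabledBy   = Get-ADUser -Identity $env:USERNAME -Properties Mail
$LegalHoldOU  = 'ou=LegalHold,dc=example,dc=com'                  # placeholder domain
$TargetOU     = 'ou=Disabled Users,dc=example,dc=com'             # placeholder domain
$Ticket       = 'INC0000000'                                      # placeholder ticket id
$KeepGroups   = @('Domain Users', 'DisabledUsers')                # memberships to leave in place

# Build the legal-hold lookup once; SamAccountName is returned by default,
# so -Properties * is not needed here.
$LegalHoldUsers = Get-ADUser -Filter * -SearchBase $LegalHoldOU |
    Select-Object -ExpandProperty SamAccountName

foreach ($User in $Users) {
    $Sam = $User.SamAccountName
    if ([string]::IsNullOrWhiteSpace($Sam)) { continue }   # skip blank CSV rows

    try {
        # One identity per call: passing the whole $Users collection here is what
        # produced the "Cannot convert ... to ADPrincipal" binding error.
        $ADGroups = Get-ADPrincipalGroupMembership -Identity $Sam -ErrorAction Stop |
            Where-Object { $KeepGroups -notcontains $_.Name }

        Set-ADUser -Identity $Sam -Description "Disabled by $($DisabledBy.Name) on $DisabledDate per Ticket $Ticket"

        # -MemberOf rejects a null/empty list, so only call it when there is something to remove.
        if ($ADGroups) {
            Remove-ADPrincipalGroupMembership -Identity $Sam -MemberOf $ADGroups -Confirm:$false
        }
        Add-ADGroupMember -Identity 'DisabledUsers' -Members $Sam
        Disable-ADAccount -Identity $Sam

        # Accounts under legal hold stay where they are; everyone else moves to the disabled OU.
        if ($LegalHoldUsers -notcontains $Sam) {
            Get-ADUser -Identity $Sam | Move-ADObject -TargetPath $TargetOU
        }

        Write-Verbose "Disabled $Sam and removed $(@($ADGroups).Count) group membership(s)"
    }
    catch {
        # A typo in the CSV or an already-deleted account should not stop the rest of the run.
        Write-Warning "Failed to process '$Sam': $($_.Exception.Message)"
    }
}
```

For a dry run against the full 1500-row file, add -WhatIf to the Set-ADUser, Remove-ADPrincipalGroupMembership, Add-ADGroupMember, Disable-ADAccount and Move-ADObject calls; all of them support it, and the per-user output makes it easy to confirm the group filter and the legal-hold branch before any account is changed.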
