Creating AD Groups based on search results from AD OU

This topic contains 5 replies, has 4 voices, and was last updated by Nathan W 1 year, 12 months ago.

  • #21029
    Nathan W
    Participant

    I am trying to write a script that I can run on a scheduled task to scan the computer accounts under an OU then use the computer account names that are found to create AD security groups in another OU that I will then use to apply administrative rights to each individual server.
    I am having a little trouble getting the ForEach loop to work the way I want it.
    Any help would be great.

    Here is what I have so far.
    $ServerAccounts = (Get-ADComputer -filter * -Properties name -SearchBase "OU=Servers,DC=Child,DC=Domain,DC=com" | FT Name)
    ForEach ($i in $ServerAccounts) {New-ADGroup -Name "$i – LADM" -GroupScope Global -GroupCategory Security -Path 'OU=Server Local Admin Computers,OU=Groups,DC=Child,DC=Domain,DC=com'}

    Thanks

  • #21031
    Will Anderson
    Keymaster

    Hey there Nathan,

    Can you post an example of the return you're getting?

  • #21033
    Nathan W
    Participant

    Sure

    New-ADGroup : A value for the attribute was not in the acceptable range of values
    At line:2 char:34
    + ForEach ($i in $ServerAccounts) {New-ADGroup -Name "$i – LADM" -GroupScope Globa ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (CN=Microsoft.Po...=colpipe,DC=com:String) [New-ADGroup], ADException
    + FullyQualifiedErrorId : ActiveDirectoryServer:8322,Microsoft.ActiveDirectory.Management.Commands.NewADGroup

  • #21034
    Stephen Owen
    Participant

    Here's your problem

    $ServerAccounts = (Get-ADComputer -filter * -Properties name -SearchBase "OU=Servers,DC=Child,DC=Domain,DC=com" | FT Name)
    ForEach ($i in $ServerAccounts) {New-ADGroup -Name "$i – LADM" -GroupScope Global -GroupCategory Security -Path 'OU=Server Local Admin Computers,OU=Groups,DC=Child,DC=Domain,DC=com'}

    Because you're piping into Format-Table, you don't actually have PowerShell objects anymore. $ServerAccounts in your example actually stores raw output data.

    So try the command again, like this:

    $ServerAccounts = Get-ADComputer -filter * -Properties name -SearchBase "OU=Servers,DC=Child,DC=Domain,DC=com"
    ForEach ($i in $ServerAccounts) {New-ADGroup -Name "$($i.Name) – LADM" -GroupScope Global -GroupCategory Security -Path 'OU=Server Local Admin Computers,OU=Groups,DC=Child,DC=Domain,DC=com'}

  • #21035
    tommymaynard
    Member

    I don't know the exact problem, but I suspect that some of the information below will likely be useful. In relation to number one below, you should probably read the eBook, The Big Book of PowerShell Gotchas, or at least the first chapter (click Resources > Free eBooks above).

    1. Remove your Format-* cmdlet (FT). Replace it with Select-Object.
    2. Name is a default property; it is returned without the need for the -Properties parameter.
    3. Expand the Name property. This will return only the Name and not the table-like heading. You can do this by piping to Select-Object -ExpandProperty in any version of PowerShell, or using dotted-notation in PowerShell 3.0 and greater.

    $ServerAccounts = Get-ADComputer -Filter * -SearchBase 'OU=Servers,DC=Child,DC=Domain,DC=com' | Select-Object -ExpandProperty Name
    -or-
    $ServerAccounts = (Get-ADComputer -Filter * -SearchBase 'OU=Servers,DC=Child,DC=Domain,DC=com').Name

    Good luck!

    EDIT: I just saw that you posted your error. Number 3 above will get this fixed. You're essentially handing the New-ADGroup's -Name parameter this:

    Name
    ----
    ComputerName

    If you use Select-Object -ExpandProperty Name, or use dotted-notation, you'll be giving just ComputerName as the value to the parameter.
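
Added example, not part of any post in this thread: the fixes above combined into a function that is safe to re-run from a scheduled task, because it skips groups that already exist and supports a -WhatIf dry run. The function name, the Description text and the ASCII hyphen in the suffix (the thread's code has an en dash) are assumptions; the OU paths are the ones from the question.

```powershell
#Requires -Modules ActiveDirectory

function Sync-ServerAdminGroup {   # hypothetical name, not from the thread
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$ServerOU = 'OU=Servers,DC=Child,DC=Domain,DC=com',
        [string]$GroupOU  = 'OU=Server Local Admin Computers,OU=Groups,DC=Child,DC=Domain,DC=com',
        [string]$Suffix   = ' - LADM'   # assumption: plain hyphen instead of the en dash
    )

    # Expand Name to plain strings; no Format-* cmdlet before the loop.
    $names = Get-ADComputer -Filter * -SearchBase $ServerOU |
        Select-Object -ExpandProperty Name

    # Index the groups already in the target OU once (hashtable keys are case-insensitive).
    $existing = @{}
    Get-ADGroup -Filter * -SearchBase $GroupOU |
        ForEach-Object { $existing[$_.Name] = $true }

    foreach ($name in $names) {
        $groupName = "$name$Suffix"

        # A scheduled task runs repeatedly: creating a group twice would error.
        if ($existing.ContainsKey($groupName)) {
            Write-Verbose "Exists, skipping: $groupName"
            continue
        }

        $params = @{
            Name          = $groupName
            GroupScope    = 'Global'
            GroupCategory = 'Security'
            Path          = $GroupOU
            Description   = "Local administrators of $name"   # assumed wording
            ErrorAction   = 'Stop'
        }
        if ($PSCmdlet.ShouldProcess($groupName, 'Create AD security group')) {
            try   { New-ADGroup @params }
            catch { Write-Warning "Failed to create '$groupName': $($_.Exception.Message)" }
        }
    }
}

# Dry run: lists the groups that would be created without changing AD.
Sync-ServerAdminGroup -WhatIf -Verbose
```

Run the scheduled task under an account delegated create-group rights on the target OU only, since these groups end up granting local administrator access on servers.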

  • #21036
    Nathan W
    Participant

    That did the job. Thanks a bunch
