
January 20, 2016 at 8:22 am

I am sure this is a newbie question...
I need to add a user to a group across several AD domains.
I have a script that prompts for user & group names,
which invokes a script that is run on a DC in each domain.

My first script looks like this

Set-StrictMode -Version Latest

# Skipping the CN, CA and revocation checks turns off TLS server authentication for the
# WinRM/HTTPS session; acceptable only against a fixed list of DCs you control.
$CertChk = (New-PSSessionOption -SkipCNCheck -SkipCACheck -SkipRevocationCheck)
$Script = "$env:USERPROFILE\Scripts\Add_To_Group_Menu.ps1"
$User = Read-Host 'Please enter the logon name of the user to add'
$DestGroup = Read-Host 'Please enter the name of the group to add the user to'

# $DC and $Creds must be defined before this call (the fuller version of the script further down sets them).
# -EA 0 (SilentlyContinue) discards connection and remote errors, so a failed call looks like a no-op.
Invoke-Command -Filepath "$Script" -ComputerName $DC -Credential $Creds -UseSSL -SessionOption $CertChk -EA 0

The problem is that if I try to dot-source the variables when it is run on the remote DC, it does not run the script.
If I run it locally, it works.
My second script looks like this:

Set-StrictMode -Version Latest
Import-Module ActiveDirectory

$Script = "$env:USERPROFILE\Scripts\Add_To_Group.ps1"
# As posted this line read {. .\$Script}, a script block literal that is never invoked; dot-sourcing is ". $Script".
# Even when dot-sourced, the local session's $User and $DestGroup are not visible on the remote DC.
. $Script

$UserName = ((Get-ADUser $User).Name)
$GroupDn = ((Get-ADGroup $DestGroup).DistinguishedName)
$GroupName = ((Get-ADGroup $DestGroup).Name)

# -contains compares the distinguished name exactly; -like would treat * and ? in the DN as wildcards.
If ((Get-ADUser $User -Properties memberof).memberof -contains $GroupDn)
    {
    # A space is required before -ForegroundColor; without it the switch name is glued onto the string.
    Write-Host "$UserName is already a member of $GroupName!" -ForegroundColor Yellow
    }
    Else {
    Write-Host "Adding $UserName to $GroupName!" -ForegroundColor Green
    Get-ADGroup $DestGroup | Add-ADGroupMember -Members $User
}

I am sure this is related to how I am trying to pass the variables.
I appreciate any help.

January 20, 2016 at 9:10 am

Variables that exist in your local session do not exist on the remote computer. Your second script needs to accept the $User and $DestGroup variables as parameters, instead of just requiring those variables to exist somewhere. Your first script has the same problem as well; it's using a $DC variable which is not defined as a parameter or anywhere else in the script.

When you get to the point where you're putting code into functions and scripts for reuse, you should get into the habit of having all of those functions' inputs coming via parameters. For your second script, that might consist of a parameter block like this at the beginning of the file:

[CmdletBinding()]
param (
    [Parameter(Mandatory = $true)]
    [string] $User,

    [Parameter(Mandatory = $true)]
    [string] $DestGroup
)
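The pattern described in the reply above, as an added example that is not code from the thread or from the reply's author: the remote side declares its inputs in a param() block and receives them through -ArgumentList, which binds positionally; a script file that starts with the same param() block works identically with Invoke-Command -FilePath. Assumed and hypothetical: the DC name server.domain.com, a $Creds variable already holding a PSCredential, and the ActiveDirectory module being present on the DC.

```powershell
# Added example, not code from the thread. Assumed: 'server.domain.com' is a DC reachable over
# WinRM/HTTPS, $Creds already holds a PSCredential, and the ActiveDirectory module exists on the DC.
Set-StrictMode -Version Latest

# Remote side. Everything it needs arrives through param(); nothing from the local session is
# visible here. The same param() block at the top of Add_To_Group.ps1 makes -FilePath work too.
$AddToGroup = {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true)] [string] $User,
        [Parameter(Mandatory = $true)] [string] $DestGroup
    )

    Import-Module ActiveDirectory -ErrorAction Stop

    # -ErrorAction Stop turns "user not found" into a terminating error the caller can see.
    $adUser  = Get-ADUser  -Identity $User      -Properties MemberOf -ErrorAction Stop
    $adGroup = Get-ADGroup -Identity $DestGroup -ErrorAction Stop

    # Exact DN comparison; -like with no wildcards only works by accident.
    if ($adUser.MemberOf -contains $adGroup.DistinguishedName) {
        $status = 'AlreadyMember'
    }
    else {
        Add-ADGroupMember -Identity $adGroup -Members $adUser -ErrorAction Stop
        $status = 'Added'
    }

    # Return an object instead of Write-Host text so the caller can act on the result.
    [pscustomobject]@{
        Domain = $env:USERDNSDOMAIN
        User   = $adUser.SamAccountName
        Group  = $adGroup.Name
        Status = $status
    }
}

$User      = Read-Host 'Please enter the logon name of the user to add'
$DestGroup = Read-Host 'Please enter the name of the group to add the user to'

$DC      = 'server.domain.com'   # hypothetical DC name
# Disables TLS server authentication; only acceptable for a fixed, trusted DC list.
$CertChk = New-PSSessionOption -SkipCNCheck -SkipCACheck -SkipRevocationCheck

# -ArgumentList binds positionally to the remote param() block: $User first, then $DestGroup.
$result = Invoke-Command -ComputerName $DC -Credential $Creds -UseSSL -SessionOption $CertChk `
    -ScriptBlock $AddToGroup -ArgumentList $User, $DestGroup

# Equivalent call for the script-file version, assuming the file begins with the same param() block:
# Invoke-Command -FilePath "$env:USERPROFILE\Scripts\Add_To_Group.ps1" -ComputerName $DC `
#     -Credential $Creds -UseSSL -SessionOption $CertChk -ArgumentList $User, $DestGroup

$result | Format-Table Domain, User, Group, Status
```

Returning an object rather than coloured text is the design choice worth copying: when the same script runs against several domains, the caller can collect the results and tell an "already a member" from an "added" without parsing console output.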

January 20, 2016 at 9:39 am

Thanks for the info!
Sorry, I pared down the first script for readability.
So, the first script looks like this:

Set-StrictMode -Version Latest

$CertChk = (New-PSSessionOption -SkipCNCheck -SkipCACheck -SkipRevocationCheck)
$Script = "$env:USERPROFILE\Scripts\Add_To_Group_Menu.ps1"
$User = Read-Host 'Please enter the logon name of the user to add'
$DestGroup = Read-Host 'Please enter the name of the group to add the user to'

Function Domain1 {
$DC = 'server.domain.com'
# Import-Clixml only decrypts a stored PSCredential for the same user on the same machine that ran Export-Clixml (DPAPI).
$Creds = IMPORT-CLIXML "$env:USERPROFILE\creds.xml"
# -EA 0 (SilentlyContinue) discards connection and remote errors, so a failed call looks like a no-op.
Invoke-Command -Filepath "$Script" -ComputerName $DC -Credential $Creds -UseSSL -SessionOption $CertChk -EA 0
}

There is a function for each domain.
I am looping through all of the functions.
Would I change the Invoke-Cmd to look like this?

# -ArgumentList binds positionally to the script's param() block; -EA 0 still hides any error the call produces.
Invoke-Command -Filepath "$Script" -ComputerName $CorpDC -Credential $CorpCreds -UseSSL -SessionOption $CertChk -EA 0 -ArgumentList $User,$DestGroup

My second script now looks like this:

[CmdletBinding()]
param (
    [Parameter(Mandatory = $true)]
    [string] $User,

    [Parameter(Mandatory = $true)]
    [string] $DestGroup
)

Set-StrictMode -Version Latest
Import-Module ActiveDirectory

#$Script = "$env:USERPROFILE\Scripts\Add_To_Group.ps1"
#{. .\$Script}

$UserName = ((Get-ADUser $User).Name)
$GroupDn = ((Get-ADGroup $DestGroup).DistinguishedName)
$GroupName = ((Get-ADGroup $DestGroup).Name)

# -contains compares the distinguished name exactly; -like would treat * and ? in the DN as wildcards.
If ((Get-ADUser $User -Properties memberof).memberof -contains $GroupDn)
    {
    # A space is required before -ForegroundColor; without it the switch name is glued onto the string.
    Write-Host "$UserName is already a member of $GroupName!" -ForegroundColor Yellow
    }
    Else {
    Write-Host "Adding $UserName to $GroupName!" -ForegroundColor Green
    Get-ADGroup $DestGroup | Add-ADGroupMember -Members $User
}

I am still seeing the same results.

January 20, 2016 at 9:42 am

What errors are you getting? If you've added the param block to the second script and you've added -ArgumentList to your Invoke-Command call, then you should be all set.

January 20, 2016 at 10:12 am

Thanks again, Dave.
I am not getting any errors; it just appears not to be running, but I think my logic may be what is wrong. If the script is being run on a remote server, then maybe it is only the return information that I am expecting that is not happening. Perhaps I need to change this to run as a job and return the job info?

January 20, 2016 at 6:40 pm

Could it be the execution policy? What is the execution policy set to on your remote computers?

January 22, 2016 at 7:00 am

I just wanted to update this post. Dave, your answer was correct. It turns out one of the network admins did not know what port 5986 was being used for and closed it on some of the firewalls. That's why I was getting weird results.
Thanks again for your help!
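The resolution above (a firewall silently dropping TCP 5986) combined with -EA 0 on the Invoke-Command call is why the script "appeared not to be running" with no error at all. The following is an added example, not code from the thread, of the per-domain loop written so that each failure mode reports itself separately: transport (port 5986 blocked), session (TLS, WinRM listener, authentication) and the remote script. Hypothetical and assumed: the DC names and credential-file paths, that each creds file was written with Export-Clixml by this user on this machine, and that Add_To_Group.ps1 starts with a param($User, $DestGroup) block.

```powershell
# Added example, not code from the thread. Assumed: the DC names and credential-file paths are
# hypothetical, each creds*.xml was written with Export-Clixml on this machine by this user,
# and Add_To_Group.ps1 starts with a param($User, $DestGroup) block.
Set-StrictMode -Version Latest

$Script  = "$env:USERPROFILE\Scripts\Add_To_Group.ps1"
# These switches turn off TLS server authentication; only acceptable for a fixed, trusted DC list.
$CertChk = New-PSSessionOption -SkipCNCheck -SkipCACheck -SkipRevocationCheck

# One DC and one credential file per domain, in place of one function per domain.
$Domains = @(
    @{ DC = 'dc1.domain1.com'; CredFile = "$env:USERPROFILE\creds-domain1.xml" }
    @{ DC = 'dc1.domain2.com'; CredFile = "$env:USERPROFILE\creds-domain2.xml" }
)

$User      = Read-Host 'Please enter the logon name of the user to add'
$DestGroup = Read-Host 'Please enter the name of the group to add the user to'

foreach ($d in $Domains) {
    # 1. Transport check: a firewall that drops TCP 5986 fails here with a clear message,
    #    instead of as an Invoke-Command that silently returns nothing under -EA 0.
    $tcp = Test-NetConnection -ComputerName $d.DC -Port 5986 -WarningAction SilentlyContinue
    if (-not $tcp.TcpTestSucceeded) {
        Write-Warning "$($d.DC): TCP 5986 is not reachable; skipping this domain"
        continue
    }

    # 2. Session check: TLS handshake, WinRM listener and authentication are reported
    #    separately from anything the script itself does.
    $Creds = Import-Clixml -Path $d.CredFile
    try {
        $session = New-PSSession -ComputerName $d.DC -Credential $Creds -UseSSL `
            -SessionOption $CertChk -ErrorAction Stop
    }
    catch {
        Write-Warning "$($d.DC): could not open a PSSession: $($_.Exception.Message)"
        continue
    }

    # 3. Run the script with errors surfaced (-ErrorAction Stop), never with -EA 0.
    try {
        Invoke-Command -Session $session -FilePath $Script -ArgumentList $User, $DestGroup -ErrorAction Stop
    }
    catch {
        Write-Error "$($d.DC): Add_To_Group.ps1 failed: $($_.Exception.Message)"
    }
    finally {
        Remove-PSSession -Session $session
    }
}
```

Opening the session explicitly with New-PSSession before Invoke-Command is what separates "cannot reach the DC" from "the script failed on the DC"; with a single Invoke-Command -ComputerName call and -EA 0 both collapse into an empty result.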