Set AD group gidNumber for multiple groups

This topic contains 6 replies, has 2 voices, and was last updated by  Iain Cole 4 years, 3 months ago.

  • #10076

    Iain Cole
    Participant

    Hi all, I was hoping you might be able to guide me with my query below.

    I have a requirement to create multiple Active Directory groups (and users, but not in this script) where the gidNumber has to be modified (for Linux groups).

    I can successfully obtain the GID from the AD Group SID, but I am then unable to pass this to the Set-ADGroup -replace parameter.

    Headers (for CSV file):

    Name,SamAccountName,Path,DisplayName,Description
    Test Group,Test Group,"OU=Groups,DC=HomeDomain,DC=Local",tstgrp,Test Group
    Test2 Group,Test2 Group,"OU=Groups,DC=HomeDomain,DC=Local",tstgrp2,Test Group

    $GID = foreach ($group in $groups){

    Get-adgroup $group.SamAccountName | select @{l="GID";e={[int]$_.SID.Value.Substring([int]$_.SID.Value.Lastindexof("-")+1)+1000}} | Select -ExpandProperty GID

    Get-adgroup $group.SamAccountName | Set-ADGroup -Replace @{gidNumber="GID"} -Verbose

    }

    I think it is to do with the @{gidNumber="GID"} scriptblock but cannot think how to take each GID and then put it into the gidNumber one at a time.

    This is the error I get:


    Set-ADGroup : The parameter is incorrect
    At line:8 char:37
    + Get-adgroup $group.SamAccountName | Set-ADGroup -Replace @{gidNumber="GID"} -Ver ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidOperation: (CN=Test Group,DC=Homenet,DC=Local:ADGroup) [Set-ADGroup], ADInvalidOperationException
    + FullyQualifiedErrorId : ActiveDirectoryServer:87,Microsoft.ActiveDirectory.Management.Commands.SetADGroup

    Any assistance would be very much appreciated.

  • #10078

    Dave Wyatt
    Moderator

    Out of curiosity, how did you create the $groups variable? Is it from running Get-ADGroup, or from something like a database or CSV file? You don't need to keep making multiple calls to Get-ADGroup. Assuming that you ran something like $groups = Get-ADGroup -Filter * before the foreach loop, try this:

    foreach ($group in $groups) {
        $GID = [int]$group.SID.Value.Substring([int]$group.SID.Value.Lastindexof("-")+1)+1000
        $group | Set-ADGroup -Replace @{gidNumber=$GID} -Verbose
    }
    
  • #10079

    Iain Cole
    Participant

    Hi Dave,

    Thanks for your response; apologies for missing this part in my original post.

    The $Groups variable is as per the following:


    $Groups = Import-Csv C:\Scripts\GroupsgidNumber.csv -UseCulture

    As per my original post I have specified the CSV header and content.

    I only want to set the gidNumber for specific Groups that I have newly created (another part of my script).

    Many Thanks.

  • #10081

    Dave Wyatt
    Moderator

    OK, the code should just need a small update to include a single call to Get-ADGroup, then. Try this:

    foreach ($csvEntry in $groups)
    {
        try
        {
            $group = Get-ADGroup -Identity $csvEntry.SamAccountName -ErrorAction Stop
    
            $GID = [int]$group.SID.Value.Substring([int]$group.SID.Value.Lastindexof("-")+1)+1000
        
            $group | Set-ADGroup -Replace @{gidNumber=$GID} -Verbose -ErrorAction Stop
        }
        catch
        {
            # handle error however you like
        }
    }
    
    
  • #10082

    Iain Cole
    Participant

    Thanks Dave, you are amazing 😀
    Perfect!
    I think I will take a break now 😀

    Below creates the new groups that are required and then modifies the gidNumber.


    $Groups = Import-Csv C:\Scripts\CSVFILE.csv -UseCulture

    foreach ($Group in $Groups) {
        New-ADGroup -Name $Group.Name -Description $Group.Description -GroupCategory "Security" -GroupScope "Universal" -DisplayName $Group.displayNamePrintable -Path $Group.Path -SamAccountName $Group.SamAccountName -Verbose
    }

    foreach ($csvEntry in $groups)
    {
        try
        {
            $group = Get-ADGroup -Identity $csvEntry.SamAccountName -ErrorAction Stop

            $GID = [int]$group.SID.Value.Substring([int]$group.SID.Value.Lastindexof("-")+1)+1000

            $group | Set-ADGroup -Replace @{gidNumber=$GID} -Verbose -ErrorAction Stop
        }
        catch
        {
            # handle error however you like
        }
    }

    Once again many thanks.
    Iain

  • #10083

    Dave Wyatt
    Moderator

    You might be able to consolidate that code even further, eliminating the call to Get-ADGroup. I'm not at home, so I can't test this code yet, but you can try it:

    $Groups = Import-Csv C:\Scripts\CSVFILE.csv -UseCulture
    foreach ($csvEntry in $groups)
    {
        try
        {
            $group = New-ADGroup -PassThru -Name $csvEntry.Name -Description $csvEntry.Description -GroupCategory "Security" -GroupScope "Universal" -DisplayName $csvEntry.displayNamePrintable -Path $csvEntry.Path -SamAccountName $csvEntry.SamAccountName -Verbose -ErrorAction Stop
    
            $GID = [int]$group.SID.Value.Substring([int]$group.SID.Value.Lastindexof("-")+1)+1000
    
            $group | Set-ADGroup -Replace @{gidNumber=$GID} -Verbose -ErrorAction Stop
        }
        catch
        {
            # handle error however you like
        }
    }
    

    Edit: Forgot the -PassThru parameter to New-ADGroup

  • #10108

    Iain Cole
    Participant

    I couldn't get the following to work; it appears that nothing was being passed to $GID or $Group | Get-Adgroup

    $Groups = Import-Csv C:\Scripts\CSVFILE.csv -UseCulture
    foreach ($csvEntry in $groups)
    {
        try
        {
            $group = New-ADGroup -PassThru -Name $csvEntry.Name -Description $csvEntry.Description -GroupCategory "Security" -GroupScope "Universal" -DisplayName $csvEntry.displayNamePrintable -Path $csvEntry.Path -SamAccountName $csvEntry.SamAccountName -Verbose -ErrorAction Stop
    
            $GID = [int]$group.SID.Value.Substring([int]$group.SID.Value.Lastindexof("-")+1)+1000
    
            $group | Set-ADGroup -Replace @{gidNumber=$GID} -Verbose -ErrorAction Stop
        }
        catch
        {
            # handle error however you like
        }
    }
    

    Whereas modifying it to the below worked perfectly (it works with and without specifying a variable in front of New-ADGroup, i.e. $NewGroup = New-ADGroup ).

    $Groups = Import-Csv C:\PSInput\MQUser\MQGroups.csv -UseCulture
    
    foreach ($CSVEntry in $Groups ) 
    {
        try
        {
            New-ADGroup -Name $CSVEntry.Name -Description $CSVEntry.Description -GroupCategory Security -GroupScope Universal -DisplayName $CSVEntry.DisplayNamePrintable -Path $CSVEntry.Path -SamAccountName $CSVEntry.SamAccountName -Verbose -ErrorAction Stop
    
            $Group = Get-ADGroup -Identity $CSVEntry.SamAccountName -ErrorAction Stop
    
            $GID = [int]$Group.SID.Value.Substring([int]$Group.SID.Value.Lastindexof("-")+1)+1000
    
            $Group | Set-ADGroup -Replace @{gidNumber=$GID} -Verbose -ErrorAction Stop
        }
        catch
        {
            # Handle error however you like
        }
    }
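
Added example, not part of any post in this thread and not the posters' code: the same RID-plus-1000 derivation with the checks a directory administrator would want before writing gidNumber. A RID is unique only within one domain, and two groups sharing a gidNumber are the same group to a Linux host, so the sketch refuses duplicates and reports failures instead of leaving the catch block empty. `Get-GidFromSid` and `Set-GroupGid` are hypothetical helper names; the ActiveDirectory module and the CSV path from the thread are assumed.

```powershell
# Added example. Get-GidFromSid and Set-GroupGid are hypothetical helper names.
# Assumes the ActiveDirectory module and the CSV layout shown in the thread.
Import-Module ActiveDirectory

function Get-GidFromSid {
    param(
        [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Sid,
        [int]$Offset = 1000   # same offset the thread uses
    )
    # The RID is the last dash-separated component of the SID string.
    $gid = [int64][uint32]($Sid.Value.Split('-')[-1]) + $Offset
    if ($gid -gt [int]::MaxValue) { throw "Derived GID $gid does not fit in [int]" }
    return [int]$gid
}

function Set-GroupGid {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$SamAccountName)

    $group = Get-ADGroup -Identity $SamAccountName -Properties gidNumber -ErrorAction Stop
    $gid   = Get-GidFromSid -Sid $group.SID

    # Refuse a GID already held by a different group (search covers the current domain only).
    $clash = Get-ADGroup -LDAPFilter "(gidNumber=$gid)" -ErrorAction Stop |
        Where-Object { $_.DistinguishedName -ne $group.DistinguishedName }
    if ($clash) {
        throw "gidNumber $gid already assigned to: $($clash.DistinguishedName -join '; ')"
    }

    if ($group.gidNumber -eq $gid) { return }   # already correct, nothing to write
    if ($PSCmdlet.ShouldProcess($group.DistinguishedName, "Set gidNumber=$gid")) {
        # Pass the variable itself; the thread's failing call passed the literal string "GID".
        Set-ADGroup -Identity $group -Replace @{ gidNumber = $gid } -ErrorAction Stop
    }
}

foreach ($csvEntry in Import-Csv C:\Scripts\CSVFILE.csv -UseCulture) {
    try {
        # -WhatIf previews each change; remove it to write to the directory.
        Set-GroupGid -SamAccountName $csvEntry.SamAccountName -WhatIf
    }
    catch {
        # Report the failing entry instead of swallowing the error.
        Write-Warning "$($csvEntry.SamAccountName): $($_.Exception.Message)"
    }
}
```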
    
    
    
    		
    	
