
September 12, 2013 at 6:36 am

Hi All, I was hoping you might be able to guide me with my query below.

I have a requirement to create multiple Active Directory groups (and users, but not in this script) where the gidNumber has to be modified (for Linux groups).

I can successfully obtain the GID from the AD Group SID, but I am then unable to pass this to the Set-ADGroup -replace parameter.

Headers (for CSV file):

Name,SamAccountName,Path,DisplayName,Description
Test Group,Test Group,"OU=Groups,DC=HomeDomain,DC=Local",tstgrp,Test Group
Test2 Group,Test2 Group,"OU=Groups,DC=HomeDomain,DC=Local",tstgrp2,Test Group

$GID = foreach ($group in $groups){

Get-adgroup $group.SamAccountName | select @{l="GID";e={[int]$_.SID.Value.Substring([int]$_.SID.Value.Lastindexof("-")+1)+1000}} | Select -ExpandProperty GID

Get-adgroup $group.SamAccountName | Set-ADGroup -Replace @{gidNumber="GID"} -Verbose

}

I think it is to do with the @{gidNumber="GID"} scriptblock but cannot think how to take each GID and then put it into the gidNumber one at a time.

This is the error I get:


Set-ADGroup : The parameter is incorrect
At line:8 char:37
+ Get-adgroup $group.SamAccountName | Set-ADGroup -Replace @{gidNumber="GID"} -Ver ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (CN=Test Group,DC=Homenet,DC=Local:ADGroup) [Set-ADGroup], ADInvalidOperationException
+ FullyQualifiedErrorId : ActiveDirectoryServer:87,Microsoft.ActiveDirectory.Management.Commands.SetADGroup

Any assistance would be very much appreciated.

September 12, 2013 at 7:44 am

Out of curiosity, how did you create the $groups variable? Is it from running Get-ADGroup, or from something like a database or CSV file? You don't need to keep making multiple calls to Get-ADGroup. Assuming that you ran something like $groups = Get-ADGroup -Filter * before the foreach loop, try this:

foreach ($group in $groups) {
    $GID = [int]$group.SID.Value.Substring([int]$group.SID.Value.Lastindexof("-")+1)+1000
    $group | Set-ADGroup -Replace @{gidNumber=$GID} -Verbose
}

September 12, 2013 at 8:04 am

Hi Dave,

Thanks for your response; apologies for missing this part in my original post.

The $Groups variable is as per the following:


$Groups = Import-Csv C:\Scripts\GroupsgidNumber.csv -UseCulture

As per my original post I have specified the CSV header and content.

I only want to set the gidNumber for specific Groups that I have newly created (another part of my script).

Many Thanks.

September 12, 2013 at 8:40 am

OK, the code should just need a small update to include a single call to Get-ADGroup, then. Try this:

foreach ($csvEntry in $groups)
{
    try
    {
        $group = Get-ADGroup -Identity $csvEntry.SamAccountName -ErrorAction Stop

        $GID = [int]$group.SID.Value.Substring([int]$group.SID.Value.Lastindexof("-")+1)+1000
    
        $group | Set-ADGroup -Replace @{gidNumber=$GID} -Verbose -ErrorAction Stop
    }
    catch
    {
        # handle error however you like
    }
}

September 12, 2013 at 9:02 am

Thanks Dave you are amazing 😀
Perfect!
I think I will take a break now 😀

Below creates the new groups that are required and then modifies the gidNumber.


$Groups = Import-Csv C:\Scripts\CSVFILE.csv -UseCulture

foreach ($Group in $Groups) {
    New-ADGroup -Name $Group.Name -Description $Group.Description -GroupCategory "Security" -GroupScope "Universal" -DisplayName $Group.displayNamePrintable -Path $Group.Path -SamAccountName $Group.SamAccountName -Verbose
}

foreach ($csvEntry in $groups)
{
    try
    {
        $group = Get-ADGroup -Identity $csvEntry.SamAccountName -ErrorAction Stop

        $GID = [int]$group.SID.Value.Substring([int]$group.SID.Value.Lastindexof("-")+1)+1000

        $group | Set-ADGroup -Replace @{gidNumber=$GID} -Verbose -ErrorAction Stop
    }
    catch
    {
        # handle error however you like
    }
}

Once again many thanks.
Iain

September 12, 2013 at 9:17 am

You might be able to consolidate that code even further, eliminating the call to Get-ADGroup. I'm not at home, so I can't test this code yet, but you can try it:

$Groups = Import-Csv C:\Scripts\CSVFILE.csv -UseCulture
foreach ($csvEntry in $groups)
{
    try
    {
        $group = New-ADGroup -PassThru -Name $csvEntry.Name -Description $csvEntry.Description -GroupCategory "Security" -GroupScope "Universal" -DisplayName $csvEntry.displayNamePrintable -Path $csvEntry.Path -SamAccountName $csvEntry.SamAccountName -Verbose -ErrorAction Stop

        $GID = [int]$group.SID.Value.Substring([int]$group.SID.Value.Lastindexof("-")+1)+1000

        $group | Set-ADGroup -Replace @{gidNumber=$GID} -Verbose -ErrorAction Stop
    }
    catch
    {
        # handle error however you like
    }
}

Edit: Forgot the -PassThru parameter to New-ADGroup

September 13, 2013 at 4:42 am

I couldn't get the following to work; it appears that nothing was being passed to $GID or $Group | Get-Adgroup:

$Groups = Import-Csv C:\Scripts\CSVFILE.csv -UseCulture
foreach ($csvEntry in $groups)
{
    try
    {
        $group = New-ADGroup -PassThru -Name $csvEntry.Name -Description $csvEntry.Description -GroupCategory "Security" -GroupScope "Universal" -DisplayName $csvEntry.displayNamePrintable -Path $csvEntry.Path -SamAccountName $csvEntry.SamAccountName -Verbose -ErrorAction Stop

        $GID = [int]$group.SID.Value.Substring([int]$group.SID.Value.Lastindexof("-")+1)+1000

        $group | Set-ADGroup -Replace @{gidNumber=$GID} -Verbose -ErrorAction Stop
    }
    catch
    {
        # handle error however you like
    }
}

Whereas modifying it to the below worked perfectly (it works with and without specifying a variable in front of New-ADGroup, i.e. $NewGroup = New-ADGroup).

$Groups = Import-Csv C:\PSInput\MQUser\MQGroups.csv -UseCulture

foreach ($CSVEntry in $Groups ) 
{
    try
    {
        New-ADGroup -Name $CSVEntry.Name -Description $CSVEntry.Description -GroupCategory Security -GroupScope Universal -DisplayName $CSVEntry.DisplayNamePrintable -Path $CSVEntry.Path -SamAccountName $CSVEntry.SamAccountName -Verbose -ErrorAction Stop

        $Group = Get-ADGroup -Identity $CSVEntry.SamAccountName -ErrorAction Stop

        $GID = [int]$Group.SID.Value.Substring([int]$Group.SID.Value.Lastindexof("-")+1)+1000

        $Group | Set-ADGroup -Replace @{gidNumber=$GID} -Verbose -ErrorAction Stop
    }
    catch
    {
        # Handle error however you like
    }
}
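
An added example, not code from the posters in this thread: the RID-plus-1000 derivation used above written as a checked function, with a catch block that reports the failure instead of discarding it. The function names ConvertTo-GidNumber and Set-GroupGidNumber and the sample SIDs are constructed for illustration; the check at the bottom runs without a domain controller.

```powershell
function ConvertTo-GidNumber {
    param(
        [Parameter(Mandatory)] [string] $Sid,
        [int] $Offset = 1000              # same offset as in the thread
    )
    if ($Sid -notmatch '^S-1-\d+(-\d+)+$') { throw "Not a SID string: '$Sid'" }
    # The RID is the last sub-authority, an unsigned 32-bit value.
    $rid = [uint32]($Sid.Split('-')[-1])
    $gid = [int64]$rid + $Offset
    # gidNumber is a 32-bit signed integer attribute in AD.
    if ($gid -gt [int]::MaxValue) { throw "GID $gid exceeds the gidNumber range" }
    [int]$gid
}

function Set-GroupGidNumber {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [string] $SamAccountName)
    try {
        $group = Get-ADGroup -Identity $SamAccountName -ErrorAction Stop
        $gid   = ConvertTo-GidNumber -Sid $group.SID.Value
        # Another object in this domain may already hold the value (e.g. set by hand).
        $clash = Get-ADObject -LDAPFilter "(gidNumber=$gid)" -ErrorAction Stop |
                 Where-Object { $_.DistinguishedName -ne $group.DistinguishedName }
        if ($clash) { throw "gidNumber $gid already used by $($clash.DistinguishedName -join '; ')" }
        if ($PSCmdlet.ShouldProcess($group.DistinguishedName, "Set gidNumber=$gid")) {
            # Pass the integer variable; the quoted string "GID" is what the directory rejected.
            Set-ADGroup -Identity $group -Replace @{ gidNumber = $gid } -ErrorAction Stop
        }
    }
    catch {
        # Report instead of swallowing, so a failed lookup or write is visible.
        Write-Warning "$SamAccountName : $($_.Exception.Message)"
    }
}

# Offline check of the derivation with constructed SIDs (no domain needed).
'S-1-5-21-1111111111-2222222222-3333333333-1105',
'S-1-5-21-4444444444-5555555555-6666666666-1105',        # other domain, same RID
'S-1-5-21-1111111111-2222222222-3333333333-4294967295' | # RID too large for gidNumber
    ForEach-Object {
        $sid = $_   # keep the SID; inside catch, $_ becomes the error record
        try   { '{0} -> {1}' -f $sid, (ConvertTo-GidNumber -Sid $sid) }
        catch { '{0} -> rejected: {1}' -f $sid, $_.Exception.Message }
    }
```

The first two constructed SIDs map to the same GID (2105) because only the RID is used, which is why the write step looks for an existing holder first. Run Set-GroupGidNumber with -WhatIf to see the planned change without writing to the directory.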