verbose information for add-adgroupmember

This topic contains 10 replies, has 4 voices, and was last updated by Jon (Participant) 7 months, 1 week ago.

  • #96224
    Jon

    Participant
    Points: 24
    Rank: Member

    For doing bulk group adds, I usually put everything in a CSV file with two columns, one being "group" and the other being "useradd", then run a function that contains this:

    import-csv C:\scripts\sp\groupmod.csv | % {Add-ADGroupMember -Identity $_.group -Members $_.useradd}

    No big deal, pretty straightforward. However, I've noticed around 2-3 times now that users that are in the CSV do not get added to the groups. I do not get any errors, I just find out later when the SharePoint team asks where the users are!

    I tried doing -Verbose but it doesn't really give me any information beyond something being added to that group. If I put Write-Output in front of Add-ADGroupMember it does seem to give me some information on what is being added to the groups. Just not sure if this is the best method? I thought try/catch might help, but I don't actually get any errors when it doesn't add them, so not sure if that would help.

    Any thoughts are appreciated, thanks!

  • #96237

    Participant
    Points: 140
    Helping Hand
    Rank: Participant

    There is no built-in way to determine if the accounts have been added or not. If you want to make sure that the desired accounts have been added to the group, you will have to check it by yourself.

  • #96300

    Participant
    Points: 0
    Rank: Member

    Hey Jon,
    I have a similar script that adds members to a group in bulk. I actually just use a txt file and do one group at a time and have never had a problem with it skipping members. Although if you had a lot of groups to do at one time, using a CSV definitely scales better. At the end of my script I usually output the group members and spot check the ones I have just added. Similar to what Olaf said, you could always try getting a count of the members before and after to see if it matches up with what you're adding.

    • #96306

      Participant
      Points: 140
      Helping Hand
      Rank: Participant

      you could always try getting a count of the members before and after to see if it matches up with what you're adding

      Please keep in mind that this would only provide helpful information if none of the accounts you try to add is already in the group.

    • #96311

      Participant
      Points: 0
      Rank: Member

      If the account you were trying to add were already a member of the group that would actually generate an error stating "The specified account name is already a member of the group", and I think in Jon's case he said he is not getting any errors. I haven't tried testing with a csv but I don't think it would be any different.

  • #96312

    Participant
    Points: 140
    Helping Hand
    Rank: Participant

    I haven't tried testing with a csv ...

    It does not matter where the names come from but you should have.

    If the account you were trying to add were already a member of the group that would actually generate an error
    ...

    NO, it does not. That's why I said you have to check each single name if it's there or not. I tested it before.

  • #96387
    Jon

    Participant
    Points: 24
    Rank: Member

    Olaf is right, it will not tell you if a user/group is already a member of the group.

    It seems like there isn't a real good way to get this done. Since it's only happened a few times, and it's not a huge deal when it does, I'll just let them complain when they don't get added and then fix it 🙂

  • #96396

    Participant
    Points: 0
    Rank: Member

    Not sure if I am doing something different, but if I run this in my AD environment (Win Server 2008 R2), it does let me know that someone is already a member of the group. You can always try this if it helps; if not, you can just ignore me.

    Import-Module ActiveDirectory
    $ErrorActionPreference = "Stop"
    
    $users = Import-Csv -Path C:\Scripts\AddADGroupMembers.csv
    
    foreach ($user in $users)
    {
    	try
    	{
    		# @() keeps .Count valid when the group has zero or one member
    		$GroupMemberCountBefore = @(Get-ADGroupMember -Identity $user.group).Count
    		Add-ADGroupMember -Identity $user.group -Members $user.username
    		$GroupMemberCountAfter = @(Get-ADGroupMember -Identity $user.group).Count
    		
    		if ($GroupMemberCountBefore -eq $GroupMemberCountAfter)
    		{
    			Write-Host "Please check to make sure $($user.username) got added to $($user.group)"
    		}
    	}
    	catch
    	{
    		# Any terminating error lands here, not only "already a member"
    		Write-Host "$($user.username) may already be a member of the group."
    	}
    }
    
  • #96425

    Participant
    Points: 140
    Helping Hand
    Rank: Participant

    OK, I don't know how an out of support Windows 😉 works in this situation but on a W2K12 R2 there won't be any message if a user is already in the group.
    So your script wouldn't deliver a reliable statement about the success of the desired action.
    Let's say you already have User1 and User2 in your group and you try to add User1, User2, User3 and User4 with a single command line. For whatever reason, adding User3 works just as intended but User4 won't. Then your count is different to the count before but there won't be any error message.
    So the only reliable way to check if all the desired users are added to the group is – get the group members and compare them to the "adding candidates".

  • #96618

    Participant
    Points: 14
    Rank: Member

    I would probably approach it in this fashion:

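    $csv = Import-Csv C:\scripts\sp\groupmod.csv
    $errorlog = "c:\scripts\sp\group_add_error.txt"
    foreach ($entry in $csv)
    {
        Add-ADGroupMember -Identity $entry.group -Members $entry.useradd
        $membership = Get-ADUser $entry.useradd -Properties memberof
        # memberof holds distinguished names, so this is a substring match on the group name.
        # $() is required: "*$entry.group*" would expand $entry and append the literal ".group".
        if ($membership.memberof -like "*$($entry.group)*")
        {
            # member is present
        }
        else
        {
            # -Append keeps earlier failures instead of overwriting the log on every miss
            "$($entry.useradd) was not added to $($entry.group)" | Out-File $errorlog -Append
        }
    }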
    

    You could also add a success message in the first check, but this is relatively simple.

  • #97984
    Jon

    Participant
    Points: 24
    Rank: Member

    Wanted to give a quick update. Thanks, David, for your script. I had to make a few modifications, as I needed to account for when I was adding groups into groups.

    Here is my final code which is working great.

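    $csv = Import-Csv C:\scripts\sp\groupmod.csv
    $errorlog = "c:\scripts\sp\group_add_error.txt"
    foreach ($entry in $csv)
    {
        Add-ADGroupMember -Identity $entry.group -Members $entry.useradd
        # Direct members of the group (users and nested groups) by sAMAccountName
        $membership = (Get-ADGroupMember $entry.group).SamAccountName
        # -contains is an exact, case-insensitive match with no wildcard handling
        if ($membership -contains $entry.useradd)
        {
            # member is present
        }
        else
        {
            # -Append keeps earlier failures instead of overwriting the log on every miss
            "$($entry.useradd) was not added to $($entry.group)" | Out-File $errorlog -Append
        }
    }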
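
Added example, not code from any poster in this thread: a variant of the add-then-verify approach that snapshots each group first, so rows end up as Added, AlreadyMember, Error, or Missing, and every outcome goes into a report that doubles as a record of the access change. It assumes PowerShell 3.0 or later and that `useradd` holds sAMAccountNames; the report path, the `Get-MemberNames` helper, and pinning reads and writes to the PDC emulator are assumptions made here.

```powershell
# Added example (PowerShell 3.0+): add members, then verify against real membership.
Import-Module ActiveDirectory

$csvPath = 'C:\scripts\sp\groupmod.csv'          # columns: group, useradd (as in the thread)
$logPath = 'C:\scripts\sp\group_add_report.csv'  # hypothetical report path
$dc      = (Get-ADDomain).PDCEmulator            # assumption: pin reads and writes to one DC

function Get-MemberNames([string]$Group) {       # hypothetical helper
    Get-ADGroupMember -Identity $Group -Server $dc -ErrorAction Stop |
        ForEach-Object { $_.SamAccountName }
}

$report = foreach ($batch in (Import-Csv -Path $csvPath | Group-Object -Property group)) {
    $group = $batch.Name
    try {
        # Snapshot first, so "already a member" is told apart from "added".
        $before  = @(Get-MemberNames $group)
        $results = foreach ($row in $batch.Group) {
            $status = 'Added'; $detail = ''
            if ($before -contains $row.useradd) {
                $status = 'AlreadyMember'
            } else {
                try {
                    Add-ADGroupMember -Identity $group -Members $row.useradd `
                        -Server $dc -ErrorAction Stop
                } catch {
                    $status = 'Error'; $detail = $_.Exception.Message
                }
            }
            [pscustomobject]@{ Group = $group; Member = $row.useradd; Status = $status; Detail = $detail }
        }
        # Verify: an 'Added' row only stands if the name is in the group now.
        $after = @(Get-MemberNames $group)
        foreach ($r in $results) {
            if ($r.Status -eq 'Added' -and $after -notcontains $r.Member) { $r.Status = 'Missing' }
            $r
        }
    } catch {
        # The group could not be read at all (wrong name, no rights, DC unreachable).
        [pscustomobject]@{ Group = $group; Member = '*'; Status = 'GroupError'; Detail = $_.Exception.Message }
    }
}

$report | Export-Csv -Path $logPath -NoTypeInformation
$report | Where-Object { 'Error', 'Missing', 'GroupError' -contains $_.Status } | Format-Table -AutoSize
```

Reading back from the same domain controller that took the write keeps replication delay from showing up as a false Missing row.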
    
    

The topic ‘verbose information for add-adgroupmember’ is closed to new replies.