verbose information for add-adgroupmember

This topic contains 10 replies, has 4 voices, and was last updated by Jon 1 month, 2 weeks ago.

  • #96224

    Jon
    Participant

    For doing bulk group adds, I usually put everything in a CSV file with two columns, one being "group" and the other being "useradd", then run a function that contains this:

    import-csv C:\scripts\sp\groupmod.csv | % {Add-ADGroupMember -Identity $_.group -Members $_.useradd}

    No big deal, pretty straightforward. However, I've noticed around 2-3 times now that users that are in the CSV do not get added to the groups. I do not get any errors, I just find out later when the SharePoint team asks where the users are!

    I tried doing -Verbose but it doesn't really give me any information beyond something being added to that group. If I put Write-Output in front of Add-ADGroupMember it does seem to give me some information on what is being added to the groups. Just not sure if this is the best method? I thought try/catch might help, but I don't actually get any errors when it doesn't add them, so not sure if that would help.

    Any thoughts are appreciated, thanks!

  • #96237

    Olaf Soyk
    Participant

    There is no built-in way to determine if the accounts have been added or not. If you want to make sure that the desired accounts have been added to the group, you will have to check it yourself.

  • #96300

    Jason Palatty
    Participant

    Hey Jon,
    I have a similar script that adds members to a group in bulk. I actually just use a txt file and do one group at a time and have never had a problem with it skipping members. Although if you had a lot of groups to do at one time, using a CSV definitely scales better. At the end of my script I usually output the group members and spot check the ones I have just added. Similar to what Olaf said, you could always try getting a count of the members before and after to see if it matches up with what you're adding.

    • #96306

      Olaf Soyk
      Participant

      you could always try getting a count of the members before and after to see if it matches up with what you're adding

      Please keep in mind that this would only provide helpful information if none of the accounts you try to add is already in the group.

    • #96311

      Jason Palatty
      Participant

      If the account you were trying to add were already a member of the group that would actually generate an error stating "The specified account name is already a member of the group", and I think in Jon's case he said he is not getting any errors. I haven't tried testing with a csv but I don't think it would be any different.

  • #96312

    Olaf Soyk
    Participant

    I haven't tried testing with a csv ...

    It does not matter where the names come from but you should have.

    If the account you were trying to add were already a member of the group that would actually generate an error
    ...

    NO, it does not. That's why I said you have to check each single name if it's there or not. I tested it before.

  • #96387

    Jon
    Participant

    Olaf is right, it will not tell you if a user/group is already a member of the group.

    It seems like there isn't a real good way to get this done. Since it's only happened a few times, and it's not a huge deal when it does, I'll just let them complain when they don't get added and then fix it 🙂

  • #96396

    Jason Palatty
    Participant

    Not sure if I am doing something different, but if I run this in my AD environment (Win Server 2008 R2), it does let me know that someone is already a member of the group. You can always try this if it helps; if not, you can just ignore me.

    Import-Module ActiveDirectory
    # Turn every cmdlet error into a terminating error so the catch block below runs
    $ErrorActionPreference = "Stop"

    $users = Import-Csv -Path C:\Scripts\AddADGroupMembers.csv

    foreach ($user in $users)
    {
        try
        {
            # @() keeps .Count valid when the group has zero or one member
            $GroupMemberCountBefore = @(Get-ADGroupMember -Identity $user.group).Count
            Add-ADGroupMember -Identity $user.group -Members $user.username
            $GroupMemberCountAfter = @(Get-ADGroupMember -Identity $user.group).Count

            # An unchanged count means nothing new was added to the group
            if ($GroupMemberCountBefore -eq $GroupMemberCountAfter)
            {
                Write-Host "Please check to make sure $($user.username) got added to $($user.group)"
            }
        }
        catch
        {
            # Any error raised above lands here, not only an "already a member" error
            Write-Host "$($user.username) may already be a member of the group."
        }
    }
    
  • #96425

    Olaf Soyk
    Participant

    OK, I don't know how an out of support Windows 😉 works in this situation but on a W2K12 R2 there won't be any message if a user is already in the group.
    So your script wouldn't deliver a reliable statement about the success of the desired action.
    Let's say you already have User1 and User2 in your group and you try to add User1, User2, User3 and User4 with a single command line. For whatever reason adding User3 works just as intended but User4 won't. Then your count is different to the count before but there won't be any error message.
    So the only reliable way to check if all the desired users are added to the group is – get the group members and compare them to the "adding candidates".

  • #96618

    David Schmidtberger
    Participant

    I would probably approach it in this fashion:

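    $csv = Import-Csv C:\scripts\sp\groupmod.csv
    $errorlog = "c:\scripts\sp\group_add_error.txt"
    foreach ($entry in $csv)
    {
        Add-ADGroupMember -Identity $entry.group -Members $entry.useradd
        # Re-read the user's memberOf attribute (a list of group distinguished names)
        $membership = Get-ADUser $entry.useradd -Properties memberOf
        # $() is needed so the group property, not the whole row object, is expanded.
        # This is a substring match on the DN, so similarly named groups also match.
        if ($membership.memberOf -like "*$($entry.group)*")
        {
            # Membership confirmed
        }
        else
        {
            # -Append keeps earlier entries instead of overwriting the log on every miss
            "$($entry.useradd) was not added to $($entry.group)" | Out-File $errorlog -Append
        }
    }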
    

    You could also add a success message in the first check, but this is relatively simple.

  • #97984

    Jon
    Participant

    Wanted to give a quick update. Thanks, David, for your script. I had to make a few modifications, as I needed to account for when I was adding groups into groups.

    Here is my final code which is working great.

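    $csv = Import-Csv C:\scripts\sp\groupmod.csv
    $errorlog = "c:\scripts\sp\group_add_error.txt"
    foreach ($entry in $csv)
    {
        Add-ADGroupMember -Identity $entry.group -Members $entry.useradd
        # Direct members of the group (users and nested groups) by sAMAccountName
        $membership = @(Get-ADGroupMember $entry.group | ForEach-Object { $_.SamAccountName })
        # -contains is an exact, case-insensitive match with no wildcard interpretation
        if ($membership -contains $entry.useradd)
        {
            # Membership confirmed
        }
        else
        {
            # -Append keeps earlier entries instead of overwriting the log on every miss
            "$($entry.useradd) was not added to $($entry.group)" | Out-File $errorlog -Append
        }
    }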
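
Olaf's suggestion in this thread (get the group members and compare them to the "adding candidates"), written out as an added example that is not code from any poster here. It assumes the `useradd` column holds sAMAccountName values, as Jon's final script does; `$server` and `$report` are placeholders, and the add and the check are pinned to one domain controller so the verification does not read a replica that has not received the change yet.

```powershell
# Added example. CSV columns "group" and "useradd" are the ones used in the thread;
# $server and $report are placeholders to adjust for your environment.
Import-Module ActiveDirectory

$server = 'dc01.example.test'                    # placeholder DC, used for add AND verify
$report = 'C:\scripts\sp\group_add_report.csv'   # hypothetical report path
$rows   = Import-Csv -Path 'C:\scripts\sp\groupmod.csv'

function Get-MemberNames([string]$Group) {
    # Direct members (users, groups, computers) as sAMAccountName strings
    Get-ADGroupMember -Identity $Group -Server $server -ErrorAction Stop |
        ForEach-Object { $_.SamAccountName }
}

$results = foreach ($batch in ($rows | Group-Object -Property group)) {
    $group  = $batch.Name
    $wanted = @($batch.Group | ForEach-Object { "$($_.useradd)".Trim() } |
                Where-Object { $_ } | Sort-Object -Unique)
    $errors = @{}
    try {
        $before = @(Get-MemberNames $group)          # snapshot before any change
        foreach ($name in $wanted) {
            if ($before -contains $name) { continue } # nothing to do for existing members
            try   { Add-ADGroupMember -Identity $group -Members $name -Server $server -ErrorAction Stop }
            catch { $errors[$name] = $_.Exception.Message }
        }
        $after = @(Get-MemberNames $group)           # snapshot after all adds
    } catch {
        $msg = $_.Exception.Message                  # group itself could not be read
        $wanted | ForEach-Object { [pscustomobject]@{ Group = $group; Member = $_; Status = 'GroupLookupFailed'; Detail = $msg } }
        continue
    }
    foreach ($name in $wanted) {                     # judge each candidate by name, not by count
        if     ($after  -notcontains $name) { $status = 'Missing' }
        elseif ($before -contains    $name) { $status = 'AlreadyMember' }
        else                                { $status = 'Added' }
        [pscustomobject]@{ Group = $group; Member = $name; Status = $status; Detail = $errors[$name] }
    }
}

$results | Export-Csv -Path $report -NoTypeInformation
# Anything listed here still needs attention
$results | Where-Object { $_.Status -ne 'Added' -and $_.Status -ne 'AlreadyMember' }
```

Because every candidate gets its own row, the User1 to User4 case Olaf describes is reported correctly: User1 and User2 as AlreadyMember, User3 as Added, User4 as Missing.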
    
    
