0 votes

Hello,

I try to run following powershell code from Script Repository "Add users to group in bulk". I always get the message "User TestUser1 was not found".

We use Adaxes to manage more then 10 domains. I think the problematic line is with the Get-AdmUser command. When I remove "-AdaxesService localhost", script runs well in the domain where Adaxes server resides. Or if I specify an "Run as" account from the domain where the group resides - users were added to the group. But Custom Command should run in every Managed Domain with the configured Service Account.

regards Helmut

by (510 points)
0

Hello,

This is exactly how the script is designed to work. It only searches for users in the domain where the group is located. Also, when you remove the -AdaxesService parameter for the Get-AdmUser cmdlet, the search is performed in AD avoiding Adaxes. In this case, users that are in the Adaxes unmanaged list can also be added to the group. We will update the script to add group members independently of their domain. Once the script is ready, we will get back to you right away.

1 Answer

0 votes
by (270k points)

Hello,

We updated the script to meet your needs. You can copy it here.

0

Hello,

thanks for updating script to our meets. I have an additional question: because our admin accounts are named in all manged Domain the same we get the message "Found more then one account..." How can we change the filter to search only in domain where the group resides?

regards Helmut

+1

Hello Helmut,

It cannot be done by only updating the search filter. It is required to change the search base. Below is the version of the script that will perform the search only in the domain of the target group.

$propertyForUsernames = "adm-CustomAttributeText1" #TODO: modify me

function SearchObjects($filter)
{
    $searcher = $Context.BindToObjectByDN("%adm-DomainDN%")
    $searcher.SearchFilter = $filter
    $searcher.SearchScope = "ADS_SCOPE_SUBTREE"
    $searcher.SizeLimit = 2    

    try
    {
        # Execute search
        $searchResultIterator = $searcher.ExecuteSearch()
        $searchResults = $searchResultIterator.FetchAll()

        return ,$searchResults
    }
    finally
    {
        # Release resources
        if ($searchResultIterator){ $searchResultIterator.Dispose() }
    }
}

# Get usernames from the custom attribute
try
{
    $sAMAccountNames = ($Context.TargetObject.Get($propertyForUsernames)).Split(",")
}
catch
{
    return
}

# Get the current group members
try
{
    $memberGuidsBytes = $Context.TargetObject.GetEx("adm-DirectMembersGuid")
}
catch
{
    $memberGuidsBytes = @()
}

$memberGuids = New-Object "System.Collections.Generic.HashSet[System.Guid]"
$memberGuidsBytes | %%{ $memberGuids.Add([Guid]$_) }

$domainName = $Context.GetObjectDomain("%distinguishedName%")
foreach ($sAMAccountName in $sAMAccountNames)
{
    $searchResults = SearchObjects "(sAMAccountName=$sAMAccountName)"
    if ($searchResults.Length -eq 0)
    {
        $Context.LogMessage("Account with username $sAMAccountName not found.", "Warning")
        continue
    }
    elseif ($searchResults.Length -gt 1)
    {
        $Context.LogMessage("Found more than one account with username $sAMAccountName", "Warning")
        continue
    }

    # Add the user to the group
    $userGuid = [Guid]$searchResults[0].Properties["objectGUID"].Value
    if (-not($memberGuids.Contains($userGuid)))
    {
        try
        {
            $Context.TargetObject.Add("Adaxes://<GUID=$userGuid>")
        }
        catch
        {
            $Context.LogMessage("An error occurred when addingaccount with username $sAMAccountName to the group. Error: " + $_.Exception.Message, "Warning") # TODO: modify me
        }
    }
    else
    {
        $Context.LogMessage("User $sAMAccountName is already a member of the group.", "Information") # TODO: modify me
    }
}

# Clear custom attribute
$Context.TargetObject.Put($propertyForUsernames, $NULL)
$Context.TargetObject.SetInfoEx(@($propertyForUsernames))

Related questions

0 votes
1 answer

We have a Hybrid enviroment where our On-Prem AD is leading. We also have cloud only groups. Now I need to give key users rights to manage the memebership of the cloud ... cannot select the On-Prem domain. The option is greyed out. Am I missing something?

asked Jan 30 by a.blonk (170 points)
0 votes
1 answer

Hi All, I was following the following documentation https://www.adaxes.com/tutorials_DelegatingPermissions_GrantRightsToModifyADGroupMembership.htm However I cannot work out how to make it ... can only add themselves. Any help would be great. Many Thanks

asked Mar 30, 2020 by antondubek (440 points)
0 votes
1 answer

Hello, I have my OUs structured so each department we're working with has an OU for their service accounts under their department OU. e.g. OU=Service Accounts,OU=Sales,OU= ... add each new OU to the scheduled task but I was hoping for something more hands off.

asked Oct 19, 2015 by drew.tittle (810 points)
0 votes
1 answer

From the Administration Console, when adding users to a group, I would like the ability to paste a list of users, like I can in ADUC. Also, I would like the ability to paste a list of groups to a user.

asked Mar 22, 2013 by Kikaida (1.1k points)
0 votes
1 answer

Hi again, It seems that there is a problem with the Blind Users role and the add to group features : i configured a user as he can see only a specific OU through blind ... " (Where My User stands for the real user name obviously). Am i doing something wrong ?

asked Jul 5, 2011 by sroux (800 points)
3,326 questions
3,026 answers
7,727 comments
544,678 users