0 votes

Hello,

I'm trying to write a simple PowerShell script to check if a user is a member of one of two groups and output a true value if the user is a member of either group so I can use it with a scheduled task.

In order to do this I think I need to use the Adaxes cmdlet Get-admPrincipalGroupMembership to get the groups the user is a member of.

If I enter this command in the default PS ISE as well as the Adaxes Module:

Get-AdmPrincipalGroupMembership -AdaxesService Adaxes.domain.com -Identity "CN=testuser,OU=TestAccounts,OU=Users,OU=Shared,DC=domain,DC=com"

I get this error:

Get-AdmPrincipalGroupMembership : Can't find an object with identity 'CN=testuser,OU=TestAccounts,OU=Users,OU=Shared,DC=domain,DC=com'.
At line:1 char:1
+ Get-AdmPrincipalGroupMembership -AdaxesService Adaxes.domain.com -Identity " ...
+ ~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Get-AdmPrincipalGroupMembership], IdentityResolvingException
+ FullyQualifiedErrorId : Softerra:Adaxes:PowerShellModule:Commands:GetAdmPrincipalGroupMembershipCommandExecutor:ProcessRecord:ResolveIdentity,Softerra.Adaxes.PowerShellModule.Commands.GetAdmPrincipalGroupMembershipCommand

When I run the built-in Get-ADPrincipalGroupMembership looking for the same user with this command:

Get-ADPrincipalGroupMembership -Identity "CN=testuser,OU=TestAccounts,OU=Users,OU=Shared,DC=domain,DC=com"

I get back a list of the test user's groups as I would expect.

What am I doing wrong with the Adaxes cmdlet? Do I need to use that in my PS scripts intended to be run as Adaxes scheduled tasks, or can I use the default PowerShell cmdlets instead?

by (4.5k points)

1 Answer

0 votes
by (215k points)
Best answer

Hello,

When calling the cmdlet, you pass the -AdaxesService parameter, which means that the operation is performed via Adaxes service.

Get-AdmPrincipalGroupMembership -AdaxesService Adaxes.domain.com -Identity "CN=testuser,OU=TestAccounts,OU=Users,OU=Shared,DC=domain,DC=com"

Judging by the error message, you didn't specify a correct fully qualified domain name (FQDN) of your service and used the name specified in our SDK example:
At line:1 char:1
+ Get-AdmPrincipalGroupMembership -AdaxesService Adaxes.domain.com -Identity " ...

To remedy the issue, specify the correct fully qualified domain name (FQDN) of the computer where Adaxes service is installed.

0

Good Morning,

I removed the actual FQDN of my Adaxes services server from my example. The FQDN is specified correctly in the actual command I'm testing. I'll check for typos in the actual command.

EDIT: I just verified the FQDN is correct in the command. I can ping and resolve the hostname without issues. I even get the same error if I run it from the Adaxes server and use -AdaxesService localhost. If I specify a nonexistent hostname for the -AdaxesService parameter, I get a different error:

Get-AdmPrincipalGroupMembership : Failed to obtain information about the service.

If you look at the error I posted it looks like it's saying it can't find the object.

Can't find an object with identity 'CN=testuser,OU=TestAccounts,OU=Users,OU=Shared,DC=domain,DC=com'

I've tried specifying the DN of the object as well as the SamAccountName for -Identity. I get the same error for both of them. However, using the built-in Get-ADPrincipalGroupMembership I can specify the same DN or SamAccountName for -Identity and it finds the object without issue.

0

Then, the reason for the issue is that you don't have sufficient permissions to view the user account in AD. The thing is that when you specify the -AdaxesService parameter, all operations are executed via Adaxes service. This means, in particular, that permissions granted via Adaxes Security Roles are also applied. To remedy the issue, you need to update the Security Roles assigned to you to grant you permissions to view the account.

0

Thanks! I knew I was missing something!
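
The behaviour this thread arrives at matters for the scheduled-task script in the question: through the Adaxes service, an account the caller is not permitted to view fails identity resolution, so the script must not report that as "not a member". The following is an added example, not code from any participant or from Softerra; the function name, service host name and group DNs are placeholders, and it assumes the returned group objects expose a DistinguishedName property.

```powershell
# Added example. Host name and group DNs below are placeholders, not values from the thread.
Import-Module Adaxes

function Test-MemberOfEitherGroup {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $AdaxesService,
        [Parameter(Mandatory)] [string]   $UserDN,
        [Parameter(Mandatory)] [string[]] $GroupDNs
    )

    try {
        # -ErrorAction Stop turns the cmdlet's error into a catchable exception.
        $groups = Get-AdmPrincipalGroupMembership -AdaxesService $AdaxesService `
                      -Identity $UserDN -ErrorAction Stop
    }
    catch {
        # Via the Adaxes service, an account the caller's Security Roles do not
        # allow it to view fails identity resolution just like a missing object.
        # Surface that as an error ("unknown"), never as "not a member".
        if ($_.CategoryInfo.Reason -eq 'IdentityResolvingException') {
            throw "Cannot resolve '$UserDN' via $AdaxesService. Check that the DN exists and that the caller's Adaxes Security Roles grant permission to view it."
        }
        throw   # any other failure (e.g. service unreachable) is re-thrown unchanged
    }

    # Assumption: returned group objects expose DistinguishedName.
    # -contains compares strings case-insensitively, which suits DNs.
    foreach ($g in $groups) {
        if ($GroupDNs -contains $g.DistinguishedName) { return $true }
    }
    return $false
}

# Outputs $true or $false; throws if the membership could not be read at all.
Test-MemberOfEitherGroup -AdaxesService 'adaxes.example.com' `
    -UserDN 'CN=testuser,OU=TestAccounts,OU=Users,OU=Shared,DC=domain,DC=com' `
    -GroupDNs 'CN=GroupA,OU=Groups,DC=domain,DC=com', 'CN=GroupB,OU=Groups,DC=domain,DC=com'
```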
