Hello,

I'm trying to write a simple PowerShell script to check if a user is a member of one of two groups and output a true value if the user is a member of either group, so I can use it with a scheduled task.

In order to do this I think I need to use the Adaxes cmdlet Get-admPrincipalGroupMembership to get the groups the user is a member of.

If I enter this command in the default PS ISE as well as the Adaxes Module:

Get-AdmPrincipalGroupMembership -AdaxesService Adaxes.domain.com -Identity "CN=testuser,OU=TestAccounts,OU=Users,OU=Shared,DC=domain,DC=com"

I get this error:

Get-AdmPrincipalGroupMembership : Can't find an object with identity 'CN=testuser,OU=TestAccounts,OU=Users,OU=Shared,DC=domain,DC=com'.
At line:1 char:1
+ Get-AdmPrincipalGroupMembership -AdaxesService Adaxes.domain.com -Identity " ...
+ ~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Get-AdmPrincipalGroupMembership], IdentityResolvingException
+ FullyQualifiedErrorId : Softerra:Adaxes:PowerShellModule:Commands:GetAdmPrincipalGroupMembershipCommandExecutor:ProcessRecord:ResolveIdentity,Softerra.Adaxes.PowerShellModule.Commands.GetAdmPrincipalGroupMembershipCommand

When I run the built-in Get-ADPrincipalGroupMembership looking for the same user with this command:

Get-ADPrincipalGroupMembership -Identity "CN=testuser,OU=TestAccounts,OU=Users,OU=Shared,DC=domain,DC=com"

I get back a list of the test user's groups as I would expect.

What am I doing wrong with the Adaxes cmdlet? Do I need to use that in my PS scripts intended to be run as Adaxes scheduled tasks, or can I use the default PowerShell cmdlets instead?

by (810 points)

1 Answer

Best answer

Hello,

When calling the cmdlet, you pass the -AdaxesService parameter, which means that the operation is performed via Adaxes service.

Get-AdmPrincipalGroupMembership -AdaxesService Adaxes.domain.com -Identity "CN=testuser,OU=TestAccounts,OU=Users,OU=Shared,DC=domain,DC=com"

Judging by the error message, you didn't specify a correct fully qualified domain name (FQDN) of your service and used the name specified in our SDK example:
At line:1 char:1
+ Get-AdmPrincipalGroupMembership -AdaxesService Adaxes.domain.com -Identity " ...

To remedy the issue, specify the correct fully qualified domain name (FQDN) of the computer where Adaxes service is installed.

0

Good Morning,

I removed the actual FQDN of my Adaxes services server from my example. The FQDN is specified correctly in the actual command I'm testing. I'll check for typos in the actual command.

EDIT: I just verified the FQDN is correct in the command. I can ping and resolve the hostname without issues. I even get the same error if I run it from the Adaxes server and use -AdaxesService localhost. If I specify a nonexistent hostname for the -AdaxesService parameter, I get a different error:

Get-AdmPrincipalGroupMembership : Failed to obtain information about the service.

If you look at the error I posted, it looks like it's saying it can't find the object.

Can't find an object with identity 'CN=testuser,OU=TestAccounts,OU=Users,OU=Shared,DC=domain,DC=com'

I've tried specifying the DN of the object as well as the sAMAccountName for -Identity. I get the same error for both of them. However, using the built-in Get-ADPrincipalGroupMembership, I can specify the same DN or sAMAccountName for -Identity and it finds the object without issue.

0

Then, the reason for the issue is that you don't have sufficient permissions to view the user account in AD. The thing is that when you specify the -AdaxesService parameter, all operations are executed via Adaxes service. This means, in particular, that permissions granted via Adaxes Security Roles are also applied. To remedy the issue, you need to update the Security Roles assigned to you to grant you permissions to view the account.

0

Thanks! I knew I was missing something!
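
The membership check from the question, written so that the two failure modes seen in this thread are reported separately (an added example, not code from the original posts or from Softerra). It assumes the returned group objects expose a Name property, as the built-in Get-ADPrincipalGroupMembership output does; the function name Test-UserInEitherGroup and the group names are hypothetical.

```powershell
Import-Module Adaxes

function Test-UserInEitherGroup {
    param(
        [Parameter(Mandatory)] [string]   $Identity,      # DN or sAMAccountName
        [Parameter(Mandatory)] [string[]] $GroupNames,    # group names to test against
        [string] $AdaxesService = 'localhost'             # FQDN of the Adaxes service host
    )

    try {
        # -ErrorAction Stop turns the cmdlet's error into a catchable exception.
        $groups = Get-AdmPrincipalGroupMembership -AdaxesService $AdaxesService `
                      -Identity $Identity -ErrorAction Stop
    }
    catch {
        # The error id quoted in the thread ends in "ResolveIdentity". Through the
        # Adaxes service this is raised both when the object does not exist and
        # when the caller's Security Roles do not allow viewing it.
        if ($_.FullyQualifiedErrorId -match 'ResolveIdentity') {
            throw ("Adaxes could not resolve '$Identity'. If the account exists in AD, " +
                   "check that the account running this script is granted permission " +
                   "to view it by an Adaxes Security Role.")
        }
        # Anything else (for example "Failed to obtain information about the
        # service.") is rethrown unchanged so it is not mistaken for "not a member".
        throw
    }

    # Assumption: each returned group object has a Name property.
    $matched = @($groups | Where-Object { $GroupNames -contains $_.Name })
    return ($matched.Count -gt 0)
}

# Constructed sample call; 'GroupA' and 'GroupB' are placeholder group names.
try {
    Test-UserInEitherGroup `
        -Identity 'CN=testuser,OU=TestAccounts,OU=Users,OU=Shared,DC=domain,DC=com' `
        -GroupNames 'GroupA', 'GroupB' `
        -AdaxesService 'Adaxes.domain.com'
}
catch {
    Write-Warning $_.Exception.Message
}
```

Throwing on a resolution failure instead of returning $false keeps a scheduled task from treating a missing view permission as "user is not in either group".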
