Hi

I'm using the following PowerShell script to create a security group in AD.

Import-Module Adaxes
New-AdmGroup -Name "L-Admin_%fullname%" -Path "OU=Local Admins,OU=99X Oslo,DC=99x,DC=local" `
 -GroupCategory Security -GroupScope Global -Server "99x.local" `
 -AdaxesService localhost

Then I'm adding that newly created group to the remote computer's local admin group with the following PowerShell command.

([ADSI]"WinNT://%fullname%/Administrators,group").Add("WinNT://99x.local/L-Admin-%fullname%")

However, I'm getting the following error.

Exception calling "Add" with "1" argument(s): "A member could not be added to or removed from the local group because the member does not exist. "

The groups are created in AD and I verified the script as well. The odd part is that when I used the following code to create the groups, I could add the created group to the remote server's local admin account. It seems like the Adaxes module is creating the group but it is only in memory and WinNT can't locate it.

$dirsyncServer = "99xdc11001.99x.local" # TODO: modify me

Invoke-Command -ComputerName $dirsyncServer -ErrorAction Stop -ScriptBlock {
    Import-Module ActiveDirectory

    # Parameter names must be prefixed with an ASCII hyphen, not an en dash
    New-ADGroup -Name "L-Admin-%fullname%" -GroupScope DomainLocal -Path "OU=Local Admins,OU=99X Oslo,DC=99x,DC=local"
}

Can you tell me why this is happening? I had to enable PowerShell remoting in AD to achieve this. I would like to avoid using that and use the available functions to do this. Hoping for a quick response.

Thanks a lot. :)

by (50 points)

1 Answer

by (271k points)
Best answer

Hello,

The issue can occur because Adaxes creates the group on one Domain Controller, but adding it to the Local Admin group is attempted on another DC. To remedy the issue, try using the following script:

Import-Module Adaxes

$domainName = $Context.GetObjectDomain("%distinguishedName%")
$rootDse = $Context.BindToObject("Adaxes://$domainName/rootDSE")
$domainControllerName = $rootDse.Get("dnsHostName")

# Use one group name for both the creation and the WinNT Add call;
# a name that differs between the two (e.g. "_" vs "-") produces "member does not exist"
$groupName = "L-Admin-%fullname%"

New-AdmGroup -Name $groupName -Path "OU=Local Admins,OU=99X Oslo,DC=99x,DC=local" `
-GroupCategory Security -GroupScope Global -Server $domainControllerName `
-AdaxesService localhost

([ADSI]"WinNT://%fullname%/Administrators,group").Add("WinNT://$domainControllerName/$groupName")

If the issue persists, check if there are Property Patterns/Business Rules that modify the Group Name. For this purpose, create a group manually in Adaxes Web Interface or Administration Console and check the property value after the creation is completed.


Hi,

I'm afraid the script you provided didn't solve my problem. It created the group but was unable to add it to the local admin group, with the same error I had before. There's no script/task/rule that is changing the group name. I believe anyone who reproduces the scenario would receive the same results. Could this be a bug? Thank you for your response. :)


Hello,

As mentioned in our previous post, the issue occurs because synchronization takes time. As a workaround, you can add a Sleep after creating the group. For example:

Import-Module Adaxes

$domainName = $Context.GetObjectDomain("%distinguishedName%")
$rootDse = $Context.BindToObject("Adaxes://$domainName/rootDSE")
$domainControllerName = $rootDse.Get("dnsHostName")

# Use one group name for both the creation and the WinNT Add call
$groupName = "L-Admin-%fullname%"

New-AdmGroup -Name $groupName -Path "OU=Local Admins,OU=99X Oslo,DC=99x,DC=local" `
-GroupCategory Security -GroupScope Global -Server $domainControllerName `
-AdaxesService localhost

# Give replication a chance to complete before the WinNT provider looks the group up
Start-Sleep -Seconds 10

([ADSI]"WinNT://%fullname%/Administrators,group").Add("WinNT://$domainControllerName/$groupName")


Hi Guys,

I tried using the sleep option, not for 10 sec but for a whole 60 sec, but nothing has changed. Following are the troubleshooting steps I did to determine where the problem is.

1. Create a manual group in AD by logging in to the DC and running an Action (WinNT command) in Adaxes to add the created group to a remote computer's local admin account.

THIS WORKED - So there's no issue with my WinNT command, and this rules out the AD sync issue you guys were mentioning. I ran the Adaxes action as soon as I created the group; it may have taken 5 sec.

2. Tried the script you posted with a 60 sec sleep time.

DID NOT WORK - Group creation worked, because while the 60 sec sleep was running I manually refreshed AD on the DC and could see the group created there. And from the previous task I ensured that the WinNT command works and there are no AD sync issues for it to fail. I'm getting the same "Member does not exist" error I posted earlier.

This is really frustrating, and with the above troubleshooting steps I believe the problem is with the Adaxes module. Therefore I tried importing the AD module to get my code to work, but since you're running Adaxes in PowerShell V2 I can't get the AD module to load. It gives me the following error.

The 'C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ActiveDirectory\ActiveDirectory.psd1' module cannot be imported because its manifest contains one or more members that are not valid. The valid manifest members are ('ModuleToProcess', 'NestedModules', 'GUID', 'Author', 'CompanyName', 'Copyright', 'ModuleVersion', 'Description', 'PowerShellVersion', 'PowerShellHostName', 'PowerShellHostVersion', 'CLRVersion', 'DotNetFrameworkVersion', 'ProcessorArchitecture', 'RequiredModules', 'TypesToProcess', 'FormatsToProcess', 'ScriptsToProcess', 'PrivateData', 'RequiredAssemblies', 'ModuleList', 'FileList', 'FunctionsToExport', 'VariablesToExport', 'AliasesToExport', 'CmdletsToExport'). Remove the members that are not valid ('HelpInfoUri'), then try to import the module again.

Hoping somebody could figure out what's wrong here. Or else let me know a way to load the ActiveDirectory module to get this to work.

We are planning to use Adaxes for every customer domain we currently have, but if this task doesn't work, we may have to look for another way. But I'm sure you guys could help me in solving this.

Thanks a lot guys. :)


Hello,

The issue is not related to the Adaxes PowerShell module; the same issue can occur with the PowerShell module for Active Directory. It occurs because the group is created on the domain controller to which the Adaxes service is connected, but to add the group to local admins the WinNT provider connects to the domain controller the computer is authenticated against.
Since there is no way to specify a domain controller in the WinNT provider, we recommend creating the group on the domain controller the computer is authenticated against. To do so, use the script below:

Import-Module Adaxes

# Get flat domain name
$domainName = $Context.GetObjectDomain("%distinguishedName%")
$flatDomainName = $domainName.SubString(0,$domainName.IndexOf("."))

# Get domain controller the computer is authenticated against
$ntDomain = Get-WmiObject -Class Win32_NTDomain -Filter "DomainName = '$flatDomainName'" -ComputerName "%dNSHostName%"
if ($ntDomain -eq $NULL)
{
    $Context.LogMessage("Could not get domain controller the computer is authenticated against", "Warning")
    return
}
$domainControllerFQDN = $ntDomain.DomainControllerName.Replace("\\", "") + "." + $domainName

# Create group
$groupName = "L-Admin-%fullname%"
New-AdmGroup -Name $groupName -AdaxesService "localhost" -Path "OU=Local Admins,OU=99X Oslo,DC=99x,DC=local" -GroupScope Global -GroupCategory Security -Server $domainControllerFQDN

# Add new group to computer Administrators
([ADSI]"WinNT://%dNSHostName%/Administrators,group").Add("WinNT://$domainName/$groupName,group")
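The following is an added example written for this thread; it is not code from the thread or from Adaxes. It follows the final answer's approach (look up the DC the computer authenticates against and create the group there) and adds the two checks a practitioner would want before touching a local Administrators group: it polls that DC until the group is actually returned instead of sleeping for a fixed time, and it reads the local group's membership back afterwards so a silent failure is logged rather than assumed to have worked. It also keeps a single `$groupName` for creation, the wait and the Add call, since a name that differs between the two calls produces the same "member does not exist" error as a replication delay. Assumptions not confirmed by the thread: `Get-AdmGroup` accepts `-Identity`, `-Server` and `-AdaxesService` the way `Get-ADGroup` does; `$Context` is the Adaxes script context; `%fullname%`, `%distinguishedName%` and `%dNSHostName%` are resolved by Adaxes before the script runs.

```powershell
# Added example (not from the thread or Adaxes). Assumes: Get-AdmGroup supports
# -Identity/-Server/-AdaxesService; $Context is the Adaxes script context;
# %fullname%, %distinguishedName%, %dNSHostName% are Adaxes value references.
Import-Module Adaxes

# One spelling of the group name, reused for creation, the wait and the Add call
$groupName = "L-Admin-%fullname%"
$groupPath = "OU=Local Admins,OU=99X Oslo,DC=99x,DC=local"
$computer  = "%dNSHostName%"

# DNS and flat (NetBIOS) domain names, as in the final answer
$domainName     = $Context.GetObjectDomain("%distinguishedName%")
$flatDomainName = $domainName.Substring(0, $domainName.IndexOf("."))

# Domain controller the target computer is authenticated against
$ntDomain = Get-WmiObject -Class Win32_NTDomain -Filter "DomainName = '$flatDomainName'" -ComputerName $computer
if ($ntDomain -eq $null) {
    $Context.LogMessage("Could not get domain controller the computer is authenticated against", "Warning")
    return
}
$dc = $ntDomain.DomainControllerName.Replace("\\", "") + "." + $domainName

# Poll one DC until it returns the group, or give up after the timeout.
function Wait-GroupOnDC {
    param([string]$Name, [string]$Server, [int]$TimeoutSeconds = 120, [int]$IntervalSeconds = 5)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $g = Get-AdmGroup -Identity $Name -Server $Server -AdaxesService "localhost" -ErrorAction SilentlyContinue
        if ($g -ne $null) { return $g }
        Start-Sleep -Seconds $IntervalSeconds
    } while ((Get-Date) -lt $deadline)
    return $null
}

# Read the computer's local Administrators members as DOMAIN\Name strings.
function Get-LocalAdminMembers {
    param([string]$ComputerName)
    $localAdmins = [ADSI]"WinNT://$ComputerName/Administrators,group"
    @($localAdmins.Invoke("Members")) | ForEach-Object {
        $path = $_.GetType().InvokeMember("AdsPath", "GetProperty", $null, $_, $null)
        # AdsPath looks like WinNT://DOMAIN/Name; turn it into DOMAIN\Name
        ($path -replace "^WinNT://", "") -replace "/", "\"
    }
}

# 1. Create the group on the DC the computer uses
New-AdmGroup -Name $groupName -Path $groupPath -GroupScope Global -GroupCategory Security `
    -Server $dc -AdaxesService "localhost"

# 2. Do not proceed until that DC actually returns the group
$group = Wait-GroupOnDC -Name $groupName -Server $dc
if ($group -eq $null) {
    $Context.LogMessage("Group $groupName not visible on $dc within timeout; skipping local admin change", "Error")
    return
}

# 3. Add it to the computer's local Administrators group (NetBIOS domain name,
#    which is what the WinNT provider natively understands)
$localAdmins = [ADSI]"WinNT://$computer/Administrators,group"
$localAdmins.Add("WinNT://$flatDomainName/$groupName,group")

# 4. Verify the result instead of assuming the Add succeeded
$expected = "$flatDomainName\$groupName"
$members  = @(Get-LocalAdminMembers -ComputerName $computer)
if ($members -contains $expected) {
    $Context.LogMessage("$expected is now a member of Administrators on $computer", "Information")
} else {
    $Context.LogMessage("$expected is NOT a member of Administrators on $computer after Add; investigate", "Error")
}
```

The poll replaces the fixed `Sleep` from the earlier answer: a fixed delay either wastes time on a fast site or still fails on a slow one, whereas querying the specific DC that the WinNT provider will consult tells you directly whether the object has arrived there. The membership read-back is the part worth keeping in any production rule, because granting local administrator rights is exactly the kind of change you want confirmed and logged.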
