Forum Discussion

StevenWatts
Copper Contributor
Jan 24, 2023

Check user is in Security Group after being added by PowerShell script.

I have an issue whereby once the PS script attempts to add a user to the security group it will drop into the else statement on line 18, regardless of whether the user was added to the security group. I'm not a Windows administrator, so my knowledge is fairly high level. Could this possibly be because the DCs haven't replicated the changes yet, and as such when line 15 runs it's returning false?


Any assistance would be appreciated.


# Get the user and group information
$user = get-aduser $UserName -server $UserController -credential $MyCredentials
$group = get-adgroup $GroupName -server $DomainController -credential $MyCredentials
$members = Get-ADGroupMember -server $DomainController -credential $MyCredentials -Identity $GroupName -Recursive | Select -ExpandProperty distinguishedName

# Check group membership
If ($members -contains $user) {
    Write-Host("User exists in the group")
}
Else {
    Set-ADObject -identity $group -add @{member=$user.DistinguishedName} -server $DomainController -credential $MyCredentials

    If ($members -contains $user) {
        Write-Host("User successfully added to group")
    }
    Else {
        Write-Host("Automation has failed, user not added to group")
    }
}
  • StevenWatts 

    Ran the script on my test Domain Controller. I don't think there's a need to specify the Domain Controller, because you are adding the user and querying whether it's in the group in the same connection. But...


    You gather all the members in the $members variable. Then you test if the user is part of the group. If it isn't, then you add it to the group. And then you check the same $members variable again, which isn't updated with the user being in it 🙂 And that's why it reports it as not added to the group. You should add the $members= get-adgroupmember... on line 14 again to verify if the user has been added to the group.


    When adding the user to the group, the script below with a try/catch will check if that succeeds. If it fails, it will report that on screen. If it works, it will tell you without rechecking the group. (Trust your AD 😉 )


    # Get the user and group information
    $user = Get-ADUser $UserName
    $group = Get-ADGroup $GroupName
    $members = Get-ADGroupMember -Identity $GroupName -Recursive | Select-Object -ExpandProperty distinguishedName

    # Check group membership
    If ($members -contains $user) {
        Write-Host("User {0} already (indirect) member of group {1}" -f $user.UserPrincipalName, $group.Name) -ForegroundColor Green
    }
    Else {
        try {
            Set-ADObject -identity $group -add @{member = $user.DistinguishedName } -ErrorAction Stop
            Write-Host("User {0} successfully added to group {1}" -f $user.UserPrincipalName, $group.Name) -ForegroundColor Green
        }
        catch {
            Write-Warning ("Error adding {0} to {1}, check the name of the group and/or permissions" -f $user.UserPrincipalName, $group.Name)
        }
    }
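    The two points made above (the pre-add $members array can never contain the new member, and a try/catch only sees the failure when the cmdlet error is terminating) combined into one function, as an added example that is not code from either poster. It assumes the RSAT ActiveDirectory module is loaded and that $UserName, $GroupName, $DomainController and $Credential are supplied by the caller; the names in the usage line are constructed placeholders. It also answers the replication question from the original post by sending every read and the write to the same DC.

    ```powershell
    # Added example, not the thread's own code. Requires the ActiveDirectory module.
    Import-Module ActiveDirectory

    function Add-UserToGroupVerified {
        [CmdletBinding()]
        param(
            [Parameter(Mandatory)][string]$UserName,
            [Parameter(Mandatory)][string]$GroupName,
            [string]$DomainController,      # optional: pin reads and the write to one DC
            [pscredential]$Credential       # optional: account with write-member on the group only
        )

        # One splat for every AD cmdlet call, so the write and the verifying read go to
        # the same DC with the same credentials. Reading from a different DC than the
        # one written to is exactly the replication-lag false negative the question asks about.
        # ErrorAction Stop makes cmdlet errors terminating, so the catch block below runs.
        $ad = @{ ErrorAction = 'Stop' }
        if ($DomainController) { $ad.Server = $DomainController }
        if ($Credential)       { $ad.Credential = $Credential }

        $user  = Get-ADUser  -Identity $UserName  @ad
        $group = Get-ADGroup -Identity $GroupName @ad

        # Fresh membership read on every call; nothing is cached in a variable between
        # the pre-check and the post-check. Comparing distinguished names explicitly
        # avoids depending on how -contains stringifies an ADUser object.
        function Test-Member {
            $dns = Get-ADGroupMember -Identity $group -Recursive @ad |
                   Select-Object -ExpandProperty DistinguishedName
            return ($dns -contains $user.DistinguishedName)
        }

        if (Test-Member) {
            Write-Host ("User {0} is already a member of group {1}" -f $user.SamAccountName, $group.Name)
            return $true
        }

        try {
            Add-ADGroupMember -Identity $group -Members $user @ad
        }
        catch {
            Write-Warning ("Error adding {0} to {1}: {2}" -f $user.SamAccountName, $group.Name, $_.Exception.Message)
            return $false
        }

        # Re-query instead of re-testing the array captured before the write.
        if (Test-Member) {
            Write-Host ("User {0} successfully added to group {1}" -f $user.SamAccountName, $group.Name)
            return $true
        }

        Write-Warning ("Add of {0} to {1} raised no error, but a fresh read from the same DC does not show the membership yet" -f $user.SamAccountName, $group.Name)
        return $false
    }

    # Usage with constructed placeholder values:
    # Add-UserToGroupVerified -UserName 'jdoe' -GroupName 'App-Admins' `
    #     -DomainController 'dc01.corp.example' -Credential (Get-Credential)
    ```

    Two practical notes: Get-ADGroupMember -Recursive walks nested groups, which is what you want for "is this user effectively a member", but on very large groups it is slow, and checking the user's memberOf attribute instead only sees direct membership, so pick the read that matches the question being asked. On the DC that processed the write, the membership change lands in the Security log as event 4728, 4732 or 4756 (global, domain local or universal group respectively), which is the record to correlate automation runs against when the script reports success but the membership later looks wrong.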
    • StevenWatts
      Copper Contributor

      Harm_Veenstra 


      Thanks for your assistance. I should have mentioned that the below script was the last third of a larger script which takes the inputs as arguments from ServiceNow. We have multiple DCs depending on the region of the requested-for user.

      I had to make a few very minor amendments to the changes you made below but this is now working. 


      # Get the user and group information
      $user = get-aduser $UserName -server $UserController -credential $MyCredentials
      $group = get-adgroup $GroupName -server $DomainController -credential $MyCredentials
      $members = Get-ADGroupMember -server $DomainController -credential $MyCredentials -Identity $GroupName -Recursive | Select -ExpandProperty distinguishedName

      # Check group membership
      If ($members -contains $user) {
          Write-Host("User {0} already a member of the group {1}" -f $UserName, $GroupName)
      }
      Else {
          try {
              # -ErrorAction Stop is required for a cmdlet error to reach the catch block
              Set-ADObject -identity $group -add @{member=$user.DistinguishedName} -server $DomainController -credential $MyCredentials -ErrorAction Stop
              Write-Host("User {0} successfully added to group {1}" -f $UserName, $GroupName)
          }
          catch {
              Write-Host("Error adding {0} to {1}" -f $UserName, $GroupName)
          }
      }


      • Harm_Veenstra
        MVP
        Ah, ok 🙂 Good to hear that it works now! Please mark my answer as a solution to mark this solved
