Forum Discussion
Check user is in Security Group after being added by PowerShell script.
I have an issue whereby once the PS script attempts to add a user to the security group it will drop into the else statement on line 18, regardless of whether the user was added to the security group. I'm not a Windows administrator, so my knowledge is fairly high level. Could this possibly be because the DCs haven't replicated the changes yet, and as such when line 15 runs it's returning false?
Any assistance would be appreciated.
# Get the user and group information
$user = get-aduser $UserName -server $UserController -credential $MyCredentials
$group = get-adgroup $GroupName -server $DomainController -credential $MyCredentials
$members = Get-ADGroupMember -server $DomainController -credential $MyCredentials -Identity $GroupName -Recursive | Select -ExpandProperty distinguishedName
# Check group membership
If ($members -contains $user) {
    Write-Host ("User exists in the group")
}
Else {
    Set-ADObject -identity $group -add @{member=$user.DistinguishedName} -server $DomainController -credential $MyCredentials
    If ($members -contains $user) {
        Write-Host ("User successfully added to group")
    }
    Else {
        Write-Host ("Automation has failed, user not added to group")
    }
}
Ran the script on my test Domain Controller. I don't think there's a need to specify the Domain Controller, because you are running the add of the user and the query of whether it's in the group over the same connection. But...
You gather all the members in the $members variable. Then you test if the user is part of the group. If it isn't, then you add it to the group. And then you check the same $members variable again, which isn't updated with the user being in it 🙂 And that's why it reports it as not added to the group. You should add the $members= get-adgroupmember... on line 14 again to verify if the user has been added to the group.
When adding the user to the group, the script below with a try/catch will check if that succeeds. If it fails, it will report that on screen. If it works, it will tell you without rechecking the group. (Trust your AD 😉 )
# Get the user and group information
$user = Get-ADUser $UserName
$group = Get-ADGroup $GroupName
$members = Get-ADGroupMember -Identity $GroupName -Recursive | Select-Object -ExpandProperty distinguishedName
# Check group membership
If ($members -contains $user) {
    Write-Host ("User {0} already (indirect) member of group {1}" -f $user.UserPrincipalName, $group.Name) -ForegroundColor Green
}
Else {
    try {
        Set-ADObject -identity $group -add @{member = $user.DistinguishedName} -ErrorAction Stop
        Write-Host ("User {0} successfully added to group {1}" -f $user.UserPrincipalName, $group.Name) -ForegroundColor Green
    }
    catch {
        Write-Warning ("Error adding {0} to {1}, check the name of the group and/or permissions" -f $user.UserPrincipalName, $group.Name)
    }
}
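The answer above identifies the real cause: $members is a snapshot taken before the write, so re-testing it can never succeed. The question also raises replication lag across several DCs. The function below is an added example written for this thread (not code from either poster). It re-queries the group's direct member attribute from the same DC that performed the write, so the verification cannot be defeated by replication delay, compares distinguished names explicitly, and uses -ErrorAction Stop so a failed Set-ADObject reaches the catch block instead of falling through to the success message. The function name, its parameters and the placeholder values in the usage line are my own.

```powershell
# Added example: add a user to a group and verify the result against the DC that took the write.
# Function name, parameter names and the usage values are assumptions for illustration.
function Add-ADGroupMemberVerified {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $UserName,
        [Parameter(Mandatory)] [string] $GroupName,
        [Parameter(Mandatory)] [string] $DomainController,  # DC used for the group write AND the re-check
        [string] $UserController = $DomainController,        # DC the user is resolved on (may differ per region)
        [pscredential] $Credential
    )

    # One splat per DC so every call targets the same server with the same credential
    $groupDc = @{ Server = $DomainController }
    $userDc  = @{ Server = $UserController }
    if ($Credential) { $groupDc.Credential = $Credential; $userDc.Credential = $Credential }

    $result = [ordered]@{ User = $UserName; Group = $GroupName; Status = $null; Error = $null }

    try {
        $user  = Get-ADUser  -Identity $UserName  @userDc  -ErrorAction Stop
        $group = Get-ADGroup -Identity $GroupName @groupDc -ErrorAction Stop
    }
    catch {
        $result.Status = 'LookupFailed'; $result.Error = $_.Exception.Message
        return [pscustomobject]$result
    }

    # Compare DN strings explicitly instead of relying on ADUser-to-string coercion.
    # -Recursive also catches membership inherited through nested groups.
    $members = Get-ADGroupMember -Identity $group @groupDc -Recursive |
        Select-Object -ExpandProperty DistinguishedName
    if ($members -contains $user.DistinguishedName) {
        $result.Status = 'AlreadyMember'
        return [pscustomobject]$result
    }

    try {
        # -ErrorAction Stop turns a non-terminating cmdlet error into one the catch block sees
        Set-ADObject -Identity $group -Add @{ member = $user.DistinguishedName } @groupDc -ErrorAction Stop
    }
    catch {
        $result.Status = 'AddFailed'; $result.Error = $_.Exception.Message
        return [pscustomobject]$result
    }

    # Re-read the direct 'member' attribute from the SAME DC we just wrote to.
    # The earlier $members array is a pre-write snapshot and will never reflect the add on its own;
    # asking a different DC could still miss it until replication completes.
    $direct = (Get-ADGroup -Identity $group -Properties member @groupDc).member
    $result.Status = if ($direct -contains $user.DistinguishedName) { 'Added' } else { 'AddNotVisible' }
    return [pscustomobject]$result
}

# Usage (placeholder values):
# Add-ADGroupMemberVerified -UserName 'jdoe' -GroupName 'App-Admins' `
#     -DomainController 'dc01.corp.example' -Credential (Get-Credential)
```

Returning a status object rather than writing to the host keeps the function usable from a larger automation (such as the ServiceNow-driven script mentioned later in the thread), which can log or branch on Status. An 'AddNotVisible' result is worth alerting on: the write raised no error, yet the DC that accepted it does not show the membership, which points at something other than replication lag.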
- StevenWatts (Copper Contributor):
Thanks for your assistance. I should have mentioned that the below script was the last third of a larger script which takes the inputs as arguments from ServiceNow. We have multiple DCs depending on the region of the requested-for user.
I had to make a few very minor amendments to the changes you made below, but this is now working.
# Get the user and group information
$user = get-aduser $UserName -server $UserController -credential $MyCredentials
$group = get-adgroup $GroupName -server $DomainController -credential $MyCredentials
$members = Get-ADGroupMember -server $DomainController -credential $MyCredentials -Identity $GroupName -Recursive | Select -ExpandProperty distinguishedName
# Check group membership
If ($members -contains $user) {
    Write-Host ("User {0} already a member of the group {1}" -f $UserName, $GroupName)
}
Else {
    try {
        # -ErrorAction Stop makes a failed add reach the catch block instead of falling through to the success message
        Set-ADObject -identity $group -add @{member=$user.DistinguishedName} -server $DomainController -credential $MyCredentials -ErrorAction Stop
        Write-Host ("User {0} successfully added to group {1}" -f $UserName, $GroupName)
    }
    catch {
        Write-Host ("Error adding {0} to {1}" -f $UserName, $GroupName)
    }
}
- Ah, ok 🙂 Good to hear that it works now! Please mark my answer as a solution to mark this solved