Hi All,
The following script doesn't work for AD groups. Members of ADGroup1 should be able to add or remove users from another AD group. Please guide me.
# Define the $owner that will be able to manage the members of $group
$owner = "ADGroup1";
$group = "AnyADGroup";
# Try to get objects from AD
try {
    $ownerobject = get-aduser $owner;
    $groupobject = get-adgroup $group;
# If AD could not be read
} catch {
    write-host "Could not get user/group information from Active Directory";
    break;
}
# Try to set "write members" rights on the group
try {
    $ldapstring = "LDAP://" + $groupobject.distinguishedname;
    $ldapgroup = [ADSI]$ldapstring;
    [System.DirectoryServices.DirectoryEntryConfiguration]$secoptions = $ldapgroup.get_Options();
    $secoptions.SecurityMasks = [System.DirectoryServices.SecurityMasks]'Dacl';
    # Get SID
    $identityref = $ownerobject.sid.value;
    $sid = new-object System.Security.Principal.SecurityIdentifier ($identityref);
    # Define rights to be applied
    $adrights = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty;
    $type = [System.Security.AccessControl.AccessControlType]::Allow;
    # Define permission attribute to modify (writeMembers)
    $objectguid = [Guid]"bf9679c0-0de6-11d0-a285-00aa003049e2";
    $adrule = new-object System.DirectoryServices.ActiveDirectoryAccessRule ($sid, $adrights, $type, $objectguid);
    # Apply new ACL
    $ldapgroup.get_ObjectSecurity().AddAccessRule($adrule);
    $ldapgroup.CommitChanges();
    write-host ("ACLs updated for group: " + $group);
# If permissions could not be set
} catch {
    write-host ("Could not set new ACLs on group: " + $group);
    break;
}
When I put $owner = "user1", it works fine.
If $owner contains a group name, then call get-adgroup and not get-aduser.
$owner = "ADGroup1";
$ownerobject = get-adgroup $owner;
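An added example (not part of the original question or answer) that resolves $Owner with Get-ADObject so it works whether the owner is a user or a group, grants WriteProperty on the "member" attribute the same way the script does, and then reads the group's DACL back so an administrator can verify who holds write-members rights. The function names and parameters are my own; it assumes the ActiveDirectory module is loaded and the caller may modify the group's security descriptor.

```powershell
# Added example, not the poster's code. Works for a user or a group owner.
function Grant-MemberWriteAccess {
    param(
        [Parameter(Mandatory)][string]$Owner,   # sAMAccountName of a user OR a group
        [Parameter(Mandatory)][string]$Group    # sAMAccountName of the group being delegated
    )
    # Get-ADObject does not care about the object class, so no get-aduser/get-adgroup choice is needed
    $ownerObject = Get-ADObject -Filter "sAMAccountName -eq '$Owner'" -Properties objectSid
    if (-not $ownerObject) { throw "Owner '$Owner' not found in Active Directory" }
    $groupObject = Get-ADGroup -Identity $Group

    $entry = [ADSI]("LDAP://" + $groupObject.DistinguishedName)
    $entry.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Dacl

    $sid = [System.Security.Principal.SecurityIdentifier]$ownerObject.objectSid
    $memberAttributeGuid = [Guid]"bf9679c0-0de6-11d0-a285-00aa003049e2"   # schemaIDGUID of "member"
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $memberAttributeGuid)
    $entry.ObjectSecurity.AddAccessRule($rule)
    $entry.CommitChanges()
    return $ownerObject.ObjectClass   # "user" or "group", useful for logging the delegation
}

# Lists every principal that can write the "member" attribute of $Group, explicit or inherited.
# GenericAll / GenericWrite include the WriteProperty bit, so they are reported too.
function Get-MemberWriteGrants {
    param([Parameter(Mandatory)][string]$Group)
    $groupObject = Get-ADGroup -Identity $Group
    $entry = [ADSI]("LDAP://" + $groupObject.DistinguishedName)
    $entry.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Dacl
    $memberAttributeGuid = [Guid]"bf9679c0-0de6-11d0-a285-00aa003049e2"
    $entry.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -and
            ($_.ObjectType -eq $memberAttributeGuid -or $_.ObjectType -eq [Guid]::Empty)   # Empty = all attributes
        } |
        Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited
}

# Usage (constructed names): delegate, then confirm the ACE landed and see who else already had it.
Grant-MemberWriteAccess -Owner "ADGroup1" -Group "AnyADGroup"
Get-MemberWriteGrants -Group "AnyADGroup" | Format-Table -AutoSize
```

Running Get-MemberWriteGrants before and after the change shows the new ACE alongside any pre-existing grants, which is the check to keep when reviewing group-membership delegation.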
I am getting the below error for AD groups. The above script works for individual users; for example, when I put $owner = "user1", it works fine.
Could not get user/group information from Active Directory
By making the below change it worked. I am unable to mark the answer to this post.
$owner = "ADGroup1";
$ownerobject = get-adgroup $owner;