Share via

Powershell - how do I make it skip a step if there is no data

Gareth Davies 276 Reputation points
2022-12-28T20:48:15.38+00:00

I have created a form for helpdesk staff using Sapien PowerShell Studio, the form is used to create new user accounts. As part of this I have included 4 combo boxes listing all the security groups and 4 more listing all our distribution groups.
The form works, accounts are created and logic to add users to various default groups based on other criteria works as intended.
However, if an account is not being added to 4 groups it gives an error, it still creates the account but it tells me 

Add-ADGroupMember : Cannot find an object with identity: '' under: 'DC=xxx,DC=xxxxxxxxxxx,DC=com'.

So it's saying it can't find a group with a blank name, and it does this for each blank combobox, so if a user is being added to 1 security group and nothing else it gives 7 of these errors
As I said, this doesn't stop anything, but just for the sake of my OCD I want it to skip the step if no group is selected from the combobox.

The code used to add the new account to a group is 

Add-ADGroupMember -Identity $NewUserSecurityGroupsComboBox1.Text -Members $NewUserIDEntryBox.Text -confirm:$false

I have tried using if statements but no matter how I try to add this it just creates a new error and stops the script.

How can I tell this to use a $null value if the combobox selection is blank?

I can't paste the entire script in here, it is several thousand lines long (most of this is the code for the GUI) and includes images and recovery data

Windows for business | Windows Client for IT Pros | Directory services | Active Directory
Windows for business | Windows Server | User experience | PowerShell
0 comments

4 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Gareth Davies 276 Reputation points
    2022-12-30T14:15:26.013+00:00

    That did it, thank you.
    I hadn't thought of using the length of the data entry, I was trying to use null value.

    As for the trustworthiness of domain admins, I get that in a medium/large organization with multiple admins, however in a small team you know what is going on so in my situation it is not an issue.
    The flaw in the trust argument is if a rogue admin decides to start adding things to AD they can do it with or without a script, how do you prevent somaone logging into ADAC or ADUC and creating their own accounts/groups? My script is an attempt to ensure all required fields for our model are entered, comboboxes are used so only valid entries are used and no fat finger typos creep in.
    In my book, if you don't trust an admin, they shouldn't be an admin, you wouldn't give the keys to your house to someone you suspected might be thief so why give domain admin to someone who hasn't proven they can be trusted?

    0 comments
  2. Rich Matheisen 48,041 Reputation points
    2022-12-29T15:58:41.253+00:00

    If all you want to do is to NOT attempt to add a user to a group whose name is missing, then this should be all you need: 

    if ($NewUserSecurityGroupsComboBox1.text.Length -gt 0){  
       Add-ADGroupMember -Identity $NewUserSecurityGroupsComboBox1.text -Members $NewUserIDEntryBox.Text -confirm:$false  
}

    . . . only available to IT staff, and in order to use it you must be a domain admin. Also, even if you could type your own entry in the combobox what purpose would it serve?

    Domain Admins can create their own security groups outside your script. Just because they're a Domain Admin doesn't imply they're entirely trustworthy.

    0 comments
  3. Rich Matheisen 48,041 Reputation points
    2022-12-28T22:49:13.277+00:00

    You don't say what style of combo box is being used. If the user is allowed to either pick an item from a predefined list or enter their own value then you should be doing come data validation before you use the data.

    Something like this maybe: 

    [regex]$allowed = "^[A-Za-z0-9_-]+$"    # set of permissible characters in group names  
[regex]$Begin   = "^[A-Za-z]{1}"        # allowed characters to begin a group name  
[regex]$End     = "[A-Za-z0-9]{1}$"     # allowed characters to end a group name  
$MinAllowedLength = 10                  # minimum length of a group name  
$MaxAllowedLength = 50                  # maximum length of a group name  
$val = ($NewUserIDEntryBox.Text).trim() # remove whitespace from both ends of the value  
if  ( -NOT   ( $val.Length -ge $MinAllowedLength) -and  
             ( $val.Length -le $MaxAllowedLength) -and  
             ( $val -match $allowed ) -and  
             ( $val -match $Begin) -and  
             ( $val -match $End)  
    ){  
        # do something here so the value gets corrected!  
        Throw "Invalid Group Name $($NewUserIDEntryBox.Text)"  
    }  
else{  
    # do somthing with the group name in $val  
}
  4. Jordan Millama 1,391 Reputation points
    2022-12-28T21:12:32.04+00:00

    What about: 

    $newUser = $NewUserSecurityGroupsComboBox1.text  
  if ($newUser -ne $null){  
     Add-ADGroupMember -Identity $newUser - Members $NewUserIDEntryBox.Text -confirm:$false  
     }

    or 

    if($newUser -ne '')

    ----------

    Please accept as answer if this was helpful.

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.