This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(163.2, 98%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGD%3C/text%3E%3C/svg%3E)
I have created a form for helpdesk staff using Sapien PowerShell Studio, the form is used to create new user accounts. As part of this I have included 4 combo boxes listing all the security groups and 4 more listing all our distribution groups.
The form works, accounts are created and logic to add users to various default groups based on other criteria works as intended.
However, if an account is not being added to 4 groups it gives an error, it still creates the account but it tells me
Add-ADGroupMember : Cannot find an object with identity: '' under: 'DC=xxx,DC=xxxxxxxxxxx,DC=com'.
So it's saying it can't find a group with a blank name, and it does this for each blank combobox, so if a user is being added to 1 security group and nothing else it gives 7 of these errors
As I said, this doesn't stop anything, but just for the sake of my OCD I want it to skip the step if no group is selected from the combobox.
The code used to add the new account to a group is
Add-ADGroupMember -Identity $NewUserSecurityGroupsComboBox1.Text -Members $NewUserIDEntryBox.Text -confirm:$false
I have tried using if statements but no matter how I try to add this it just creates a new error and stops the script.
How can I tell this to use a $null value if the combobox selection is blank?
I can't paste the entire script in here, it is several thousand lines long (most of this is the code for the GUI) and includes images and recovery data
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(32, 96%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJM%3C/text%3E%3C/svg%3E)
What about:
$newUser = $NewUserSecurityGroupsComboBox1.text
if ($newUser -ne $null){
Add-ADGroupMember -Identity $newUser - Members $NewUserIDEntryBox.Text -confirm:$false
}
or
if($newUser -ne '')
----------
Please accept as answer if this was helpful.
I had tried this, it still gives the same error,
Add-ADGroupMember : Cannot find an objec`t with identity: '' "
The provided code does not tell it to ignore the instruction, it just tells it to do what it is already doing. What I'm looking for is code to tell it if the value is $null skip the instruction.
I changed the variable name, $newuser is already in use in my script, so the code I tested was:
$secgrp1 = $NewUserSecurityGroupsComboBox1.text
if ($secgrp1 -ne $null){
Add-ADGroupMember -Identity $secgrp1 -Members $NewUserIDEntryBox.Text -confirm:$false
}
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 74%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERM%3C/text%3E%3C/svg%3E)
You don't say what style of combo box is being used. If the user is allowed to either pick an item from a predefined list or enter their own value then you should be doing come data validation before you use the data.
Something like this maybe:
[regex]$allowed = "^[A-Za-z0-9_-]+$" # set of permissible characters in group names
[regex]$Begin = "^[A-Za-z]{1}" # allowed characters to begin a group name
[regex]$End = "[A-Za-z0-9]{1}$" # allowed characters to end a group name
$MinAllowedLength = 10 # minimum length of a group name
$MaxAllowedLength = 50 # maximum length of a group name
$val = ($NewUserIDEntryBox.Text).trim() # remove whitespace from both ends of the value
if ( -NOT ( $val.Length -ge $MinAllowedLength) -and
( $val.Length -le $MaxAllowedLength) -and
( $val -match $allowed ) -and
( $val -match $Begin) -and
( $val -match $End)
){
# do something here so the value gets corrected!
Throw "Invalid Group Name $($NewUserIDEntryBox.Text)"
}
else{
# do somthing with the group name in $val
}
validation is not a concern, users cannot free type their own selection. The comboboxes are type 2, populated using
Get-ADGroup -Filter 'GroupCategory -eq "Security"'
or
Get-ADGroup -Filter 'GroupCategory -eq "distribution"'
There is more code to tell it how to order the groups and what attribute
To prevent every account accidentally being added to the first group in the list each combobox is prefixed with a blank line, so if no selection is made it sees "", or a blank space, as the selection and as there is no group called "" it gives the error.
Further to the validation non concern, as this script is used to create new users it is only available to IT staff, and in order to use it you must be a domain admin. Also, even if you could type your own entry in the combobox what purpose would it serve? There is no code in the script to tell it to create a new group so it would just give an error saying it couldn't find a group called whatever you'd typed, the only difference being the error message displayed.
Again, I'm looking for a way to tell it to skip the step if there is no selection made so it doesn't throw an error that doesn't stop anything but is annoying. Your code, while doing validation of the entry also tells it to throw an error if it is not valid. It already does this because no selection from the predefined list gives an invalid group name of "". I want it to skip the step if no selection is made, i.e. no selection = take no action and move on.
If all you want to do is to NOT attempt to add a user to a group whose name is missing, then this should be all you need:
if ($NewUserSecurityGroupsComboBox1.text.Length -gt 0){
Add-ADGroupMember -Identity $NewUserSecurityGroupsComboBox1.text -Members $NewUserIDEntryBox.Text -confirm:$false
}
. . . only available to IT staff, and in order to use it you must be a domain admin. Also, even if you could type your own entry in the combobox what purpose would it serve?
Domain Admins can create their own security groups outside your script. Just because they're a Domain Admin doesn't imply they're entirely trustworthy.
That did it, thank you.
I hadn't thought of using the length of the data entry, I was trying to use null value.
As for the trustworthiness of domain admins, I get that in a medium/large organization with multiple admins, however in a small team you know what is going on so in my situation it is not an issue.
The flaw in the trust argument is if a rogue admin decides to start adding things to AD they can do it with or without a script, how do you prevent somaone logging into ADAC or ADUC and creating their own accounts/groups? My script is an attempt to ensure all required fields for our model are entered, comboboxes are used so only valid entries are used and no fat finger typos creep in.
In my book, if you don't trust an admin, they shouldn't be an admin, you wouldn't give the keys to your house to someone you suspected might be thief so why give domain admin to someone who hasn't proven they can be trusted?