Share via

Could not get user/group information from Active Directory

Glenn Maxwell 10,781 Reputation points
2024-01-28T12:03:03.52+00:00

Hi All In the below syntax i am able to provide access only to one user i.e user.1. if i add more than one user i am getting the below error. Could not get user/group information from Active Directory. please guide me.

# Define the $owner that will be able to manage the members of $group
 $owner = "user.1","user.2","user.3";
 $group = "MYADGroup";
 
# Try to get objects from AD            
 try {
     
     $ownerobject = get-aduser $owner;
     $groupobject = get-adgroup $group;
     
 # If AD could not be read
 } catch {
     
     write-host "Could not get user/group information from Active Directory";
     break;
 }
     
 # Try to set "write members" rights on the group 
 try {
     $ldapstring = "LDAP://" + $groupobject.distinguishedname;
     $ldapgroup = [ADSI]$ldapstring;
     
     [System.DirectoryServices.DirectoryEntryConfiguration]$secoptions = $ldapgroup.get_Options();
     $secoptions.SecurityMasks = [System.DirectoryServices.SecurityMasks]'Dacl';
        
     # Get SID
     $identityref = $ownerobject.sid.value;
     $sid = new-object System.Security.Principal.SecurityIdentifier ($identityref);
     
     # Define rights to be applied
     $adrights = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty;
     $type = [System.Security.AccessControl.AccessControlType]::Allow;
     
     # Define permission attribute to modify (writeMembers)
     $objectguid = [Guid]"bf9679c0-0de6-11d0-a285-00aa003049e2";
     
     $adrule = new-object System.DirectoryServices.ActiveDirectoryAccessRule ($sid, $adrights, $type, $objectguid);
     
     # Apply new ACL
     $ldapgroup.get_ObjectSecurity().AddAccessRule($adrule);
     $ldapgroup.CommitChanges();
     
     write-host ("ACLs updated for group: " + $group);
     
     
 # If permissions could not be set
 } catch {
     
     write-host ("Could not set new ACLs on group: " + $group);
     break;
 }
Windows Server 2016
Windows Server 2016
A Microsoft server operating system that supports enterprise-level management updated to data storage.
2,436 questions
Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
6,244 questions
Windows Server PowerShell
Windows Server PowerShell
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.PowerShell: A family of Microsoft task automation and configuration management frameworks consisting of a command-line shell and associated scripting language.
5,462 questions
PowerShell
PowerShell
A family of Microsoft task automation and configuration management frameworks consisting of a command-line shell and associated scripting language.
2,328 questions
0 comments
Accepted answer
  1. Thameur-BOURBITA 32,636 Reputation points
    2024-01-28T12:27:50.59+00:00

    Hi @Glenn Maxwell 

    # Define the $owner that will be able to manage the members of $group
 $owner_list = "user.1","user.2","user.3";
 $group = "MYADGroup";
 foreach($owner in $owner_list)
{
# Try to get objects from AD            
 try {
     
     $ownerobject = get-aduser $owner;
     $groupobject = get-adgroup $group;
     
 # If AD could not be read
 } catch {
     
     write-host "Could not get user/group information from Active Directory";
     break;
 }
     
 # Try to set "write members" rights on the group 
 try {
     $ldapstring = "LDAP://" + $groupobject.distinguishedname;
     $ldapgroup = [ADSI]$ldapstring;
     
     [System.DirectoryServices.DirectoryEntryConfiguration]$secoptions = $ldapgroup.get_Options();
     $secoptions.SecurityMasks = [System.DirectoryServices.SecurityMasks]'Dacl';
        
     # Get SID
     $identityref = $ownerobject.sid.value;
     $sid = new-object System.Security.Principal.SecurityIdentifier ($identityref);
     
     # Define rights to be applied
     $adrights = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty;
     $type = [System.Security.AccessControl.AccessControlType]::Allow;
     
     # Define permission attribute to modify (writeMembers)
     $objectguid = [Guid]"bf9679c0-0de6-11d0-a285-00aa003049e2";
     
     $adrule = new-object System.DirectoryServices.ActiveDirectoryAccessRule ($sid, $adrights, $type, $objectguid);
     
     # Apply new ACL
     $ldapgroup.get_ObjectSecurity().AddAccessRule($adrule);
     $ldapgroup.CommitChanges();
     
     write-host ("ACLs updated for group: " + $group);
     
     
 # If permissions could not be set
 } catch {
     
     write-host ("Could not set new ACLs on group: " + $group);
     break;
 }

}

    I think you can use foreach in your script to add each owner in array $owner_list. above a example you can adjust it and test it.

    about_Foreach

    Please don't forget to accept helpful answer

1 additional answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Andreas Baumgarten 104K Reputation points MVP
    2024-01-28T12:30:59.34+00:00

    Hi @Glenn Maxwell , you need to work with foreach loops to get the user and group objects from AD. Something that looks like this:

    # Define the $owner that will be able to manage the members of $group
 $owners = "user1","user2","jdoe";
 $groups = "Group1","Group2";
 $ownerobject = @()
 $groupobject = @()
# Try to get objects from AD            
 try {
     foreach ($owner in $owners){
     $ownerobject += get-aduser $owner;
    }
      foreach ($group in $groups){
      $groupobject += get-adgroup $group;
    }
     
 # If AD could not be read
 } catch {
     
     write-host "Could not get user/group information from Active Directory";
     break;
 }

    This way you have all user and group objects in arrays and you should loop through this with additional foreach loops.

    (If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

    Regards

    Andreas Baumgarten

    0 comments