Could not get user/group information from Active Directory

Glenn Maxwell 9,666 Reputation points
2024-01-28T12:03:03.52+00:00

Hi all. In the syntax below I am able to provide access to only one user, i.e. user.1. If I add more than one user I get the error below: "Could not get user/group information from Active Directory". Please guide me.

# Define the $owner that will be able to manage the members of $group
 $owner = "user.1","user.2","user.3";
 $group = "MYADGroup";
 
# Try to get objects from AD            
 try {
     
     $ownerobject = get-aduser $owner;
     $groupobject = get-adgroup $group;
     
 # If AD could not be read
 } catch {
     
     write-host "Could not get user/group information from Active Directory";
     break;
 }
     
 # Try to set "write members" rights on the group 
 try {
     $ldapstring = "LDAP://" + $groupobject.distinguishedname;
     $ldapgroup = [ADSI]$ldapstring;
     
     [System.DirectoryServices.DirectoryEntryConfiguration]$secoptions = $ldapgroup.get_Options();
     $secoptions.SecurityMasks = [System.DirectoryServices.SecurityMasks]'Dacl';
        
     # Get SID
     $identityref = $ownerobject.sid.value;
     $sid = new-object System.Security.Principal.SecurityIdentifier ($identityref);
     
     # Define rights to be applied
     $adrights = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty;
     $type = [System.Security.AccessControl.AccessControlType]::Allow;
     
     # Define permission attribute to modify (writeMembers)
     $objectguid = [Guid]"bf9679c0-0de6-11d0-a285-00aa003049e2";
     
     $adrule = new-object System.DirectoryServices.ActiveDirectoryAccessRule ($sid, $adrights, $type, $objectguid);
     
     # Apply new ACL
     $ldapgroup.get_ObjectSecurity().AddAccessRule($adrule);
     $ldapgroup.CommitChanges();
     
     write-host ("ACLs updated for group: " + $group);
     
     
 # If permissions could not be set
 } catch {
     
     write-host ("Could not set new ACLs on group: " + $group);
     break;
 }

Accepted answer
  1. Thameur-BOURBITA 29,351 Reputation points
    2024-01-28T12:27:50.59+00:00

    Hi @Glenn Maxwell

    # Define the $owner that will be able to manage the members of $group
    $owner_list = "user.1","user.2","user.3";
    $group = "MYADGroup";
    foreach ($owner in $owner_list)
    {
        # Try to get objects from AD
        try {
            $ownerobject = get-aduser $owner;
            $groupobject = get-adgroup $group;

        # If AD could not be read
        } catch {
            write-host "Could not get user/group information from Active Directory";
            break;
        }

        # Try to set "write members" rights on the group
        try {
            $ldapstring = "LDAP://" + $groupobject.distinguishedname;
            $ldapgroup = [ADSI]$ldapstring;

            [System.DirectoryServices.DirectoryEntryConfiguration]$secoptions = $ldapgroup.get_Options();
            $secoptions.SecurityMasks = [System.DirectoryServices.SecurityMasks]'Dacl';

            # Get SID
            $identityref = $ownerobject.sid.value;
            $sid = new-object System.Security.Principal.SecurityIdentifier ($identityref);

            # Define rights to be applied
            $adrights = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty;
            $type = [System.Security.AccessControl.AccessControlType]::Allow;

            # Define permission attribute to modify (writeMembers)
            $objectguid = [Guid]"bf9679c0-0de6-11d0-a285-00aa003049e2";

            $adrule = new-object System.DirectoryServices.ActiveDirectoryAccessRule ($sid, $adrights, $type, $objectguid);

            # Apply new ACL
            $ldapgroup.get_ObjectSecurity().AddAccessRule($adrule);
            $ldapgroup.CommitChanges();

            write-host ("ACLs updated for group: " + $group);

        # If permissions could not be set
        } catch {
            write-host ("Could not set new ACLs on group: " + $group);
            break;
        }
    }

    I think you can use foreach in your script to add each owner in the array $owner_list. Above is an example; you can adjust it and test it.

    about_Foreach


    Please don't forget to accept helpful answer


1 additional answer

  1. Andreas Baumgarten 92,396 Reputation points MVP
    2024-01-28T12:30:59.34+00:00

    Hi @Glenn Maxwell, you need to work with foreach loops to get the user and group objects from AD. Something that looks like this:

    # Define the $owner that will be able to manage the members of $group
    $owners = "user1","user2","jdoe";
    $groups = "Group1","Group2";
    $ownerobject = @()
    $groupobject = @()

    # Try to get objects from AD
    try {
        foreach ($owner in $owners) {
            $ownerobject += get-aduser $owner;
        }
        foreach ($group in $groups) {
            $groupobject += get-adgroup $group;
        }

    # If AD could not be read
    } catch {
        write-host "Could not get user/group information from Active Directory";
        break;
    }

    This way you have all user and group objects in arrays and you should loop through this with additional foreach loops.


    (If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

    Regards

    Andreas Baumgarten

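
Combining the two answers, as an added example that is not code from either post: each name is resolved separately so a bad name is reported and skipped rather than ending the run, and the write-members ACE is added only when the group does not already carry it. `Grant-WriteMembers` and its parameter names are hypothetical; it assumes the ActiveDirectory module and an account allowed to modify the group's DACL.

```powershell
# Added example; Grant-WriteMembers and its parameters are hypothetical names.
Import-Module ActiveDirectory

# schemaIDGUID of the "member" attribute (the GUID used in the scripts above)
$MemberAttr = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
$Rights     = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$Allow      = [System.Security.AccessControl.AccessControlType]::Allow

function Grant-WriteMembers {
    param([string[]]$Owners, [string[]]$Groups)

    # Resolve each name on its own so a failure names the identity that caused it
    $users = foreach ($o in $Owners) {
        try   { Get-ADUser -Identity $o -ErrorAction Stop }
        catch { Write-Warning "User not resolved: $o ($($_.Exception.Message))" }
    }
    $adGroups = foreach ($g in $Groups) {
        try   { Get-ADGroup -Identity $g -ErrorAction Stop }
        catch { Write-Warning "Group not resolved: $g ($($_.Exception.Message))" }
    }

    foreach ($grp in $adGroups) {
        $entry = [ADSI]("LDAP://" + $grp.DistinguishedName)
        $entry.psbase.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Dacl
        $acl = $entry.psbase.ObjectSecurity
        # Explicit (non-inherited) ACEs, with trustees returned as SIDs
        $existing = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])

        foreach ($u in $users) {
            $dup = $existing | Where-Object {
                $_.IdentityReference.Value -eq $u.SID.Value -and
                $_.ObjectType -eq $MemberAttr -and
                $_.AccessControlType -eq $Allow -and
                ($_.ActiveDirectoryRights -band $Rights)
            }
            if ($dup) { Write-Host "$($u.SamAccountName) already delegated on $($grp.Name)"; continue }
            $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $u.SID, $Rights, $Allow, $MemberAttr
            $acl.AddAccessRule($rule)
            Write-Host "Queued write-members ACE for $($u.SamAccountName) on $($grp.Name)"
        }
        try   { $entry.psbase.CommitChanges() }
        catch { Write-Warning "Could not set ACL on $($grp.Name): $($_.Exception.Message)" }
    }
}

Grant-WriteMembers -Owners 'user.1','user.2','user.3' -Groups 'MYADGroup'
```

Running it a second time should report every owner as already delegated, which doubles as a quick check of who holds explicit write access to the group's membership.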