Adaxes

Add users to group

0 votes

Hello,

I try to run following powershell code from Script Repository "Add users to group in bulk". I always get the message "User TestUser1 was not found".

We use Adaxes to manage more then 10 domains. I think the problematic line is with the Get-AdmUser command. When I remove "-AdaxesService localhost", script runs well in the domain where Adaxes server resides. Or if I specify an "Run as" account from the domain where the group resides - users were added to the group. But Custom Command should run in every Managed Domain with the configured Service Account.

regards Helmut

by (510 points)
0

Hello,

This is exactly how the script is designed to work. It only searches for users in the domain where the group is located. Also, when you remove the -AdaxesService parameter for the Get-AdmUser cmdlet, the search is performed in AD avoiding Adaxes. In this case, users that are in the Adaxes unmanaged list can also be added to the group. We will update the script to add group members independently of their domain. Once the script is ready, we will get back to you right away.

by (289k points)

1 Answer

0 votes
by (289k points)

Hello,

We updated the script to meet your needs. You can copy it here.

0

Hello,

thanks for updating script to our meets. I have an additional question: because our admin accounts are named in all manged Domain the same we get the message "Found more then one account..." How can we change the filter to search only in domain where the group resides?

regards Helmut

by (510 points)
+1

Hello Helmut,

It cannot be done by only updating the search filter. It is required to change the search base. Below is the version of the script that will perform the search only in the domain of the target group.

$propertyForUsernames = "adm-CustomAttributeText1" #TODO: modify me

function SearchObjects($filter)
{
    $searcher = $Context.BindToObjectByDN("%adm-DomainDN%")
    $searcher.SearchFilter = $filter
    $searcher.SearchScope = "ADS_SCOPE_SUBTREE"
    $searcher.SizeLimit = 2    

    try
    {
        # Execute search
        $searchResultIterator = $searcher.ExecuteSearch()
        $searchResults = $searchResultIterator.FetchAll()

        return ,$searchResults
    }
    finally
    {
        # Release resources
        if ($searchResultIterator){ $searchResultIterator.Dispose() }
    }
}

# Get usernames from the custom attribute
try
{
    $sAMAccountNames = ($Context.TargetObject.Get($propertyForUsernames)).Split(",")
}
catch
{
    return
}

# Get the current group members
try
{
    $memberGuidsBytes = $Context.TargetObject.GetEx("adm-DirectMembersGuid")
}
catch
{
    $memberGuidsBytes = @()
}

$memberGuids = New-Object "System.Collections.Generic.HashSet[System.Guid]"
$memberGuidsBytes | %%{ $memberGuids.Add([Guid]$_) }

$domainName = $Context.GetObjectDomain("%distinguishedName%")
foreach ($sAMAccountName in $sAMAccountNames)
{
    $searchResults = SearchObjects "(sAMAccountName=$sAMAccountName)"
    if ($searchResults.Length -eq 0)
    {
        $Context.LogMessage("Account with username $sAMAccountName not found.", "Warning")
        continue
    }
    elseif ($searchResults.Length -gt 1)
    {
        $Context.LogMessage("Found more than one account with username $sAMAccountName", "Warning")
        continue
    }

    # Add the user to the group
    $userGuid = [Guid]$searchResults[0].Properties["objectGUID"].Value
    if (-not($memberGuids.Contains($userGuid)))
    {
        try
        {
            $Context.TargetObject.Add("Adaxes://<GUID=$userGuid>")
        }
        catch
        {
            $Context.LogMessage("An error occurred when addingaccount with username $sAMAccountName to the group. Error: " + $_.Exception.Message, "Warning") # TODO: modify me
        }
    }
    else
    {
        $Context.LogMessage("User $sAMAccountName is already a member of the group.", "Information") # TODO: modify me
    }
}

# Clear custom attribute
$Context.TargetObject.Put($propertyForUsernames, $NULL)
$Context.TargetObject.SetInfoEx(@($propertyForUsernames))
by (289k points)

Related questions

0 votes
1 answer
Need a script to add users who are enrolled in MFA to an AD group.

I'm trying to automate adding users who are enrolled in MFA to an AD group. The scripts I found elsewhere here that do not work so I believe they may have been written against a prior Adaxes version or referencing a report that does not meet our needs.

asked May 31 by neal (50 points)
0 votes
1 answer
Can't add on-prem users to Azure AD group

We have a Hybrid enviroment where our On-Prem AD is leading. We also have cloud only groups. Now I need to give key users rights to manage the memebership of the cloud ... cannot select the On-Prem domain. The option is greyed out. Am I missing something?

asked Jan 30 by a.blonk (170 points)
0 votes
1 answer
Allow users to only add themselves to distribution group

Hi All, I was following the following documentation https://www.adaxes.com/tutorials_DelegatingPermissions_GrantRightsToModifyADGroupMembership.htm However I cannot work out how to make it ... can only add themselves. Any help would be great. Many Thanks

asked Mar 30, 2020 by antondubek (440 points)
0 votes
1 answer
Scheduled Task to add users in multiple OUs to a group

Hello, I have my OUs structured so each department we're working with has an OU for their service accounts under their department OU. e.g. OU=Service Accounts,OU=Sales,OU= ... add each new OU to the scheduled task but I was hoping for something more hands off.

asked Oct 19, 2015 by drew.tittle (810 points)
0 votes
1 answer
[Administration Console] Add multiple users to a group

From the Administration Console, when adding users to a group, I would like the ability to paste a list of users, like I can in ADUC. Also, I would like the ability to paste a list of groups to a user.

asked Mar 22, 2013 by Kikaida (1.1k points)
3,550 questions
3,241 answers
8,235 comments
547,827 users