‎12-31-2019 06:49 AM
Oh hi,
I created a Custom AD Activity, "Add User to Multiple AD Groups" which is a copy from the OOB "Add User to Group," however I just added a 'foreach' loop to allow multiple groups to be added to a single user. This works swimmingly.
My issue with this activity though is that if given "GroupA, GroupB, GroupC" and user is already a member of GroupB, the user will be added to GroupA then fail stating "the object already exists" when trying to add GroupB, and will not attempt to add GroupC.
How can I update this script to ignore this error and move to the next element without manipulating the OOB function, "adADUserAccountToGroup"?
    import-module "$executingScriptDirectory\AD\ActiveDirectory"
    if (test-path env:\SNC_groupname) {
        $groupname = $env:SNC_groupname;
        $username = $env:SNC_username;
    };
    $groups = $groupname -split ","
    foreach ($group in $groups) {
        addADUserAccountToGroup -domainController $computer -username $username -groupname $group -useCred $useCred -credential $cred
    }
Thanks,
‎12-31-2019 08:34 AM
I don't have a direct answer for your question, but would like to chime in with a different way of approaching this.
Instead of trying to add the user to all groups in your array and ignore any errors you encounter, I believe you should instead check and see if they're already a member of each group and then add as necessary.
Something like the top answer on this thread should help you out.
If you're still curious about error handling in PowerShell, here's an article that may help.
‎12-31-2019 11:52 AM
Great point! I will try the query approach to achieve this, thanks!
‎12-31-2019 12:44 PM
For future reference for anyone that would like it, I used the link Matthew provided me above to rewrite the script as so to achieve my needs:
    import-module "$executingScriptDirectory\AD\ActiveDirectory"
    if (test-path env:\SNC_groupname) {
        $groupname = $env:SNC_groupname;
        $username = $env:SNC_username;
    };
    # Split on commas and trim each name, so "GroupA, GroupB" does not yield " GroupB"
    $groups = $groupname -split "," | ForEach-Object { $_.Trim() }
    foreach ($group in $groups) {
        # -Recursive also counts membership inherited through nested groups
        $members = Get-ADGroupMember -Identity $group -Recursive | Select -ExpandProperty SamAccountName
        #If the user is already a member of the group, do nothing
        If ($members -contains $username) {
            #Do not add the group
        } Else {
            #Otherwise, add the user to the group
            addADUserAccountToGroup -domainController $computer -username $username -groupname $group -useCred $useCred -credential $cred
        }
    }
As Matthew mentioned above, this is a much better solution, as this will throw an error if a name is provided that does not exist in AD, but will simply not try adding the AD group if the user is already a member.
I was clearly under-thinking this.
Thanks!
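
An added example, not part of the thread and not ServiceNow's code: the membership check from the post above combined with per-group error handling, so a missing group or a failed add is recorded and the loop continues with the remaining groups. `Add-UserToGroups` and its parameters are hypothetical names, the lookup and the add are passed in as script blocks with a constructed in-memory directory standing in for AD, and it assumes failures surface as terminating errors.

```powershell
# Added example; Add-UserToGroups and its parameter names are hypothetical.
function Add-UserToGroups {
    param(
        [string]$Username,
        [string]$GroupList,        # comma-separated, like $env:SNC_groupname
        [scriptblock]$GetMembers,  # param($group): returns member SamAccountNames
        [scriptblock]$AddMember    # param($group, $user): performs the add
    )
    # Trim each name and drop blanks and repeats before touching the directory.
    $names = $GroupList -split ',' | ForEach-Object { $_.Trim() } |
        Where-Object { $_ } | Select-Object -Unique
    foreach ($group in $names) {
        try {
            $members = @(& $GetMembers $group)
            if ($members -contains $Username) {
                $status = 'AlreadyMember'
            } else {
                & $AddMember $group $Username | Out-Null
                $status = 'Added'
            }
            [pscustomobject]@{ Group = $group; Status = $status; Error = $null }
        } catch {
            # Record the failure and keep going with the remaining groups.
            [pscustomobject]@{ Group = $group; Status = 'Failed'; Error = $_.Exception.Message }
        }
    }
}

# Constructed stand-in for AD: group name -> member SamAccountNames.
$directory = @{ GroupA = @(); GroupB = @('jdoe'); GroupC = @() }
$getMembers = {
    param($g)
    if (-not $directory.ContainsKey($g)) { throw "Group '$g' not found" }
    $directory[$g]
}
$addMember = { param($g, $u) $directory[$g] += $u }

Add-UserToGroups -Username 'jdoe' -GroupList 'GroupA, GroupB, NoSuchGroup, GroupC' `
    -GetMembers $getMembers -AddMember $addMember | Format-Table -AutoSize

# In the activity, the script blocks would wrap the calls from the thread, e.g.
#   -GetMembers { param($g) Get-ADGroupMember -Identity $g -ErrorAction Stop |
#                 Select-Object -ExpandProperty SamAccountName }
#   -AddMember  { param($g, $u) addADUserAccountToGroup -domainController $computer `
#                 -username $u -groupname $g -useCred $useCred -credential $cred }
```

Without `-Recursive` the lookup in the commented wiring checks direct membership only; the thread's script uses `-Recursive`, which also treats membership through nested groups as already present. The returned objects give one row per group, which can be written to the activity log as a record of what was changed.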

‎04-28-2020 08:35 AM
EDIT: Well, never mind 😉 When I use the custom activity in a workflow it worked perfectly, so must have been something I was doing in the testing inputs.
Thank you! This is exactly what I've been looking for, however in testing inputs, the script is only adding the user to the first group listed. I assume the two (or more) groups are separated by a comma, correct?
The only thing I think I did differently than you is that I copied the OOB MidServer script and created a new/custom one that I call in the activity. Here are my debug messages. Any help would be appreciated.
2020-04-28 08:30:38 Executing command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -executionpolicy unrestricted -noninteractive -nologo -noprofile -command "& {& 'scripts\PowerShell\PSScript.ps1' -computer '10.201.116.10' -script 'C:\ServiceNow\Mid Server 2 Dev\agent\scripts\PowerShell\AD\CustomAddUserToADGroups.ps1' 'use_mid_service_account' $false -useCred $true -ismid $false -isDiscovery $false -debug $true -logInfo $true -skipTest $false -executeRemote $false -copyScriptToTarget $false; exit $LASTEXITCODE}"
2020-04-28 08:30:38 Credential: corp\svc_servicenowdisc
2020-04-28 08:30:39 PowerShell Version: 5.1.14393.2339
2020-04-28 08:30:39 Env vars: $env:SNC_credType:AD $env:SNC_groupname:qor.g.citrix.users.external, qor.g.citrix.users $env:SNC_username:tsutherland
2020-04-28 08:30:39 Executing PSScript.ps1 10.201.116.10 C:\ServiceNow\Mid Server 2 Dev\agent\scripts\PowerShell\AD\CustomAddUserToADGroups.ps1 True False False
2020-04-28 08:30:39 Running testCredentialAD with user corp\svc_servicenowdisc
2020-04-28 08:30:40 Credential created for AD
2020-04-28 08:30:40 Vars: $computer : 10.201.116.10 $copyScriptToTarget : False $debug : True $executeRemote : False $isDiscovery : False $isMid : False $script : C:\ServiceNow\Mid Server 2 Dev\agent\scripts\PowerShell\AD\CustomAddUserToADGroups.ps1 $skipTest : False $useCred : True
2020-04-28 08:30:45 Running addADUserAccountToGroup 10.201.116.10 tsutherland qor.g.citrix.users.external
2020-04-28 08:30:45 Running getADObject 10.201.116.10 User tsutherland
2020-04-28 08:30:45 Running getDirectoryEntryObject LDAP://10.201.116.10
2020-04-28 08:30:45 Invoking New-Object for DirectoryEntry with LDAP://10.201.116.10 corp\svc_servicenowdisc ***
2020-04-28 08:30:45 $directoryEntry:System.DirectoryServices.DirectoryEntry
2020-04-28 08:30:45 Running getSAMAccountName tsutherland User
2020-04-28 08:30:45 $sAMAccountName:tsutherland
2020-04-28 08:30:45 Running getADObject 10.201.116.10 Group qor.g.citrix.users.external
2020-04-28 08:30:45 Running getDirectoryEntryObject LDAP://10.201.116.10
2020-04-28 08:30:45 Invoking New-Object for DirectoryEntry with LDAP://10.201.116.10 corp\svc_servicenowdisc ***
2020-04-28 08:30:45 $directoryEntry:System.DirectoryServices.DirectoryEntry
2020-04-28 08:30:45 Running getSAMAccountName qor.g.citrix.users.external Group
2020-04-28 08:30:45 $sAMAccountName:qor.g.citrix.users.external