Hello Guys I was looking for a way to add multiple entries: $APS = $APE.CreatePolicySetting() $APS.Name = 83 $APS.Value = "$GroupGUID" $APE.AddPolicySetting($APS) How can I add multiple GUIDS here.

Any response ???

Hi amitsingh 

Have you tried adding an array of GUIDs to the Values  (not value) property?

IE, in my case add all groups where the samAccountName start with Test

$GroupGUIDs = (Get-QADGroup -LdapFilter "(&(objectCLass=group)(samAccountName=test*))").guid.guid

$APS = $APE.CreatePolicySetting()
$APS.Name = $EDS_APE_PARAM_GRPGUIDs
$APS.Values = $GroupGUIDs
$APE.AddPolicySetting($APS)

May I know the value for $EDS_APE_PARAM_GRPGUIDs variable

May I know the value for $EDS_APE_PARAM_GRPGUIDs variable

Sorry, yes I'd declared $EDS_APE_PARAM_GRPGUIDs as 83

But its not taking the input from a variable even if its declared as string.

# Create a group membership automprovision Administration Policy Entry

# initialise objects
$POObject = $null
$APE = $Null
$APS=$null

# Define constants
$EDS_APE_TTYPE_GroupAuto     = 0x33

$EDS_APE_PARAM_ERROR_MSG     = 1
$EDS_APE_PARAM_APPLY_ONTO    = 50
$EDS_APE_PARAM_DESCRIPTION   = 57
$EDS_APE_PARAM_PolicyID      = 59
$EDS_APE_PARAM_68             = 68
$EDS_APE_PARAM_GRPGUIDs      = 83
$EDS_APE_PARAM_ACTION        = 84
$EDS_APE_PARAM_POLCON        = 85
$EDS_APE_PARAM_203             = 203

# Entry variables
    # Policy Error
    $PolicyError = "Provisioning policy failure. The 'Group Membership AutoProvisioning' policy encountered an error.;"

    # Policy Object Type
    $PolicyObjectType = 'user'

    # Action
    $PolicyAdd = "0x0"
    $PolicyRem = "0x1"

    #Condition
    $PolicyCondition = "<PolicyCondition Version=`"1.0`"/>"

    # Policy Description
    $PolicyDescription = "Automatically adds or removes specified objects from specified groups"

    # Policy Setting GUID
    $PolicyGUID = New-Guid

    # Get array of objectGUIDs
    $GroupGUIDs = [string[]](Get-QADGroup -LdapFilter "(&(objectClass=group)(samAccountName=test*))").guid.guid

    # Define the AP to bind to
    $POName = "EDMS://CN=AP1,CN=Administration,CN=Policies,CN=Configuration"

    # Bind to existing Administration Policy
    $POObject = [ADSI]$POName

    # Add a new Policy Entry
    $APE = $POObject.CreatePolicyEntry()

    # Set the Policy Entry Type - 33 = Group Memembership autoProvisioning
    $APE.type = $EDS_APE_TTYPE_GroupAuto

# Add AP Entry

    # 1 - Error Message
    $APS = $APE.CreatePolicySetting()
    $APS.Name = $EDS_APE_PARAM_ERROR_MSG
    $APS.Value = $PolicyError
    $APE.AddPolicySetting($APS)

    # 50 - Object Type
    $APS = $APE.CreatePolicySetting()
    $APS.Name = $EDS_APE_PARAM_APPLY_ONTO
    $APS.Value = $PolicyObjectType
    $APE.AddPolicySetting($APS)

    # 57 - Description
    $APS = $APE.CreatePolicySetting()
    $APS.Name = $EDS_APE_PARAM_DESCRIPTION
    $APS.Value = $PolicyDescription
    $APE.AddPolicySetting($APS)

    # 68 - TBC
    $APS = $APE.CreatePolicySetting()
    $APS.Name = $EDS_APE_PARAM_68
    $APS.Value = "0x1"
    $APE.AddPolicySetting($APS)

    # 83 - Groups to be add to or removed from
    $APS = $APE.CreatePolicySetting()
    $APS.Name = $EDS_APE_PARAM_GRPGUIDs 
    $APS.Values = $GroupGUIDs
    $APE.AddPolicySetting($APS)

    # 84 - Policy Action
    $APS = $APE.CreatePolicySetting()
    $APS.Name = $APS.Name = $EDS_APE_PARAM_ACTION
    $APS.Value = $PolicyAdd
    $APE.AddPolicySetting($APS)

    # 85 - Policy Condition
    $APS = $APE.CreatePolicySetting()
    $APS.Name = $EDS_APE_PARAM_POLCON
    $APS.Value = $PolicyCondition
    $APE.AddPolicySetting($APS)

    # 203 - TBC
    $APS = $APE.CreatePolicySetting()
    $APS.Name = $EDS_APE_PARAM_203
    $APS.Value = "0"
    $APE.AddPolicySetting($APS)


$POObject.AddPolicyEntry($APE)
$PoObject.SetInfo()

The above is code I used for testing.

So the issue here is that you need to use the Values property of the APS, but it expect a string array (or GUIDs), not an object array.

All I changed in my code was to cast the results of my query (about line 42) to be a string array.

I couldn't remember what a couple of the constant values were, incase you're wondering why some of the comments say TBC.

Unable to cast object of type 'System.String[]' to type 'System.String' Still the same issue

I think $GroupGUIDs needs to be a string list.  The SDK shows an example of how to declare that.

The best thing to do then is iterate the list of group guida returned by get-adgroup and add them to the string list using a loop.

The tricky bit there is that you first  have to convert each returned GUiD itself to a string in the right format before adding it to the string list.

Could you please share some example

Is it possible to update the group membership on a later time after creating the provisioning policy through PowerShell?

amitsingh - did you ever get an example - or get this group as stringlist suggestion to work?   

Catching up here, with the same  net result - and I only have one group to add the computer too