$APS = $APE.CreatePolicySetting()
$APS.Name = 83
$APS.Value = "$GroupGUID"
$APE.AddPolicySetting($APS)
How can I add multiple GUIDS here.
$APS = $APE.CreatePolicySetting()
$APS.Name = 83
$APS.Value = "$GroupGUID"
$APE.AddPolicySetting($APS)
How can I add multiple GUIDS here.
Hi amitsingh
Have you tried adding an array of GUIDs to the Values (not value) property?
IE, in my case add all groups where the samAccountName start with Test
$GroupGUIDs = (Get-QADGroup -LdapFilter "(&(objectCLass=group)(samAccountName=test*))").guid.guid
$APS = $APE.CreatePolicySetting()
$APS.Name = $EDS_APE_PARAM_GRPGUIDs
$APS.Values = $GroupGUIDs
$APE.AddPolicySetting($APS)
May I know the value for $EDS_APE_PARAM_GRPGUIDs variable
Hi Stu, when I have tried an array, the error returned is "Unable to case object of type System.Object[] to type System.String".
I have also tried a ForEach loop but this doesn't result in multiple '83' entries ($APS.Name = 83) being added to the policy, it seems to just continue overriding the single entry until the last GUID is processed, resulting in only one '83' entry.
Same happens in my case also but when I tried it directly it works:
$APS = $APE.CreatePolicySetting()
$APS.Name = 83
$APS.Values = "1stGUID","2ndGUID"
$APE.AddPolicySetting($APS)
I tried pitting it as a string but that also failed.
$GroupID = "1stGUID","2ndGUID"
Sorry, yes I'd declared $EDS_APE_PARAM_GRPGUIDs as 83
But its not taking the input from a variable even if its declared as string.
But its not taking the input from a variable even if its declared as string.
# Create a group membership automprovision Administration Policy Entry # initialise objects $POObject = $null $APE = $Null $APS=$null # Define constants $EDS_APE_TTYPE_GroupAuto = 0x33 $EDS_APE_PARAM_ERROR_MSG = 1 $EDS_APE_PARAM_APPLY_ONTO = 50 $EDS_APE_PARAM_DESCRIPTION = 57 $EDS_APE_PARAM_PolicyID = 59 $EDS_APE_PARAM_68 = 68 $EDS_APE_PARAM_GRPGUIDs = 83 $EDS_APE_PARAM_ACTION = 84 $EDS_APE_PARAM_POLCON = 85 $EDS_APE_PARAM_203 = 203 # Entry variables # Policy Error $PolicyError = "Provisioning policy failure. The 'Group Membership AutoProvisioning' policy encountered an error.;" # Policy Object Type $PolicyObjectType = 'user' # Action $PolicyAdd = "0x0" $PolicyRem = "0x1" #Condition $PolicyCondition = "<PolicyCondition Version=`"1.0`"/>" # Policy Description $PolicyDescription = "Automatically adds or removes specified objects from specified groups" # Policy Setting GUID $PolicyGUID = New-Guid # Get array of objectGUIDs $GroupGUIDs = [string[]](Get-QADGroup -LdapFilter "(&(objectClass=group)(samAccountName=test*))").guid.guid # Define the AP to bind to $POName = "EDMS://CN=AP1,CN=Administration,CN=Policies,CN=Configuration" # Bind to existing Administration Policy $POObject = [ADSI]$POName # Add a new Policy Entry $APE = $POObject.CreatePolicyEntry() # Set the Policy Entry Type - 33 = Group Memembership autoProvisioning $APE.type = $EDS_APE_TTYPE_GroupAuto # Add AP Entry # 1 - Error Message $APS = $APE.CreatePolicySetting() $APS.Name = $EDS_APE_PARAM_ERROR_MSG $APS.Value = $PolicyError $APE.AddPolicySetting($APS) # 50 - Object Type $APS = $APE.CreatePolicySetting() $APS.Name = $EDS_APE_PARAM_APPLY_ONTO $APS.Value = $PolicyObjectType $APE.AddPolicySetting($APS) # 57 - Description $APS = $APE.CreatePolicySetting() $APS.Name = $EDS_APE_PARAM_DESCRIPTION $APS.Value = $PolicyDescription $APE.AddPolicySetting($APS) # 68 - TBC $APS = $APE.CreatePolicySetting() $APS.Name = $EDS_APE_PARAM_68 $APS.Value = "0x1" $APE.AddPolicySetting($APS) # 83 - Groups to be add to or removed from $APS = $APE.CreatePolicySetting() $APS.Name = $EDS_APE_PARAM_GRPGUIDs $APS.Values = $GroupGUIDs $APE.AddPolicySetting($APS) # 84 - Policy Action $APS = $APE.CreatePolicySetting() $APS.Name = $APS.Name = $EDS_APE_PARAM_ACTION $APS.Value = $PolicyAdd $APE.AddPolicySetting($APS) # 85 - Policy Condition $APS = $APE.CreatePolicySetting() $APS.Name = $EDS_APE_PARAM_POLCON $APS.Value = $PolicyCondition $APE.AddPolicySetting($APS) # 203 - TBC $APS = $APE.CreatePolicySetting() $APS.Name = $EDS_APE_PARAM_203 $APS.Value = "0" $APE.AddPolicySetting($APS) $POObject.AddPolicyEntry($APE) $PoObject.SetInfo()
The above is code I used for testing.
So the issue here is that you need to use the Values property of the APS, but it expect a string array (or GUIDs), not an object array.
All I changed in my code was to cast the results of my query (about line 42) to be a string array.
I couldn't remember what a couple of the constant values were, incase you're wondering why some of the comments say TBC.
Unable to cast object of type 'System.String[]' to type 'System.String' Still the same issue
I think $GroupGUIDs needs to be a string list. The SDK shows an example of how to declare that.
The best thing to do then is iterate the list of group guida returned by get-adgroup and add them to the string list using a loop.
The tricky bit there is that you first have to convert each returned GUiD itself to a string in the right format before adding it to the string list.
Could you please share some example
Is it possible to update the group membership on a later time after creating the provisioning policy through PowerShell?
amitsingh - did you ever get an example - or get this group as stringlist suggestion to work?
Catching up here, with the same net result - and I only have one group to add the computer too