
Add-QADGroupMember Error Handling

Hello all.  At my company we use ARS to delegate AD permissions for most users.  I wrote a script that worked perfectly for what I was trying to achieve using the Add-ADGroupMember command via PowerShell v4.  While I have native rights and use the ARS cmdlets intermixed with native PowerShell ones, I came to find out that when writing PowerShell scripts for use through ARS you must use the ARS cmdlets.  I found out that using the native cmdlets gives an insufficient access error, which was very disappointing.  That said, I had to convert from using Add-ADGroupMember to Add-QADGroupMember.  What I am finding is that the error handling for Add-QADGroupMember does not catch error messages as well as the native version.  I cannot seem to catch any error messages in my script, so I was hoping I could get some assistance in my alternative process.  First, let me recap what I am trying to achieve.

The typical situation would be where a user has a target group and then a list of groups to nest into the target group.  I want to:

1. verify they have access to the target group

2. try to nest the group to the target group

3. if group nesting fails, try to validate if the member group exists.

4. if the member group exists, validate if it is already a member of the target group.

5. if all of those fail, present an error signifying something went wrong. 

Here is part of the main code I am just trying to get to work:

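$TargetGroup = "Group1"
$Member = "Member1"

Try {
    # Attempt the nesting; -ErrorAction Stop makes any reported error terminating so Catch can handle it
    Add-QADGroupMember -Identity $TargetGroup -Member $Member -ErrorAction Stop | Out-Null
    Write-Host "$Member added successfully"
}
Catch {
    # The add failed: check whether the member group exists at all
    $Group = Get-QADGroup $Member
    If (!$Group) {
        Write-Host "$Member does not exist."
    }
    # The member group exists: check whether it is already nested in the target group
    ElseIf ((Get-QADGroup $Group -Properties memberof).memberof -like "CN=$TargetGroup*") {
        Write-Host "$Member is already a member of $TargetGroup."
    }
    # Anything else is reported as a generic failure
    Else {
        Write-Host "Error has occurred adding $Group to $TargetGroup"
    }
}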

I will eventually have to add something for validation of access and an import of the group list, but for now, I can't seem to get past the initial main logic.  If I put a member group name in that does not exist at all in AD, the script logic seems to work fine.  But if I try to add a group that is already a member of the target group, that is where it just continues on and gives me a group added successfully message.  Any thoughts?  Thank you in advance.
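
One way to implement the five steps listed in the post so that the outcome does not depend on Add-QADGroupMember raising an error: check membership before the add and confirm it afterwards. This is an added example, not code from the original post; the function name Add-NestedGroup and the Status values are hypothetical, and it assumes the ActiveRoles Management Shell is loaded and Connect-QADService has already connected through the proxy.

```powershell
# Added example (not the poster's code). Add-NestedGroup and the Status values are
# hypothetical names; the QAD cmdlets and the memberOf lookup are those used in the post.
function Add-NestedGroup {
    param(
        [Parameter(Mandatory = $true)][string]$TargetGroup,
        [Parameter(Mandatory = $true)][string]$Member
    )

    # Helper that builds one result object per call, so callers can filter on Status.
    function New-Result([string]$Status, [string]$Detail) {
        [pscustomobject]@{ Target = $TargetGroup; Member = $Member; Status = $Status; Detail = $Detail }
    }

    # Step 1: the target group must resolve for the calling account.
    # This proves visibility only; write access is exercised by the add itself.
    $target = Get-QADGroup $TargetGroup -ErrorAction SilentlyContinue
    if (-not $target) { return New-Result 'TargetNotFound' 'Target group not found or not visible' }

    # Step 3: the member group must exist.
    $group = Get-QADGroup $Member -Properties memberOf -ErrorAction SilentlyContinue
    if (-not $group) { return New-Result 'MemberNotFound' 'Member group does not exist' }

    # Step 4: exact DN comparison (-contains is case-insensitive),
    # so a target named "Group1" never matches "Group10".
    if ($group.MemberOf -contains $target.DN) { return New-Result 'AlreadyMember' 'No change made' }

    # Step 2: the add. With -ErrorAction Stop, any error the cmdlet does report is caught here.
    try {
        Add-QADGroupMember -Identity $target.DN -Member $group.DN -ErrorAction Stop | Out-Null
    }
    catch { return New-Result 'Failed' $_.Exception.Message }

    # Step 5: re-read membership instead of trusting the absence of an error.
    $after = Get-QADGroup $group.DN -Properties memberOf -ErrorAction SilentlyContinue
    if ($after -and ($after.MemberOf -contains $target.DN)) { return New-Result 'Added' 'Membership confirmed' }
    return New-Result 'NotConfirmed' 'Add returned no error but membership is not visible'
}

# Group names taken from the post.
Add-NestedGroup -TargetGroup 'Group1' -Member 'Member1'
```

Because every path returns an object with a Status field, a bulk run over an imported group list can be written to a log and reviewed for anything other than Added or AlreadyMember.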

  • Thanks for your reply.  I have a line at the beginning of my script that performs a Connect-QADService for the proxy.  That said, I will try your suggestion.  Hopefully that will work for what I am trying to accomplish.

    On a side note, does adding the -proxy switch after native PowerShell commands, like Add-ADGroupMember, allow use of the commands through ARS?  If not, is there a way to do that?
