get-adgroup will not accept group distinguished name in a variable

Time:05-12

See here that I can do a get-adgroup by specifying the actual group DN for Identity

PS C:\Users\gdewrell> get-adgroup -Identity "CN=Group_3d2ec95b-5465-4d1e-99cc-fa06ea1190a9,DC=PDINET,DC=COM" -server $DC

DistinguishedName : CN=Group_3d2ec95b-5465-4d1e-99cc-fa06ea1190a9,DC=PDINET,DC=COM
GroupCategory     : Security
GroupScope        : Universal
Name              : Group_3d2ec95b-5465-4d1e-99cc-fa06ea1190a9
ObjectClass       : group
ObjectGUID        : 2aa8581b-3a60-4e94-bd25-ca0825fd2bb2
SamAccountName    : $G98000-HD196N3A163E
SID               : S-1-5-21-1869882585-404498175-2374520063-8496

Notice that I have a variable called $group.memberof (obtained with get-aduser and the MemberOf parameter), which contains the exact same DN as above.

PS C:\Users\gdewrell> $group.memberof

CN=Group_3d2ec95b-5465-4d1e-99cc-fa06ea1190a9,DC=PDINET,DC=COM

Now if I try to use get-adgroup using the variable I get this error.

PS C:\Users\gdewrell> get-adgroup -Identity $group.memberof -server $DC

Get-ADGroup : Cannot convert 'Microsoft.ActiveDirectory.Management.ADPropertyValueCollection' to the type 
'Microsoft.ActiveDirectory.Management.ADGroup' required by parameter 'Identity'. Specified method is not supported.
At line:1 char:23

What am I missing here?

CodePudding user response:

The MemberOf attribute of a given ADObject is a multi-valued attribute (an ADPropertyValueCollection<T> collection, to be more specific). This means that even if the MemberOf attribute of your group has only one value (a DistinguishedName), it is still a collection. See User Security Attributes for details.

None of the constructors of the ADGroup class accept an ADPropertyValueCollection as an argument, which is why you see this error; it is basically PowerShell telling you that it cannot convert the collection to the ADGroup type.

However, if you select the first item in the collection (index 0), which is a string, the issue should be resolved. Here is a simple demonstration:

class ADGroupTest {
    [string] $Name
    [Collections.ArrayList] $MemberOf = [Collections.ArrayList]::new()

    ADGroupTest ([string] $Name) {
        $this.Name = $Name
    }

    [void] AddMemberOf ([string] $Value) {
        $this.MemberOf.Add($Value)
    }
}

$group = [ADGroupTest] 'MyGroup'
$group.AddMemberOf('hello')

# After instantiating our ADGroupTest object, we see something like this:

# Name    MemberOf
# ----    --------
# MyGroup {hello}

function Get-ADGroupTest {
    [cmdletbinding()]
    param(
        [parameter(Mandatory)]
        [ADGroupTest] $Identity
    )

    $Identity
}

Now if we attempt to use this test function, which takes an ADGroupTest as its argument, giving it the collection:

Get-ADGroupTest $group.MemberOf

We would see this error:

Get-ADGroupTest : Cannot process argument transformation on parameter 'Identity'. Cannot convert the "System.Collections.ArrayList" value of type "System.Collections.ArrayList" to type "ADGroupTest".

However, if we try the same using the first element in the collection, we can see it has no problem instantiating a new object of the type ADGroupTest:

Get-ADGroupTest $group.MemberOf[0]

Name  MemberOf
----  --------
hello {}

CodePudding user response:

The -Identity parameter of Get-ADGroup accepts setting the parameter by pipeline.

You should be able to do this.

$group.ForEach( {$_.Memberof | Get-ADGroup -server $DC } )

Answer by Santiago - Has a great explanation on why the original code did not work
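Both answers above come down to the same rule: never pass the MemberOf collection itself to -Identity, but feed it one distinguished name at a time, either by indexing, by foreach, or through the pipeline. The following is an added example, not code from either answer, that turns that into a reusable function: it requests MemberOf explicitly (it is not returned by Get-ADUser by default), copes with the zero-, one- and many-value cases uniformly, and reports a DN that fails to resolve instead of aborting the whole run. It assumes the ActiveDirectory module, a reachable domain controller in $DC and a user account name in $User; the function name Get-UserDirectGroup and those variables are placeholders, not anything from the original thread.

```powershell
#Requires -Modules ActiveDirectory

# Added example (not from the original post). Resolves every group a user is a
# direct member of, one DN at a time, so that Get-ADGroup's -Identity parameter
# always receives a [string] rather than an ADPropertyValueCollection.
function Get-UserDirectGroup {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string] $Identity,   # SamAccountName, DN, GUID or SID of the user

        [Parameter(Mandatory)]
        [string] $Server      # domain controller to query, e.g. $DC
    )

    # MemberOf is not part of the default property set; ask for it explicitly.
    $user = Get-ADUser -Identity $Identity -Server $Server -Properties MemberOf -ErrorAction Stop

    # $user.MemberOf is a collection even with zero or one entries. Wrapping it
    # in @() yields a plain array, so an empty MemberOf simply iterates nothing
    # and a single DN is still treated as one element, not as the collection.
    $groupDNs = @($user.MemberOf)

    foreach ($dn in $groupDNs) {
        try {
            # Each element is a [string] DN, which -Identity accepts directly.
            Get-ADGroup -Identity $dn -Server $Server -ErrorAction Stop
        }
        catch {
            # A DN that no longer resolves (deleted group, object in another
            # domain, insufficient rights) is reported, and the loop continues.
            Write-Warning "Could not resolve group '$dn': $($_.Exception.Message)"
        }
    }
}

# Usage (assumes $User and $DC are set): list the user's direct groups with
# their SIDs, which is what you want when reviewing what an account can do.
# Caveat: MemberOf only records direct membership. Groups reached through
# nesting are not listed here, so do not judge effective privileges from
# this output alone.
Get-UserDirectGroup -Identity $User -Server $DC |
    Select-Object Name, GroupScope, GroupCategory, SID, DistinguishedName |
    Format-Table -AutoSize
```

The pipeline form from the second answer, `$user.MemberOf | Get-ADGroup -Server $DC`, is equivalent for the happy path because PowerShell unrolls the collection and binds each string to -Identity; the foreach with try/catch is preferable when a single stale DN should not stop the enumeration of the remaining groups.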
