Add-ADGroupMember cannot find an object with identity


Problem description

I'm working on a PowerShell script to import a large number of users into AD.

One of the items is to add the users to AD security groups according to their program number. Mostly, this is working well, unless I misspell something, or other simple human errors. However, we have 2 security groups everyone must be added to, and while the Add-ADGroupMember works perfectly on one, it can't find the other group. This is the script I'm using:

$Users = Import-Csv "C:\PSScripts\Create\users.csv"  
foreach ($User in $Users) 
{  
    $AccountName = $User.firstname + "." + $User.lastname
    $Program = $User.Program
    $HomeDrive = 'H:'
    $UserRoot = '\\twgeneral\homedrive\'
    $HomeDirectory = $UserRoot+$AccountName
    Set-ADUser $AccountName -HomeDrive $HomeDrive -HomeDirectory $HomeDirectory
    If ($AccountName -eq $AccountName)
    {
        Add-ADGroupMember -Identity "ALL_USERS" -Member $Accountname
    } 
    If ($AccountName -eq $AccountName)
    {
        Add-ADGroupMember -Identity "000-All users" -Member $Accountname
    }
}

I get this error returned:

Add-ADGroupMember : Cannot find an object with identity: '000-All users' under:     'DC=*****,CD=local'.
At C:\psscripts\create\Groups.ps1:15 char:23
+     {ADD-ADGroupMember <<<<  -Identity "000-All users" -Member $Accountname
    + CategoryInfo          : ObjectNotFound: <000-All users:ADGroup> [Add-ADGroupMember], ADIdentityNotFoundException
    + FullyQualifiedErrorId : Cannot find an object with identity: '000-All users' under: 'DC=*****,DC=local'.,Microsoft.ActiveDirectory.Management.Commands.AddADGroupMember

Yet I can add users to the 000-All users group using the ADUC graphic interface.

Similarly, I'm running a script prior to this one, creating users with SAM; Display Name; Exch. E-mail Account; Password; and specific OU within the domain, and it executes without errors, I can go into the graphic interface and see the user right where they are supposed to be with all pertinent details configured, yet some of the users return the same 'object not found' error when I try to execute the part of the groups script that DOES work, the ALL_USERS group. Specifically, it's users who have a hyphenated last name, ex: Markiem-Chalmers, or Tatem-Brown.

I know that the syntax for the Add-ADGroupMember is correct, because I copied and pasted from the prior string, which does execute properly, only changing the name of the group from ALL_USERS to 000-All users, and I've double, triple, quadruple checked that the spelling is correct. Any help would be GREATLY appreciated!

Recommended answer

In reply to the question you brought up in the comments:

Add-ADGroupMember can only search by DN, SAM, GUID, or Sid; you can't search by Name or other properties through that cmdlet directly.

You could run a Get-ADUser on the entries in the CSV to pull the SAM using Name or otherwise, but if the issue is that the SAM is truncated, why not substring?

$limit = 20 # The length a name can be before it gets truncated (assumed here: the 20-character sAMAccountName limit for user accounts)
if($AccountName.Length -gt $limit)
{
    $AccountName = $AccountName.Substring(0,$limit)
}
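
The lookup the answer describes, written out as an added example (not code from the original question or answer): both the groups and the users are resolved with `-Filter` first, and the resolved objects are handed to `Add-ADGroupMember`. It assumes the creation script populated `GivenName` and `Surname` from the CSV's `firstname` and `lastname` columns; the function names are hypothetical.

```powershell
Import-Module ActiveDirectory

# Resolve a group by its Name attribute (the label ADUC shows) to one AD object.
function Resolve-GroupByName {
    param([Parameter(Mandatory)][string]$Name)
    # -Filter searches attributes; -Identity only matches DN, SAM, GUID or SID.
    $found = @(Get-ADGroup -Filter "Name -eq '$Name'")
    if ($found.Count -ne 1) {
        throw "Expected exactly one group named '$Name', found $($found.Count)."
    }
    return $found[0]
}

# Resolve a CSV row to the account that actually exists, whatever its SAM became.
# Assumption: the creation script set GivenName/Surname from these columns.
# Names containing a single quote need escaping before they go into the filter.
function Resolve-UserFromRow {
    param([Parameter(Mandatory)]$Row)
    $filter = "GivenName -eq '$($Row.firstname)' -and Surname -eq '$($Row.lastname)'"
    $found = @(Get-ADUser -Filter $filter)
    if ($found.Count -eq 1) { return $found[0] }
    return $null   # none or ambiguous: never guess which account gets the groups
}

# Fail before touching any membership if a mandatory group cannot be resolved.
$groups = 'ALL_USERS', '000-All users' | ForEach-Object { Resolve-GroupByName -Name $_ }

$failures = @()
foreach ($row in Import-Csv 'C:\PSScripts\Create\users.csv') {
    $user = Resolve-UserFromRow -Row $row
    if (-not $user) {
        $failures += "No unique account for $($row.firstname) $($row.lastname)"
        continue
    }
    foreach ($group in $groups) {
        try {
            # Pass resolved objects so the cmdlet does no name matching of its own.
            Add-ADGroupMember -Identity $group -Members $user -ErrorAction Stop
        } catch {
            $failures += "$($user.SamAccountName) -> $($group.Name): $($_.Exception.Message)"
        }
    }
}
$failures   # review: every row that did not end up in both groups
```

Adding `-WhatIf` to the `Add-ADGroupMember` call gives a dry run of the membership changes before a bulk import is committed.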
