PowerShell command Distribution group user permissions
Hello, I am trying to create a script that can be used to create distribution groups, however I am having a few problems. I am unable to figure out a command to do the things I want.
I want to add a user to the security tab that has "Full Control" access. The command I was trying to use is something like this
Get-DistributionGroup $DLName | Add-ADpermission -extendedrights GenericAll -user $user
The other problem I am having is assigning the description field some text. Originally I was trying to use something like this, but I would usually get errors with SetInfo and Put
$ARNUM.text = some text input earlier in the program
$New = Get-Distributiongroup $DLName
$ADuser = [ADSI]("LDAP://corp.pep.tst/Messaging Resources/Groups/" + $New.DistinguishedName)
$ADuser.Put("description", $ARNUM.Text)
$ADuser.SetInfo()
SetAttribute
I have exhausted Google searches for these answers. The only condition I have is that I cannot use QAD commandlets.
April 18th, 2011 3:46pm
On Mon, 18 Apr 2011 19:39:53 +0000, devinasj wrote:
>
>
>Hello, I am trying to create a script that can be used to create distribution groups, however I am having a few problems. I am unable to figure out a command to do the things I want.
>
> I want to add a user to the security tab that has "Full Control" access. The command I was trying to use is something like this
>
>Get-DistributionGroup $DLName | Add-ADpermission -extendedrights GenericAll -user $user
>
>
>
>The other problem I am having is assigning the description field some text. Originally I was trying to use something like this, but I would usually get errors with SetInfo and Put
>
>$ARNUM.text = some text input earlier in the program
>
>$New = Get-Distributiongroup $DLName
>
>$ADuser = [ADSI]("LDAP://corp.pep.tst/Messaging Resources/Groups/" + $New.DistinguishedName)
Try this instead:
$ADuser = [ADSI]("LDAP://corp.pep.tst/$($New.DistinguishedName)")
or just this, if you have only one domain in the forest:
$ADuser = [ADSI]("LDAP://$($New.DistinguishedName)")
Another thing to keep in mind is that a Distribution Group doesn't
have a "Description" property, but a group does. I don't think it
matters in this case, though, because the DN is going to lead you to
the same AD object.
>$ADuser.Put("description", $ARNUM.Text)
>$ADuser.SetInfo()
>
>I have exhausted Google searches for these answers. The only condition I have is that I cannot use QAD commandlets.
It would be helpful if you also stated what your problem was and on
which line of code the error happened.
---
Rich Matheisen
MCSE+I, Exchange MVP
April 18th, 2011 9:53pm
Well, the original problem was that I would get an execution error regarding Put, SetInfo, and SetAttribute
$New = Get-DistributionGroup $DLName
$ADuser = [ADSI]("LDAP://corp.pep.tst/messaging/groups/$($New.DistinguishedName)")
$ADuser.Put("description", $ARNUM.Text)
$ADuser.SetInfo()
SetAttribute
Exception retrieving member "Put": "Unknown error (0x80005000)"
At D:\Powershell\Create_DL\Create_DL.ps1:993 char:15
+ $ADuser.Put( <<<< "description", $ARNUM.Text)
Exception retrieving member "SetInfo": "Unknown error (0x80005000)"
At D:\Powershell\Create_DL\Create_DL.ps1:994 char:19
+ $ADuser.SetInfo( <<<< )
The term 'SetAttribute' is not recognized as a cmdlet, function, operable program, or script file.
Verify the term and try again.
At D:\Powershell\Create_DL\Create_DL.ps1:995 char:16
+ SetAttribute <<<<
I think I'm going to opt to put the description in a custom attribute for the problem above or wait until I can use QAD cmdlets
Although the last problem I am having is using this code at the end of a create DL script. If I run the create DL script with this included at the end I get the below error. However if I run the create DL script and then once it is finished I run the following code in the shell window it assigns permissions just fine.
I think it has something to do with Get-DistributionGroup vs. Set-Distribution group as well as the creation timing. However this is one of the very last commands to run in the script (the last commands being logging commands).
foreach ($user in $Owners){
$tmpDL = Get-DistributionGroup $DLName
if($error.count -eq 0) {
$tmpDL | Add-ADPermission -AccessRights GenericAll -user $user
}
}
Add-ADPermission : corp.pep.tst/Messaging/Groups/DL - BIS test2 was not found. Please make sure you have typed it correctly.
At D:\Powershell\Create_DL\Create_DL.ps1:1090 char:31
+ $tmpDL | Add-ADPermission <<<< -AccessRights GenericAll -user $user
April 20th, 2011 1:43pm
On Wed, 20 Apr 2011 17:42:08 +0000, devinasj wrote:
>
>
>Well, the original problem was that I would get an execution error regarding Put, SetInfo, and SetAttribute
>$New = Get-DistributionGroup $DLName
>$ADuser = [ADSI]("LDAP://corp.pep.tst/messaging/groups/$($New.DistinguishedName)")
>$ADuser.Put("description", $ARNUM.Text)
>$ADuser.SetInfo()
>SetAttribute
>
>
>
>
> Exception retrieving member "Put": "Unknown error (0x80005000)"
>At D:\Powershell\Create_DL\Create_DL.ps1:993 char:15
>+ $ADuser.Put( <<<< "description", $ARNUM.Text)
>Exception retrieving member "SetInfo": "Unknown error (0x80005000)"
>At D:\Powershell\Create_DL\Create_DL.ps1:994 char:19
>+ $ADuser.SetInfo( <<<< )
>The term 'SetAttribute' is not recognized as a cmdlet, function, operable program, or script file.
>Verify the term and try again.
>At D:\Powershell\Create_DL\Create_DL.ps1:995 char:16
>+ SetAttribute <<<<
Have you verified that $ADUser actually contains what you expect? I'm
guessing it doesn't.
Since the DN contains the complete location of the object you should
need only this:
$ADUser = [ADSI]("LDAP://" + $New.DistinguishedName)
Instead of using the ADSI method of setting properties you can use
this:
$ADUser.psbase.properties.description = $ARNUM.Text
$ADUser.psbase.commitchanges()
>I think I'm going to opt to put the description in a custom attribute for the problem above or wait until I can use QAD cmdlets
>
>Although the last problem I am having is using this code at the end of a create DL script. If I run the create DL script with this included at the end I get the below error. However if I run the create DL script and then once it is finished I run the following code in the shell window it assigns permissions just fine.
Ahhh . . . you have more than one DC in the AD site? And the script is
creating the DL? You probably create the DL on one DC and try to
update it on another. Use the "-domaincontroller corp.pep.tst"
parameter on the cmdlet that creates the DL and use the
'$ADuser = [ADSI]("LDAP://corp.pep.tst/messaging/groups/$($New.DistinguishedName)")'
to update it.
>I think it has something to do with Get-DistributionGroup vs. Set-Distribution group as well as the creation timing. However this is one of the very last commands to run in the script (the last commands being logging commands).
>foreach ($user in $Owners){
> $tmpDL = Get-DistributionGroup $DLName
> if($error.count -eq 0) {
> $tmpDL | Add-ADPermission -AccessRights GenericAll -user $user
> }
>}
>Add-ADPermission : corp.pep.tst/Messaging/Groups/DL - BIS test2 was not found. Please make sure you have typed it correctly.
>At D:\Powershell\Create_DL\Create_DL.ps1:1090 char:31
>+ $tmpDL | Add-ADPermission <<<< -AccessRights GenericAll -user $user
Use the "-domaincontroller" parameter on the get-distributiongroup AND
on the add-adpermission cmdlets.
---
Rich Matheisen
MCSE+I, Exchange MVP
April 20th, 2011 10:31pm
Using -domaincontroller has worked for updating the AD permissions, thank you so much!
However it seems assigning a value to the description is still giving an error.
When using the code:
$New = Get-DistributionGroup -domaincontroller corp.pep.tst $DLName
$ADUser = [ADSI]("LDAP://" + $New.DistinguishedName)
$ADuser.psbase.Properties.Description = $ARNUM.Text
$ADuser.psbase.commitchanges()
I get the error:
New PropertyValueCollection cannot be set into a DirectoryEntry PropertyCollection.
At D:\Powershell\Create_DL.ps1:1016 char:30
+ $ADuser.psbase.Properties.D <<<< escription = $ARNUM.Text
I have tried making $ARNUM into a standard string just to see if it would make a difference, but no change there. I researched the error a little and some people were saying that the line
$ADuser.psbase.Properties.Description = $ARNUM.Text
should have a .value at the end like this
$ADuser.psbase.Properties.Description.Value = $ARNUM.Text
But that just gave me an error about "Value"
I really appreciate the help on this. Let me know what you think.
Thank you,
April 25th, 2011 1:42pm
I found a way to make it work using the method that you gave me.
$New = Get-DistributionGroup -domaincontroller $Cfg.DC $DLName
$ADUser = [ADSI]("LDAP://"+ $Cfg.DC +"/" + $New.DistinguishedName)
$ADuser.Put("description", $ARNUM.Text)
$ADuser.SetInfo()
Thank you very much Rich
April 25th, 2011 5:44pm
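
The approach the thread arrives at (point the Exchange cmdlets and the ADSI bind at the same domain controller, then write the description with Put/SetInfo), written out as an added example that is not part of any poster's message. The DC name, group name, owner account, description text and the Get-PinnedEntry helper are hypothetical placeholders, and it assumes the Exchange Management Shell is loaded and the group was created with -DomainController pointing at the same server.

```powershell
# Added example; all values below are placeholders, not taken from the thread.
$DC     = 'dc01.corp.example'        # one specific DC used for every call
$DLName = 'DL - Example'             # placeholder group name
$Owners = @('CORP\owner1')           # placeholder owner accounts
$Text   = 'Example description'      # placeholder description text

function Get-PinnedEntry {           # hypothetical helper
    param([string]$Server, [string]$DistinguishedName)
    # A "/" inside a DN must be escaped in an ADsPath, otherwise ADSI
    # reads it as a path separator.
    $dn    = $DistinguishedName -replace '(?<!\\)/', '\/'
    $entry = [ADSI]"LDAP://$Server/$dn"
    # Building the object does not bind. A bad path (for example extra
    # container names in front of the DN) only surfaces later as
    # 0x80005000 (E_ADS_BAD_PATHNAME) on Put/SetInfo, so force the bind here.
    try   { $null = $entry.psbase.NativeObject }
    catch { throw "Cannot bind to '$($entry.psbase.Path)': $($_.Exception.Message)" }
    return $entry
}

# Read the group from the DC it was created on, so replication delay
# between DCs cannot produce a "was not found" error.
$group = Get-DistributionGroup -Identity $DLName -DomainController $DC -ErrorAction Stop

# The DN already contains the full location; only the server goes in front.
$entry = Get-PinnedEntry -Server $DC -DistinguishedName $group.DistinguishedName
$entry.Put('description', $Text)
$entry.SetInfo()

foreach ($owner in $Owners) {
    Add-ADPermission -Identity $group.DistinguishedName -User $owner `
        -AccessRights GenericAll -DomainController $DC -ErrorAction Stop | Out-Null
}

# Read both changes back from the same DC to confirm what was written.
$entry.psbase.RefreshCache()
"description = $($entry.psbase.Properties['description'].Value)"
Get-ADPermission -Identity $group.DistinguishedName -DomainController $DC |
    Where-Object { -not $_.IsInherited -and $_.AccessRights -contains 'GenericAll' } |
    Select-Object User, AccessRights, Deny
```

The final Get-ADPermission query lists only explicit (non-inherited) GenericAll entries, which makes it a quick review of who holds full control on the group after the script runs.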