将新广告用户添加到组时发出警告

时间:2016-11-15 13:03:46

标签: powershell active-directory

作为我的创建用户脚本的一部分,我将基于公司的用户添加到两个AD安全组。用户正被添加到组中但我收到警告。我很困惑为什么在用户仍然被正确添加时我会收到警告。

警告:无法向ADGroup添加成员:'CN = HS,CN = Users,DC = MY,DC = DOMAIN'。错误是:'指定的帐户名已经是该组的成员'。

警告:无法向ADGroup添加成员:'CN = HS学生,CN =用户,DC =我,DC = DOMAIN'。错误是:'指定的帐户名已经是该组的成员'。

这是我的创建用户脚本

foreach ($User in $ADUsers)
{
#Read user data from each field in each row and assign the data to a  variable as below

$Username   = $User.ID
$Password   = $User.BDATE
$Firstname  = $User.FNAME
$Lastname   = $User.LNAME
$Department = $User.GRD
$Company    = $User.SCHID #This field refers to the OU the user account is to be moved to

# Choose OU
Switch ($Company)
{
    "1480" {$OU = 'OU=students,OU=users,ou=hs,dc=clasd,dc=net'}
    "1479" {$OU = 'OU=students,OU=users,ou=elem,dc=clasd,dc=net'}
}

#Check to see if the user already exists in AD
if (Get-ADUser -F {SamAccountName -eq $Username})
{
     #If user does exist, give a warning
     Write-Warning "A user account with username $Username already exist in Active Directory."
}
else
{
    #User does not exist then proceed to create the new user account
    "Processing started (on " + $date + "): " | Out-File $log -append
    "--------------------------------------------" | Out-File $log -append

    #Account will be created in the OU provided by the $OU variable read from the CSV file
    New-ADUser `
        -SamAccountName $Username `
        -UserPrincipalName "$Username@clasd.net" `
        -Name "$Firstname $Lastname" `
        -GivenName $Firstname `
        -Department "$Department" `
        -Company "$Company" `
        -EmailAddress "$Username@clasd.net" `
        -Surname $Lastname `
        -Enabled $True `
        -Scriptpath "login.vbs" `
        -DisplayName "$Firstname $Lastname" `
        -Path $OU `
        -AccountPassword (convertto-securestring $Password -AsPlainText -Force) `
        -ChangePasswordAtLogon $true

    #Start-Sleep 5

    # Add User to Groups
    Get-Aduser -filter 'company -eq "1480"' | %{Add-ADPrincipalGroupMembership -Identity $_.SamAccountName -MemberOf "HS", "HS Students"}

}
}

2 个答案:

答案 0 :(得分:1)

那么,为什么你要使用get-aduser,你得到公司设置为1480的所有用户?你需要做类似的事情:

New-ADUser @args -PassThru | 
  ForEach-Object { Add-ADPrincipalGroupMembership -Identity $_.SamAccountName -MemberOf "HS", "HS Students" }

另外,考虑创建一个包含所需值的哈希表,并将其展示给new-aduser命令,看起来更清晰,如下所示:

$args = @{
    DisplayName = $_.DisplayName 
    GivenName = $_.GivenName
    Surname = $_.sn
    SamAccountName = $_.SamAccountName
    UserPrincipalName = $($_.SamAccountName + "@xxx.xxx")
    Department = $_.Department
    Title = $_.Title
    City = $_.City
    Office = $_.Office
    MobilePhone = $_.MobilePhone
    OfficePhone = $_.telephoneNumber
    Name = $_.DisplayName
    Company = "xxx"
    Path = $path
    State = $region
}
New-ADUser @args -PassThru

答案 1 :(得分:0)

如您所说,用户没有“正确添加”。

警告只是告诉您,您的命令尚未完成其功能,因为它尝试执行的操作已经完成。

编辑:您可以将WarningAction参数设置为SilentlyContinue,以便在您不希望它出现时禁止显示黄色警告文本:

Get-Aduser -filter 'company -eq "1480"' | %{Add-ADPrincipalGroupMembership -Identity $_.SamAccountName -MemberOf "HS", "HS Students" -WarningAction SilentlyContinue}
Get-Aduser -filter 'company -eq "1479"' | %{Add-ADPrincipalGroupMembership -Identity $_.SamAccountName -MemberOf "Elem", "Elem Students" -WarningAction SilentlyContinue}

这两个命令也需要移动到脚本的末尾 - 因此它们不在foreach循环中。这意味着它们仅在创建所有新帐户后运行一次。