作为我的创建用户脚本的一部分,我将基于公司的用户添加到两个AD安全组。用户正被添加到组中但我收到警告。我很困惑为什么在用户仍然被正确添加时我会收到警告。
警告:无法向ADGroup添加成员:'CN = HS,CN = Users,DC = MY,DC = DOMAIN'。错误是:'指定的帐户名已经是该组的成员'。
警告:无法向ADGroup添加成员:'CN = HS学生,CN =用户,DC =我,DC = DOMAIN'。错误是:'指定的帐户名已经是该组的成员'。
这是我的创建用户脚本
foreach ($User in $ADUsers)
{
#Read user data from each field in each row and assign the data to a variable as below
$Username = $User.ID
$Password = $User.BDATE
$Firstname = $User.FNAME
$Lastname = $User.LNAME
$Department = $User.GRD
$Company = $User.SCHID #This field refers to the OU the user account is to be moved to
# Choose OU
Switch ($Company)
{
"1480" {$OU = 'OU=students,OU=users,ou=hs,dc=clasd,dc=net'}
"1479" {$OU = 'OU=students,OU=users,ou=elem,dc=clasd,dc=net'}
}
#Check to see if the user already exists in AD
if (Get-ADUser -F {SamAccountName -eq $Username})
{
#If user does exist, give a warning
Write-Warning "A user account with username $Username already exist in Active Directory."
}
else
{
#User does not exist then proceed to create the new user account
"Processing started (on " + $date + "): " | Out-File $log -append
"--------------------------------------------" | Out-File $log -append
#Account will be created in the OU provided by the $OU variable read from the CSV file
New-ADUser `
-SamAccountName $Username `
-UserPrincipalName "$Username@clasd.net" `
-Name "$Firstname $Lastname" `
-GivenName $Firstname `
-Department "$Department" `
-Company "$Company" `
-EmailAddress "$Username@clasd.net" `
-Surname $Lastname `
-Enabled $True `
-Scriptpath "login.vbs" `
-DisplayName "$Firstname $Lastname" `
-Path $OU `
-AccountPassword (convertto-securestring $Password -AsPlainText -Force) `
-ChangePasswordAtLogon $true
#Start-Sleep 5
# Add User to Groups
Get-Aduser -filter 'company -eq "1480"' | %{Add-ADPrincipalGroupMembership -Identity $_.SamAccountName -MemberOf "HS", "HS Students"}
}
}
答案 0 :(得分:1)
那么,为什么你要使用get-aduser,你得到公司设置为1480的所有用户?你需要做类似的事情:
New-ADUser @args -PassThru |
ForEach-Object { Add-ADPrincipalGroupMembership -Identity $_.SamAccountName -MemberOf "HS", "HS Students" }
另外,考虑创建一个包含所需值的哈希表,并将其展示给new-aduser命令,看起来更清晰,如下所示:
$args = @{
DisplayName = $_.DisplayName
GivenName = $_.GivenName
Surname = $_.sn
SamAccountName = $_.SamAccountName
UserPrincipalName = $($_.SamAccountName + "@xxx.xxx")
Department = $_.Department
Title = $_.Title
City = $_.City
Office = $_.Office
MobilePhone = $_.MobilePhone
OfficePhone = $_.telephoneNumber
Name = $_.DisplayName
Company = "xxx"
Path = $path
State = $region
}
New-ADUser @args -PassThru
答案 1 :(得分:0)
如您所说,用户没有“正确添加”。
警告只是告诉您,您的命令尚未完成其功能,因为它尝试执行的操作已经完成。
编辑:您可以将WarningAction参数设置为SilentlyContinue,以便在您不希望它出现时禁止显示黄色警告文本:
Get-Aduser -filter 'company -eq "1480"' | %{Add-ADPrincipalGroupMembership -Identity $_.SamAccountName -MemberOf "HS", "HS Students" -WarningAction SilentlyContinue}
Get-Aduser -filter 'company -eq "1479"' | %{Add-ADPrincipalGroupMembership -Identity $_.SamAccountName -MemberOf "Elem", "Elem Students" -WarningAction SilentlyContinue}
这两个命令也需要移动到脚本的末尾 - 因此它们不在foreach循环中。这意味着它们仅在创建所有新帐户后运行一次。