
I'm working on a script to create Security and Distribution groups so that they will follow our naming standards. In the script I use New-DistributionGroup to create the group, Set-DistributionGroup to add some Custom attributes, and then want to use Set-ADGroup to add a Description. (aside: what a pain that New-DistributionGroup can't do these things!) Despite setting sleep times up to 30 seconds, Set-ADGroup always fails with:

Set-ADGroup : Cannot find an object with identity: 'AcctTesting1' under: [our domain].

Yet if I remove the line of code from Set-ADGroup, run the script, and then immediately run the Set-ADGroup code, it works perfectly.

Here is the relevant portion of the script: (our domain name removed)

    $GroupTypeName = "Assignment"
    $OU = $BaseOU + "AssignmentGroups"
    New-DistributionGroup -Name $SAMname -Alias $Alias -DisplayName $DisplayName -ManagedBy `
        "CN=Administrator,CN=Users,[our domain]" -OrganizationalUnit $OU `
        -SamAccountName $SAMname -Type Security
    Set-DistributionGroup -Identity $SAMname -CustomAttribute10 "ASSIGNMENT GROUP" `
        -CustomAttribute11 $PRMCode
    echo "Waiting for new group to replicate"
    Start-Sleep -s 20
    Set-ADGroup -Identity $SAMname -Description "$Alias AssignmentGroup"

I'm relatively new to PowerShell scripting, so if you have ideas on how to fix this, I'd appreciate a little detail!


4 Answers


Here's what you can try:

You can direct New-DistributionGroup to create the group on a specific DC (using the DomainController parameter). New-DistributionGroup emits the group, so you can pipe the group to Set-DistributionGroup and set the properties you need. Finally, you can get the group from the same DC using the Set-ADGroup -Server parameter.

    New-DistributionGroup -DomainController DC1 -Name $SAMname ... | Set-DistributionGroup -CustomAttribute10 "ASSIGNMENT GROUP" -CustomAttribute11 $PRMCode

    Set-ADGroup -Server DC1 -Identity $SAMname -Description "$Alias AssignmentGroup"
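Added example (not part of this answer or the asker's script) that carries the same idea through all three steps and checks the result afterwards; $dc is a placeholder DC name, and $SAMname, $Alias, $DisplayName, $OU and $PRMCode are assumed to be set earlier in the asker's script:

```powershell
# Pin every call to one writable DC so Set-ADGroup reads from the same
# server that New-DistributionGroup wrote to; no replication wait needed.
$dc = 'DC1.corp.example'   # placeholder: a writable DC in your domain

# Exchange cmdlets: create the group and set the custom attributes on $dc.
$group = New-DistributionGroup -DomainController $dc -Name $SAMname -Alias $Alias `
    -DisplayName $DisplayName -OrganizationalUnit $OU -SamAccountName $SAMname -Type Security

$group | Set-DistributionGroup -DomainController $dc `
    -CustomAttribute10 'ASSIGNMENT GROUP' -CustomAttribute11 $PRMCode

# AD module cmdlet: use the DN returned by New-DistributionGroup and the same DC.
Set-ADGroup -Server $dc -Identity $group.DistinguishedName `
    -Description "$Alias AssignmentGroup"

# Verify the description landed before the rest of the script relies on it.
$check = Get-ADGroup -Server $dc -Identity $group.DistinguishedName -Properties Description
if ($check.Description -ne "$Alias AssignmentGroup") {
    throw "Description was not set on $dc for $SAMname"
}
```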

I'm not able to test it, but here is a possible explanation.

New-DistributionGroup is an Exchange cmdlet that creates Universal Groups. Universal Groups are created on a Domain Controller that holds the Global Catalog. Set-ADGroup is an Active Directory cmdlet that tries to find the group on any Domain Controller.

So one cause of your problem is that you have to wait for replication from your GC to your reference Domain Controller. You could perhaps try running your script on a controller with the Global Catalog to test this.


The info received on this site showed me why the errors were happening, but I still needed to fix it. Another web-site expert suggested a loop-until structure to hold execution until the group was available. His solution worked, but filled the screen with error messages at each iteration of the loop. The post, below, gave me the information required to build a working loop.

https://stackoverflow.com/a/9421291/1299495

After executing the New-DistributionGroup command, this loop delays the succeeding commands until the just-created group is available for modification.

    # Poll until the new group is visible; $SAMname is the group's sAMAccountName
    $Idx = 0
    Write-Host -NoNewline "Waiting for replication"
    Do
    {
        If($Idx -gt 0) {Start-Sleep -s 5}    # back off between retries
        $r = Get-ADGroup -Filter {SamAccountName -eq $SAMname}
        Write-Host -NoNewline "."
        $Idx = $Idx + 1
    }
    Until($r)

Dann


I also had this problem, and since I use the group for a remote filesystem ACL, I wanted to make sure the group is synced on all DCs.

Based on the above, my implementation is currently:

    function createADSecurityGroup {
        Param(
            [Parameter(Mandatory = $true)] [String] $GroupScope,
            [Parameter(Mandatory = $true)] [String] $Name,
            [Parameter(Mandatory = $true)] [String] $Description,
            [Parameter(Mandatory = $true)] [String] $Path
        )

        try {
            New-ADGroup -GroupScope $GroupScope -Name $Name -Description $Description -GroupCategory Security -Path $Path

            # Poll every DC in the domain until the new group is visible on each one
            foreach ($dc in Get-ADDomainController -Filter * | Select-Object name) {
                $Idx = 0
                $MaxTries = 99
                Write-Host -NoNewline "`nWaiting for group " $Name " to appear on server " $dc.name
                Do {
                    If ($Idx -gt 0) { Start-Sleep -s 5 }
                    # Count the attempt before querying, so an unreachable DC still hits the limit
                    $Idx = $Idx + 1

                    try {
                        $r = $null
                        $r = Get-ADGroup -Server $dc.name -Filter { SamAccountName -eq $Name }
                        # Timeout error simulation: #$r = Get-ADGroup -Server $dc.name -Filter {SamAccountName -eq 'NoNe'}
                        Write-Host -NoNewline "."
                    } catch {
                        # DC unreachable or query failed; report and retry
                        Write-Host $_.Exception.Message
                    }

                    if (-not $r -and $Idx -gt $MaxTries) {
                        throw "Timeout waiting for appearance of group $Name on $($dc.name)"
                    }
                }
                Until ($r)
            }

            Write-Host ""

        } catch {
            $ErrorMessage = $_.Exception.Message
            $txt = "createADSecurityGroup-Function FAILURE: " + $ErrorMessage + " " + $Name
            Write-Host "`n" $txt
            throw $txt
        }
    }