PowerShell Active Directory ADSI question

Post by ErnieB » Thu Aug 30, 2018 7:31 am

Hello,

I notice when getting a Group object via ADSI as follows


$GroupDN = Get-AdGroup TestGroup01 | Select-Object -ExpandProperty DistinguishedName
$Group = [ADSI]"LDAP://$GroupDN"

The .Add method no longer appears to exist (using Windows Server 2012 R2 with PowerShell v4)


Therefore using reflection as follows

$User = "CN=Jane,CN=Users,DC=LAB,DC=pri"

$NativeComObject = $Group.psbase.NativeObject
[System.__ComObject].InvokeMember("member",[System.Reflection.BindingFlags]::SetProperty,$null,$NativeComObject,$User)
$Group.CommitChanges()


The above adds Jane to the group but removes all other members, (basically I am setting the value of the member attribute to Jane and that is all, hence removing the other users)


What is the correct syntax to add Jane but not remove the other members, please?


I am sure Jim will know the answer to this, if he still contributes to this forum

Thanks

Post by jvierra » Thu Aug 30, 2018 7:40 am

Use "Add-AdGroupMember" to add members to a group. There is no need to use the COM interface. That is only needed for groups on a workstation (local groups).

With Win 10 and later we also can use: "Add-LocalGroupMember"

Post by jvierra » Thu Aug 30, 2018 7:51 am

If you want a pure ADSI solution then we would do it like this:

Code: Select all

$user = [adsi]'LDAP://CN=Jane,CN=Users,DC=LAB,DC=pri'
$group =([adsisearcher]'samaccountname=TestGroup01').FindOne().GetDirectoryEntry()
$group.Add($user.Path)
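
The overwrite described in the first post comes from assigning the whole `member` attribute; appending a single value and then re-reading the group guards against it. The following is an added example, not part of the original thread: the function name `Add-AdsiGroupMemberSafe` is hypothetical, and the group DN in the usage line assumes TestGroup01 lives in `CN=Users` of the thread's LAB.pri lab domain.

```powershell
# Added example. Function name is hypothetical; the group DN in the usage line is assumed.
function Add-AdsiGroupMemberSafe {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$GroupDN,
        [Parameter(Mandatory)][string]$MemberDN
    )

    # Fail early if either object cannot be found in the directory.
    foreach ($dn in $GroupDN, $MemberDN) {
        if (-not [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$dn")) {
            throw "Directory object not found: $dn"
        }
    }

    $group   = [ADSI]"LDAP://$GroupDN"
    $members = $group.psbase.Properties['member']

    # Snapshot current membership. Very large groups return 'member' in ranges,
    # so this snapshot can be partial there.
    $before = @($members | ForEach-Object { [string]$_ })

    # -contains is case-insensitive; DNs are compared as plain strings here.
    if ($before -contains $MemberDN) {
        return [pscustomobject]@{ Group = $GroupDN; Added = $false; Before = $before.Count; After = $before.Count }
    }

    if ($PSCmdlet.ShouldProcess($GroupDN, "Add member $MemberDN")) {
        # Append ONE value to the multi-valued attribute instead of assigning
        # the attribute, which is what replaced the whole member list.
        [void]$members.Add($MemberDN)
        $group.psbase.CommitChanges()

        # Re-read from the directory and confirm no earlier member was dropped.
        $group.psbase.RefreshCache([string[]]@('member'))
        $after = @($group.psbase.Properties['member'] | ForEach-Object { [string]$_ })
        $lost  = @($before | Where-Object { $after -notcontains $_ })
        if ($lost.Count -gt 0) {
            throw "Members missing after update: $($lost -join '; ')"
        }
        [pscustomobject]@{ Group = $GroupDN; Added = $true; Before = $before.Count; After = $after.Count }
    }
}

# Preview with -WhatIf first; drop the switch to apply the change.
Add-AdsiGroupMemberSafe -GroupDN 'CN=TestGroup01,CN=Users,DC=LAB,DC=pri' -MemberDN 'CN=Jane,CN=Users,DC=LAB,DC=pri' -WhatIf
```

On a real change the returned `After` count should be `Before` plus one; any other result means the membership needs to be reviewed before further edits.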

Post by ErnieB » Thu Aug 30, 2018 11:19 am

Thanks Jim, that worked fine

The odd thing is I did not see the .Add method on the Group object (see below), but it still works :) I am sure in other versions of PowerShell I used to see the .Add method, anyway it worked so that is all that matters, thanks again.

PS C:\Users\Administrator> $group | gm -Force


TypeName: System.DirectoryServices.DirectoryEntry

Name MemberType Definition
---- ---------- ----------
ConvertDNWithBinaryToString CodeMethod static string ConvertDNWithBinaryToString(psobject deInstance, psobject dnWithBinaryInstance)
ConvertLargeIntegerToInt64 CodeMethod static long ConvertLargeIntegerToInt64(psobject deInstance, psobject largeIntegerInstance)
pstypenames CodeProperty System.Collections.ObjectModel.Collection`1[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]] pstypenames{get=P.
psadapted MemberSet psadapted {objectClass, cn, member, distinguishedName, instanceType, whenCreated, whenChanged, uSNCreated, uSNChanged, nTSecurityDescriptor, name, objectGU.
psbase MemberSet psbase {AuthenticationType, Children, Guid, ObjectSecurity, Name, NativeGuid, NativeObject, Parent, Password, Path, Properties, SchemaClassName, SchemaEntr.
psextended MemberSet psextended {ConvertLargeIntegerToInt64, ConvertDNWithBinaryToString}
psobject MemberSet psobject {BaseObject, Members, Properties, Methods, ImmediateBaseObject, TypeNames, get_BaseObject, get_Members, get_Properties, get_Methods, get_Immediate.
PSStandardMembers MemberSet PSStandardMembers {DefaultDisplayPropertySet}
cn Property System.DirectoryServices.PropertyValueCollection cn {get;set;}
distinguishedName Property System.DirectoryServices.PropertyValueCollection distinguishedName {get;set;}
dSCorePropagationData Property System.DirectoryServices.PropertyValueCollection dSCorePropagationData {get;set;}
groupType Property System.DirectoryServices.PropertyValueCollection groupType {get;set;}
instanceType Property System.DirectoryServices.PropertyValueCollection instanceType {get;set;}
member Property System.DirectoryServices.PropertyValueCollection member {get;set;}
name Property System.DirectoryServices.PropertyValueCollection name {get;set;}
nTSecurityDescriptor Property System.DirectoryServices.PropertyValueCollection nTSecurityDescriptor {get;set;}
objectCategory Property System.DirectoryServices.PropertyValueCollection objectCategory {get;set;}
objectClass Property System.DirectoryServices.PropertyValueCollection objectClass {get;set;}
objectGUID Property System.DirectoryServices.PropertyValueCollection objectGUID {get;set;}
objectSid Property System.DirectoryServices.PropertyValueCollection objectSid {get;set;}
sAMAccountName Property System.DirectoryServices.PropertyValueCollection sAMAccountName {get;set;}
sAMAccountType Property System.DirectoryServices.PropertyValueCollection sAMAccountType {get;set;}
uSNChanged Property System.DirectoryServices.PropertyValueCollection uSNChanged {get;set;}
uSNCreated Property System.DirectoryServices.PropertyValueCollection uSNCreated {get;set;}
whenChanged Property System.DirectoryServices.PropertyValueCollection whenChanged {get;set;}
whenCreated Property System.DirectoryServices.PropertyValueCollection whenCreated {get;set;}

Post by jvierra » Thu Aug 30, 2018 11:45 am

COM objects are only discoverable if they have the correct type library. The ADSI objects are documented. Older documentation addresses use in VBScript and other scripting environments. PowerShell can dig into these libraries and "find" the properties and methods on the LDAP provider but is not as successful with the WinNT provider. In all cases the "Invoke" method of COM should work.

Post by ErnieB » Sat Sep 01, 2018 11:24 am

Thanks Jim :)
