Add a computer to an AD group on a specific domain controller via ADSI adapter

0

I run this script in a user context that has privileges to add members to my AD group. I verified permissions already and I can add members manually via ADUC.

I'd like to add my machine to a specific group on a specific domain controller. I'm very unfamiliar with ADSI usage and I pieced together the below script based on other examples. I'm unable to use the PS AD module at the time this script will be run.

Param(
    [Parameter(Mandatory)]
    [string]$GroupName
)

# Find domain controllers by enumerating the computer objects in the Domain Controllers OU
$searcher = New-Object System.DirectoryServices.DirectorySearcher([adsi] "LDAP://OU=Domain Controllers,DC=corp,DC=thing,DC=com")
$searcher.Filter = "(objectclass=computer)"
$DomainControllers = $searcher.FindAll()
Write-Verbose "Found DCs:"
foreach ($dc in $DomainControllers.Properties.cn)
{
    Write-Verbose "$dc"
}

# Pick the first DC on which this computer's object can be found
$TargetController = $null
$ComputerDn = $null
foreach ($dc in $DomainControllers.Properties.cn)
{
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([adsi] "LDAP://$dc/DC=corp,DC=thing,DC=com")
    $searcher.Filter = "(&(objectclass=computer)(cn=$env:COMPUTERNAME))"
    $result = $searcher.FindOne()

    try {
        if ($result)
        {
            $TargetController = $dc
            Write-Verbose "Target controller set: $TargetController"

            $ComputerDn = $result.Properties.distinguishedname
            Write-Verbose "Computer DN: $ComputerDn"

            break
        }
        else
        {
            Write-Verbose "Did not find $env:COMPUTERNAME on $dc"
        }
    }
    catch
    {
        Write-Verbose "$dc ERROR"
    }
}

if ($TargetController)
{
    # Resolve the group's DN on the chosen DC and bind to it
    $GroupSearcher = New-Object System.DirectoryServices.DirectorySearcher([adsi] "LDAP://$TargetController/DC=corp,DC=thing,DC=com")
    $GroupSearcher.Filter = "(&(objectclass=group)(cn=$GroupName))"
    $GroupDn = $GroupSearcher.FindOne().Properties.distinguishedname
    $Group = [ADSI] "LDAP://$TargetController/$GroupDn"

    # Check the computer's memberOf attribute for an existing membership
    $ComputerSearcher = New-Object System.DirectoryServices.DirectorySearcher([adsi] "LDAP://$TargetController/DC=corp,DC=thing,DC=com")
    $ComputerSearcher.Filter = "(&(objectclass=computer)(cn=$env:COMPUTERNAME))"
    $result = $ComputerSearcher.FindOne().Properties.memberof -match "cn=$GroupName,"

    if (!$result)
    {
        try
        {
            $Computer = [adsi] "LDAP://$TargetController/$ComputerDn"
            # This is the call that fails with HRESULT 0x80005000 (see the error below)
            $Group.Add("$Computer")
        }
        catch
        {
            $_.Exception.Message ; Exit 1
        }
    }
    else
    {
        Write-Verbose "$env:COMPUTERNAME already a member of $GroupName"
    }
}

Running this I get the error `Exception calling "Add" with "1" argument(s): "Exception from HRESULT: 0x80005000"`. I'm open to any alternatives!

powershell
active-directory
adsi
asked on Stack Overflow Nov 17, 2020 by Residualfail

1 Answer

1

As Bill Stewart commented, you should either remove the [adsi] accelerator

$Computer = "LDAP://$TargetController/$ComputerDn"
$Group.Add($Computer)

or specify the path

$Computer = [adsi] "LDAP://$TargetController/$ComputerDn"
$Group.Add($Computer.path)

The method expects the path, which you've already constructed with "LDAP://$TargetController/$ComputerDn", which makes the cast to an ADSI object unnecessary.

answered on Stack Overflow Nov 17, 2020 by Doug Maurer
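A fuller version of the same operation, written here as an added example rather than code from the question or the answer: it binds to one named domain controller, passes IADsGroup.Add the ADsPath string the answer describes, escapes the group and computer names before interpolating them into the LDAP filter (the question's script interpolates the `$GroupName` parameter unescaped, so a value containing `)(` or `*` would change the query), and tests membership by comparing full DNs rather than a regex substring match. The function name `Add-ComputerToGroupOnDc`, the DC name `dc01.corp.thing.com` and the group name `Workstations` are placeholders; the search base is the domain from the question.

```powershell
function ConvertTo-LdapFilterValue {
    # Escape a value for use inside an LDAP search filter (RFC 4515).
    # Backslash is escaped first so the later replacements are not double-escaped.
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Value)
    $escaped = $Value.Replace('\', '\5c')
    foreach ($pair in @(@('*', '\2a'), @('(', '\28'), @(')', '\29'), @("`0", '\00'))) {
        $escaped = $escaped.Replace($pair[0], $pair[1])
    }
    return $escaped
}

function Add-ComputerToGroupOnDc {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$DomainController,   # placeholder, e.g. 'dc01.corp.thing.com'
        [Parameter(Mandatory)][string]$GroupName,
        [string]$ComputerName = $env:COMPUTERNAME,
        [string]$SearchBase = 'DC=corp,DC=thing,DC=com'   # domain from the question; adjust for yours
    )

    # Bind the searcher to one specific DC so the read and the later write hit the same replica.
    $root = [adsi]"LDAP://$DomainController/$SearchBase"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    [void]$searcher.PropertiesToLoad.Add('memberOf')

    # Escaped input: a group name such as 'Admins)(objectClass=*' cannot widen the filter.
    $safeGroup = ConvertTo-LdapFilterValue $GroupName
    $searcher.Filter = "(&(objectClass=group)(cn=$safeGroup))"
    $groupResult = $searcher.FindOne()
    if (-not $groupResult) { throw "Group '$GroupName' not found on $DomainController" }
    $groupDn = [string]$groupResult.Properties['distinguishedname'][0]

    # Computer accounts have sAMAccountName '<name>$', which is unambiguous where cn may not be.
    $safeComputer = ConvertTo-LdapFilterValue ($ComputerName + '$')
    $searcher.Filter = "(&(objectClass=computer)(sAMAccountName=$safeComputer))"
    $computerResult = $searcher.FindOne()
    if (-not $computerResult) { throw "Computer '$ComputerName' not found on $DomainController" }
    $computerDn = [string]$computerResult.Properties['distinguishedname'][0]

    # Idempotency: compare full DNs instead of a substring/regex match on 'cn=<name>,'.
    $memberOf = @($computerResult.Properties['memberof'] | ForEach-Object { [string]$_ })
    if ($memberOf -contains $groupDn) {
        Write-Verbose "$ComputerName is already a member of $groupDn"
        return $false
    }

    # IADsGroup::Add takes an ADsPath string, not a DirectoryEntry. The DN sits after the
    # server component of the path, so any '/' inside a DN must be escaped as '\/'.
    $computerPath = "LDAP://$DomainController/" + $computerDn.Replace('/', '\/')
    $group = [adsi]("LDAP://$DomainController/" + $groupDn.Replace('/', '\/'))
    if ($PSCmdlet.ShouldProcess("$groupDn on $DomainController", "Add member $computerDn")) {
        $group.Add($computerPath)
        Write-Verbose "Added $computerDn to $groupDn via $DomainController"
    }
    return $true
}

# Dry run first, then without -WhatIf:
# Add-ComputerToGroupOnDc -DomainController 'dc01.corp.thing.com' -GroupName 'Workstations' -Verbose -WhatIf
```

The membership check reads memberOf on the same DC the write goes to, so it does not depend on replication having caught up; it will not see the computer's primary group, which is not listed in memberOf. Binding every step to the one DC also means the change can be traced to that DC's Directory Service event log rather than to whichever DC the locator happened to pick.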

User contributions licensed under CC BY-SA 3.0