【Question title】: Splatting and Formatting Operator Work Elsewhere
【Posted】: 2018-11-21 01:53:31
【Question description】:

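I was asked to adjust a script I was writing a while ago. I got help with it here. In the script I use splatting and the format operator. It works further up in the script, but fails. I broke out a much smaller sample that shows the failure. If you need to see the full script, I can provide it. After looking at the code for a while, I must be missing something simple.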

# Creating the Event Log and Source if it doesn't already exist.
# You should only have to create the log/source once and it needs to be done with an elevated prompt.
$EventLogFile = Get-EventLog -list | Where-Object {$_.LogDisplayName -eq "AD User Creation Script"} 
If (-Not $EventLogFile) {
    New-EventLog -LogName "AD User Creation Script" -Source "User Creation"
    New-EventLog -LogName "AD User Creation Script" -Source "Enable Existing User"
    New-EventLog -LogName "AD User Creation Script" -Source "Flush Groups"
    New-EventLog -LogName "AD User Creation Script" -Source "Change OU"
    New-EventLog -LogName "AD User Creation Script" -Source "Populate Groups"
}

# Nested hash table for school codes.
$SchoolCodes = @{
    "20" = @{
        Name = "Exeter Township Senior High"
        ADGroup1 = "Students"
        ADGroup2 = "Secondary Students"
    }
    "30" = @{
        Name = "Exeter Township Junior High"
        ADGroup1 = "Students"
        ADGroup2 = "Secondary Students"
    }
    "40" = @{
        Name = "Lorane Elementary School"
        ADGroup1 = "Students"
        ADGroup2 = "K4 Students"
    }
    "50" = @{
        Name = "Jacksonwald ES"
        ADGroup1 = "Students"
        ADGroup2 = "K4 Students"
    }
    "70" = @{
        Name = "Reiffton School"
        ADGroup1 = "Students"
        ADGroup2 = "Secondary Students"
    }
    "90" = @{
        Name = "Owatin Creek Elementary School"
        ADGroup1 = "Students"
        ADGroup2 = "K4 Students"
    }
} # End hash table


# CSV file being imported.
$CsvFile = "$env:USERPROFILE\Downloads\SampleData.csv"

# Import the contents of the CSV file.
$Users = Import-Csv -Path "$CsvFile"

# Loop through each line of the CSV, creating variables for each field.
ForEach ($User in $Users) {
    [String]$LoginName = $User.'Stu Access Login'
    If (-Not (Get-ADUser -Filter {SamAccountName -eq $LoginName})) {
        $FirstName = $User.'Student First Name'
        $LastName = $User.'Student Last Name'
        # The following is an example of SPLATTING.  A couple of the parameters (AccountPassword and Path) also use the FORMAT OPERATOR.
        $ADUserParams = @{
            Name = "$FirstName $LastName"
            SamAccountName = $LoginName
            GivenName = $FirstName
            Initials = $User.'I'
            Surname = $LastName
            DisplayName = "$FirstName $($User.'I') $LastName"
            UserPrincipalName = "$LoginName@academic.exeter.k12.pa.us"
            EmailAddress = "$LoginName@myexeter.org"
            Company = "$LoginName@myexeter.org"
            EmployeeID = $User.'Other ID'
            AccountPassword = ConvertTo-SecureString -String (
                '{0}{1}{2}#{3}' -f @(
                    $FirstName[0].ToString().ToUpper(),
                    $User.I[0].ToString().ToLower(),
                    $LastName[0].ToString().ToLower(),
                    $User.'Other ID')) -AsPlainText -Force
            Enabled = $True
            PasswordNeverExpires = $True
            CannotChangePassword = $True
            Path = 'OU={0},OU=Students,OU={1},OU=accounts,DC=academic,DC=exeter,DC=k12,DC=pa,DC=us' -f @(
                $User.'Grad Year',
                $SchoolCodes[$User.School].Name)
            WhatIf = $False
        } # End ADUserParams

        Try {
            # Create new user.
            New-ADUser @ADUserParams -Verbose -ErrorAction Stop
        }

        Catch {
            # If there's an error, write the error to the event log.
            Write-EventLog -LogName "AD User Creation Script" -Source "User Creation" -EntryType Warning -EventId 1 -Message "Something went wrong with the creation of a new user, [$LoginName] : $_"
        }

        Try {
            # Add user to groups.
            Get-ADUser -Identity $LoginName | Add-ADPrincipalGroupMembership -MemberOf $SchoolCodes[$User.School].ADGroup1, $SchoolCodes[$User.School].ADGroup2 -Verbose -ErrorAction Stop
        }

        Catch {
            # If there's an error, write the error to the event log.
            Write-EventLog -LogName "AD User Creation Script" -Source "Populate Groups" -EntryType Warning -EventId 2 -Message "Something went wrong with adding [$LoginName] to groups : $_"
        }

    } # End If

    # If the account already exists, it will likely be disabled.  The following will enable it and add it to the correct groups.
    Else {

        Try {
            # Enable the account if it already exists.
            Enable-ADAccount -Identity $LoginName -Confirm:$False -Verbose -ErrorAction Stop
        }

        Catch {
            # If there's an error, write the error to the event log.
            Write-EventLog -LogName "AD User Creation Script" -Source "Enable Existing User" -EntryType Warning -EventId 3 -Message "Something went wrong with the enabling of the existing user, [$LoginName] : $_"
        }

        Try {
            # Move user to the correct OU.
            $MoveADObjectParams = @{
                Identity = $LoginName
                TargetPath = 'OU={0},OU=Students,OU={1},OU=accounts,DC=academic,DC=exeter,DC=k12,DC=pa,DC=us' -f @(
                    $User.'Grad Year',
                    $SchoolCodes[$User.School].Name)
            } # End MoveADObjectParams

            Move-ADObject @MoveADObjectParams -Verbose -ErrorAction Stop
        }

        Catch {
            # If there's an error, write the error to the event log.
            Write-EventLog -LogName "AD User Creation Script" -Source "Change OU" -EntryType Warning -EventId 4 -Message "Something went wrong with moving the user, $LoginName, to another OU : $_"
        }

        Try {
            # Remove user from all groups except for Domain Users.
            $ExcessGroups = Get-ADPrincipalGroupMembership -Identity $LoginName | Where-Object {$_.Name -ne "Domain Users"}
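            # -ErrorAction Stop turns non-terminating errors into terminating ones so the Catch block below runs.
            Remove-ADPrincipalGroupMembership -Identity $LoginName -MemberOf $ExcessGroups -Verbose -Confirm:$False -ErrorAction Stop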
        }

        Catch {
            # If there's an error, write the error to the event log.
            Write-EventLog -LogName "AD User Creation Script" -Source "Flush Groups" -EntryType Warning -EventId 5 -Message "Something went wrong with removing [$LoginName] from groups : $_"
        }

        Try {
            # Add user to groups.
            Get-ADUser -Identity $LoginName | Add-ADPrincipalGroupMembership -MemberOf $SchoolCodes[$User.School].ADGroup1, $SchoolCodes[$User.School].ADGroup2 -Verbose -ErrorAction Stop
        }

        Catch {
            # If there's an error, write the error to the event log.
            Write-EventLog -LogName "AD User Creation Script" -Source "Populate Groups" -EntryType Warning -EventId 2 -Message "Something went wrong with adding [$LoginName] to groups : $_"
        }

    } # End Else 

} # End ForEach

The error I'm seeing is below. It looks like it isn't seeing the correct user, but the object is in AD:

Move-ADObject : Cannot find an object with identity: 'sicklsen000' under: 'DC=academic,DC=exeter,DC=k12,DC=pa,DC=us'.
At line:1 char:1
+ Move-ADObject @MoveADObjectParams -Verbose
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (sicklsen000:ADObject) [Move-ADObject], ADIdentityNotFoundException
    + FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException,Microsoft.ActiveDirectory.Management.Commands.MoveADObject

Strangely, as far as I can tell, it is getting the right information:

PS C:\Users\User:> $MoveADObjectParams

Name       Value
----       -----
TargetPath OU=2018,OU=Students,OU=Exeter Township Senior High,OU=accounts,DC=academic,DC=exeter,DC=k12,DC=pa,DC=us
Identity   sicklsen000

My test script is using data for 3 users. They all exist. Here is an example:

PS C:\WINDOWS\system32> Get-ADUser sicklsen000 | Select-Object SamAccountName, DistinguishedName

SamAccountName DistinguishedName                                                                                                        
-------------- -----------------                                                                                                        
sicklsen000    CN=Seneca Sickler,OU=2018,OU=Students,OU=Exeter Township Senior High,OU=accounts,DC=academic,DC=exeter,DC=k12,DC=pa,DC=us

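【Comments】:

  • You are probably missing some code in your example. Probably the foreach($user in $users){ loop.
  • The error very clearly says it can't find the user. Verify that 'sicklsen000' is a valid user in the Academic.exeter.k12.pa.us domain.
  • I think the problem is with the Move-Object -Identity parameter. Apparently, it needs the DistinguishedName, not the SamAccountName. I need to come up with a clean way to fix this, though.

Tags: powershell active-directory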


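【Answer 1】:

As far as the error goes, I think I'm getting closer. As I mentioned before, the -Identity parameter needs the DistinguishedName property, and I was giving it the SamAccountName property.

Below is the code I changed. I no longer see the error, so that's good.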

        Try {
            # Move user to the correct OU.
            $LoginNameDN = (Get-ADUser -Identity $LoginName).DistinguishedName
            $MoveADObjectParams = @{
                Identity = "$LoginNameDN"
                TargetPath = 'OU={0},OU=Students,OU={1},OU=accounts,DC=academic,DC=exeter,DC=k12,DC=pa,DC=us' -f @(
                    $User.'Grad Year',
                    $SchoolCodes[$User.School].Name)
            } # End MoveADObjectParams

            Move-ADObject @MoveADObjectParams -Verbose -ErrorAction Stop
        }
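
An added example, not part of the original answer: the same move step with the CSV-derived values validated and escaped before they are formatted into the TargetPath, and with the move skipped when the user is already in the target OU. The function names ConvertTo-EscapedRdnValue and Get-StudentMoveParams are hypothetical; the sample DN is the one shown in the question.

```powershell
# Added example; both function names are hypothetical, not from the original post.
function ConvertTo-EscapedRdnValue {
    param([Parameter(Mandatory)][string]$Value)
    # RFC 4514 escaping: special characters anywhere, a leading '#' or space, a trailing space.
    $escaped = $Value -replace '([,+"\\<>;=])', '\$1'
    $escaped = $escaped -replace '^([# ])', '\$1'
    $escaped -replace ' $', '\ '
}

function Get-StudentMoveParams {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,  # current DN, from Get-ADUser
        [Parameter(Mandatory)][string]$GradYear,           # CSV field 'Grad Year'
        [Parameter(Mandatory)][string]$SchoolName          # empty/unknown school code fails binding
    )
    # Reject anything that is not a four-digit year before it reaches the DN.
    if ($GradYear -notmatch '^\d{4}$') {
        throw "Unexpected Grad Year value: '$GradYear'"
    }
    $target = 'OU={0},OU=Students,OU={1},OU=accounts,DC=academic,DC=exeter,DC=k12,DC=pa,DC=us' -f @(
        $GradYear,
        (ConvertTo-EscapedRdnValue $SchoolName))
    # Parent container = DN without its first RDN (split on the first unescaped comma).
    $parent = ($DistinguishedName -split '(?<!\\),', 2)[1]
    if ($parent -ieq $target) { return $null }   # already in the target OU
    # Move-ADObject -Identity takes a distinguished name or GUID, so pass the DN.
    @{ Identity = $DistinguishedName; TargetPath = $target }
}

# Constructed sample run; this part needs no domain controller.
$dn = 'CN=Seneca Sickler,OU=2018,OU=Students,OU=Exeter Township Senior High,OU=accounts,DC=academic,DC=exeter,DC=k12,DC=pa,DC=us'
# Case 1: the user already sits in the OU computed from the CSV row.
Get-StudentMoveParams -DistinguishedName $dn -GradYear '2018' -SchoolName 'Exeter Township Senior High'
# Case 2: a different school and year produce a hashtable ready for splatting.
$p = Get-StudentMoveParams -DistinguishedName $dn -GradYear '2019' -SchoolName 'Reiffton School'
$p.TargetPath

# Inside the script's loop (requires the ActiveDirectory module):
#   $dn = (Get-ADUser -Identity $LoginName).DistinguishedName
#   $p  = Get-StudentMoveParams -DistinguishedName $dn -GradYear $User.'Grad Year' -SchoolName $SchoolCodes[$User.School].Name
#   if ($p) { Move-ADObject @p -Verbose -ErrorAction Stop }
```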
