PowerShell Dealing with Active Directory Latency


Consider the following:

New-DistributionGroup -Name "karls test group" `
-SamAccountName "karlstestgroup" `
-DisplayName "Karls Test" `
-Type "Security" `
-OrganizationalUnit "contoso.com/Test/EmailTest"
Add-DistributionGroupMember `
-Identity "karlstestgroup" -Member "karlmitschke@contoso.com"

If you have latency in your Active Directory, you most likely will get an error on the “Add-DistributionGroupMember” command:

Add-DistributionGroupMember : The operation could not be performed because ‘karlstestgroup’ could not be found.

Note that if you are adding a large number of members, your group will be found at some point, and will be partially populated.

The way I deal with the latency is to add a Do…While loop:

New-DistributionGroup -Name "karls test group" `
-SamAccountName "karlstestgroup" `
-DisplayName "Karls Test" `
-Type "Security" `
-OrganizationalUnit "contoso.com/Test/EmailTest"

# Poll until the new group is visible on the domain controller that Get-Group queries;
# SilentlyContinue keeps the "could not be found" errors off the console while we wait
do{$group = Get-Group `
-identity "karlstestgroup" `
-ErrorAction SilentlyContinue}while ($group -eq $null)

Add-DistributionGroupMember `
-Identity "karlstestgroup" -Member "karlmitschke@contoso.com"

Let’s look at that Do…While loop a bit:

do{$group = Get-Group `
-identity "karlstestgroup" `
-ErrorAction SilentlyContinue}while ($group -eq $null)

The Get-Group call will return an error until the group has replicated to the domain controller that Get-Group queries. So, I add the -ErrorAction SilentlyContinue parameter to avoid having my console fill with errors.

The variable $group will be null until the Get-Group call returns the group object, so it’s a simple matter to run the loop until $group is not equal to $null.

From that point on, we can add members, or perform any other operation on the group.

Note that in this simplified example I could probably use the -DomainController parameter to bypass the wait like this:

New-DistributionGroup -Name "karls test group" `
-SamAccountName "karlstestgroup" `
-DisplayName "Karls Test" `
-Type "Security" `
-OrganizationalUnit "contoso.com/Test/EmailTest" `
-DomainController "DC400.contoso.com"

Add-DistributionGroupMember `
-Identity "karlstestgroup" -Member "karlmitschke@contoso.com" `
-DomainController "DC400.contoso.com"

However, that won't work if you are working with a cmdlet that doesn't use the
-DomainController parameter, or are working with AD directly such as:

$objOU = [ADSI]"LDAP://ou=MyOu,dc=Contoso,dc=com"
$objGroup = $objOU.Create("group", ("cn=karlstestgroup"))
$objGroup.Put("sAMAccountName","karlstestgroup")
$objGroup.SetInfo()
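A reusable version of the Do…While wait from the Get-Group section above, written here as an added example and not part of the original post. It wraps the same polling idea in a function that takes a test scriptblock, so one helper covers both the Exchange cmdlet case and the direct ADSI case just shown, and it adds a deadline so a creation that actually failed does not leave the loop spinning forever. The function name Wait-ForDirectoryObject and its parameters are my own; the group, OU and domain controller names are the post's.

```powershell
# Added example (not from the original post): a generic wait-with-timeout around the
# Do...While pattern. Wait-ForDirectoryObject and its parameter names are assumptions.
function Wait-ForDirectoryObject {
    [CmdletBinding()]
    param(
        # Scriptblock that returns the object once it is visible; returns $null or throws while it is not
        [Parameter(Mandatory)] [scriptblock] $Test,
        [int] $TimeoutSeconds  = 120,
        [int] $IntervalSeconds = 2
    )
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        try {
            $result = & $Test
        } catch {
            # Lookup cmdlets throw while the object has not replicated yet; treat that as "not yet"
            $result = $null
        }
        if ($null -ne $result) { return $result }
        Start-Sleep -Seconds $IntervalSeconds
    } while ((Get-Date) -lt $deadline)
    throw "Timed out after $TimeoutSeconds seconds waiting for the directory object."
}

# Exchange cmdlet case: same group as in the post. -ErrorAction Stop turns the
# "could not be found" error into an exception the helper catches and retries on.
New-DistributionGroup -Name "karls test group" `
    -SamAccountName "karlstestgroup" `
    -DisplayName "Karls Test" `
    -Type "Security" `
    -OrganizationalUnit "contoso.com/Test/EmailTest"

$group = Wait-ForDirectoryObject -Test {
    Get-Group -Identity "karlstestgroup" -ErrorAction Stop
}
Add-DistributionGroupMember -Identity $group.Identity -Member "karlmitschke@contoso.com"

# Direct ADSI case: no cmdlet and no -DomainController parameter, so we poll an LDAP
# search instead. FindOne() returns $null until the group is visible on the DC it bound to.
$objOU = [ADSI]"LDAP://ou=MyOu,dc=Contoso,dc=com"
$objGroup = $objOU.Create("group", "cn=karlstestgroup")
$objGroup.Put("sAMAccountName", "karlstestgroup")
$objGroup.SetInfo()

$found = Wait-ForDirectoryObject -Test {
    $searcher = [ADSISearcher]"(&(objectClass=group)(sAMAccountName=karlstestgroup))"
    $searcher.FindOne()
}
$found.Properties["distinguishedname"]
```

The deadline is the part worth keeping even if you inline the loop: without it, a creation that failed for a reason other than latency (wrong OU path, missing rights) produces a script that waits indefinitely rather than an error you can act on.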

I use the Do…While loop to great effect when I use PowerShell to change a primary SMTP address on a mailbox:

$newaddressstring = "karlmitschketest@contoso.com"
$user = "ktester"

# Set the new primary address and stop the email address policy from reverting it
set-mailbox -identity  $user `
-PrimarySmtpAddress $newaddressstring `
-EmailAddressPolicyEnabled $false

# Wait until the mailbox read back shows the new primary address
do{$address = get-mailbox `
-identity $user |select PrimarySmtpAddress}while `
($address.PrimarySmtpAddress.ToString().ToLower() `
-ne $newaddressstring)

$mailbox = Get-Mailbox -identity $user

# Remove every non-primary SMTP address (the old primary becomes one after the change above);
# @() enumerates a copy so the removals do not disturb the pipeline
@($mailbox.EmailAddresses) | `
foreach { if `
(!$_.IsPrimaryAddress -and ($_.PrefixString -eq 'SMTP')) `
{$mailbox.EmailAddresses -= $_}}

set-mailbox -identity $user `
-EmailAddresses $mailbox.EmailAddresses

Note that on the script above, I have NOT verified that the line continuation characters will allow the script to function, so I inserted blank lines around each line that has been continued onto another line, to make them easier to see.
