PowerShell Dealing with Active Directory Latency


Consider the following:

001
002
003
004
005
006
007
New-DistributionGroup -Name "karls test group" `
-SamAccountName "karlstestgroup" `
-DisplayName "Karls Test" `
-Type "Security" `
-OrganizationalUnit "contoso.com/Test/EmailTest"
Add-DistributionGroupMember `
-Identity "karlstestgroup" -Member "karlmitschke@contoso.com"

If you have latency in your Active Directory, you most likely will get an error on the “Add-DistributionGroupMember” command:

Add-DistributionGroupMember : The operation could not be performed because ‘karlstestgroup’ could not be found.

Note that if you are adding a large number of members, your group will be found at some point, and will be partially populated.

The way I deal with the latency is to add a Do…While loop:

001
002
003
004
005
006
007
008
009
010
011
012
013
New-DistributionGroup -Name "karls test group" `
-SamAccountName "karlstestgroup" `
-DisplayName "Karls Test" `
-Type "Security" `
-OrganizationalUnit "contoso.com/Test/EmailTest"

do{$group = Get-Group `
-identity "karlstestgroup" `
-ErrorAction SilentlyContinue}while ($group -eq $null)

Add-DistributionGroupMember `
-Identity "karlstestgroup" -Member "karlmitschke@contoso.com"

Let’s look at that Do…While loop a bit:

do{$group = Get-Group `
-identity "karlstestgroup" `
-ErrorAction SilentlyContinue}while ($group -eq $null)

The Get-Group call will return an error until the group has replicated to the domain controller that Get-Group  queries. So, I add the –ErrorAction SilentlyContinue parameter to avoid having my console fill with errors.

The variable $group will be null until the Get-Group call returns the group object, so it’s a simple matter to run the loop until $group is not equal to $null.

From that point on, we can add members, or perform any other operation on the group.

Not that in this simplified example I could probably use the –DomainController parameter to bypass the wait like this:

001
002
003
004
005
006
007
008
009
010
New-DistributionGroup -Name "karls test group" `
-SamAccountName "karlstestgroup" `
-DisplayName "Karls Test" `
-Type "Security" `
-OrganizationalUnit "contoso.com/Test/EmailTest" `
-DomainController "DC400.contoso.com"

Add-DistributionGroupMember `
-Identity "karlstestgroup" -Member "karlmitschke@contoso.com" `
-DomainController "DC400.contoso.com"

However, that won’t work if you are working with a cmdlet that doesn’t use the
–DomainController parameter, or are working with AD directly such as:

001
002
003
004
$objOU = [ADSI]"LDAP://ou=MyOu,dc=Contoso,dc=com"
$objGroup = $objOU.Create("group", ("cn=karlstestgroup"))
$objGroup.Put("sAMAccountName","karlstestgroup")
$objGroup.SetInfo()

I use the Do…While loop to great effect when I use PowerShell to change a primary SMTP address on a mailbox:

001
002
003
004
005
006
007
008
009
010
011
012
013
014
015
016
017
018
019
020
021
$newaddressstring = "karlmitschketest@contoso.com"
$user = "ktester"

set-mailbox -identity  $user `
-PrimarySmtpAddress $newaddressstring `
-EmailAddressPolicyEnabled $false

do{$address = get-mailbox `
-identity $user |select PrimarySmtpAddress}while `
($address.PrimarySmtpAddress.ToString().ToLower() `
-ne $newaddressstring)

$mailbox = Get-Mailbox -identity $user

$mailbox.EmailAddresses | `
foreach { if `
(!$_.IsPrimaryAddress -and ($_.PrefixString -eq ‘SMTP’)) `
{$mailbox.EmailAddresses -= $_}}

set-mailbox -identity $user `
-EmailAddresses $mailbox.EmailAddresseslbox.EmailAddresses

Note that on the script above, i have NOT verified that the line continuation characters will allow the script to functi0n, so I inserted blank lines around each line that has been continued onto another line, to make them easier to see.

Advertisements
  1. Leave a comment

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: