Add-ADGroupMember fails if a member is already in the group

I am having an issue with the Active Directory module for PowerShell. The issue is... I have a CSV file that contains machine accounts in my Active Directory domain.

In the command below "a_wirelesspilot" is the name of the group I am trying to modify - and following that are the machine accounts I am trying to add.

If one of the machine accounts in the domain is already a member of the group, it fails and doesn't add any additional machine accounts that follow it.  

PS C:\Windows\system32> Add-ADGroupMember a_wirelesspilot 5TN9DT1L$,BGBWCT1L$,8Q4JDT1L$
PS C:\Windows\system32> Add-ADGroupMember a_wirelesspilot 9CLKDT1L$,7S5CGT1L$,23BWCT1L$,D9R9GT1L$,D72QFT1L$,7FLMRS1L$,5TN9DT1L$,7KFXCT1L$,JQRTFT1L$,HHF7GT1L$
Add-ADGroupMember : The specified account name is already a member of the group
At line:1 char:18
+ Add-ADGroupMember <<<<  a_wirelesspilot 9CLKDT1L$,7S5CGT1L$,23BWCT1L$,D9R9GT1L$,D72QFT1L$,7FLMRS1L$,5TN9DT1L$,7KFXCT1L$,JQRTFT1L$,HHF7GT1L$
    + CategoryInfo          : NotSpecified: (a_wirelesspilot:ADGroup) [Add-ADGroupMember], ADException
    + FullyQualifiedErrorId : The specified account name is already a member of the group,Microsoft.ActiveDirectory.Management.Commands.AddADGroupMember

The problem is with the error handling.  I have tried to add:

-ea silently continue

and...

-ea stop

to the command and neither works. (same error)  Please advise.

-Thor Kakar

January 16th, 2013 8:30pm

You will need to first check to see if the object you are trying to add to the group already exists; if it doesn't, add it, else do nothing.

Take a look at the Get-ADGroupMember cmdlet.

January 16th, 2013 8:45pm


More or less, what you will need to do is create a function that checks to see if the current user is a member of the group; if so, it returns true, otherwise it returns false. Then you can use conditional statements based upon the value returned from the function, to add the user to the group if the returned value is false.

I actually have some functions which do this, but they are at home, not sure if it is the best way, but it works. I am leaving work in a little bit, once I get home, I can try and find them and then post them for you.

January 16th, 2013 9:19pm

OK, so this is what I did. Also, this assumes that your CSV file has the first line called sAMAccountName for the heading, and each entry is the user's sAMAccountName.

# Import the Active Directory module
Import-Module ActiveDirectory

# Name of group to work with
$group = "SomeGroup"

# Get all members of the specified group and collect their
# sAMAccountName values in an array
$members = @(Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty sAMAccountName)

# Now that we have all members of the group, lets get all
# the users from the csv file
$users = Import-Csv "C:\somefile.csv"

# Loop through the collection of users, and make sure they
# do not exist before trying to add them
ForEach($user in $users) {
  If ($members -notcontains $user.sAMAccountName) {
    Add-ADGroupMember $group $user.sAMAccountName
    # Also add the new member to the $members array
    $members += $user.sAMAccountName
  }
}
January 16th, 2013 10:07pm

You probably can use the -ErrorAction parameter to have the cmdlet ignore errors. I personally use code similar to below to add users identified by sAMAccountName to a specified group. Once you bind to the group object, you can use the IsMember and Add methods exposed by the IADsGroup interface.

# Specify the group.
$Group = [ADSI]"LDAP://cn=Test Group,ou=West,dc=MyDomain,dc=com"

# Use DirectorySearcher.
$Domain = New-Object System.DirectoryServices.DirectoryEntry
$Searcher = New-Object System.DirectoryServices.DirectorySearcher
$Searcher.SearchRoot = $Domain
$Searcher.PageSize = 200
$Searcher.SearchScope = "subtree"

$Searcher.PropertiesToLoad.Add("distinguishedName") > $Null

# Read user pre-Windows 2000 Names from file.
$Users = Import-CSV c:\Scripts\Users.csv

Foreach ($User in $Users)
{
    $Name = $User.Name
    $Searcher.Filter = "(sAMAccountName=$Name)"
    $Results = $Searcher.FindAll()
    ForEach ($Result In $Results)
    {
        $DN = $Result.Properties.Item("distinguishedName")
        # Check if the user is already a member of the group.
        If ($Group.IsMember("LDAP://$DN") -eq $False)
        {
            # Add the user to the group.
            $Group.Add("LDAP://$DN")
        }
    }
}

-----


January 17th, 2013 1:24am
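
An added example (not part of the thread and not any poster's code) that combines the approaches in the replies above: it checks membership first, adds accounts one at a time so a single failure cannot abort the rest of the batch, and returns a per-account result as a record of what changed. The CSV path and its sAMAccountName column are assumptions carried over from the earlier reply, and the machine account names are assumed to include the trailing $.

```powershell
# Added example: idempotent bulk add with a per-account result record.
# Assumptions: $CsvPath and the 'sAMAccountName' column are placeholders;
# machine account names in the CSV include the trailing '$'.
Import-Module ActiveDirectory

$GroupName = 'a_wirelesspilot'
$CsvPath   = 'C:\somefile.csv'

# Distinguished names of the current direct members. A PowerShell hashtable
# literal compares keys case-insensitively, which suits DN comparison.
$current = @{}
foreach ($dn in (Get-ADGroup -Identity $GroupName -Properties member).member) {
    $current[$dn] = $true
}

$report = foreach ($row in Import-Csv -Path $CsvPath) {
    $name   = $row.sAMAccountName
    $status = 'Added'
    $detail = ''
    try {
        # Resolve the account first so a typo or stale entry is reported
        # for that row only.
        $computer = Get-ADComputer -Identity $name -ErrorAction Stop
        if ($current.ContainsKey($computer.DistinguishedName)) {
            $status = 'AlreadyMember'
        }
        else {
            Add-ADGroupMember -Identity $GroupName -Members $computer -ErrorAction Stop
            # Track the new member so a repeated row in the CSV is skipped.
            $current[$computer.DistinguishedName] = $true
        }
    }
    catch {
        # Any error is caught per account and kept in the report.
        $status = 'Failed'
        $detail = $_.Exception.Message
    }
    New-Object PSObject -Property @{ Account = $name; Status = $status; Detail = $detail }
}

$report | Select-Object Account, Status, Detail | Format-Table -AutoSize
```
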


This topic is archived. No further replies will be accepted.
