
"Server is unwilling to process the request" when creating an AD group

开发者 https://www.devze.com 2023-03-21 08:26 Source: Internet

I'm trying to create a PowerShell script to create a new group ("TestUsers") under the Users container in my domain controller. The domain controller runs on a 2008 Server R2 64-bit VM.

My code is like this:

#  Group Types in AD
#
# -2147483646 Global security group
# -2147483644 Domain local security group
# -2147483640 Universal security group

$groupName = "TestUsers"
$groupType = -2147483646

$root = [ADSI]""
$rootdn = $root.distinguishedName
$UsersNode = [ADSI]("LDAP://localhost:389/cn=Users,"+$rootdn)
$UsersNode.Create("group", "cn=" + $groupName)
$usersNode.Put("groupType", $groupType)
$UsersNode.Put("sAMAccountName", $groupName)
$UsersNode.SetInfo()

When executing $UsersNode.SetInfo() the script throws the following error:

Exception calling "SetInfo" with "0" argument(s): "The server is unwilling to process the request.
"
At line:1 char:19
+ $UsersNode.SetInfo <<<< ()
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : CatchFromBaseAdapterMethodInvokeTI

I'm running the script on the domain controller itself, logged in with the domain administrator account, i.e. mydomain\Administrator.

Tried also different group types without any luck.

I'm a newbie with AD scripting, so I have pretty much followed the article below.

http://geekseat.wordpress.com/2011/02/10/script-of-the-day-creating-ad-groups-without-qad-cmdlets/

As in the article above, I would not like to install 3rd party cmdlets.

Thanks.


You just forgot that the group object (here $CreatedGrp) is returned by the creation in the users node. You have to add the attributes on the group object.

Here is the solution:

#  Group Types in AD
#
# -2147483646 Global security group
# -2147483644 Domain local security group
# -2147483640 Universal security group

$groupName = "TestUsers"
$groupType = -2147483646

$root = [ADSI]""
$rootdn = $root.distinguishedName
$UsersNode = [ADSI]("LDAP://localhost:389/cn=Users,"+$rootdn)
$CreatedGrp = $UsersNode.Create("group", "cn=" + $groupName)
$CreatedGrp.Put("groupType", $groupType)  
$CreatedGrp.Put("sAMAccountName", $groupName)
$CreatedGrp.SetInfo()

Be careful to run it as administrator.


If you are using Windows Server 2008 R2, you can use a cmdlet from the ActiveDirectory module (shorter, more readable):

Import-Module ActiveDirectory
New-ADGroup -Name $groupName -SamAccountName $groupName -GroupCategory Security -GroupScope Global -DisplayName $groupName -Path ("CN=Users," + $rootdn)
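
An added example, not part of the original question, answer or linked article: it derives the groupType numbers from the comment table out of the ADS_GROUP_TYPE flag bits (the security-enabled bit 0x80000000 plus one scope bit), and sets the attributes on the object returned by Create() rather than on the container. Get-GroupTypeValue, New-AdsiGroup and the container DN parameter are hypothetical names chosen for this example.

```powershell
# Added example; helper names are hypothetical, not from the page.
$ScopeBits       = @{ Global = 0x2; DomainLocal = 0x4; Universal = 0x8 }  # ADS_GROUP_TYPE_* scope flags
$SecurityEnabled = [int]::MinValue   # 0x80000000 as a signed Int32; unset means distribution group

function Get-GroupTypeValue {
    param(
        [ValidateSet('Global', 'DomainLocal', 'Universal')][string]$Scope,
        [ValidateSet('Security', 'Distribution')][string]$Category
    )
    $value = $ScopeBits[$Scope]
    if ($Category -eq 'Security') { $value = $value -bor $SecurityEnabled }
    return [int]$value
}

function New-AdsiGroup {
    param(
        [string]$Name,
        [string]$ContainerDn,   # DN of the parent container, supplied by the caller
        [string]$Scope = 'Global',
        [string]$Category = 'Security'
    )
    $container = [ADSI]("LDAP://$ContainerDn")
    # Create() returns the new child object; attributes belong on it.
    # Putting them on the container and committing it is what the DC refuses.
    $group = $container.Create('group', "CN=$Name")
    $group.Put('groupType', (Get-GroupTypeValue -Scope $Scope -Category $Category))
    $group.Put('sAMAccountName', $Name)
    try {
        $group.SetInfo()        # commits the new group to the directory
    } catch {
        throw "Creating CN=$Name in $ContainerDn failed: $($_.Exception.Message)"
    }
    return $group
}

# Offline check: the computed values must match the table in the question.
$expected = @{ Global = -2147483646; DomainLocal = -2147483644; Universal = -2147483640 }
foreach ($scope in $expected.Keys) {
    $actual = Get-GroupTypeValue -Scope $scope -Category Security
    if ($actual -ne $expected[$scope]) { throw "groupType mismatch for $scope" }
}
```

Only New-AdsiGroup touches the directory; the check at the bottom runs without a domain controller.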