1

Here get-adgroups returns false when querying from script while it returns true when run manually using the very same PowerShell ISE Window. Please see the following code which produces the error. Group, OU and DN exist. Quite likely no Typo. Reproducible by manually running the command (see further below), which works fine.

Import-Module ActiveDirectory
$Group="ProductInternalInstallProductOnNextLogin"
$BaseDN="OU=Product,DC=int,DC=Domain,DC=de"
write-host "get-adgroup -Filter DistinguishedName -eq CN=$Group,$BaseDN"
$Result=get-adgroup -Filter {(DistinguishedName -eq "CN=$Group,$BaseDN")}
if($Result)
{
    write-host "Group $Group found"
}
else
{
    write-host "Group $Group not found, trying to create $Group"
    New-ADGroup -path "$BaseDN" -GroupScope Global -name $Group
    if (!$?)
    {
        write-host "ERROR creating new group $Group"
        exit
    }
}

This results in the following output where you can see the error:

____________________________________________________________________________________________________________________________________________________________________________________________________________________
PS C:\Users\MyName.INT> G:\DevPath\Tools\PowerShell-Scripte\Unbenannt2.ps1
get-adgroup -Filter DistinguishedName -eq CN=ProductInternalInstallProductOnNextLogin,OU=Product,DC=int,DC=Domain,DC=de
Group ProductInternalInstallProductOnNextLogin not found, trying to create ProductInternalInstallProductOnNextLogin
New-ADGroup : Die angegebene Gruppe ist bereits vorhanden
Bei G:\DevPath\Tools\PowerShell-Scripte\Unbenannt2.ps1:13 Zeichen:16
+     New-ADGroup <<<<  -path "$BaseDN" -GroupScope Global -name $Group
+ CategoryInfo          : NotSpecified: (CN=ProductInte...nt,DC=Domain,DC=de:String) [New-ADGroup], ADException
+ FullyQualifiedErrorId : Die angegebene Gruppe ist bereits vorhanden,Microsoft.ActiveDirectory.Management.Commands.NewADGroup

ERROR creating new group ProductInternalInstallProductOnNextLogin

____________________________________________________________________________________________________________________________________________________________________________________________________________________

How can New-ADGroup fail if I'm only running it in case the group is not there? PowerShell is running in German here, so the error message "New-ADGroup : Die angegebene Gruppe ist bereits vorhanden" means "This group already exists".

To verify this, I ran this manually in the console, where it works out fine:

PS C:\Users\MyName.INT> write-host "the following command was run manually from the commandline of the PowerShellISE"
$Result=get-adgroup -Filter {(DistinguishedName -eq "CN=ProductInternalInstallProductOnNextLogin,OU=Product,DC=int,DC=Domain,DC=de")}
write-host $Result

which produces the correct output:

the following command was run manually from the commandline of the PowerShellISE
CN=ProductInternalInstallProductOnNextLogin,OU=Product,DC=int,DC=Domain,DC=de

In my struggling I tried also

try {get-adgroups [...]} catch {new-adgroup[...]}

but that didn't work out either.

TylerH
  • 20,799
  • 66
  • 75
  • 101
user1458620
  • 205
  • 1
  • 4
  • 12
  • How are you running the powershell.exe? There are a few differences between running a script from powershell.exe against a file vs ISE, and I have been annoyed by this from a few times... See this [StackOverflow post](https://stackoverflow.com/questions/2894641/powershell-2-0-running-scripts-for-the-command-line-call-vs-from-the-ise?rq=1). – lingo_journey Dec 13 '12 at 16:12
  • Well the script is run in the PowerShell ISE while the manual parts were done in the command-line part of the PowerShell ISE at the bottom. But vidrines suggestion helped (and I still don't understand why)! – user1458620 Dec 14 '12 at 07:18
  • I don't have access to a computer right now, does the original without the round brackets give you the correct result? In my limited understanding, you were passing in the result of the Boolean expression in "original", rather than the expression as a code block. – lingo_journey Dec 16 '12 at 12:34

1 Answers1

2

Have you tried pulling the string concatenation for your target group outside the Get-ADGroup command? I was actually able to replicate your issue from my PowerShell ISE session. When I updated the 'filter' it cleared things up and I was able to retrieve the information successfully.

Original:

$Group  = "ProductInternalInstallProductOnNextLogin"
$BaseDN = "OU=Product,DC=int,DC=Domain,DC=de"
$Result = get-adgroup -Filter {(DistinguishedName -eq "CN=$Group,$BaseDN")}

Modified:

$Group  = "ProductInternalInstallProductOnNextLogin"
$BaseDN = "OU=Product,DC=int,DC=Domain,DC=de"
$Target = "CN=" + $Group + "," + $BaseDN
$Result = get-adgroup -Filter {DistinguishedName -eq $Target}
vidrine
  • 96
  • 1
  • 5
  • vidrine, thank you so much for your help! That modification worked. But I still don't understand the difference. On the contrary, from what I (think I) understand of how interpreting code works internally I would have bet large sums that there cannot be a difference. This drives me mad. The fact that you even tried this makes me believe you have a better understanding what the interpreter (PowerShell) does to the code. Can you explain this? – user1458620 Dec 14 '12 at 07:12
  • Sadly, I can't give a technical reason on the processing. That will work in other places. I've just ran into issues when trying to do string concatenation within the filter property before. – vidrine Dec 14 '12 at 20:28