
I have a script that ends up creating a variable for each user in AD ($variableResult), iterating through each user. I have tested everything outputting to a log file - all fine. The last stage is to get it to write changes ($variableResult) to the AD attribute (POBox). It compares the two and, if they are different, it will overwrite.

This is the issue that I have:

Set-ADUser: Cannot bind parameter 'Identity'. Cannot convert value "CN=xxx,OU=Windows 10,OU=UserAccounts,OU=xxx,OU=xxx,DC=xxx,DC=xxx" to type "Microsoft.ActiveDirectory.Management.ADUser". Error: "Cannot convert the "CN=xxx,OU=Windows 10,OU=UserAccounts,OU=xxx,OU=xxx,DC=xxx,DC=net" value of type "Deserialized.Microsoft.ActiveDirectory.Management.ADUser" to type "Microsoft.ActiveDirectory.Management.ADUser"."

Here is what is stored in the variable:

PS > $variableResult                    
HQCSHOFF

I have modified the script to only search for my user name and set the POBox incorrectly in AD, so that the script should correct it, but instead I get this error:

if( $user.POBox -ne $variableResult ) {
    set-aduser $user -Replace @{POBox="$variableResult"}
}
  • Try changing from `Set-ADUser $user` to `Set-ADUser $user.DistinguishedName`. The error implies that the `$user` object is coming from a remote session – Santiago Squarzon Jul 13 '23 at 15:33
  • @mklement0 I was expecting feedback from OP actually; not sure, that seems to be the issue, the cmdlet not being able to coerce the deserialized instance, but I was waiting for confirmation that was actually the problem – Santiago Squarzon Jul 13 '23 at 16:05
  • Perfect. I’ve left work but will try in the morning. Now as for coming from a remote session, I am. I’m not on the DC and was coming in over VPN – Bash Jul 13 '23 at 16:42

1 Answer


The error implies that $user is an object coming from a remote session (Deserialized.Microsoft.ActiveDirectory.Management.ADUser) and what the error is stating is that this object cannot be coerced into an ADUser instance (the parameter type of -Identity):

Get-ADUser [-Identity] <ADUser> ...

After testing this myself, this is indeed the case:

$user = Start-Job { Get-ADUser $env:USERNAME } |
    Receive-Job -Wait -AutoRemoveJob

# Get-ADUser: Cannot bind parameter 'Identity'. Cannot convert value "CN=...
Get-ADUser $user
# InvalidArgument: Cannot bind parameter 'Identity'. Cannot convert value "CN=...
[Microsoft.ActiveDirectory.Management.ADUser] $user

The simple workaround is to use one of the properties from the deserialized object that can be used to construct an ADUser instance:

  • A distinguished name
  • A GUID (objectGUID)
  • A security identifier (objectSid)
  • A SAM account name (sAMAccountName)

In summary, this should solve the problem:

if ($user.POBox -ne $variableResult) {
    Set-ADUser $user.DistinguishedName -Replace @{ POBox = $variableResult }
}

See Deserialized objects for more details.

Santiago Squarzon
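The following is an added example, not code from the question or the answer above. It generalises the answer's fix: it picks a rebindable identity from a possibly deserialized ADUser (objectGUID first, since it survives renames and OU moves, unlike a distinguished name), re-reads the live object instead of trusting the stale snapshot the deserialized copy carries, and only writes when the value differs, with -WhatIf support so the loop can be dry-run before anything is changed. It assumes the ActiveDirectory module is loaded and that the account running it has write access to the POBox (postOfficeBox) attribute; $users and $variableResult stand in for the objects the question's script already produces.

```powershell
# Added example (not from the question or the answer). Assumes the ActiveDirectory
# module is loaded and the caller can write the POBox attribute.

function Get-ADIdentityString {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [object] $User)

    # A Deserialized.* ADUser has lost its live type but keeps its property values,
    # so return one that Get-ADUser/Set-ADUser -Identity can rebind. objectGUID is
    # preferred: it survives renames and OU moves, whereas a DistinguishedName does not.
    foreach ($name in 'ObjectGUID', 'DistinguishedName', 'SID', 'SamAccountName') {
        $prop = $User.PSObject.Properties[$name]
        if ($prop -and $prop.Value) { return [string]$prop.Value }
    }
    throw "Object of type $($User.PSObject.TypeNames[0]) carries no AD identity property."
}

function Set-POBoxIfChanged {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [object] $User,
        [AllowEmptyString()] [string] $Value
    )

    $identity = Get-ADIdentityString -User $User

    # Re-read the live object rather than trusting the snapshot in the deserialized
    # copy; the attribute may have changed since that copy was produced.
    $live = Get-ADUser -Identity $identity -Properties POBox

    # Normalise $null and '' so an empty attribute compares equal to an empty value.
    $current = [string]$live.POBox
    $differs = $current -ne $Value

    # With -WhatIf, ShouldProcess reports the intended change and returns $false.
    if ($differs -and $PSCmdlet.ShouldProcess($live.DistinguishedName, "Set POBox '$current' -> '$Value'")) {
        # -POBox is the dedicated Set-ADUser parameter; passing $null clears the
        # attribute, which -Replace cannot do.
        if ($Value) { Set-ADUser -Identity $identity -POBox $Value }
        else        { Set-ADUser -Identity $identity -POBox $null }
    }

    # One record per user; Differs = $true means a write was needed (and was
    # performed unless -WhatIf was given).
    [pscustomobject]@{
        SamAccountName = $live.SamAccountName
        Identity       = $identity
        Differs        = $differs
        OldValue       = $current
        NewValue       = $Value
    }
}

# Usage (placeholders from the question's script): dry run first, then the real
# pass, keeping the returned records as the change log.
# $users | ForEach-Object { Set-POBoxIfChanged -User $_ -Value $variableResult -WhatIf }
# $log = $users | ForEach-Object { Set-POBoxIfChanged -User $_ -Value $variableResult }
# $log | Where-Object Differs | Export-Csv -NoTypeInformation .\pobox-changes.csv
```

Two practical points beyond the type coercion itself: bind by objectGUID when the object may have been exported some time ago, because a DN-based write silently fails for any user renamed or moved in the meantime, and run the loop with -WhatIf under the account that will do the real pass so that both the write permission on the single attribute and the set of users that would change are confirmed before anything is modified.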