PS Get/Set-ADGroup issues accepting variable/object input

Question

I'm creating Distribution Lists, and trying to populate the AD Description field. Set-ADGroup appears to be the correct cmdlet for this task, however I'm having trouble using it inside a simple script, or using a variable to pass along the required parameters or objects.

This works:

Get-ADGroup -Identity "CN=My Group Name,OU=Distribution,OU=Groups,DC=subdomain,DC=domain,DC=tld"

But this doesn't:

$GroupDn = Get-Group -Identity "My Group Name" | Select-Object DistinguishedName
Get-ADGroup -Identity $GroupDn

And fails with this error:

get-adgroup : Cannot find an object with identity: '$GroupDn' under: 'DC=subdomain,DC=domain,DC=tld'. At line:1 char:1 + get-adgroup -Identity '$GroupDn' + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: ($GroupDn:ADGroup) [Get-ADGroup], ADIdentityNotFoundException + FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException,Microsoft.ActiveDirectory.Management.Commands.GetADGroup

$GroupDn is storing this object:

PS D:\Scripts> $groupdn

DistinguishedName
-----------------
CN=My Group Name,OU=Distribution,OU=Groups,DC=subdomain,DC=domain,DC=tld

I assumed this is because Get-ADGroup is expecting string input, but I also know this is Powershell and objects and all that is the magic, the secret sauce, but my roux appears to be lumpy and I'm missing some key point.

So, is string input what I should be handling here? If so, what's the right way to get that DN into a string?

Or what part of the object secret sauce am I missing?

Answer 1

I was also able to pipe like this:

Get-Group | % { Get-ADGroup -Identity $_.DistinguishedName }

It still seems not to play well with different domains though, but this would definitely work for groups in the same domain. The key as to why something like Get-Group | Select DistinguishedName or Get-Group | Get-ADGroup doesn't work is to use the Get-Member cmdlet. So running something like:

Get-Group | Get-Member
Get-Group | Select DistinguishedName | Get-Member

Should return something like this:

TypeName: Deserialized.Microsoft.Exchange.Data.Directory.Management.WindowsGroup
TypeName: Selected.System.Management.Automation.PSCustomObject

And as you can see from there, that is not what would be accepted from a pipeline into the Get-ADGroup cmdlet.

Answer 2

As requested.

The problem with your code is that it gets the distinghuished name as PSCustomObject with a property called 'DistinghuishedName', where you really want to get this property as String.

If you change that to (using Exchange Get-Group):

$GroupDn = Get-Group -Identity "My Group Name" | Select-Object -ExpandProperty DistinguishedName

or (using ActiveDirectory Get-ADGroup):

$GroupDn = Get-ADGroup -Identity "My Group Name" | Select-Object -ExpandProperty DistinguishedName

The variable $GroupDn will then contain just the DistinghuishedName of the group as string that can be used as -Identity parameter for other AD commands.

Get-ADGroup can also be used in another type of syntax, namely by passing an object through the pipeline. This object needs to have at least one of these properties: DistinguishedName, GUID, SID or SamAccountName.

$GroupObject = Get-Group -Identity "My Group Name"
$GroupObject | Get-ADGroup

Using this syntax, you do not need to set the Identity parameter.