Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
1.6k views
in Technique[技术] by (71.8m points)

powershell - Hiding Errors When Using Get-ADGroup

I'm working on a script that will build a new group if it doesn't exist. I'm using Get-ADGroup to make sure the group doesn't exist using the following command:

$group = get-adgroup $groupName -ErrorAction:SilentlyContinue -WarningAction:SilentlyContinue 

But when I do I get the following error (I removed any domain specific data from the error):

Get-ADGroup : Cannot find an object with identity: '*group name*' under: '*domain*'.
At U:ScriptsWindowsCreate-FolderAccessGroup.ps1:23 char:24
+ $group = get-adgroup <<<< $groupName -ErrorAction:SilentlyContinue -WarningAction:SilentlyContinue
    + CategoryInfo          : ObjectNotFound: (y:ADGroup) [Get-ADGroup], ADIdentityNot
   FoundException
    + FullyQualifiedErrorId : Cannot find an object with identity: '' under: ''.,Microsoft.ActiveDirectory.Management.Commands.GetADGroup

I assumed setting ErrorAction and WarningAction to SilentlyContinue would keep this error from being displayed but it hasn't.

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Answer

0 votes
by (71.8m points)

I find that this works best:

$Group = Get-ADGroup -Filter {SamAccountName -eq $GroupName}

If the filter returns no results, then $Group is simply set to $null and no error message is generated. Also, since a SAM account name must be unique in Active Directory, there is no risk of $Group being set to an array of more than one object.

I find that using -Filter to get the group rather than -Identity works really well when checking for the existence of groups (or users) in If statements. For example:

If (Get-ADGroup -Filter {SamAccountName -eq $GroupName})
{
    Add-ADGroupMember -Identity $GroupName -Members $ListOfUserSamAccountNames
}
Else
{
    Write-Warning "Users could not be added to $GroupName because $GroupName
    does not exist in Active Directory."
}

I find that is a lot easier to deal with logically (if the group exists, add the users; if not, display a message) than mjolinor's suggestion of try/catch with using the Get-ADGroup cmdlet with the -Identity parameter. Consider the try/catch method of doing the same as above, using the -Identity parameter:

Try
{
    Get-ADGroup -Identity $GroupName
    Add-ADGroupMember -Identity $GroupName -Members $ListOfUserSamAccountNames
}
Catch
{
    Write-Warning "Users could not be added to $GroupName because $GroupName
    does not exist in Active Directory."
}

You see if any of the commands in the try block throws a terminating error. If one does, it means the group doesn't exist and will move on and process the command(s) in the catch block. It will work, but I don't think try/catch here flows as well, logically, in comparison to if/else.

Don't get me wrong, mjolinor is a PowerShell genius. It's just that in this case I don't think his solution is the best one.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...