I am new to Azure and I am trying to create a dynamic Azure Ad group through PowerShell by following below cmdlet:
New-AzureADMSGroup -DisplayName "GroupName" -Description "Des" -MailEnabled $False -MailNickname "Mail" -SecurityEnabled $True -GroupTypes "Dynamic"
But I am getting the below error:
New-AzureADMSGroup : Error occurred while executing NewMSGroup
Code: Request_BadRequest
Message: Invalid value specified for property 'groupTypes' of resource 'Group'.
InnerError:
RequestId: 419e641b-a15a-4417-840c-ce30a3541d8d
DateTimeStamp: Wed, 15 Jun 2022 05:25:33 GMT
HttpStatusCode: BadRequest
HttpStatusDescription: Bad Request
HttpResponseStatus: Completed
At line:1 char:1
+ New-AzureADMSGroup -DisplayName "Testgroup1" -Description "Group assi ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [New-AzureADMSGroup], ApiException
+ FullyQualifiedErrorId : Microsoft.Open.MSGraphBeta.Client.ApiException,Microsoft.Open.MSGraphBeta.PowerShell.NewMSGroup
I am following this Microsoft Document:
New-AzureADMSGroup (AzureAD) | Microsoft Docs
I tried to modify the command like below:
New-AzureADMSGroup -DisplayName "GroupName" -Description "Des" -MailEnabled $False -MailNickname "Mail" -SecurityEnabled $True -GroupTypes "DynamicGroup"
But it did not work. I am still getting the same error.
How to create dynamic Azure Ad group? Did anyone face the same issue?
I tried to reproduce the same in my environment and I am able to create dynamic group successfully like below:
To create Dynamic group, make use of below PowerShell script:
New-AzureADMSGroup -DisplayName "RukminiGroup" -Description "Dynamic group" -MailEnabled $False -MailNickName "Ruk" -SecurityEnabled $True -GroupTypes "DynamicMembership" -MembershipRule "(user.department -contains ""IT"")" -MembershipRuleProcessingState "On"
By executing the above script, the Dynamic group created successfully like below:
Reference:
Azure AD Group Membership PowerShell - Azure Lessons by Bijay Kumar.
Could you please confirm if you have the AzureADPreview module installed?
-GroupTypes
Specifies that the group is a unified or dynamic group.
Notes:
This parameter currently cannot be used to create dynamic groups. To create a dynamic group in PowerShell, you must use the Azure AD Preview module.
The correct commandlet is as below.
New-AzureADMSGroup -DisplayName "Dynamic Group 01" -Description "Dynamic group created from PS" -MailEnabled $False -MailNickname "group" -SecurityEnabled $True -GroupTypes "DynamicMembership" -MembershipRule "(user.department -contains ""Marketing"")" -MembershipRuleProcessingState "On"
Related
When running the following on one of our Windows machine
$name = "My task"
Stop-ScheduledTask -TaskName $name -ErrorAction SilentlyContinue
I get this error:
Stop-ScheduledTask : Cannot connect to CIM server. The system cannot find the file specified.
+ Stop-ScheduledTask -TaskName $name -ErrorAction SilentlyContinue
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (PS_ScheduledTask:String) [Stop-ScheduledTask], CimJobException
+ FullyQualifiedErrorId : CimJob_BrokenCimSession,Stop-ScheduledTask
It does not look like a permission issus since it would look more like
Stop-ScheduledTask : Access is denied.
+ [void](Stop-ScheduledTask -TaskName $name -ErrorAction SilentlyContinue)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (PS_ScheduledTask:Root/Microsoft/...p_ScheduledTask) [Stop-Schedul
edTask], CimException
+ FullyQualifiedErrorId : HRESULT 0x80070005,Stop-ScheduledTask
A couple of facts to help:
I'm not running this remotely
Get-ScheduledTask will throw the same CimJob_BrokenCimSession error
Are you an administrator on the system? The error says permission denied (Misread OP)
When troubleshooting, it generally helps if you don't have -erroraction silentlycontinue if you actually want to see what's erroring. Obviously, you don't have it in a try/catch block, so you can see the error, but having the option to suppress errors doesn't make sense here.
More suggestions:
Are you running this command remotely? If you're running it against many servers, check your server list.
What happens if you get all the tasks, e.g. $tasks = get-scheduledtask, then reference the one you want with $tasks | where taskname -like "whatever" | stop-scheduledtask (or its index number in the array, e.g. $tasks[5]).
I didn't get any errors when I ran the preceding command against tasks that weren't running, but perhaps it does return an error in some cases if the task isn't in the running state.
I am trying to automate windows server update instllation for multiple servers. I have installed the module on all servers and also added the hostnames in winrm trust hosts.
All server hostnames are stored in txt file and are looped trought for each loop with different commands from teh PSwindowswupdate module.
$Hostname = Get-Content -Path "C:\TEMP\powershell_patching_script\module\hostnamesallwsus.txt"
Import-Module PSWindowsUpdate
foreach ($i in $Hostname) {
write-host $i
Get-WUHistory -ComputerName $i -last 3
}
Issue is that randomly the loop is failing for some hostnames, with error :
BGxxxxxxx01 #this is the hostname
Get-WUHistory : BGxxxxxxx01: Unknown failure.
At C:\TEMP\powershell_patching_script\Module\History.ps1:10 char:1
+ Get-WUHistory -ComputerName $i -last 3
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (:) [Get-WUHistory], Exception
+ FullyQualifiedErrorId : Unknown,PSWindowsUpdate.GetWUHistory
If I run the command with the hostname instead of variable it is failing again with the same error.
If I run the same but with $ in front of the hostname (even if such varaiable is not defined) the command works!ly appriciated
Get-WUHistory -ComputerName $BGxxxxxxx01 -last 3
Localy executed the commands are also working.
This issue seams to occure on random bases for multiple hostnames form my list.
I am unable find anything helpful regarding this error.
Any help will be highly appriciated!
Thanks in advance!
I found that Invoke-command works.
Just need to put the command in the script block of Invoke-command.
I took an image from another Windows 10 PC and setup a new PC with this image.
Now I have the problem, that I change interface alias:
Rename-NetAdapter -InterfaceAlias "SwitchLan" -NewName "test"
and it says that the value "test" is already there.
Rename-NetAdapter : {Object Exists} An attempt was made to create an object and the object name already existed.
At line:1 char:1
+ Rename-NetAdapter -InterfaceAlias "SwitchLan" -NewName "test"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceExists: (MSFT_NetAdapter... "PC-Name"):ROOT/StandardCimv2/MSFT_NetAdapter) [
Rename-NetAdapter], CimException
+ FullyQualifiedErrorId : Windows System Error 698,Rename-NetAdapter
In the registry, I deleted the entry "test", but still, even when I change the entry "SwitchLAN" to "test", I can see in the Windows overview the interface "test", but when I put ipconfig in the commandlet I get the entry "SwitchLan", the same with PowerShell Get-NetAdapter.
Reboot didn't work.
Where can this value be stored, what happens here?
Also, when I want to change "test" to "test2" it says that there is no "test" interface, but when I want to change "SwitchLan" to "test" it says "test" is already there.
On the previous Image, there was an interface with the name "test".
In the Device-Manager -> show hidden devices -> then uninstall all adapters which aren't connected to the system anymore.
Try to rename the already existing, but hidden, network adapter from your image, named "test" using something like this:
Get-NetAdapter -IncludeHidden -Name "test" | Rename-NetAdapter -NewName "Obsolete"
Then you can give the name "test" to your new network adapter.
We're using Windows 2012 Server R2.
We're trying to automate the creation of LetsEncrypt certificates. We're using LetsEncrypt-Win-Simple (https://github.com/Lone-Coder/letsencrypt-win-simple).
Once the cert is created (via LetsEncrypt.exe) we have a .bat script that gets called (using the --script and --scriptparameters flags). This runs powershell.exe and tries to create the necessary IIS binding. The line in the .bat file is:
powershell.exe -file c:\temp\SSLIISBinding.ps1 %1 %2 %3 %4
The %1-4 are args passed in by LetsEncrypt. In the powershell script, the command we're trying to run is:
$iis_host_name = $args[0]
$iis_site_name = $args[1]
$certificate_hash = $args[2]
$certificate_store = $args[3]
"IIS Host Name: " + $iis_host_name
"IIS Site Name: " + $iis_site_name
"Certificate Hash: " + $certificate_hash
"Certificate Store: " + $certificate_store
$guid = [guid]::NewGuid().ToString("B")
netsh http add sslcert hostnameport="${iis_host_name}:443" certhash=$certificate_hash certstorename=$certificate_store appid="$guid"
New-WebBinding -name $iis_site_name -Protocol https -HostHeader $iis_host_name -Port 443 -SslFlags 1
The args are passed into the .bat fine, as we output them and they are showing correctly.
If we run the .bat file on its own, it works perfectly. If it gets called by LetsEncrypt.exe it fails, reporting the following issue:
New-WebBinding : Cannot retrieve the dynamic parameters for the cmdlet.
Retrieving the COM class factory for component with CLSID
{688EEEE5-6A7E-422F-B2E1-6AF00DC944A6} failed due to the following error:
80040154 Class not registered (Exception from HRESULT: 0x80040154
(REGDB_E_CLASSNOTREG)).
At C:\temp\SSLIISBinding.ps1:13 char:1
+ New-WebBinding -name $iis_site_name -Protocol https -HostHeader
$iis_host_name ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~
+ CategoryInfo : InvalidArgument: (:) [New-WebBinding], Parameter
BindingException
+ FullyQualifiedErrorId : GetDynamicParametersException,Microsoft.IIs.Powe
rShell.Provider.NewWebBindingCommand
I've googled, some mentioning something about 32bit vs 64bit powershell, but I've tried using all the different powershell.exe available.
Anyone hit this issue, or know to resolve.
If we call .bat directly from command line it works fine, just as part of being called via LetsEncrypt.exe. A permission problem? Wrong powershell.exe?
That part of your question:
I've googled, some mentioning something about 32bit vs 64bit powershell
is already half of an answer. Some commands do not run properly if bitness of PowerShell process does not match bitness of operation system. So, you need to run powershell.exe, which located in this %windir%\System32\WindowsPowerShell\v1.0\ directory. But there is a little problem described in this documentation topic:
In most cases, whenever a 32-bit application attempts to access %windir%\System32, the access is redirected to %windir%\SysWOW64.
Thus, if 32-bit program on 64-bit OS invoke %windir%\System32\WindowsPowerShell\v1.0\powershell.exe, it will actually invoke 32-bit version of PowerShell from here %windir%\SysWOW64\WindowsPowerShell\v1.0\ instead of 64-bit one. To actually invoke 64-bit PowerShell from 32-bit application you need to use this trick:
32-bit applications can access the native system directory by substituting %windir%\Sysnative for %windir%\System32. WOW64 recognizes Sysnative as a special alias used to indicate that the file system should not redirect the access.
I've got the same error when running the following cmdlet:
PS> Remove-WebAppPool -Name 'Test'
Remove-WebAppPool : Cannot retrieve the dynamic parameters for the cmdlet. Retrieving the COM class factory for
component with CLSID {688EEEE5-6A7E-422F-B2E1-6AF00DC944A6} failed due to the following error: 80040154 Class not
registered (Exception from HRESULT: 0x80040154 (REGDB_E_CLASSNOTREG)).
At line:1 char:1
+ Remove-WebAppPool -Name 'Test'
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Remove-WebAppPool], ParameterBindingException
+ FullyQualifiedErrorId : GetDynamicParametersException,Microsoft.IIs.PowerShell.Provider.RemoveAppPoolCommand
The reason was because I ran it using Windows PowerShell (x86) on my Windows 10 x64 machine.
When I tried the same but using Windows PowerShell, which is 64 bit version, it worked just fine.
I think your $guid is the issue. The GUID needs to be the GUID of the program to bind the cert to. For your example port 443 is only bound to a random GUID, and not your program's GUID. IIS and other apps have a static GUID that you will want to use. If the GUID for a powershell script then Get-host is the powershell host executing code so that's the GUID you need. It changes for every powershell session and the netsh binding needs to as well.
$appid = "appid={"+(get-host).InstanceId.guid+"}"
$certhash = ls Cert:\LocalMachine\my | where {$.EnhancedKeyUsageList -Match 'Server' -and $.subject -match (hostname)}|sort-object $_.NotAfter|select -expand Thumbprint -last 1
$cmdline='netsh http add sslcert ipport=0.0.0.0:443 certhash=' + $certhash + ' "' + $appid + '"'
netsh http delete sslcert ipport=0.0.0.0:443
Invoke-Expression $cmdline
A google search for "Cannot retrieve the dynamic parameters for the cmdlet" brought me here but my issue was using powershell from the command line, and the answer was to escape the double quotes on the command...
I've got a problem with the same error. This happens when i'm trying to Add-WebBinding to my IIS site remotely, using Invoke-Command from different agent machines at time.
It's worked for me, maybe it helps someone too:
$Mutex = New-Object -TypeName System.Threading.Mutex($false, "Global\Mutex")
if ($Mutex.WaitOne(300000)) {
#For example
#$Command = {
#New-WebBinding -name $iis_site_name -Protocol https -HostHeader
#$iis_host_name -Port 443 -SslFlags 1
#}
#Invoke-Command -Command $Command
} else {
Write-Warning "Timed out acquiring mutex!"
}
$Mutex.Dispose()
The service (Jenkins) is running on a server as a different user account with additional permissions. It then calls a powershell script during a build to use those permissions (access to some folders on another server) but it doesn't work. In the script i've got the following code:
New-PSDrive -Name Y -PSProvider filesystem -Root '\\XXX\ctv$'
Get-Childitem -Path 'Y:\'
The result is:
Get-ChildItem : Access to the path '\\XXX\ctv$' is denied.
At D:\XXX\copy.ps1:2 char:14
+ get-childitem <<<< -Path 'Y:\'
+ CategoryInfo : PermissionDenied: (\\XXX\ctv$\:String
) [Get-ChildItem], UnauthorizedAccessException
+ FullyQualifiedErrorId : DirUnauthorizedAccessError,Microsoft.PowerShell.
Commands.GetChildItemCommand
Trying to access the folder directly returns a similar error, that the path was not found:
Get-ChildItem -Path '\\XXX\ctv$\X\X'
I've also checked as which user the script is running as with
[Security.Principal.WindowsIdentity]::GetCurrent()
and it returned this
AuthenticationType : Negotiate
ImpersonationLevel : None
IsAuthenticated : True
IsGuest : False
IsSystem : True
IsAnonymous : False
Name : NT AUTHORITY\SYSTEM
Owner : S-1-5-32-544
User : S-1-5-18
Groups : {S-1-5-32-544, S-1-1-0, S-1-5-11}
Token : 1072
which isn't the user Jenkins is running as.
So my question is how do i pass my script the same user that Jenkins is running as? Last resort would be to directly pass the username+password as credentials to the script but i would prefer if there is another way.