Active Directory - Scripting the adding/removal of users to group
-
@r3dpand4 I apologize if my OP wasn't clear. I'm looking to match based on a pattern in the E-mail attribute of an account. Not matching based on username. Basically, if the email address in the E-mail attribute field is a specific domain (*@domain.org as an example), I want to add the users to a specific security group. If that changes in the future (we have instances where users float between organizations), I want to remove them from the group.
-
@jrc I re-read my OP a few times to make sure I didn't misspeak. I don't think you missed anything. Unless I'm missing something...
-
@anthonyh You're fine, I'm also half dead from a head cold/sinus infection, I just reread the post. Query the groups you're wanting, run a foreach loop against the results, then an if/else statement with the -like switch against whatever the domain is you're wanting to filter, to specify your action.
-
@r3dpand4 said in Active Directory - Scripting the adding/removal of users to group:
@anthonyh You're fine I'm also half dead from a head cold/sinus infection, I just reread the post. Query the groups you're wanting, run a foreach loop against the results, then an if/else statement with the -like switch against whatever the domain is you're wanting to filter to specify your action.
I suspect that the OP is wanting some code examples. At least that's what I'd be after if I were him.
Anthony:
https://technet.microsoft.com/en-us/library/ee617193.aspx?f=255&MSPPError=-2147217396 is a place to start, it'll help you write the bit that gets group members.
https://gallery.technet.microsoft.com/scriptcenter/Getting-Users-ALL-7417b71d - May have some usable snippets to get the info you need from the user.
-
Check get-aduser... You could try something like this from one of your DCs:
Get-ADUser -Properties DisplayName,sAMAccountName,EmailAddress -Filter "EmailAddress -like '*@domain.org'"
That will give you the list of users and their associated email.
-
It's not completely finished yet, but the framework is more-or-less there.
I couldn't figure out how to cleanly paste it directly into this post, so here is a pastebin link:
-
@anthonyh Is this code you are currently testing, or are you still working on it?
It looks like it should work.
-
@dafyre said in Active Directory - Scripting the adding/removal of users to group:
@anthonyh Is this code you are currently testing, or are you still working on it?
It looks like it should work.
I've tested everything but the actual "remove-adgroupmember" and "add-adgroupmember" bits.
I'm going to do that this morning.
-
@anthonyh said in Active Directory - Scripting the adding/removal of users to group:
@dafyre said in Active Directory - Scripting the adding/removal of users to group:
@anthonyh Is this code you are currently testing, or are you still working on it?
It looks like it should work.
I've tested everything but the actual "remove-adgroupmember" and "add-adgroupmember" bits.
I'm going to do that this morning.
*hides under nearest desk*
-
@dafyre said in Active Directory - Scripting the adding/removal of users to group:
@anthonyh said in Active Directory - Scripting the adding/removal of users to group:
@dafyre said in Active Directory - Scripting the adding/removal of users to group:
@anthonyh Is this code you are currently testing, or are you still working on it?
It looks like it should work.
I've tested everything but the actual "remove-adgroupmember" and "add-adgroupmember" bits.
I'm going to do that this morning.
*hides under nearest desk*
lolz
-
Welp, as near as I can tell my cluster of a script does exactly what I'm looking for. I've updated the Pastebin link for those who are curious (https://pastebin.com/0JvUrzQU).
It will analyze existing group memberships and remove users if they do not meet all of the following requirements:
- The account no longer matches the specified $fileString
- The account is disabled
- The account does not reside within the $searchBase
Next, it will pull all accounts from the system, exclude existing members, and add the remaining users to the group if they meet all of the following requirements:
- The account is enabled
- The account matches the specified $fileString
- The account resides within the $searchBase
- The sAMAccountName does not contain a 1 (something we use internally)
- The Display Name does not contain the string 'test' (we do not have any users who have 'test' in their name yet :-D)
After the above is done, it writes the changes to a log file (which is overwritten each time the script runs) and emails it off to a specified email address.
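The Pastebin script itself is not reproduced on this page, so the following is an added example (not anthonyh's code) implementing the two-pass logic described in the post above and the Get-ADUser filter suggested earlier in the thread. The group name, OU, SMTP host and mail addresses are placeholders chosen for the example; the '*@domain.org' pattern, the "no 1 in sAMAccountName" and "no 'test' in DisplayName" exclusions come from the thread. It runs on a domain-joined host with the RSAT ActiveDirectory module and supports -WhatIf so the add/remove steps can be rehearsed before they touch the group.

```powershell
#Requires -Modules ActiveDirectory
# Example sync script (added here, not the original poster's Pastebin script).
# Run with -WhatIf first; run the real thing under an account that has only
# "Write Members" on the target group, not Domain Admin.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$GroupName    = 'Org-Users',                    # assumed group name
    [string]$EmailPattern = '*@domain.org',                 # pattern from the thread
    [string]$SearchBase   = 'OU=Users,DC=corp,DC=example',  # assumed OU
    [string]$LogPath      = "$env:TEMP\group-sync.log",     # overwritten each run
    [string]$MailTo       = 'admin@domain.org',             # assumed recipient
    [string]$MailFrom     = 'adsync@domain.org',            # assumed sender
    [string]$SmtpServer   = 'smtp.domain.org'               # assumed relay
)

Import-Module ActiveDirectory

$log = New-Object System.Collections.Generic.List[string]
function Write-Log([string]$Message) {
    $line = "{0:u} {1}" -f (Get-Date), $Message
    $log.Add($line)
    Write-Verbose $line
}

# Resolve the group once; fail loudly if it does not exist.
$group = Get-ADGroup -Identity $GroupName -ErrorAction Stop

# A user is in scope only if enabled, mail matches the pattern, and the DN sits under $SearchBase.
function Test-InScope($User) {
    return ($User.Enabled -and
            $User.EmailAddress -like $EmailPattern -and
            $User.DistinguishedName -like "*,$SearchBase")
}

# --- Pass 1: prune existing members that fell out of scope --------------------
# Get-ADGroupMember returns ADPrincipal objects; re-read each as an ADUser with the
# attributes needed for the scope test.
$members = Get-ADGroupMember -Identity $group |
    Where-Object objectClass -eq 'user' |
    ForEach-Object { Get-ADUser -Identity $_.DistinguishedName -Properties EmailAddress,Enabled,DisplayName }

foreach ($m in $members) {
    if (-not (Test-InScope $m)) {
        if ($PSCmdlet.ShouldProcess($m.sAMAccountName, "Remove from $GroupName")) {
            Remove-ADGroupMember -Identity $group -Members $m -Confirm:$false
            Write-Log "REMOVED $($m.sAMAccountName) mail=$($m.EmailAddress) enabled=$($m.Enabled)"
        }
    }
}

# --- Pass 2: add in-scope users that are not members yet ----------------------
$memberDNs = @{}
$members | ForEach-Object { $memberDNs[$_.DistinguishedName] = $true }

# The server-side filter does the heavy lifting (scoped to $SearchBase); the two local
# exclusions are the thread's own conventions. $EmailPattern is a trusted parameter,
# so interpolating it into the filter string is acceptable here.
$candidates = Get-ADUser -SearchBase $SearchBase `
        -Filter "Enabled -eq 'True' -and EmailAddress -like '$EmailPattern'" `
        -Properties EmailAddress,Enabled,DisplayName |
    Where-Object { -not $memberDNs.ContainsKey($_.DistinguishedName) } |
    Where-Object { $_.sAMAccountName -notlike '*1*' -and $_.DisplayName -notlike '*test*' }

foreach ($u in $candidates) {
    if ($PSCmdlet.ShouldProcess($u.sAMAccountName, "Add to $GroupName")) {
        Add-ADGroupMember -Identity $group -Members $u
        Write-Log "ADDED $($u.sAMAccountName) mail=$($u.EmailAddress)"
    }
}

# --- Log and notify -----------------------------------------------------------
if ($log.Count -eq 0) { Write-Log "No changes" }
Set-Content -Path $LogPath -Value $log -Encoding UTF8
if (-not $WhatIfPreference) {
    Send-MailMessage -To $MailTo -From $MailFrom -SmtpServer $SmtpServer `
        -Subject "AD group sync: $GroupName ($($log.Count) lines)" -Body ($log -join "`n")
}
```

Rehearse with `.\Sync-GroupByMail.ps1 -WhatIf -Verbose` and read the "What if:" lines before a real run. One caveat worth stating for this design: because membership is derived from the E-mail attribute, anyone who can write `mail` on a user object (helpdesk delegations, Exchange admins, any account with write access to the user) can effectively put that user into the group, so keep the group's privileges modest or restrict who may write that attribute in the scoped OU. Scoping to -SearchBase also keeps the script from ever touching service or admin accounts living elsewhere in the directory.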