Active Directory - Scripting the adding/removal of users to group
-
Hey All,
I would like to write a script to dynamically handle adding/removing users to a security group in Active Directory.
Basically, if a user's E-mail attribute matches a certain pattern (*@domain.org), I want to add them as a member of a group (Group X). If it doesn't match, I want to remove them from the group if they are a member.
So I'm thinking the script (or possibly two separate scripts) would need to work as follows:
Grab a list of current members of the group. Check each member for the pattern that makes them eligible for said group. If no match, remove them from the group.
Grab a list of users that aren't members of the group. Check each user for the pattern that makes them eligible for said group. If matched, add them to the group.
I haven't had the privilege of scripting anything related to Active Directory. I'm assuming PowerShell will be the way to go. However, I'm still learning/researching beyond that. Any tips/tricks/suggestions would be greatly appreciated.
Thanks!
EDIT: A link to what I've come up with: https://pastebin.com/0JvUrzQU
-
@anthonyh When you say their username matches a certain pattern what do you mean? Whatever the qualifier is it'd have to be perfectly consistent so you can build a RegEx around it for filtering, but it's definitely doable.
-
@r3dpand4 said in Active Directory - Scripting the adding/removal of users to group:
@anthonyh When you say their username matches a certain pattern what do you mean? Whatever the qualifier is it'd have to be perfectly consistent so you can build a RegEx around it for filtering, but it's definitely doable.
Where does OP say username? He wants to match based on some AD attribute, and in his example he mentioned email domain from the email field. Or did I miss something?
-
@r3dpand4 I apologize if my OP wasn't clear. I'm looking to match based on a pattern in the E-mail attribute of an account. Not matching based on username. Basically, if the email address in the E-mail attribute field is a specific domain (*@domain.org as an example), I want to add the users to a specific security group. If that changes in the future (we have instances where users float between organizations), I want to remove them from the group.
-
@jrc I re-read my OP a few times to make sure I didn't misspeak. I don't think you missed anything. Unless I'm missing something...
-
@anthonyh You're fine. I'm also half dead from a head cold/sinus infection; I just reread the post. Query the groups you're wanting, run a foreach loop against the results, then an if/else statement with the -like switch against whatever the domain is you're wanting to filter to specify your action.
-
@r3dpand4 said in Active Directory - Scripting the adding/removal of users to group:
@anthonyh You're fine. I'm also half dead from a head cold/sinus infection; I just reread the post. Query the groups you're wanting, run a foreach loop against the results, then an if/else statement with the -like switch against whatever the domain is you're wanting to filter to specify your action.
I suspect that the OP is wanting some code examples. At least that's what I'd be after if I were him.
Anthony:
https://technet.microsoft.com/en-us/library/ee617193.aspx?f=255&MSPPError=-2147217396 is a place to start; it'll help you write the bit that gets group members.
https://gallery.technet.microsoft.com/scriptcenter/Getting-Users-ALL-7417b71d - May have some usable snippets to get the info you need from the user.
-
Check get-aduser... You could try something like this from one of your DCs:
get-aduser -properties DisplayName,sAMAccountName,EmailAddress -Filter "EmailAddress -like '*@domain.org'"
That will give you the list of users and their associated email.
-
It's not completely finished yet, but the framework is more-or-less there.
I couldn't figure out how to cleanly paste it directly into this post, so here is a pastebin link:
-
@anthonyh Is this code you are currently testing, or are you still working on it?
It looks like it should work.
-
@dafyre said in Active Directory - Scripting the adding/removal of users to group:
@anthonyh Is this code you are currently testing, or are you still working on it?
It looks like it should work.
I've tested everything but the actual "remove-adgroupmember" and "add-adgroupmember" bits.
I'm going to do that this morning.
-
@anthonyh said in Active Directory - Scripting the adding/removal of users to group:
@dafyre said in Active Directory - Scripting the adding/removal of users to group:
@anthonyh Is this code you are currently testing, or are you still working on it?
It looks like it should work.
I've tested everything but the actual "remove-adgroupmember" and "add-adgroupmember" bits.
I'm going to do that this morning.
*hides under nearest desk*
-
@dafyre said in Active Directory - Scripting the adding/removal of users to group:
@anthonyh said in Active Directory - Scripting the adding/removal of users to group:
@dafyre said in Active Directory - Scripting the adding/removal of users to group:
@anthonyh Is this code you are currently testing, or are you still working on it?
It looks like it should work.
I've tested everything but the actual "remove-adgroupmember" and "add-adgroupmember" bits.
I'm going to do that this morning.
*hides under nearest desk*
lolz
-
Welp, as near as I can tell my cluster of a script does exactly what I'm looking for. I've updated the Pastebin link for those who are curious (https://pastebin.com/0JvUrzQU).
It will analyze existing group memberships and remove users if they do not meet all of the following requirements:
- The account no longer matches the specified $fileString
- The account is disabled
- The account does not reside within the $searchBase
Next, it pulls all accounts from the system, excludes existing members, and adds the remaining users to the group if they meet all of the following requirements:
- The account is enabled
- The account matches the specified $fileString
- The account resides within the $searchBase
- The sAMAccountName does not contain a 1 (something we use internally)
- The Display Name does not contain the string 'test' (we do not have any users who have 'test' in their name yet :-D)
After the above is done, it writes the changes to a log file (which is overwritten each time the script runs) and emails it off to a specified email address.
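The two-pass reconciliation described in this thread, written out as an added example; this is not the OP's pastebin script. The group name, the OU in $SearchBase, the email pattern and the log path are assumed placeholder values, and the script honours -WhatIf so the planned changes can be reviewed before any membership is touched.

```powershell
# Added example (not the OP's code). Placeholders: 'Group X', the OU, '*@domain.org'.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$GroupName    = 'Group X',
    [string]$SearchBase   = 'OU=Users,DC=domain,DC=org',   # assumed OU
    [string]$EmailPattern = '*@domain.org',
    [string]$LogPath      = "$env:TEMP\GroupSync.log"
)
Import-Module ActiveDirectory

# A user is eligible only if enabled, inside the search base, and matching the pattern.
function Test-Eligible {
    param($User)
    return ($User.Enabled -and
            $User.EmailAddress -like $EmailPattern -and
            $User.DistinguishedName -like "*,$SearchBase")
}

$log   = @()
$group = Get-ADGroup -Identity $GroupName
# Direct user members only; re-read each as an ADUser so EmailAddress is populated.
$members = Get-ADGroupMember -Identity $group |
           Where-Object objectClass -eq 'user' |
           ForEach-Object { Get-ADUser -Identity $_.DistinguishedName -Properties EmailAddress }

# Pass 1: remove current members who no longer qualify.
foreach ($m in $members) {
    if (-not (Test-Eligible $m)) {
        if ($PSCmdlet.ShouldProcess($m.SamAccountName, "Remove from $GroupName")) {
            Remove-ADGroupMember -Identity $group -Members $m -Confirm:$false
        }
        $log += "REMOVE $($m.SamAccountName) <$($m.EmailAddress)>"
    }
}

# Pass 2: add enabled, matching users who are not members yet, applying the OP's
# extra internal exclusions (no '1' in sAMAccountName, no 'test' in the display name).
$memberDNs  = @($members.DistinguishedName)
$candidates = Get-ADUser -SearchBase $SearchBase -Properties EmailAddress `
                -Filter "Enabled -eq 'True' -and EmailAddress -like '$EmailPattern'" |
              Where-Object { $memberDNs -notcontains $_.DistinguishedName -and
                             $_.SamAccountName -notlike '*1*' -and
                             $_.Name -notlike '*test*' }
foreach ($c in $candidates) {
    if ($PSCmdlet.ShouldProcess($c.SamAccountName, "Add to $GroupName")) {
        Add-ADGroupMember -Identity $group -Members $c
    }
    $log += "ADD $($c.SamAccountName) <$($c.EmailAddress)>"
}

# Overwrite the log on every run, as the OP describes; mail it with Send-MailMessage if wanted.
$log | Set-Content -Path $LogPath
```

Run it once with -WhatIf from a host that has the RSAT ActiveDirectory module to see exactly which accounts would be added or removed before letting it change anything.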