Forum Discussion
need help with script
Hello all
I am trying to mimic the behavior of a dynamic group. This is for on-prem AD. This is what I have to do.
#1 check two OUs
Skipster311-1 I would do it like this. It looks complex, but you need to take into account that you want to identify users to be removed as well. So we first gather all group members and expect them all to be removed. Then we check both OUs and if a user in those OUs is present in the group, set their action to do nothing, and if a user is not present yet, it's obviously a new user so should be added. This then leaves all the rest set to be removed. At the end we then do the actual action.
This was quick and dirty, not optimized, and may contain mistakes 😉 It could be optimized to do the OU checks in a function etc to avoid code duplication.
```powershell
$GroupMembers = @{}

# Start by assuming every current member should be removed
ForEach ($User in Get-ADGroupMember -Identity Example1) {
    $GroupMembers.Add($User.DistinguishedName, @{"DN"=$User.DistinguishedName;"Action"="Remove"})
}

ForEach ($User in Get-ADUser -SearchBase "OU=Consultants,DC=Test,DC=local" -Filter *) {
    if (!$GroupMembers[$User.DistinguishedName]) {
        # User found in OU, but not in group yet --> Add user
        $GroupMembers.Add($User.DistinguishedName, @{"DN"=$User.DistinguishedName;"Action"="Add"})
    } else {
        # User found in OU, and also present in group --> Do Nothing
        $GroupMembers[$User.DistinguishedName].Action = "Nothing"
    }
}

ForEach ($User in Get-ADUser -SearchBase "OU=FM Users,DC=Test,DC=local" -Filter *) {
    if (!$GroupMembers[$User.DistinguishedName]) {
        # User found in OU, but not in group yet --> Add user
        $GroupMembers.Add($User.DistinguishedName, @{"DN"=$User.DistinguishedName;"Action"="Add"})
    } else {
        # User found in OU, and also present in group --> Do Nothing
        $GroupMembers[$User.DistinguishedName].Action = "Nothing"
    }
}

# Apply the computed actions; anything still marked "Remove" was not in either OU
ForEach ($User in $GroupMembers.Values) {
    if ($User.Action -eq "Add") {
        Write-Host "Adding $($User.DN) to group"
        Add-ADGroupMember -Identity Example1 -Members $User.DN
    }
    if ($User.Action -eq "Remove") {
        Write-Host "Removing $($User.DN) from group"
        Remove-ADGroupMember -Identity Example1 -Members $User.DN -Confirm:$false
    }
}
```
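The same reconcile pattern (desired set from the OUs, current set from the group, add the difference one way and remove it the other) with the OU scan moved into a function as the reply suggests. This is an added example, not code from the thread or from pvanberlo; the group name and OU paths are the ones used above, and everything else (the parameter names, the `Enabled` filter, restricting removals to direct user members) is an assumption. It supports `-WhatIf` so the computed adds and removes can be reviewed before the group is actually changed.

```powershell
# Added example: reconcile group membership against two source OUs.
# Group name and OU paths come from the thread; the rest is assumed.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$GroupName = 'Example1',
    [string[]]$SourceOU = @(
        'OU=Consultants,DC=Test,DC=local',
        'OU=FM Users,DC=Test,DC=local'
    ),
    # By default only enabled accounts count as "in scope", so a disabled
    # account drops out of the group on the next run.
    [switch]$IncludeDisabled
)

Import-Module ActiveDirectory -ErrorAction Stop

function Get-DesiredMemberDN {
    # Returns the DN of every user under the given OUs (one pass, no duplication per OU).
    param([string[]]$OU, [bool]$IncludeDisabled)
    $filter = if ($IncludeDisabled) { '*' } else { 'Enabled -eq $true' }
    foreach ($path in $OU) {
        # SearchScope Subtree (the default) also includes child OUs;
        # use -SearchScope OneLevel if only the OU itself should count.
        Get-ADUser -SearchBase $path -Filter $filter -SearchScope Subtree |
            Select-Object -ExpandProperty DistinguishedName
    }
}

# Desired state: DNs of users currently in the source OUs.
$desired = [System.Collections.Generic.HashSet[string]]::new(
    [string[]]@(Get-DesiredMemberDN -OU $SourceOU -IncludeDisabled:$IncludeDisabled),
    [System.StringComparer]::OrdinalIgnoreCase)

# Current state: direct *user* members only. Nested groups or computer
# objects in the group are deliberately left alone by this script.
$current = [System.Collections.Generic.HashSet[string]]::new(
    [string[]]@(Get-ADGroupMember -Identity $GroupName |
        Where-Object objectClass -eq 'user' |
        Select-Object -ExpandProperty DistinguishedName),
    [System.StringComparer]::OrdinalIgnoreCase)

# Set differences in both directions.
$toAdd    = @($desired | Where-Object { -not $current.Contains($_) })
$toRemove = @($current | Where-Object { -not $desired.Contains($_) })

# The Count guards matter: -Members with an empty list is an error.
if ($toAdd.Count -gt 0 -and
    $PSCmdlet.ShouldProcess($GroupName, "Add $($toAdd.Count) member(s)")) {
    $toAdd | ForEach-Object { Write-Verbose "Adding $_" }
    Add-ADGroupMember -Identity $GroupName -Members $toAdd
}
if ($toRemove.Count -gt 0 -and
    $PSCmdlet.ShouldProcess($GroupName, "Remove $($toRemove.Count) member(s)")) {
    $toRemove | ForEach-Object { Write-Verbose "Removing $_" }
    Remove-ADGroupMember -Identity $GroupName -Members $toRemove -Confirm:$false
}

# Summary object, handy for a scheduled-task log.
[pscustomobject]@{
    Group     = $GroupName
    Added     = $toAdd.Count
    Removed   = $toRemove.Count
    Unchanged = $desired.Count - $toAdd.Count
}
```

Run it once with `-WhatIf -Verbose` to see which DNs would be added and removed without touching the group; when the output matches expectations, run it without `-WhatIf` (for example from a scheduled task under an account that only has write-members rights on that one group). Keeping removals limited to direct user members means a nested group someone placed in `Example1` on purpose is not silently stripped out.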
- farismalaeb (Steel Contributor)

```powershell
$x = Get-ADUser -SearchBase 'DC=Test,DC=local' -Filter *
foreach ($s in $x) {
    if (($s.distinguishedName -like "*OU=Consultants,DC=Test,DC=local") -or ($s.distinguishedName -like "*OU=FM Users,DC=Test,DC=local")) {
        Write-Host "He is OK"
    } else {
        # Not in either OU: print the DN and remove the user from the group
        $s.distinguishedName
        Remove-ADGroupMember -Identity Example1 -Members $s -Confirm:$false
    }
}
```
If this works, please mark the question as the best response.
Thanks
- Skipster311-1 (Iron Contributor)
I want to thank you for responding to my post. A lot of people don't take the time to do that. I was able to get what I needed from pvanberlo's suggestion. Thank you again for your help.
- Skipster311-1 (Iron Contributor)
Your script was absolutely fantastic! Thank you again
- pvanberlo (Steel Contributor)
You're very welcome! Just drop me a note if there's anything else I can help with 🙂