Forum Discussion

Skipster311-1
Iron Contributor
Aug 18, 2021

need help with script

Hello all

I am trying to mimic the behavior of a dynamic group. This is for on-prem AD. This is what I have to do.

#1 Check two OUs

If users live in the Corp\Consultants\* or Corp\FM Users\Cognizant\* OU locations, then add the users to group "Example1"

#2 If users are not found in the Corp\Consultants\* or Corp\FM Users\Cognizant\* OU locations, then remove the users that are not found from the "Example1" group

Any help is greatly appreciated
  • farismalaeb
    Steel Contributor

    Skipster311-1 

    # Walk the current members of Example1 (rather than every user in the domain) and
    # remove anyone whose DN is not under one of the two OUs. This loop only removes; it does not add.
    $x = Get-ADGroupMember -Identity Example1
    foreach ($s in $x) {
        if (($s.distinguishedName -like "*OU=Consultants,DC=Test,DC=local") -or ($s.distinguishedName -like "*OU=FM Users,DC=Test,DC=local")) {
            Write-Host "He is OK"
        }
        else {
            $s.distinguishedName
            Remove-ADGroupMember -Identity Example1 -Members $s -Confirm:$false
        }
    }

     

    If this works, please mark the question as the best response.

    Thanks

     

    • Skipster311-1
      Iron Contributor
      I want to thank you for responding to my post. A lot of people don't take the time to do that. I was able to get what I needed from pvanberlo's suggestion. Thank you again for your help.
  • pvanberlo
    Steel Contributor

    Skipster311-1 I would do it like this. It looks complex, but you need to take into account that you want to identify users to be removed as well. So we first gather all group members and expect them all to be removed. Then we check both OUs and if a user in those OUs is present in the group, set their action to do nothing, and if a user is not present yet, it's obviously a new user so should be added. This then leaves all the rest set to be removed. At the end we then do the actual action.

     

    This was quick and dirty, not optimized, and may contain mistakes 😉 It could be optimized to do the OU checks in a function etc to avoid code duplication.

     

    Import-Module ActiveDirectory

    # Start from the current membership and assume everyone gets removed. Only user objects
    # are tracked, so a nested group or computer that happens to be in Example1 is left alone.
    $GroupMembers = @{}
    ForEach ($User in (Get-ADGroupMember -Identity Example1 | Where-Object { $_.objectClass -eq 'user' })) {
        $GroupMembers.Add($User.DistinguishedName, @{"DN"=$User.DistinguishedName;"Action"="Remove"})
    }
    
    # SearchScope defaults to Subtree, so users in child OUs (the "\*" in the question) are included.
    ForEach ($User in Get-ADUser -SearchBase "OU=Consultants,DC=Test,DC=local" -Filter *) {
        if (!$GroupMembers[$User.DistinguishedName]) {
            # User found in OU, but not in group yet --> Add user
            $GroupMembers.Add($User.DistinguishedName, @{"DN"=$User.DistinguishedName;"Action"="Add"})
        } else {
            # User found in OU, and also present in group --> Do Nothing
            $GroupMembers[$User.DistinguishedName].Action = "Nothing"
        }
    }
    
    ForEach ($User in Get-ADUser -SearchBase "OU=FM Users,DC=Test,DC=local" -Filter *) {
        if (!$GroupMembers[$User.DistinguishedName]) {
            # User found in OU, but not in group yet --> Add user
            $GroupMembers.Add($User.DistinguishedName, @{"DN"=$User.DistinguishedName;"Action"="Add"})
        } else {
            # User found in OU, and also present in group --> Do Nothing
            $GroupMembers[$User.DistinguishedName].Action = "Nothing"
        }
    }
    
    # Apply the planned actions; entries marked "Nothing" are skipped.
    ForEach ($User in $GroupMembers.Values) {
        if ($User.Action -eq "Add") {
            Write-Host "Adding $($User.DN) to group"
            Add-ADGroupMember -Identity Example1 -Members $User.DN
        }
        if ($User.Action -eq "Remove") {
            Write-Host "Removing $($User.DN) from group"
            Remove-ADGroupMember -Identity Example1 -Members $User.DN -Confirm:$false
        }
    }

     

      • pvanberlo
        Steel Contributor
        You're very welcome! Just drop me a note if there's anything else I can help with 🙂
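
The requirement in the original question and the "mark everything for removal, then reconcile against the OUs" approach in pvanberlo's answer can be written as one idempotent, dry-runnable function. The script below is an added example for this thread, not code posted by either participant. It assumes the domain DC=Test,DC=local, the group "Example1", and the two OUs from the question spelled out as DNs (OU=Consultants,OU=Corp,... and OU=Cognizant,OU=FM Users,OU=Corp,...); change those to match your forest. It differs from the posted scripts in three ways a practitioner would want before scheduling this: it reads current members with a memberOf query instead of Get-ADGroupMember (which stops at 5000 members by default and also returns nested groups and computers), it aborts instead of emptying the group when an OU query fails or returns nothing, and it caps how many removals a single run may make.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not code from the thread. Names are assumptions: domain DC=Test,DC=local,
# group "Example1", and the two OUs from the question written as DNs.

function Sync-OUGroupMembership {
    <#
    .SYNOPSIS
      Make the members of an AD group equal to the set of user objects under one or more OUs.
    .NOTES
      Idempotent: a second run after a successful one makes no changes.
      Supports -WhatIf so it can be dry-run before it is scheduled.
    #>
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string]   $GroupIdentity,
        [Parameter(Mandatory)] [string[]] $SearchBase,
        # Safety valve: refuse to run if one pass would remove more members than this.
        [int] $MaxRemovals = 50
    )

    # 1. Desired set: every user under the listed OUs. SearchScope Subtree (the default) covers
    #    nested OUs, which is what "Corp\Consultants\*" asks for. -ErrorAction Stop matters:
    #    a mistyped OU DN must abort the run, because an empty desired set would otherwise
    #    be read as "remove everybody".
    $desired = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($ou in $SearchBase) {
        Get-ADUser -SearchBase $ou -SearchScope Subtree -Filter * -ErrorAction Stop |
            ForEach-Object { [void]$desired.Add($_.DistinguishedName) }
    }
    if ($desired.Count -eq 0) {
        throw "No users found under $($SearchBase -join '; '); refusing to empty $GroupIdentity."
    }

    # 2. Current set: direct *user* members only, found with a memberOf query rather than
    #    Get-ADGroupMember. That sidesteps the 5000-member default limit of Get-ADGroupMember
    #    and leaves nested groups, computers and foreign security principals untouched.
    #    The group DN goes into an LDAP filter, so RFC 4515 special characters are escaped
    #    (backslash first, so the escapes themselves are not re-escaped).
    $group   = Get-ADGroup -Identity $GroupIdentity -ErrorAction Stop
    $groupDn = $group.DistinguishedName -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    $current = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    Get-ADUser -LDAPFilter "(memberOf=$groupDn)" -ErrorAction Stop |
        ForEach-Object { [void]$current.Add($_.DistinguishedName) }

    # 3. Diff the two sets. Users in both sets need nothing, so no per-user "Action" bookkeeping.
    $toAdd    = @($desired | Where-Object { -not $current.Contains($_) })
    $toRemove = @($current | Where-Object { -not $desired.Contains($_) })

    if ($toRemove.Count -gt $MaxRemovals) {
        throw "Run would remove $($toRemove.Count) members from $GroupIdentity (limit $MaxRemovals); check the OU list before raising -MaxRemovals."
    }

    # 4. Apply. ShouldProcess honours -WhatIf/-Confirm, so the Remove call can drop its own prompt.
    if ($toAdd.Count -gt 0 -and $PSCmdlet.ShouldProcess($GroupIdentity, "Add $($toAdd.Count) member(s)")) {
        Add-ADGroupMember -Identity $group -Members $toAdd
    }
    if ($toRemove.Count -gt 0 -and $PSCmdlet.ShouldProcess($GroupIdentity, "Remove $($toRemove.Count) member(s)")) {
        Remove-ADGroupMember -Identity $group -Members $toRemove -Confirm:$false
    }

    # Return what changed so a scheduled task can log it.
    [pscustomobject]@{ Group = $group.Name; Added = $toAdd; Removed = $toRemove }
}

# Dry run first; drop -WhatIf once the reported Added/Removed lists look right.
Sync-OUGroupMembership -GroupIdentity 'Example1' -WhatIf -SearchBase @(
    'OU=Consultants,OU=Corp,DC=Test,DC=local'
    'OU=Cognizant,OU=FM Users,OU=Corp,DC=Test,DC=local'
)
```

Run it as an account that has only "write members" on Example1 (delegated on that group, not Domain Admins), since a scheduled script that can modify group membership is an attractive target. If Example1 is itself used to grant access, review the Removed list in the first real run before trusting the task: a moved OU or a renamed DN shows up there as a removal, not as an error.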
