need help with script

Hello all

I am trying to mimic the behavior of a dynamic group. This is for on-prem AD. This is what I have to do.

#1 Check two OUs

If users live in the Corp\Consultants\* or Corp\FM Users\Cognizant\* OU locations, then add the users to group "Example1".

#2 If users are not found in the Corp\Consultants\* or Corp\FM Users\Cognizant\* OU locations, then remove the users that are not found from the "Example1" group.

Any help is greatly appreciated

@Skipster311-1 

```powershell
# Walk every user in the domain and test the OU part of its DN.
$x = Get-ADUser -SearchBase 'DC=Test,DC=local' -Filter *
foreach ($s in $x) {
    if (($s.DistinguishedName -like "*OU=Consultants,DC=Test,DC=local") -or
        ($s.DistinguishedName -like "*OU=FM Users,DC=Test,DC=local")) {
        # User sits in one of the two OUs: leave membership alone
        Write-Host "He is OK"
    }
    else {
        # User is outside both OUs: make sure it is not in the group
        $s.DistinguishedName
        Remove-ADGroupMember -Identity Example1 -Members $s -Confirm:$false
    }
}
```

 

If this works, please mark the question as the best response.

Thanks

 

best response confirmed by Skipster311-1 (Iron Contributor)
Solution

@Skipster311-1 I would do it like this. It looks complex, but you need to take into account that you want to identify users to be removed as well. So we first gather all group members and expect them all to be removed. Then we check both OUs and if a user in those OUs is present in the group, set their action to do nothing, and if a user is not present yet, it's obviously a new user so should be added. This then leaves all the rest set to be removed. At the end we then do the actual action.

 

This was quick and dirty, not optimized, and may contain mistakes ;) It could be optimized to do the OU checks in a function etc to avoid code duplication.

 

```powershell
# Start from the current membership and assume everyone should be removed.
$GroupMembers = @{}
ForEach ($User in Get-ADGroupMember -Identity Example1) {
    $GroupMembers.Add($User.DistinguishedName, @{"DN"=$User.DistinguishedName;"Action"="Remove"})
}

# Same check for both OUs (Get-ADUser -SearchBase searches the subtree, so child OUs are included).
ForEach ($OU in "OU=Consultants,DC=Test,DC=local", "OU=FM Users,DC=Test,DC=local") {
    ForEach ($User in Get-ADUser -SearchBase $OU -Filter *) {
        if (!$GroupMembers[$User.DistinguishedName]) {
            # User found in OU, but not in group yet --> Add user
            $GroupMembers.Add($User.DistinguishedName, @{"DN"=$User.DistinguishedName;"Action"="Add"})
        } else {
            # User found in OU, and also present in group --> Do Nothing
            $GroupMembers[$User.DistinguishedName].Action = "Nothing"
        }
    }
}

# Apply the planned actions.
ForEach ($User in $GroupMembers.Values) {
    if ($User.Action -eq "Add") {
        Write-Host "Adding $($User.DN) to group"
        Add-ADGroupMember -Identity Example1 -Members $User.DN
    }
    if ($User.Action -eq "Remove") {
        Write-Host "Removing $($User.DN) from group"
        Remove-ADGroupMember -Identity Example1 -Members $User.DN -Confirm:$false
    }
}
```
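The same reconcile idea (gather current members, gather who should be a member, then add/keep/remove), written as an added example rather than code from this thread. The group name `Example1` and the OU DNs are placeholders standing in for the poster's `Corp\Consultants\*` and `Corp\FM Users\Cognizant\*` paths; the function names `Get-MembershipPlan` and `Sync-OuBasedGroup` are mine. The set comparison is separated from the AD calls so it can be exercised offline with constructed DNs, the live part supports `-WhatIf` for a dry run, and it refuses to continue when a mistyped `-SearchBase` would strip most of the group.

```powershell
# Added example, not code from the thread. Group name and OU DNs are placeholders.

function Get-MembershipPlan {
    # Pure set comparison (no AD calls): current vs. desired DNs -> Add / Keep / Remove.
    # DNs are compared case-insensitively, as AD itself treats them.
    param(
        [string[]]$CurrentMembers,
        [string[]]$DesiredMembers
    )
    $cmp     = [System.StringComparer]::OrdinalIgnoreCase
    $current = [System.Collections.Generic.HashSet[string]]::new($cmp)
    $desired = [System.Collections.Generic.HashSet[string]]::new($cmp)
    foreach ($dn in $CurrentMembers) { [void]$current.Add($dn) }
    foreach ($dn in $DesiredMembers) { [void]$desired.Add($dn) }

    $plan = [System.Collections.Generic.List[object]]::new()
    foreach ($dn in $desired) {
        $action = if ($current.Contains($dn)) { 'Keep' } else { 'Add' }
        $plan.Add([pscustomobject]@{ DN = $dn; Action = $action })
    }
    foreach ($dn in $current) {
        if (-not $desired.Contains($dn)) {
            $plan.Add([pscustomobject]@{ DN = $dn; Action = 'Remove' })
        }
    }
    return $plan
}

function Sync-OuBasedGroup {
    # Live reconcile against AD. Run with -WhatIf first to see the plan without changing anything.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][string[]]$SourceOu,   # OU DNs; subtree search includes child OUs
        [double]$MaxRemoveFraction = 0.25            # abort if more than this share would be removed
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    # Desired set: every user object at or below any of the source OUs.
    $desired = foreach ($ou in $SourceOu) {
        Get-ADUser -SearchBase $ou -SearchScope Subtree -Filter * |
            Select-Object -ExpandProperty DistinguishedName
    }
    # Current set: direct user members only; nested groups and computers are left untouched.
    $current = Get-ADGroupMember -Identity $GroupName |
        Where-Object objectClass -eq 'user' |
        Select-Object -ExpandProperty DistinguishedName

    $plan     = Get-MembershipPlan -CurrentMembers @($current) -DesiredMembers @($desired)
    $removals = @($plan | Where-Object Action -eq 'Remove')
    $total    = @($current).Count
    # Guard: a wrong OU DN yields an empty desired set, which would empty the group.
    if ($total -gt 0 -and ($removals.Count / $total) -gt $MaxRemoveFraction) {
        throw "Refusing to remove $($removals.Count) of $total members of $GroupName; check the OU DNs."
    }

    foreach ($entry in $plan) {
        switch ($entry.Action) {
            'Add' {
                if ($PSCmdlet.ShouldProcess($entry.DN, "Add to $GroupName")) {
                    Add-ADGroupMember -Identity $GroupName -Members $entry.DN
                }
            }
            'Remove' {
                if ($PSCmdlet.ShouldProcess($entry.DN, "Remove from $GroupName")) {
                    Remove-ADGroupMember -Identity $GroupName -Members $entry.DN -Confirm:$false
                }
            }
        }
    }
    return $plan   # keep this output as the change record for the run
}

# Offline demonstration with constructed DNs (no domain needed):
$demoCurrent = @(
    'CN=Alice,OU=Consultants,OU=Corp,DC=Test,DC=local',
    'CN=Carol,OU=Staff,OU=Corp,DC=Test,DC=local'                 # moved out of scope -> Remove
)
$demoDesired = @(
    'CN=Alice,OU=Consultants,OU=Corp,DC=Test,DC=local',          # already a member -> Keep
    'CN=Bob,OU=Cognizant,OU=FM Users,OU=Corp,DC=Test,DC=local'   # new in scope -> Add
)
Get-MembershipPlan -CurrentMembers $demoCurrent -DesiredMembers $demoDesired | Format-Table

# Live run (dry run first, then without -WhatIf):
# Sync-OuBasedGroup -GroupName 'Example1' -WhatIf `
#     -SourceOu 'OU=Consultants,OU=Corp,DC=Test,DC=local', 'OU=Cognizant,OU=FM Users,OU=Corp,DC=Test,DC=local'
```

Because `Get-ADUser -SearchBase` searches the subtree by default, scoping to `OU=Cognizant,OU=FM Users,...` picks up users in child OUs without any DN string matching. Keeping the `Keep` entries in the plan (instead of re-adding existing members every run) gives a complete before/after record, which is worth writing to a log or CSV when the group grants access to anything sensitive; the removal guard exists because a typo in an OU DN otherwise turns into a silent mass removal.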

 

your script was absolutely fantastic! Thank you again
I want to thank you for responding to my post. A lot of people don't take the time to do that. I was able to get what I needed from @pvanberlo's suggestion. Thank you again for your help
You're very welcome! Just drop me a note if there's anything else I can help with :)
Thank you