Solved

Optimize PowerShell (Quest AD) script to populate AD group

Posted on 2011-09-14
Last Modified: 2012-05-12
Hello,

I have a script that I'd like to use to keep distribution groups in Active Directory current. I search for a keyword in the title AD attribute and then I add the member to the group. My script works, but it seems that it's taking a little while to complete. I've used the [void] types in an attempt to speed up the script, but it's still slow, especially when adding 1000+ users to the group. Another area where my script might be slow is the fact that I "rebuild" the group every time... in other words, I clear it first and then add the members all over again.

I'm looking to see if someone out there can provide me with tips on how to speed up this script. Thanks.

# Params
$filter = "(title=*keyword*)"
$scope = 'dc=domain,dc=local'
$Group = Get-QADGroup -Identity "My-Group"

# Clear group
[void](Set-QADGroup -Identity $Group.DN -Member $NULL)

# Get all enabled Active Directory accounts
$Searcher = Get-QADUser -Enabled -SearchRoot $scope -IncludedProperties title -LdapFilter $filter  -SizeLimit 0

# Add each account to the specified group
$Searcher | ForEach-Object {
	[void](Add-QADGroupMember -Identity $Group.DN -Member $_.DN )
	}

Question by:bndit

Accepted Solution

by: Dale Harris earned 250 total points
ID: 36539680
I noticed you're not piping anything. This should speed things up a little. Since the actual VOID of the group is pretty much instant, we won't save much time there.

$filter = "(title=*keyword*)"
$scope = 'dc=domain,dc=local'
$Group = Get-QADGroup -Identity "My-Group"

# Clear group
[void](Set-QADGroup -Identity $Group.DN -Member $NULL)

# Get all enabled Active Directory accounts and add them to the group
Get-QADUser -Enabled -SearchRoot $scope -IncludedProperties title -LdapFilter $filter  -SizeLimit 0 | %{Add-QADGroupMember -Identity $Group.DN -Member $_.DN}

It would help if you were able to reduce the number of users that come up via a smaller OU starting point. The LDAPFilter still has to be applied to every single user found. If you had only 300 users to search through instead of 5000, that would save time. Try to see if you can get as granular as possible without having to go through AD. You have it pretty much figured out though.

HTH,
Dale Harris
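
An added example, not part of the original thread: the question's other suspected slow spot, clearing and rebuilding the group on every run, can be avoided by comparing current and desired membership and writing only the difference, which also means the group is never left empty mid-run. It assumes the Quest ActiveRoles snap-in is installed; `Get-MembershipDelta` is a hypothetical helper name and the empty-result guard is an added safety check.

```powershell
# Added example: delta sync instead of clear-and-rebuild (not the thread's code).
# Assumes the Quest ActiveRoles Management Shell snap-in is installed.
Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue

# Same placeholder values as the original script
$filter = "(title=*keyword*)"
$scope  = 'dc=domain,dc=local'
$Group  = Get-QADGroup -Identity "My-Group"

# Hypothetical helper: set difference on DNs, no AD calls.
function Get-MembershipDelta {
    param([string[]]$Current, [string[]]$Desired)
    $cur = @{}; $des = @{}   # @{} keys compare case-insensitively, as DNs do
    foreach ($dn in $Current) { if ($dn) { $cur[$dn] = $true } }
    foreach ($dn in $Desired) { if ($dn) { $des[$dn] = $true } }
    New-Object PSObject -Property @{
        ToAdd    = @($des.Keys | Where-Object { -not $cur.ContainsKey($_) })
        ToRemove = @($cur.Keys | Where-Object { -not $des.ContainsKey($_) })
    }
}

# Desired membership: enabled users whose title matches the filter
$desired = @(Get-QADUser -Enabled -SearchRoot $scope -LdapFilter $filter -SizeLimit 0 |
             ForEach-Object { $_.DN })
# Current direct membership of the group
$current = @(Get-QADGroupMember -Identity $Group.DN -SizeLimit 0 |
             ForEach-Object { $_.DN })

# Added guard: a failed or empty search must not silently empty the group
if ($desired.Count -eq 0) { throw "Search returned no users; group left unchanged." }

$delta = Get-MembershipDelta -Current $current -Desired $desired

# Write only the changes; -Member accepts an array, so each is a single call
if ($delta.ToAdd.Count)    { [void](Add-QADGroupMember    -Identity $Group.DN -Member $delta.ToAdd) }
if ($delta.ToRemove.Count) { [void](Remove-QADGroupMember -Identity $Group.DN -Member $delta.ToRemove) }

"{0} added, {1} removed" -f $delta.ToAdd.Count, $delta.ToRemove.Count
```

On a run where nothing has changed, this makes two reads and no writes, and the added/removed counts give a per-run record of membership changes.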

Author Comment

by:bndit
ID: 36539815
Thanks Dale... unfortunately, I have to crawl the entire AD domain because OUs are not in place at the time, but I totally agree with you. Once the OU structure is in place I'll tweak the script to target smaller user sets. I made the change and it seems to be working OK... not sure how much "faster" it is but I'll go with your suggestion.

Thanks again.

Author Closing Comment

by:bndit
ID: 37149378
Thank you.