Solved

Update AD users depending on group membership

Posted on 2013-01-17
9
699 Views
Last Modified: 2013-01-17
I have this setup:

Some hundred users
All users are member of  a group that reflects the department in which they recide.
The groups names are also the short version of the department name
The groups 'Description' are the long name of the department

I would like to update all users that are in these groups, so that extensionAttribute15 are updated with the description of the group they are member of.

The department field allready have the short version and we need to put the long version in extensionAttribute15.

If I do like this:
$Groups = Get-ADGroup -Filter * -SearchBase 'OU=Employees,OU=Organization,DC=domain,DC=local' -properties name, description | where {$_.Description.Length -gt 1 -and $_.Name.Length -lt 5}

Open in new window

i get the groups needed. But that's as far as I can get.

So my question is, how do I accomplish the task above?

Regards
Kasper
0
Comment
Question by:Kasper Katzmann
  • 4
  • 4
9 Comments
 
LVL 5

Expert Comment

by:coraxal
ID: 38786631
Don't have a machine to test, but here's a thought:

1. Get all the groups that have a value in the Description attribute in a collection
2. Iterate through group collection, and get members for each group that type User
3. Iterate through the group members, and set the user's extensionAttribute15 attribute equal to the group's description attribute

note: script not tested...
$Groups = Get-ADGroup -filter { description -like "*" } `
					  -SearchBase 'OU=Employees,OU=Organization,DC=domain,DC=local' `
					  -properties name, description `
					  -ResultSetSize $null
					  
$Groups | % {

	$GroupDescription = $_.Description

	$GroupMembers = Get-QADGroupMember $_.DistinguishedName | ? {$_.type -eq "user"}
	
	$GroupMembers | % {
	
		[void](Set-ADUser $_.distinguishedName -Add @{extensionAttribute15=$GroupDescription})
	
	}

}

Open in new window

0
 

Author Comment

by:Kasper Katzmann
ID: 38786697
I looks good, but it gives me this error:

Set-ADUser : Cannot validate argument on parameter 'Identity'. The argument is null. Supply a non-null argument and try
 the command again.
At D:\scripts\powershell\scripts\Opdatering af AD\updateExtensionAttribute15AccordingToGroupMembership.ps1:12 char:20
+         [void](Set-ADUser <<<<  $_.distinguishedName -Add @{extensionAttribute15=$GroupDescription})
    + CategoryInfo          : InvalidData: (:) [Set-ADUser], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.ActiveDirectory.Management.Commands.SetADUser
0
 
LVL 40

Expert Comment

by:Subsun
ID: 38787185
If this command gives you all the groups which you required to modify members then..
$Groups = Get-ADGroup -Filter * -SearchBase 'OU=Employees,OU=Organization,DC=domain,DC=local' -properties name, description | where {$_.Description.Length -gt 1 -and $_.Name.Length -lt 5}

Open in new window

Try this script..
$Groups = Get-ADGroup -Filter * -SearchBase 'OU=Employees,OU=Organization,DC=domain,DC=local' -properties name, description | where {$_.Description.Length -gt 1 -and $_.Name.Length -lt 5}
ForEach ($Group in $Groups){
Get-ADGroupMember $Group.Name | ? {$_.objectClass -eq "User"} | Set-ADUser -add @{"extensionattribute15" = $group.Description}
}

Open in new window

0
 

Author Comment

by:Kasper Katzmann
ID: 38787289
Just came aware of the fact that, for some users, extensionAttribute15 are allready set. So if I'm not much wrong this would be the solution (I've added -remove to the end of the script?
$Groups = Get-ADGroup -Filter * -SearchBase 'OU=Employees,OU=Organization,DC=domain,DC=local' -properties name, description, extensionAttribute15 | where {$_.Description.Length -gt 1 -and $_.Name.Length -lt 5}

ForEach ($Group in $Groups){
Get-ADGroupMember $Group.Name | ? {$_.objectClass -eq "User"} | Set-ADUser -add @{"extensionattribute15" = $group.Description} -Remove @{extensionAttribute15=$Group.extensionAttribute15}
}

Open in new window

0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 
LVL 40

Expert Comment

by:Subsun
ID: 38787320
Do you want to exclude the users who already has extensionAttribute15 value?
0
 

Author Comment

by:Kasper Katzmann
ID: 38787332
No, they must also be updated
0
 
LVL 40

Accepted Solution

by:
Subsun earned 500 total points
ID: 38787401
Then change -add to -replace
$Groups = Get-ADGroup -Filter * -SearchBase 'OU=Employees,OU=Organization,DC=domain,DC=local' -properties name, description | where {$_.Description.Length -gt 1 -and $_.Name.Length -lt 5}
ForEach ($Group in $Groups){
Get-ADGroupMember $Group.Name | ? {$_.objectClass -eq "User"} | Set-ADUser -replace @{"extensionattribute15" = $group.Description}
}

Open in new window

0
 

Author Comment

by:Kasper Katzmann
ID: 38787425
I works! Thank you :-)
Beers on me :-)
0
 
LVL 40

Expert Comment

by:Subsun
ID: 38787438
You are welcome!!
0

Featured Post

Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

Join & Write a Comment

I thought I'd write this up for anyone who has a request to create an anonymous whistle-blower-type submission form created using SharePoint 2010 (this would probably work the same for 2013). It's not 100% fool-proof but it's as close as you can get…
Set OWA language and time zone in Exchange for individuals, all users or per database.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now