Solved

Update AD users depending on group membership

Posted on 2013-01-17
Last Modified: 2013-01-17
I have this setup:

Some hundred users
All users are members of a group that reflects the department in which they reside.
The group names are also the short version of the department name
The groups' 'Description' is the long name of the department

I would like to update all users that are in these groups, so that extensionAttribute15 is updated with the description of the group they are a member of.

The department field already has the short version and we need to put the long version in extensionAttribute15.

If I do like this:
$Groups = Get-ADGroup -Filter * -SearchBase 'OU=Employees,OU=Organization,DC=domain,DC=local' -properties name, description | where {$_.Description.Length -gt 1 -and $_.Name.Length -lt 5}

I get the groups needed. But that's as far as I can get.

So my question is, how do I accomplish the task above?

Regards
Kasper
Question by:Kasper Katzmann
9 Comments
 
LVL 5

Expert Comment

by:coraxal
ID: 38786631
Don't have a machine to test, but here's a thought:

1. Get all the groups that have a value in the Description attribute in a collection
2. Iterate through the group collection, and get the members of each group that are of type User
3. Iterate through the group members, and set the user's extensionAttribute15 attribute equal to the group's description attribute

note: script not tested...
$Groups = Get-ADGroup -filter { description -like "*" } `
					  -SearchBase 'OU=Employees,OU=Organization,DC=domain,DC=local' `
					  -properties name, description `
					  -ResultSetSize $null
					  
$Groups | % {

	$GroupDescription = $_.Description

	$GroupMembers = Get-QADGroupMember $_.DistinguishedName | ? {$_.type -eq "user"}
	
	$GroupMembers | % {
	
		[void](Set-ADUser $_.distinguishedName -Add @{extensionAttribute15=$GroupDescription})
	
	}

}

 

Author Comment

by:Kasper Katzmann
ID: 38786697
It looks good, but it gives me this error:

Set-ADUser : Cannot validate argument on parameter 'Identity'. The argument is null. Supply a non-null argument and try
 the command again.
At D:\scripts\powershell\scripts\Opdatering af AD\updateExtensionAttribute15AccordingToGroupMembership.ps1:12 char:20
+         [void](Set-ADUser <<<<  $_.distinguishedName -Add @{extensionAttribute15=$GroupDescription})
    + CategoryInfo          : InvalidData: (:) [Set-ADUser], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.ActiveDirectory.Management.Commands.SetADUser
 
LVL 40

Expert Comment

by:Subsun
ID: 38787185
If this command gives you all the groups which you required to modify members then..
$Groups = Get-ADGroup -Filter * -SearchBase 'OU=Employees,OU=Organization,DC=domain,DC=local' -properties name, description | where {$_.Description.Length -gt 1 -and $_.Name.Length -lt 5}


Try this script..
$Groups = Get-ADGroup -Filter * -SearchBase 'OU=Employees,OU=Organization,DC=domain,DC=local' -properties name, description | where {$_.Description.Length -gt 1 -and $_.Name.Length -lt 5}
ForEach ($Group in $Groups){
Get-ADGroupMember $Group.Name | ? {$_.objectClass -eq "User"} | Set-ADUser -add @{"extensionattribute15" = $group.Description}
}

 

Author Comment

by:Kasper Katzmann
ID: 38787289
Just became aware of the fact that, for some users, extensionAttribute15 is already set. So if I'm not much wrong this would be the solution (I've added -remove to the end of the script)?
$Groups = Get-ADGroup -Filter * -SearchBase 'OU=Employees,OU=Organization,DC=domain,DC=local' -properties name, description, extensionAttribute15 | where {$_.Description.Length -gt 1 -and $_.Name.Length -lt 5}

ForEach ($Group in $Groups){
Get-ADGroupMember $Group.Name | ? {$_.objectClass -eq "User"} | Set-ADUser -add @{"extensionattribute15" = $group.Description} -Remove @{extensionAttribute15=$Group.extensionAttribute15}
}

LVL 40

Expert Comment

by:Subsun
ID: 38787320
Do you want to exclude the users who already have an extensionAttribute15 value?
 

Author Comment

by:Kasper Katzmann
ID: 38787332
No, they must also be updated
 
LVL 40

Accepted Solution

by:
Subsun earned 500 total points
ID: 38787401
Then change -add to -replace
$Groups = Get-ADGroup -Filter * -SearchBase 'OU=Employees,OU=Organization,DC=domain,DC=local' -properties name, description | where {$_.Description.Length -gt 1 -and $_.Name.Length -lt 5}
ForEach ($Group in $Groups){
Get-ADGroupMember $Group.Name | ? {$_.objectClass -eq "User"} | Set-ADUser -replace @{"extensionattribute15" = $group.Description}
}
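
A more cautious variant of the accepted solution, as an added example that is not part of the original thread: it defaults to a dry run, skips users who are in more than one matching group instead of letting the last group win, and records each user's previous value and the action taken. `$LogPath` and `$Apply` are names assumed for illustration; PowerShell 3.0 or later and the ActiveDirectory module are assumed.

```powershell
# Added example, not from the thread. Assumes PowerShell 3.0+ and the ActiveDirectory module.
Import-Module ActiveDirectory

$SearchBase = 'OU=Employees,OU=Organization,DC=domain,DC=local'  # from the question
$LogPath    = '.\extensionAttribute15-changes.csv'               # assumed path
$Apply      = $false   # $false = dry run (-WhatIf); set to $true to write to AD

$Groups = Get-ADGroup -Filter * -SearchBase $SearchBase -Properties Description |
    Where-Object { $_.Description.Length -gt 1 -and $_.Name.Length -lt 5 }

# Build a plan first: user DN -> every matching department group the user is in.
# Groups are addressed by DistinguishedName, which is unambiguous (Name is not).
$Plan = @{}
foreach ($Group in $Groups) {
    Get-ADGroupMember -Identity $Group.DistinguishedName |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $Dn = $_.DistinguishedName
            if (-not $Plan.ContainsKey($Dn)) { $Plan[$Dn] = @() }
            $Plan[$Dn] += $Group
        }
}

$Log = foreach ($Dn in $Plan.Keys) {
    $User   = Get-ADUser -Identity $Dn -Properties extensionAttribute15
    $Depts  = @($Plan[$Dn])
    $Action = 'Unchanged'
    if ($Depts.Count -gt 1) {
        # Ambiguous membership: a plain loop would keep whichever group ran last.
        $Action = 'Skipped-MultipleGroups'
    }
    elseif ($User.extensionAttribute15 -cne $Depts[0].Description) {
        Set-ADUser -Identity $Dn -Replace @{ extensionAttribute15 = $Depts[0].Description } -WhatIf:(-not $Apply)
        $Action = if ($Apply) { 'Updated' } else { 'WouldUpdate' }
    }
    [pscustomobject]@{
        User     = $User.SamAccountName
        OldValue = $User.extensionAttribute15
        Groups   = ($Depts | ForEach-Object { $_.Name }) -join ';'
        Action   = $Action
    }
}

$Log | Export-Csv -Path $LogPath -NoTypeInformation -Encoding UTF8
$Log | Group-Object Action | Select-Object Name, Count
```

The CSV doubles as a rollback record, since `OldValue` holds what each account had before the run.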

 

Author Comment

by:Kasper Katzmann
ID: 38787425
It works! Thank you :-)
Beers on me :-)
 
LVL 40

Expert Comment

by:Subsun
ID: 38787438
You are welcome!!