Solved

Update AD users depending on group membership

Posted on 2013-01-17
Last Modified: 2013-01-17
I have this setup:

Some hundred users
All users are members of a group that reflects the department in which they reside.
The group names are also the short version of the department name
The groups' 'Description' is the long name of the department

I would like to update all users that are in these groups, so that extensionAttribute15 is updated with the description of the group they are a member of.

The department field already has the short version and we need to put the long version in extensionAttribute15.

If I do like this:
$Groups = Get-ADGroup -Filter * -SearchBase 'OU=Employees,OU=Organization,DC=domain,DC=local' -properties name, description | where {$_.Description.Length -gt 1 -and $_.Name.Length -lt 5}

I get the groups needed. But that's as far as I can get.

So my question is, how do I accomplish the task above?

Regards
Kasper
Question by:Kasper Katzmann
9 Comments
 
LVL 5

Expert Comment

by:coraxal
ID: 38786631
Don't have a machine to test, but here's a thought:

1. Get all the groups that have a value in the Description attribute in a collection
2. Iterate through the group collection, and get the members of each group that are of type User
3. Iterate through the group members, and set the user's extensionAttribute15 attribute equal to the group's description attribute

note: script not tested...
$Groups = Get-ADGroup -filter { description -like "*" } `
					  -SearchBase 'OU=Employees,OU=Organization,DC=domain,DC=local' `
					  -properties name, description `
					  -ResultSetSize $null
					  
$Groups | % {

	$GroupDescription = $_.Description

	$GroupMembers = Get-QADGroupMember $_.DistinguishedName | ? {$_.type -eq "user"}
	
	$GroupMembers | % {
	
		[void](Set-ADUser $_.distinguishedName -Add @{extensionAttribute15=$GroupDescription})
	
	}

}

0
 

Author Comment

by:Kasper Katzmann
ID: 38786697
It looks good, but it gives me this error:

Set-ADUser : Cannot validate argument on parameter 'Identity'. The argument is null. Supply a non-null argument and try
 the command again.
At D:\scripts\powershell\scripts\Opdatering af AD\updateExtensionAttribute15AccordingToGroupMembership.ps1:12 char:20
+         [void](Set-ADUser <<<<  $_.distinguishedName -Add @{extensionAttribute15=$GroupDescription})
    + CategoryInfo          : InvalidData: (:) [Set-ADUser], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.ActiveDirectory.Management.Commands.SetADUser
0
 
LVL 40

Expert Comment

by:Subsun
ID: 38787185
If this command gives you all the groups whose members you need to modify, then..
$Groups = Get-ADGroup -Filter * -SearchBase 'OU=Employees,OU=Organization,DC=domain,DC=local' -properties name, description | where {$_.Description.Length -gt 1 -and $_.Name.Length -lt 5}

Try this script..
$Groups = Get-ADGroup -Filter * -SearchBase 'OU=Employees,OU=Organization,DC=domain,DC=local' -properties name, description | where {$_.Description.Length -gt 1 -and $_.Name.Length -lt 5}
ForEach ($Group in $Groups){
Get-ADGroupMember $Group.Name | ? {$_.objectClass -eq "User"} | Set-ADUser -add @{"extensionattribute15" = $group.Description}
}

0
 

Author Comment

by:Kasper Katzmann
ID: 38787289
Just became aware of the fact that, for some users, extensionAttribute15 is already set. So if I'm not much wrong this would be the solution (I've added -remove to the end of the script)?
$Groups = Get-ADGroup -Filter * -SearchBase 'OU=Employees,OU=Organization,DC=domain,DC=local' -properties name, description, extensionAttribute15 | where {$_.Description.Length -gt 1 -and $_.Name.Length -lt 5}

ForEach ($Group in $Groups){
Get-ADGroupMember $Group.Name | ? {$_.objectClass -eq "User"} | Set-ADUser -add @{"extensionattribute15" = $group.Description} -Remove @{extensionAttribute15=$Group.extensionAttribute15}
}

0
 
LVL 40

Expert Comment

by:Subsun
ID: 38787320
Do you want to exclude the users who already have an extensionAttribute15 value?
0
 

Author Comment

by:Kasper Katzmann
ID: 38787332
No, they must also be updated
0
 
LVL 40

Accepted Solution

by:
Subsun earned 2000 total points
ID: 38787401
Then change -add to -replace
$Groups = Get-ADGroup -Filter * -SearchBase 'OU=Employees,OU=Organization,DC=domain,DC=local' -properties name, description | where {$_.Description.Length -gt 1 -and $_.Name.Length -lt 5}
ForEach ($Group in $Groups){
Get-ADGroupMember $Group.Name | ? {$_.objectClass -eq "User"} | Set-ADUser -replace @{"extensionattribute15" = $group.Description}
}

0
 

Author Comment

by:Kasper Katzmann
ID: 38787425
It works! Thank you :-)
Beers on me :-)
0
 
LVL 40

Expert Comment

by:Subsun
ID: 38787438
You are welcome!!
0
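
A more defensive variant of the accepted approach, as an added example that is not part of the original thread: it detects users who sit in more than one matching department group, skips users whose value is already correct, supports a dry run, and records old and new values so the bulk change can be audited or rolled back. It assumes PowerShell 3.0 or later with the ActiveDirectory module; `$AuditCsv` and `$DryRun` are hypothetical names introduced here.

```powershell
# Added example, not from the thread. Uses the OU path and group filter from the
# question; the CSV path and the $DryRun switch are hypothetical.
Import-Module ActiveDirectory

$SearchBase = 'OU=Employees,OU=Organization,DC=domain,DC=local'
$AuditCsv   = '.\extensionAttribute15-changes.csv'   # hypothetical output path
$DryRun     = $true                                    # set to $false to write changes

# Same group selection as in the thread: short name, non-empty description.
$Groups = Get-ADGroup -Filter * -SearchBase $SearchBase -Properties Description |
    Where-Object { $_.Description.Length -gt 1 -and $_.Name.Length -lt 5 }

# Pass 1: map each user DN to every candidate description, so a user in two
# department groups is detected instead of silently receiving the last value.
# The DistinguishedName is used as an unambiguous identity for each lookup.
$Wanted = @{}
foreach ($Group in $Groups) {
    Get-ADGroupMember -Identity $Group.DistinguishedName |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            if (-not $Wanted.ContainsKey($_.DistinguishedName)) {
                $Wanted[$_.DistinguishedName] = @()
            }
            $Wanted[$_.DistinguishedName] += $Group.Description
        }
}

# Pass 2: write only where the value differs, and keep old/new values.
$Audit = foreach ($Dn in $Wanted.Keys) {
    $Values = @($Wanted[$Dn] | Select-Object -Unique)
    $User   = Get-ADUser -Identity $Dn -Properties extensionAttribute15
    $Old    = $User.extensionAttribute15

    if ($Values.Count -gt 1) {
        $Action = 'SkippedConflict'        # needs a human decision
    } elseif ($Old -ceq $Values[0]) {
        $Action = 'Unchanged'              # avoid a needless directory write
    } else {
        Set-ADUser -Identity $Dn -Replace @{ extensionAttribute15 = $Values[0] } -WhatIf:$DryRun
        $Action = if ($DryRun) { 'WouldUpdate' } else { 'Updated' }
    }
    [pscustomobject]@{
        User = $User.SamAccountName; OldValue = $Old
        NewValue = ($Values -join ' | '); Action = $Action
    }
}
$Audit | Export-Csv -Path $AuditCsv -NoTypeInformation -Encoding UTF8
```

Review the CSV from a dry run, in particular the `SkippedConflict` rows, before setting `$DryRun` to `$false`.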

Question has a verified solution.