Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Update AD users depending on group membership

Posted on 2013-01-17
9
Medium Priority
?
706 Views
Last Modified: 2013-01-17
I have this setup:

Some hundred users
All users are member of  a group that reflects the department in which they recide.
The groups names are also the short version of the department name
The groups 'Description' are the long name of the department

I would like to update all users that are in these groups, so that extensionAttribute15 are updated with the description of the group they are member of.

The department field allready have the short version and we need to put the long version in extensionAttribute15.

If I do like this:
$Groups = Get-ADGroup -Filter * -SearchBase 'OU=Employees,OU=Organization,DC=domain,DC=local' -properties name, description | where {$_.Description.Length -gt 1 -and $_.Name.Length -lt 5}

Open in new window

i get the groups needed. But that's as far as I can get.

So my question is, how do I accomplish the task above?

Regards
Kasper
0
Comment
Question by:Kasper Katzmann
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 4
9 Comments
 
LVL 5

Expert Comment

by:coraxal
ID: 38786631
Don't have a machine to test, but here's a thought:

1. Get all the groups that have a value in the Description attribute in a collection
2. Iterate through group collection, and get members for each group that type User
3. Iterate through the group members, and set the user's extensionAttribute15 attribute equal to the group's description attribute

note: script not tested...
$Groups = Get-ADGroup -filter { description -like "*" } `
					  -SearchBase 'OU=Employees,OU=Organization,DC=domain,DC=local' `
					  -properties name, description `
					  -ResultSetSize $null
					  
$Groups | % {

	$GroupDescription = $_.Description

	$GroupMembers = Get-QADGroupMember $_.DistinguishedName | ? {$_.type -eq "user"}
	
	$GroupMembers | % {
	
		[void](Set-ADUser $_.distinguishedName -Add @{extensionAttribute15=$GroupDescription})
	
	}

}

Open in new window

0
 

Author Comment

by:Kasper Katzmann
ID: 38786697
I looks good, but it gives me this error:

Set-ADUser : Cannot validate argument on parameter 'Identity'. The argument is null. Supply a non-null argument and try
 the command again.
At D:\scripts\powershell\scripts\Opdatering af AD\updateExtensionAttribute15AccordingToGroupMembership.ps1:12 char:20
+         [void](Set-ADUser <<<<  $_.distinguishedName -Add @{extensionAttribute15=$GroupDescription})
    + CategoryInfo          : InvalidData: (:) [Set-ADUser], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.ActiveDirectory.Management.Commands.SetADUser
0
 
LVL 40

Expert Comment

by:Subsun
ID: 38787185
If this command gives you all the groups which you required to modify members then..
$Groups = Get-ADGroup -Filter * -SearchBase 'OU=Employees,OU=Organization,DC=domain,DC=local' -properties name, description | where {$_.Description.Length -gt 1 -and $_.Name.Length -lt 5}

Open in new window

Try this script..
$Groups = Get-ADGroup -Filter * -SearchBase 'OU=Employees,OU=Organization,DC=domain,DC=local' -properties name, description | where {$_.Description.Length -gt 1 -and $_.Name.Length -lt 5}
ForEach ($Group in $Groups){
Get-ADGroupMember $Group.Name | ? {$_.objectClass -eq "User"} | Set-ADUser -add @{"extensionattribute15" = $group.Description}
}

Open in new window

0
NFR key for Veeam Agent for Linux

Veeam is happy to provide a free NFR license for one year.  It allows for the non‑production use and valid for five workstations and two servers. Veeam Agent for Linux is a simple backup tool for your Linux installations, both on‑premises and in the public cloud.

 

Author Comment

by:Kasper Katzmann
ID: 38787289
Just came aware of the fact that, for some users, extensionAttribute15 are allready set. So if I'm not much wrong this would be the solution (I've added -remove to the end of the script?
$Groups = Get-ADGroup -Filter * -SearchBase 'OU=Employees,OU=Organization,DC=domain,DC=local' -properties name, description, extensionAttribute15 | where {$_.Description.Length -gt 1 -and $_.Name.Length -lt 5}

ForEach ($Group in $Groups){
Get-ADGroupMember $Group.Name | ? {$_.objectClass -eq "User"} | Set-ADUser -add @{"extensionattribute15" = $group.Description} -Remove @{extensionAttribute15=$Group.extensionAttribute15}
}

Open in new window

0
 
LVL 40

Expert Comment

by:Subsun
ID: 38787320
Do you want to exclude the users who already has extensionAttribute15 value?
0
 

Author Comment

by:Kasper Katzmann
ID: 38787332
No, they must also be updated
0
 
LVL 40

Accepted Solution

by:
Subsun earned 2000 total points
ID: 38787401
Then change -add to -replace
$Groups = Get-ADGroup -Filter * -SearchBase 'OU=Employees,OU=Organization,DC=domain,DC=local' -properties name, description | where {$_.Description.Length -gt 1 -and $_.Name.Length -lt 5}
ForEach ($Group in $Groups){
Get-ADGroupMember $Group.Name | ? {$_.objectClass -eq "User"} | Set-ADUser -replace @{"extensionattribute15" = $group.Description}
}

Open in new window

0
 

Author Comment

by:Kasper Katzmann
ID: 38787425
I works! Thank you :-)
Beers on me :-)
0
 
LVL 40

Expert Comment

by:Subsun
ID: 38787438
You are welcome!!
0

Featured Post

Get free NFR key for Veeam Availability Suite 9.5

Veeam is happy to provide a free NFR license (1 year, 2 sockets) to all certified IT Pros. The license allows for the non-production use of Veeam Availability Suite v9.5 in your home lab, without any feature limitations. It works for both VMware and Hyper-V environments

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In the absence of a fully-fledged GPO Management product like AGPM, the script in this article will provide you with a simple way to watch the domain (or a select OU) for GPOs changes and automatically take backups when policies are added, removed o…
Active Directory can easily get cluttered with unused service, user and computer accounts. In this article, I will show you the way I like to implement ADCleanup..
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
Suggested Courses

604 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question