?
Solved

Update AD users depending on group membership

Posted on 2013-01-17
9
Medium Priority
?
708 Views
Last Modified: 2013-01-17
I have this setup:

Some hundred users
All users are member of  a group that reflects the department in which they recide.
The groups names are also the short version of the department name
The groups 'Description' are the long name of the department

I would like to update all users that are in these groups, so that extensionAttribute15 are updated with the description of the group they are member of.

The department field allready have the short version and we need to put the long version in extensionAttribute15.

If I do like this:
$Groups = Get-ADGroup -Filter * -SearchBase 'OU=Employees,OU=Organization,DC=domain,DC=local' -properties name, description | where {$_.Description.Length -gt 1 -and $_.Name.Length -lt 5}

Open in new window

i get the groups needed. But that's as far as I can get.

So my question is, how do I accomplish the task above?

Regards
Kasper
0
Comment
Question by:Kasper Katzmann
  • 4
  • 4
9 Comments
 
LVL 5

Expert Comment

by:coraxal
ID: 38786631
Don't have a machine to test, but here's a thought:

1. Get all the groups that have a value in the Description attribute in a collection
2. Iterate through group collection, and get members for each group that type User
3. Iterate through the group members, and set the user's extensionAttribute15 attribute equal to the group's description attribute

note: script not tested...
$Groups = Get-ADGroup -filter { description -like "*" } `
					  -SearchBase 'OU=Employees,OU=Organization,DC=domain,DC=local' `
					  -properties name, description `
					  -ResultSetSize $null
					  
$Groups | % {

	$GroupDescription = $_.Description

	$GroupMembers = Get-QADGroupMember $_.DistinguishedName | ? {$_.type -eq "user"}
	
	$GroupMembers | % {
	
		[void](Set-ADUser $_.distinguishedName -Add @{extensionAttribute15=$GroupDescription})
	
	}

}

Open in new window

0
 

Author Comment

by:Kasper Katzmann
ID: 38786697
I looks good, but it gives me this error:

Set-ADUser : Cannot validate argument on parameter 'Identity'. The argument is null. Supply a non-null argument and try
 the command again.
At D:\scripts\powershell\scripts\Opdatering af AD\updateExtensionAttribute15AccordingToGroupMembership.ps1:12 char:20
+         [void](Set-ADUser <<<<  $_.distinguishedName -Add @{extensionAttribute15=$GroupDescription})
    + CategoryInfo          : InvalidData: (:) [Set-ADUser], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.ActiveDirectory.Management.Commands.SetADUser
0
 
LVL 40

Expert Comment

by:Subsun
ID: 38787185
If this command gives you all the groups which you required to modify members then..
$Groups = Get-ADGroup -Filter * -SearchBase 'OU=Employees,OU=Organization,DC=domain,DC=local' -properties name, description | where {$_.Description.Length -gt 1 -and $_.Name.Length -lt 5}

Open in new window

Try this script..
$Groups = Get-ADGroup -Filter * -SearchBase 'OU=Employees,OU=Organization,DC=domain,DC=local' -properties name, description | where {$_.Description.Length -gt 1 -and $_.Name.Length -lt 5}
ForEach ($Group in $Groups){
Get-ADGroupMember $Group.Name | ? {$_.objectClass -eq "User"} | Set-ADUser -add @{"extensionattribute15" = $group.Description}
}

Open in new window

0
Veeam and MySQL: How to Perform Backup & Recovery

MySQL and the MariaDB variant are among the most used databases in Linux environments, and many critical applications support their data on them. Watch this recorded webinar to find out how Veeam Backup & Replication allows you to get consistent backups of MySQL databases.

 

Author Comment

by:Kasper Katzmann
ID: 38787289
Just came aware of the fact that, for some users, extensionAttribute15 are allready set. So if I'm not much wrong this would be the solution (I've added -remove to the end of the script?
$Groups = Get-ADGroup -Filter * -SearchBase 'OU=Employees,OU=Organization,DC=domain,DC=local' -properties name, description, extensionAttribute15 | where {$_.Description.Length -gt 1 -and $_.Name.Length -lt 5}

ForEach ($Group in $Groups){
Get-ADGroupMember $Group.Name | ? {$_.objectClass -eq "User"} | Set-ADUser -add @{"extensionattribute15" = $group.Description} -Remove @{extensionAttribute15=$Group.extensionAttribute15}
}

Open in new window

0
 
LVL 40

Expert Comment

by:Subsun
ID: 38787320
Do you want to exclude the users who already has extensionAttribute15 value?
0
 

Author Comment

by:Kasper Katzmann
ID: 38787332
No, they must also be updated
0
 
LVL 40

Accepted Solution

by:
Subsun earned 2000 total points
ID: 38787401
Then change -add to -replace
$Groups = Get-ADGroup -Filter * -SearchBase 'OU=Employees,OU=Organization,DC=domain,DC=local' -properties name, description | where {$_.Description.Length -gt 1 -and $_.Name.Length -lt 5}
ForEach ($Group in $Groups){
Get-ADGroupMember $Group.Name | ? {$_.objectClass -eq "User"} | Set-ADUser -replace @{"extensionattribute15" = $group.Description}
}

Open in new window

0
 

Author Comment

by:Kasper Katzmann
ID: 38787425
I works! Thank you :-)
Beers on me :-)
0
 
LVL 40

Expert Comment

by:Subsun
ID: 38787438
You are welcome!!
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Wouldn't it be nice if objects in Active Directory automatically moved into the correct Organizational Units? This is what AutoAD aims to do and as a plus, it automatically creates Sites, Subnets, and Organizational Units.
I’m willing to make a bet that your organization stores sensitive data in your Windows File Servers; files and folders that you really don’t want making it into the wrong hands.
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Screencast - Getting to Know the Pipeline

578 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question