Solved

Powershell Script to compare Group Membership

Posted on 2013-05-29
577 Views
Last Modified: 2013-06-04
I need to create a powershell script that pulls users from a csv or text file, checks to see if they are in group a or group b. If not then it checks to see if they have 1 of 3 titles in AD and if so, adds them to group a, if not it adds them to group b.

It would be nice to do it in Exchange PS, but can use Quest ActiveRoles module as well.

Any advice would be greatly appreciated.
Question by:dbright5813
10 Comments
 
LVL 40

Expert Comment

by:Subsun
ID: 39204964
If not then it checks to see if they have 1 of 3 titles in AD
I assume you are talking about the Title attribute here. If yes.. try this script..

GC User.txt | %{
    $User = Get-QADUser $_
    # Skip users already a direct member of GroupA or GroupB (CN is parsed out of each memberOf DN)
    If (!($User.memberof | ?{ (($_ -split ",")[0] -replace "CN=") -eq "GroupA" -or (($_ -split ",")[0] -replace "CN=") -eq "GroupB" })) {
        # The Title attribute decides the target group
        If ("TitleA","TitleB","TitleC" -contains $User.Title) {
            Add-QADGroupMember -identity "GroupA" -member $User
        }
        Else {
            Add-QADGroupMember -identity "GroupB" -member $User
        }
    }
}


Input text file format..
UserA
UserB
UserC


 
LVL 41

Expert Comment

by:footech
ID: 39205170
BTW, to use the MS cmdlets instead of Quest, everything is exactly the same as posted in Subsun's script, just substitute Get-ADUser for Get-QADUser, and Add-ADGroupMember for Add-QADGroupMember.  At the beginning of the script you'd also want to have the line Import-Module ActiveDirectory.
 
LVL 4

Author Comment

by:dbright5813
ID: 39205677
Thank you - That definitely works better than anything I've tried to cobble together so far. But one issue will be that there are certain users who will already be in Group A regardless of their title. Would there need to be a foreach user statement that checks their group membership and, if they are in either of those groups, skips the user regardless of their title attribute?

and
I had originally tried to build the list of users using the Exchange module because I only wanted users with mailboxes in a few select OUs.
So I had a csv file with Name,OU and my script as
$FACOUs = Import-Csv csvfilename | %{ $_.FACOU }
# A foreach statement cannot be piped from, so iterate with ForEach-Object instead
$FACOUs | %{ Get-Mailbox -OrganizationalUnit $_ | Select Alias } | Export-Csv output

But I imagine I could probably roll this all into one prettier script using the ActiveRoles or AD module. maybe by checking if the primarySMTPaddress is not empty.
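Building the candidate list from a few OUs without the Exchange module, as an added example that is not part of the original thread. It assumes the RSAT ActiveDirectory module is installed, that the CSV has a column named FACOU holding OU distinguished names, and it treats a populated mail attribute as "has a mailbox" (a simplification of the Get-Mailbox check). Disabled accounts are excluded by the LDAP filter so they are never fed into the group-assignment step:

```powershell
# Added example (not from the original thread): build User.txt from selected OUs
# with the ActiveDirectory module instead of Get-Mailbox.
# Assumptions: RSAT ActiveDirectory module; CSV column FACOU holds OU DNs;
# a user with a mail attribute counts as mailbox-enabled.
Import-Module ActiveDirectory

function Get-CandidateUsers {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$OuCsvPath,
        [string]$OuColumn = 'FACOU'
    )

    # Enabled user objects with a mail attribute only. The bitwise matching rule
    # excludes accounts with ACCOUNTDISABLE (0x2) set in userAccountControl.
    $ldapFilter = '(&(objectCategory=person)(objectClass=user)(mail=*)' +
                  '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

    Import-Csv -Path $OuCsvPath |
        ForEach-Object { "$($_.$OuColumn)".Trim() } |
        Where-Object { $_ } |                  # drop blank OU rows
        Select-Object -Unique |
        ForEach-Object {
            Get-ADUser -SearchBase $_ -SearchScope Subtree -LDAPFilter $ldapFilter -Properties mail, title |
                Select-Object SamAccountName, Name, mail, title, DistinguishedName
        }
}

# Usage: one sAMAccountName per line, no trailing blank line, for the group script.
Get-CandidateUsers -OuCsvPath .\ous.csv |
    Select-Object -ExpandProperty SamAccountName |
    Sort-Object -Unique |
    Set-Content -Path .\User.txt -Encoding ASCII
```

Set-Content writes the lines without a trailing empty record, which matters here because a blank line in the input file is exactly what sent the later run through the whole domain.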
 
LVL 40

Expert Comment

by:Subsun
ID: 39205701
one issue will be that there certain users who will be already be in Group A regardless of their title. Would there need to be a foreach user statement that checks their group membership and if they are in either of those groups, it skips the user regardless of their title attribute?

As per the script logic, if the user is a member of GroupA or GroupB then it will skip the user; it won't check the title of the user again...

If the title is blank and user is member of GroupA, then do you want to remove the user from GroupA and add to GroupB?
 
LVL 41

Expert Comment

by:footech
ID: 39206022
One correction to my post above.  When using the MS AD cmdlets, line 2 would be
$User = Get-ADUser $_ -properties memberof


 
LVL 4

Author Comment

by:dbright5813
ID: 39209186
If the user is in either Group A or B already, then I want it to skip that user regardless of their title (even if it is blank)

Running it in my test environment it seemed to work at first with a few select users, but as I added more to it for testing, it began acting up. Now when I run it, it runs through the list of users, and then starts running through all AD users, not just the ones in the list and it added everyone to GroupB. It could have been a blank title or something else, I will see if I can narrow it down. thanks
 
LVL 40

Expert Comment

by:Subsun
ID: 39209243
I don't see any such issues with the script.. are you using the same script which is posted? or is there any modifications?
 
LVL 41

Assisted Solution

by:footech
footech earned 750 total points
ID: 39209512
Here's a rewrite using a slightly different approach (did it mainly as an exercise).  Not as slick as Subsun's, but it works as well.  Also includes a correction to my correction above (need to specify to retrieve the Title property as well), since apparently I wasn't paying close enough attention.  I also tested Subsun's, and didn't see the behavior you described, nor can I see how it could happen given the code.  If there was a problem with the title matching, a user could be added to the wrong group, but there's no way it could add users that weren't listed in the file.
Anyway, here's the other version.  Remove the -whatif parameter for both Add-ADgroupmember commands in order for it to do anything besides spit out console output.
$groupA = "engineering"
$groupB = "sales"
$titles = "president","vice president","potato peeler"
Get-Content User.txt | ForEach-Object {
    $member = $false
    # memberof and title are not returned by default, so request them explicitly
    $User = Get-ADUser $_ -Properties memberof,title
    $User.memberof | ForEach-Object {
        # Take the first RDN of each group DN and strip the "CN=" prefix
        $group = ($_ -split ",")[0] -replace "CN="
        If ($group -eq $groupA -or $group -eq $groupB) {
            $member = $true
        }
    }
    If ($member -eq $false) {
        "$($User.name) is not a member of either group"
        If ($titles -contains $User.Title) {
            Add-ADGroupMember -Identity $groupA -Members $User -WhatIf
        }
        Else {
            Add-ADGroupMember -Identity $groupB -Members $User -WhatIf
        }
    }
    ElseIf ($member -eq $true) {
        "$($User.name) is a member of at least one of the groups"
    }
}


 
LVL 4

Author Comment

by:dbright5813
ID: 39211015
User error - I had inadvertently put an extra enter at the end of the user.txt when filling it up, so it was processing the empty variable as a get all.

Could some error catching be worked in to prevent that? I'm going to test a bit more and will dish out the points - thanks for your help
 
LVL 40

Accepted Solution

by:Subsun
Subsun earned 750 total points
ID: 39211873
You may try adding an if condition to skip the group addition if $User is null. However, ideally it should give you an error when there is a trailing space in the input file or if $User is null...

GC User.txt | ?{ $_.Trim() } | %{    # skip blank lines: an empty identity would match every user
    $User = Get-QADUser $_ -ea silentlycontinue
    # $User is null when the lookup fails, so the whole block is skipped
    If ($User -and !($User.memberof | ?{ (($_ -split ",")[0] -replace "CN=") -eq "GroupA" -or (($_ -split ",")[0] -replace "CN=") -eq "GroupB" })) {
        If ("TitleA","TitleB","TitleC" -contains $User.Title) {
            Add-QADGroupMember -identity "GroupA" -member $User
        }
        Else {
            Add-QADGroupMember -identity "GroupB" -member $User
        }
    }
}


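A hardened version of the accepted script using the Microsoft ActiveDirectory cmdlets, as an added example that is not part of the original thread. Group names and titles are placeholders; it assumes the RSAT ActiveDirectory module and rights to modify both groups. It addresses the two things that bit this thread: blank input lines are dropped before any lookup, and each name is resolved with -Identity, which takes one exact value and errors out instead of expanding to every user. Membership is compared by group distinguishedName rather than by parsing "CN=" out of memberOf, because a CN is not unique across OUs and the parse would match an unrelated object with the same name. The function supports -WhatIf so a dry run can be reviewed before anything is granted:

```powershell
# Added example (not from the original thread): hardened rewrite of the accepted
# script with the ActiveDirectory module. GroupA/GroupB/TitleA.. are placeholders.
Import-Module ActiveDirectory

function Set-TitleBasedGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$UserListPath,
        [string]$GroupA = 'GroupA',
        [string]$GroupB = 'GroupB',
        [string[]]$GroupATitles = @('TitleA', 'TitleB', 'TitleC')
    )

    # Resolve both groups once; fail fast if either name does not exist.
    $grpA = Get-ADGroup -Identity $GroupA -ErrorAction Stop
    $grpB = Get-ADGroup -Identity $GroupB -ErrorAction Stop
    $targetDns = @($grpA.DistinguishedName, $grpB.DistinguishedName)

    # Trim and drop empty lines. An empty identity handed to the lookup is what
    # turned the original run into "process every user in the domain".
    $names = Get-Content -Path $UserListPath |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -ne '' } |
        Select-Object -Unique

    foreach ($name in $names) {
        # -Identity accepts exactly one sAMAccountName/DN/GUID/SID and throws when
        # the object is missing; no wildcard expansion is possible here.
        try {
            $user = Get-ADUser -Identity $name -Properties memberOf, title -ErrorAction Stop
        }
        catch {
            Write-Warning "Skipping '$name': $($_.Exception.Message)"
            continue
        }

        # Direct membership only (memberOf does not include nested or primary groups).
        $already = @($user.memberOf | Where-Object { $targetDns -contains $_ })
        if ($already.Count -gt 0) {
            Write-Verbose "$($user.SamAccountName) already in: $($already -join '; '); skipped"
            continue
        }

        $target = if ($GroupATitles -contains $user.Title) { $grpA } else { $grpB }

        # Honours -WhatIf / -Confirm so the change list can be reviewed first.
        if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Add to $($target.Name)")) {
            Add-ADGroupMember -Identity $target -Members $user
        }
    }
}

# Dry run first; remove -WhatIf to apply the changes.
Set-TitleBasedGroup -UserListPath .\User.txt -GroupA 'GroupA' -GroupB 'GroupB' -WhatIf -Verbose
```

Two caveats worth knowing before running it for real: memberOf only lists direct memberships, so a user who reaches GroupA through a nested group is still treated as "not a member", and a blank Title lands the user in GroupB, which is the behaviour the original question asked for but is worth confirming with the -Verbose dry run.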

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In the absence of a fully-fledged GPO Management product like AGPM, the script in this article will provide you with a simple way to watch the domain (or a select OU) for GPOs changes and automatically take backups when policies are added, removed o…
How to deal with a specific error when using the Enable-RemoteMailbox cmdlet to create a mailbox in the cloud-based service, for an existing user in an on-premises Active Directory.
In this video we show how to create a Contact in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >> Contact ta…
In this video we show how to create an Address List in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Organization >> Ad…
Suggested Courses

618 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question