Solved

Using AD Powershell to update user group membership

Posted on 2014-04-28
Medium Priority
1,391 Views
Last Modified: 2014-10-25
I am trying to use AD Powershell to update the group members of a specific AD Group. I have a CSV file with the users that should be in the group that I import. I want the script to see who is currently in the group, remove them if they are not in the new list and add them if they are not in AD but are in the new list. Basically AD should be exactly what the new list says, no more/no less. This is the script I am using.

$CorrectUsers = Import-Csv c:\correctusers.csv | Where-Object {$_.room -eq "RoomA"} | Sort "ID" -Unique | Select-Object "ID"
$ADRoomA = Get-ADGroupMember -Identity "RoomA" | Sort "SamAccountName" -Unique | Select-Object SamAccountName
$ADRoomA > c:\test.txt



$ModAD = Compare-Object -ReferenceObject $ADRoomA -DifferenceObject $CorrectUsers
$ModAD > c:\ty.txt 
$m = $ModAD.InputItem | Format-Table -HideTableHeaders
$m > c:\m.txt

$ModAD | foreach {
    if ($_.sideindicator -eq '<='){

    
    'Remove-ADGroupMember -Identity "RoomA" -Members ' + $User > c:\items.txt
     
    }

}



I have it output to a file to make sure the command is correct for now and this is what I get:

Remove-ADGroupMember -Identity "RoomA" -Members @{SamAccountName=user1}



How do I get the variable $User to just be "user1" and NOT "@{SamAccountName=user1}"

I guess I could probably just take the middle characters of the string starting at stringlength-17 ending at stringlength-1 but that seems a little laborious, I was hoping there was an easy way to pull just the user out of the array.


Thanks
0
Question by:bbayachek
7 Comments
 
LVL 6

Expert Comment

by:ButlerTechnology
ID: 40027880
This might be a cheap method. Does it matter if you just clear out the membership of the group and then add the new members? I am assuming that only individuals in the list should be a member. The only downside is if the process fails after removing the membership.

Tom
0
 
LVL 1

Author Comment

by:bbayachek
ID: 40027894
Yea, I was actually going to just do that to begin with but I was hoping to be a bit more elegant with it. I don't have that many users for that group but I figured for the future it would be better that I know the good way to do it.
0
 
LVL 29

Expert Comment

by:becraig
ID: 40027905
I am guessing a simple approach would have been
1) get list of valid users already in your csv
2) do a get-adgroup call piped into a for loop
3) nest a loop based on your file and compare users
4) Use if logic (if member -eq user from loop -do nothing if member -ne user from loop remove member)


Something along the above lines.
0
 
LVL 41

Accepted Solution

by:
footech earned 2000 total points
ID: 40027914
Your compare isn't going to be correct with the above.  Your arrays being compared are arrays of objects.  If the objects had the same properties, then you could specify the property name in the Compare-Object command.  Without specifying a property name, another way it could be done is to just reduce the arrays to arrays of strings.  To do so, change the first two lines like this:
$CorrectUsers = Import-Csv c:\correctusers.csv | Where-Object {$_.room -eq "RoomA"} | Sort "ID" -Unique | Select-Object -expand "ID"
$ADRoomA = Get-ADGroupMember -Identity "RoomA" | Sort "SamAccountName" -Unique | Select-Object -expand SamAccountName



Then I think the following would work (remove the -whatif parameter to run for real):
$ModAD | foreach {
    # Compare-Object wraps each value; the account name is in .InputObject
    if ($_.sideindicator -eq '<='){
        Remove-ADGroupMember -Identity "RoomA" -Members $_.InputObject -WhatIf
    }
    ElseIf ($_.sideindicator -eq '=>'){
        Add-ADGroupMember -Identity "RoomA" -Members $_.InputObject -WhatIf
    }
}


EDIT: Corrected order of conditions to match reference and difference object of the compare.
0
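
A complete version of the sync the question describes, written as an added example and not code from any poster in this thread. It assumes the CSV's "ID" column holds the SamAccountName and that the room name equals the group name; `Get-MembershipPlan` and the log path are hypothetical names, and the script refuses to run when the CSV yields no users so a bad export cannot empty the group.

```powershell
# Added example, not from the thread. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$Group   = 'RoomA'                              # also the CSV "room" value (assumption)
$CsvPath = 'c:\correctusers.csv'
$LogPath = 'c:\RoomA-membership-changes.csv'    # hypothetical audit log path

# Hypothetical helper: pure set difference on plain strings (case-insensitive).
function Get-MembershipPlan {
    param([string[]]$Desired, [string[]]$Current)
    foreach ($u in $Current) {
        if ($Desired -notcontains $u) { [pscustomobject]@{ Action = 'Remove'; User = $u } }
    }
    foreach ($u in $Desired) {
        if ($Current -notcontains $u) { [pscustomobject]@{ Action = 'Add'; User = $u } }
    }
}

# Desired state: trimmed, de-duplicated account names for this room.
$desired = @(Import-Csv $CsvPath |
    Where-Object { $_.room -eq $Group -and $_.ID } |
    ForEach-Object { $_.ID.Trim() } |
    Sort-Object -Unique)

# Guard: a missing or empty export must not silently empty the group.
if ($desired.Count -eq 0) {
    throw "No rows for '$Group' in $CsvPath; refusing to remove every member."
}

# Current state: direct user members only, reduced to strings.
$current = @(Get-ADGroupMember -Identity $Group |
    Where-Object { $_.objectClass -eq 'user' } |
    Select-Object -ExpandProperty SamAccountName)

$plan  = @(Get-MembershipPlan -Desired $desired -Current $current)
$stamp = Get-Date -Format s

foreach ($change in $plan) {
    # -WhatIf only previews; delete it to apply the change.
    if ($change.Action -eq 'Remove') {
        Remove-ADGroupMember -Identity $Group -Members $change.User -Confirm:$false -WhatIf
    } else {
        Add-ADGroupMember -Identity $Group -Members $change.User -WhatIf
    }
}

# Keep a record of every planned change for later access reviews.
$plan | Select-Object @{ n = 'Time'; e = { $stamp } }, @{ n = 'Group'; e = { $Group } }, Action, User |
    Export-Csv $LogPath -NoTypeInformation -Append
```

Nested groups and computer accounts are left untouched because only direct members with objectClass `user` are compared.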
 
LVL 1

Author Comment

by:bbayachek
ID: 40277187
Sorry for the late response. I get tied up with a million things and then forget the task at hand. I think that would actually work Footech. I will test it out and let you know.


Thanks
0

Question has a verified solution.