Solved

Using AD Powershell to update user group membership

Posted on 2014-04-28
7
1,022 Views
Last Modified: 2014-10-25
I am trying to use AD Powershell to update the group members of a specific AD Group. I have a CSV file with the users that should be in the group that I import. I want to script to see who is currently in the group, remove them if they are not in the new list and add them if they are not in AD but are in the new list. Basically AD should be exactly what the new list says, no more/no less. This is the script I am using.

$CorrectUsers = Import-Csv c:\correctusers.csv | Where-Object {$_.room -eq "RoomA"} | Sort "ID" -Unique | Select-Object "ID"
$ADRoomA = Get-ADGroupMember -Identity "RoomA" | Sort "SamAccountName" -Unique | Select-Object SamAccountName
$ADRoomA > c:\test.txt



$ModAD = Compare-Object -ReferenceObject $ADRoomA -DifferenceObject $CorrectUsers
$ModAD > c:\ty.txt 
$m = $ModAD.InputItem | Format-Table -HideTableHeaders
$m > c:\m.txt

$ModAD | foreach {
    if ($_.sideindicator -eq '<='){

    
    'Remove-ADGroupMember -Identity "RoomA" -Members ' + $User > c:\items.txt
     
    }

}

Open in new window


I have it output to a file to make sure the command is correct for now and this is what I get:

Remove-ADGroupMember -Identity "RoomA" -Members @{SamAccountName=user1}

Open in new window


How do I get the variable $User to just be "user1" and NOT "@{SamAccountName=user1}"

I guess I could probably just take the Middle charcters of the string starting at stringlength-17 ending at stringlength-1 but that seems a little laborious, I was hoping there was an easy way to pull just the user out of the array.


Thanks
0
Comment
Question by:bbayachek
7 Comments
 
LVL 6

Expert Comment

by:ButlerTechnology
ID: 40027880
This might be  a cheap method.  Does it matter if you just clear out the membership of the group and then add the new members?  I am assuming that only individuals in the list should be a member.  The only downside is if the process fails after removing the membership.

Tom
0
 
LVL 1

Author Comment

by:bbayachek
ID: 40027894
Yea, I was actually going to just do that to begin with but I was hoping to be a bit more elegant with it. I don't have that many users for that group but I figured for the future it would be better that I know the good way to do it.
0
 
LVL 28

Expert Comment

by:becraig
ID: 40027905
I  am guessing a simple approach would have been
1) get list of valid users already in your csv
2) do a get-adgroup call piped into a for loop
4)  nest a loop based on your file and compare users
5) Use if logic (if member -eq user from loop -do nothing if member -ne user from loop remove member)


Something along the above lines.
0
 
LVL 39

Accepted Solution

by:
footech earned 500 total points
ID: 40027914
Your compare isn't going to be correct with the above.  Your arrays being compared are arrays of objects.  If the objects had the same properties, then you could specify the property name in the Compare-Object command.  Without specifying a property name, another way it could be done is to just reduce the arrays to arrays of strings.  To do so, change the first two lines like this:
$CorrectUsers = Import-Csv c:\correctusers.csv | Where-Object {$_.room -eq "RoomA"} | Sort "ID" -Unique | Select-Object -expand "ID"
$ADRoomA = Get-ADGroupMember -Identity "RoomA" | Sort "SamAccountName" -Unique | Select-Object -expand SamAccountName

Open in new window


Then I think the following would work (remove the -whatif parameter to run for real):
$ModAD | foreach {
    if ($_.sideindicator -eq '<='){
        Remove-ADGroupMember -Identity "RoomA" -Members $_ -WhatIf
    }
    ElseIf ($_.sideindicator -eq '=>'){
        Add-ADGroupMember -Identity "RoomA" -Members $_ -WhatIf
    }
}

Open in new window

EDIT: Corrected order of conditions to match reference and difference object of the compare.
0
 
LVL 1

Author Comment

by:bbayachek
ID: 40277187
Sorry for the late response. I get tied up with a million things and then forget the task at hand. I think that would actually work Footech. I will test it out and let you know.


THanks
0

Join & Write a Comment

Suggested Solutions

How to sign a powershell script so you can prevent tampering, and only allow users to run authorised Powershell scripts
"Migrate" an SMTP relay receive connector to a new server using info from an old server.
In this fourth video of the Xpdf series, we discuss and demonstrate the PDFinfo utility, which retrieves the contents of a PDF's Info Dictionary, as well as some other information, including the page count. We show how to isolate the page count in a…
In this fifth video of the Xpdf series, we discuss and demonstrate the PDFdetach utility, which is able to list and, more importantly, extract attachments that are embedded in PDF files. It does this via a command line interface, making it suitable …

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now