Solved

Using AD Powershell to update user group membership

Posted on 2014-04-28
7
1,152 Views
Last Modified: 2014-10-25
I am trying to use AD Powershell to update the group members of a specific AD Group. I have a CSV file with the users that should be in the group that I import. I want to script to see who is currently in the group, remove them if they are not in the new list and add them if they are not in AD but are in the new list. Basically AD should be exactly what the new list says, no more/no less. This is the script I am using.

$CorrectUsers = Import-Csv c:\correctusers.csv | Where-Object {$_.room -eq "RoomA"} | Sort "ID" -Unique | Select-Object "ID"
$ADRoomA = Get-ADGroupMember -Identity "RoomA" | Sort "SamAccountName" -Unique | Select-Object SamAccountName
$ADRoomA > c:\test.txt



$ModAD = Compare-Object -ReferenceObject $ADRoomA -DifferenceObject $CorrectUsers
$ModAD > c:\ty.txt 
$m = $ModAD.InputItem | Format-Table -HideTableHeaders
$m > c:\m.txt

$ModAD | foreach {
    if ($_.sideindicator -eq '<='){

    
    'Remove-ADGroupMember -Identity "RoomA" -Members ' + $User > c:\items.txt
     
    }

}

Open in new window


I have it output to a file to make sure the command is correct for now and this is what I get:

Remove-ADGroupMember -Identity "RoomA" -Members @{SamAccountName=user1}

Open in new window


How do I get the variable $User to just be "user1" and NOT "@{SamAccountName=user1}"

I guess I could probably just take the Middle charcters of the string starting at stringlength-17 ending at stringlength-1 but that seems a little laborious, I was hoping there was an easy way to pull just the user out of the array.


Thanks
0
Comment
Question by:bbayachek
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 6

Expert Comment

by:ButlerTechnology
ID: 40027880
This might be  a cheap method.  Does it matter if you just clear out the membership of the group and then add the new members?  I am assuming that only individuals in the list should be a member.  The only downside is if the process fails after removing the membership.

Tom
0
 
LVL 1

Author Comment

by:bbayachek
ID: 40027894
Yea, I was actually going to just do that to begin with but I was hoping to be a bit more elegant with it. I don't have that many users for that group but I figured for the future it would be better that I know the good way to do it.
0
 
LVL 29

Expert Comment

by:becraig
ID: 40027905
I  am guessing a simple approach would have been
1) get list of valid users already in your csv
2) do a get-adgroup call piped into a for loop
4)  nest a loop based on your file and compare users
5) Use if logic (if member -eq user from loop -do nothing if member -ne user from loop remove member)


Something along the above lines.
0
 
LVL 40

Accepted Solution

by:
footech earned 500 total points
ID: 40027914
Your compare isn't going to be correct with the above.  Your arrays being compared are arrays of objects.  If the objects had the same properties, then you could specify the property name in the Compare-Object command.  Without specifying a property name, another way it could be done is to just reduce the arrays to arrays of strings.  To do so, change the first two lines like this:
$CorrectUsers = Import-Csv c:\correctusers.csv | Where-Object {$_.room -eq "RoomA"} | Sort "ID" -Unique | Select-Object -expand "ID"
$ADRoomA = Get-ADGroupMember -Identity "RoomA" | Sort "SamAccountName" -Unique | Select-Object -expand SamAccountName

Open in new window


Then I think the following would work (remove the -whatif parameter to run for real):
$ModAD | foreach {
    if ($_.sideindicator -eq '<='){
        Remove-ADGroupMember -Identity "RoomA" -Members $_ -WhatIf
    }
    ElseIf ($_.sideindicator -eq '=>'){
        Add-ADGroupMember -Identity "RoomA" -Members $_ -WhatIf
    }
}

Open in new window

EDIT: Corrected order of conditions to match reference and difference object of the compare.
0
 
LVL 1

Author Comment

by:bbayachek
ID: 40277187
Sorry for the late response. I get tied up with a million things and then forget the task at hand. I think that would actually work Footech. I will test it out and let you know.


THanks
0

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A project that enables an administrator to perform actions within a user session context not just at the time of login but any time later on day(s) or week(s) later.
This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory. If you do not know tier isolation read https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/s…
The viewer will learn how to dynamically set the form action using jQuery.
In this fourth video of the Xpdf series, we discuss and demonstrate the PDFinfo utility, which retrieves the contents of a PDF's Info Dictionary, as well as some other information, including the page count. We show how to isolate the page count in a…

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question