Add User to Group in AD

Hi,
I want to add a user to multiple security groups based on Title & Department.

The logic would be
1. User Department
2. User Title

I already have the Department in the user attribute in AD. I want the script to prompt for the user's SAM account name and then query AD to check the Department.
Based on Department & Title the user should be added to Security Groups.

I tried this so far, but it fails to pass Department in a variable:
----------------------------------
Import-Module ActiveDirectory
$user = Read-Host -Prompt "Enter Kürzel"
$Department = Get-ADUser -identity $user  -Properties * | select Department
$Title = Get-ADUser -Identity $user -Properties * | select Title

if ($Department -eq 'Team Z' -eq "Director") { "w","w1" | Add-ADGroupMember -Members $user}
elseif ($Department -eq "Team Z" -and $Title -eq "Manager") { "w3","w4" | Add-ADGroupMember -Members $user }
------------------------------

$Department.gettype()
returns

IsPublic IsSerial Name                                     BaseType
-------- -------- ----                                     --------
True     False    PSCustomObject                           System.Object

Same goes for $Title

Thanks in advance!
Ackles Asked:
oBdA Commented:
Import-Module ActiveDirectory
$user = Read-Host -Prompt "Enter Kürzel"
If ($ADUser = Get-ADUser -Identity $user -Properties Department, MemberOf, Title) {
	$Groups = $null
	If (($ADUser.Department -eq 'Team Z') -and ($ADUser.Title -eq "Director")) {
		$Groups = "w", "w1"
	} ElseIf (($ADUser.Department -eq "Team Z") -and ($ADUser.Title -eq "Manager")) {
		$Groups = "w3", "w4"
	} ElseIf (($ADUser.Department -eq "Team Z") -and ($ADUser.Title -like "Praktikant*")) {
		$Groups = "w5", "w6"
	} ElseIf ($ADUser.Title -like "Praktikant*") {
		$Groups = "w7", "w8"
	} Else {
		Write-Host "User does not meet the requirements of this script." -ForegroundColor Yellow
	}
	If ($Groups) {
		# Strips every existing membership listed in MemberOf (the primary group is not listed there) before adding the new ones.
		$ADuser.memberOf | ForEach-Object {
			Write-Host "[$($ADUser.SamAccountName)] Removing from $($_ -replace '\ACN=(.+?),(CN|DC)=.*', '$1') ..." -ForegroundColor White
			Remove-ADGroupMember -Identity $_ -Members $ADUser.SamAccountName
		}
		$Groups | ForEach-Object {
			Write-Host "[$($ADUser.SamAccountName)] Adding to $($_) ..." -ForegroundColor White -NoNewline
			Try {
				Add-ADGroupMember -Identity $_ -Members $ADUser.SamAccountName -ErrorAction Stop
				Write-Host " OK" -ForegroundColor Green
			} Catch {
				Write-Host $_.Exception.Message -ForegroundColor Yellow
			}
		}
	}
}

oBdA Commented:
You'd need a "Select-Object -ExpandProperty", otherwise you'll get an object with one single property.
But you shouldn't retrieve the same user twice, including all properties, just to then only use one single property.
Try it like this:
Import-Module ActiveDirectory
$user = Read-Host -Prompt "Enter Kürzel"
If ($ADUser = Get-ADUser -Identity $user -Properties Department, Title) {
	$Groups = $null
	If (($ADUser.Department -eq 'Team Z') -and ($ADUser.Title -eq "Director")) {
		$Groups = "w", "w1"
	} ElseIf (($ADUser.Department -eq "Team Z") -and ($ADUser.Title -eq "Manager")) {
		$Groups = "w3", "w4"
	}
	If ($Groups) {
		$Groups | Add-ADGroupMember -Members $user
	}
}

Ackles (Author) Commented:
Looks Great, Thanks
Let me test & will come back!
Ackles (Author) Commented:
It seems that if there is an existing group the user is already a member of, the script fails.
1. Is there a way to remove the user from all the groups he was previously a member of and then add him to the groups mentioned?
2. There is also a condition where the user has no Title; I mean, what if he is neither manager nor director?

One more thing: it would be cool if at the end the script displays which groups the user has been added to, just for control...

Thanks!
Ackles (Author) Commented:
OK, the 2nd part I could figure out.
oBdA Commented:
Try this:
Import-Module ActiveDirectory
$user = Read-Host -Prompt "Enter Kürzel"
If ($ADUser = Get-ADUser -Identity $user -Properties Department, MemberOf, Title) {
	$Groups = $null
	If (($ADUser.Department -eq 'Team Z') -and ($ADUser.Title -eq "Director")) {
		$Groups = "w", "w1"
	} ElseIf (($ADUser.Department -eq "Team Z") -and ($ADUser.Title -eq "Manager")) {
		$Groups = "w3", "w4"
	} Else {
		Write-Host "User does not meet the requirements of this script." -ForegroundColor Yellow
	}
	If ($Groups) {
		$ADuser.memberOf | ForEach-Object {
			Write-Host "[$($ADUser.SamAccountName)] Removing from $($_ -replace '\ACN=(.+?),(CN|DC)=.*', '$1') ..." -ForegroundColor White
			Remove-ADGroupMember -Identity $_ -Members $ADUser.SamAccountName
		}
		$Groups | ForEach-Object {
			Write-Host "[$($ADUser.SamAccountName)] Adding to $($_) ..." -ForegroundColor White -NoNewline
			Try {
				Add-ADGroupMember -Identity $_ -Members $ADUser.SamAccountName -ErrorAction Stop
				Write-Host " OK" -ForegroundColor Green
			} Catch {
				Write-Host $_.Exception.Message -ForegroundColor Yellow
			}
		}
	}
}

Ackles (Author) Commented:
Sorry to have another request...
There is a set of users who are not Department specific, meaning that irrespective of Department they have to be added to Groups.
How would the condition be for them?
Ackles (Author) Commented:
These users' Title is either Praktikant or Praktikantin.

So the condition would be

ElseIf (($ADUser.Title -eq "Praktikant") -or ($ADUser.Title -eq "Praktikantin"))

Is this correct?
Also, would this also be correct:
ElseIf (($ADUser.Department -eq "Team Z") -and ($ADUser.Title -eq "Praktikant")-or ($ADUser.Title -eq "Praktikantin"))
Ackles (Author) Commented:
Looks Great!!
Let me check on Monday & then will mark answered, but as of now it's Awesome!
Ackles (Author) Commented:
Hi,
Thanks, it works fine.
I have a leading question; please tell me if it can be answered here or shall I open a new question?
We have Office 365 for email & want to create the same for adding users to Distribution Lists, in the same way...
oBdA Commented:
That should be its own question.
Ackles (Author) Commented:
Thanks!
Ackles (Author) Commented:
Awesome!
oBdA Commented:
Just noticed that a "?" was lost in the last/accepted script (doesn't create functional problems, just displays the OU name incorrectly).
Line 18 should be (an additional '?' directly after the "+" in "-replace '\ACN=(.+":
			Write-Host "[$($ADUser.SamAccountName)] Removing from $($_ -replace '\ACN=(.+?),(CN|DC)=.*', '$1') ..." -ForegroundColor White

Ackles (Author) Commented:
Thanks!
Ackles (Author) Commented:
Just a follow-up for understanding:
Would this also be correct:
ElseIf (($ADUser.Department -eq "Team Z") -and ($ADUser.Title -eq "Praktikant")-or ($ADUser.Title -eq "Consultant"))

What I want to achieve is one And and two Or's.
oBdA Commented:
No. "-and" has a higher precedence than "-or".
Just try it:
(1 -eq 2) -and (2 -eq 2) -or (3 -eq 3)

It would need to be
(($ADUser.Department -eq "Team Z") -and (($ADUser.Title -eq "Praktikant") -or ($ADUser.Title -eq "Consultant")))

But that's not easy to read. Use an array instead and check for membership in the array:
(($ADUser.Department -eq "Team Z") -and ("Consultant", "Praktikant", "Praktikantin" -contains $ADUser.Title))

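An added example (not oBdA's or Ackles' code) that builds on the accepted script and on the array-membership check above: the Department/Title rules live in one table, only groups the table names are ever removed (so privileged or unrelated memberships are left alone instead of wiping all of MemberOf), changes go through ShouldProcess so a -WhatIf dry run shows what would happen, a user with no matching Title gets a warning rather than a membership change, and the final membership is reported as the author asked. Department and group names are the thread's placeholders; the rule table, the function names and the Get-ADPrincipalGroupMembership-based diff are assumptions.

```powershell
Import-Module ActiveDirectory
# Rule table (assumed; names follow the thread): Department ('*' = any) and Titles -> groups to hold.
$Rules = @(
    @{ Department = 'Team Z'; Titles = @('Director');                   Groups = @('w',  'w1') }
    @{ Department = 'Team Z'; Titles = @('Manager');                    Groups = @('w3', 'w4') }
    @{ Department = 'Team Z'; Titles = @('Praktikant', 'Praktikantin'); Groups = @('w5', 'w6') }
    @{ Department = '*';      Titles = @('Praktikant', 'Praktikantin'); Groups = @('w7', 'w8') }
)
# Only groups named in the table are ever removed; unrelated or privileged memberships are left alone.
$ManagedGroups = $Rules | ForEach-Object { $_.Groups } | Select-Object -Unique
function Get-DesiredGroups {
    param([string]$Department, [string]$Title)
    foreach ($Rule in $Rules) {
        $DeptMatch = ($Rule.Department -eq '*') -or ($Rule.Department -eq $Department)
        # Array membership instead of chained -and/-or; an empty Title matches no rule.
        if ($DeptMatch -and ($Rule.Titles -contains $Title)) { return $Rule.Groups }
    }
}

function Sync-UserGroups {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$SamAccountName)
    $ADUser  = Get-ADUser -Identity $SamAccountName -Properties Department, Title
    $Desired = @(Get-DesiredGroups -Department $ADUser.Department -Title $ADUser.Title)
    if ($Desired.Count -eq 0) {
        Write-Warning "[$SamAccountName] No rule for Department='$($ADUser.Department)', Title='$($ADUser.Title)'; nothing changed."
        return
    }
    # Current membership by group name; apply the difference instead of removing everything first.
    $Current  = @((Get-ADPrincipalGroupMembership -Identity $SamAccountName).Name)
    $ToRemove = @($Current | Where-Object { ($ManagedGroups -contains $_) -and ($Desired -notcontains $_) })
    $ToAdd    = @($Desired | Where-Object { $Current -notcontains $_ })
    foreach ($G in $ToRemove) {
        if ($PSCmdlet.ShouldProcess($SamAccountName, "Remove from group '$G'")) {
            Remove-ADGroupMember -Identity $G -Members $SamAccountName -Confirm:$false
        }
    }
    foreach ($G in $ToAdd) {
        if ($PSCmdlet.ShouldProcess($SamAccountName, "Add to group '$G'")) {
            Add-ADGroupMember -Identity $G -Members $SamAccountName
        }
    }
    # Report for control: what changed and what the user ends up with.
    [pscustomobject]@{
        User = $SamAccountName; Added = $ToAdd; Removed = $ToRemove
        Final = @((Get-ADPrincipalGroupMembership -Identity $SamAccountName).Name)
    }
}

Sync-UserGroups -SamAccountName (Read-Host -Prompt "Enter Kürzel") -WhatIf   # dry run; drop -WhatIf to apply
```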
Ackles (Author) Commented:
Thanks a Million!
I will post the other question & request you for attention...