Add User to Group in AD

2/19/2018

2/16/2018

You'd need a "Select-Object -ExpandProperty", otherwise you'll get an object with one single property.
But you shouldn't retrieve the same user twice, including all properties, just to then only use one single property.
Try it like this:

Import-Module ActiveDirectory
$user = Read-Host -Prompt "Enter Kürzel"
If ($ADUser = Get-ADUser -Identity $user -Properties Department, Title) {
	$Groups = $null
	If (($ADUser.Department -eq 'Team Z') -and ($ADUser.Title -eq "Director")) {
		$Groups = "w", "w1"
	} ElseIf (($ADUser.Department -eq "Team Z") -and ($ADUser.Title -eq "Manager")) {
		$Groups = "w3", "w4"
	}
	If ($Groups) {
		$Groups | Add-ADGroupMember -Members $user
	}
}

2/16/2018

ASKER

Looks Great, Thanks
Let me test & will come back!

2/16/2018

ASKER

it seems that if there is an existing group the user is already member of the script fails.
1. Is there a way to remove all the groups from user was previously member of & then add him to the groups mentioned?
2. There is also a condition where the user has no Title, I mean it will be like if he is neither manager or director?

One more thing would be cool if at the end the script displays what groups the user has been added, just for control...

Thanks!

2/16/2018

ASKER

ok, the 2nd part I could figure out.

2/16/2018

Try this:

Import-Module ActiveDirectory
$user = Read-Host -Prompt "Enter Kürzel"
If ($ADUser = Get-ADUser -Identity $user -Properties Department, MemberOf, Title) {
	$Groups = $null
	If (($ADUser.Department -eq 'Team Z') -and ($ADUser.Title -eq "Director")) {
		$Groups = "w", "w1"
	} ElseIf (($ADUser.Department -eq "Team Z") -and ($ADUser.Title -eq "Manager")) {
		$Groups = "w3", "w4"
	} Else {
		Write-Host "User does not meet the requirements of this script." -ForegroundColor Yellow
	}
	If ($Groups) {
		$ADuser.memberOf | ForEach-Object {
			Write-Host "[$($ADUser.SamAccountName)] Removing from $($_ -replace '\ACN=(.+?),(CN|DC)=.*', '$1') ..." -ForegroundColor White
			Remove-ADGroupMember -Identity $_ -Members $ADUser.SamAccountName
		}
		$Groups | ForEach-Object {
			Write-Host "[$($ADUser.SamAccountName)] Adding to $($_) ..." -ForegroundColor White -NoNewline
			Try {
				Add-ADGroupMember -Identity $_ -Members $ADUser.SamAccountName -ErrorAction Stop
				Write-Host " OK" -ForegroundColor Green
			} Catch {
				Write-Host $_.Exception.Message -ForegroundColor Yellow
			}
		}
	}
}

2/16/2018

ASKER

Sorry to have another request...
There are set of users which are not Department specific, meaning irrespective of Department they have to be added to Groups.
How would the condition be for them?

2/16/2018

ASKER

These users Title is either Praktikant or Praktikantin

So the condition would be

ElseIf (($ADUser.Title -eq "Praktikant") -or ($ADUser.Title -eq "Praktikantin"))

Is this correct?
Also would this also be correct:
ElseIf (($ADUser.Department -eq "Team Z") -and ($ADUser.Title -eq "Praktikant")-or ($ADUser.Title -eq "Praktikantin"))

ASKER CERTIFIED SOLUTION

2/16/2018

THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.

View this solution by signing up for a free trial.

Members can start a 7-Day free trial and enjoy unlimited access to the platform.

See Pricing Options

Start Free Trial

2/16/2018

ASKER

Looks Great!!
Let me check on Monday & then will mark answered, but as of now it's Awesome!

2/19/2018

ASKER

Hi,
Thanks, it works fine.
I have a leading question, please tell if can be answered in this or shall I open a new question?
We have Office 365 for emails & want to create same for adding user in Distribution Lists, in the same way...

2/19/2018

That should be its own question.

2/19/2018

ASKER

Thanks!

2/19/2018

ASKER

Awesome!

2/19/2018

Just noticed that a "?" was lost in the last/accepted script (doesn't create functional problems, just displays the OU name incorrectly).
Line 18 should be (an additional '?' directly after the "+" in "-replace '\ACN=(.+":

			Write-Host "[$($ADUser.SamAccountName)] Removing from $($_ -replace '\ACN=(.+?),(CN|DC)=.*', '$1') ..." -ForegroundColor White

2/19/2018

ASKER

Thanks!

2/19/2018

ASKER

Just a follow up for understanding:
would this also be correct:
ElseIf (($ADUser.Department -eq "Team Z") -and ($ADUser.Title -eq "Praktikant")-or ($ADUser.Title -eq "Consultant"))

What I want to achieve is 1 And 2 Or's

2/19/2018

No. "-and" has a higher precedence than "-or".
Just try it:

(1 -eq 2) -and (2 -eq 2) -or (3 -eq 3)

It would need to be

(($ADUser.Department -eq "Team Z") -and (($ADUser.Title -eq "Praktikant") -or ($ADUser.Title -eq "Consultant")))

But that's not easy to read. Use an array instead and check for membership in the array:

(($ADUser.Department -eq "Team Z") -and ("Consultant", "Praktikant", "Praktikantin" -contains $ADUser.Title))