Ackles
asked on
Add User to Group in AD
Hi,
I want to add a user to multiple security groups based on Title & Department.
The logic would be
1. User Department
2. User Title
I have already the Department in the user attribute in AD, I want the user to have a prompt to mention user's sam account & then the script query AD to check for Department.
Based on Department & Title the user should be added to Security Groups.
I tried this so far, but it fails to pass Department in variable:
--------------------------
Import-Module ActiveDirectory
$user = Read-Host -Prompt "Enter Kürzel"
$Department = Get-ADUser -identity $user -Properties * | select Department
$Title = Get-ADUser -Identity $user -Properties * | select Title
if ($Department -eq 'Team Z' -eq "Director") { "w","w1" | Add-ADGroupMember -Members $user}
elseif ($Department -eq "Team Z" -and $Title -eq "Manager") { "w3","w4" | Add-ADGroupMember -Members $user }
--------------------------
$Department.gettype()
returns
IsPublic IsSerial Name BaseType
-------- -------- ---- --------
True False PSCustomObject System.Object
Same goes for $Title
Thanks in advance!
ASKER
Looks Great, Thanks
Let me test & will come back!
ASKER
It seems that if the user is already a member of one of the groups, the script fails.
1. Is there a way to remove the user from all the groups he was previously a member of & then add him to the groups mentioned?
2. There is also a condition where the user has no Title, I mean it will be like he is neither manager nor director?
One more thing: it would be cool if at the end the script displays which groups the user has been added to, just for control...
Thanks!
ASKER
ok, the 2nd part I could figure out.
Try this:
Import-Module ActiveDirectory
$user = Read-Host -Prompt "Enter Kürzel"
# Only the three attributes the script needs are requested, not -Properties *
If ($ADUser = Get-ADUser -Identity $user -Properties Department, MemberOf, Title) {
    $Groups = $null
    If (($ADUser.Department -eq 'Team Z') -and ($ADUser.Title -eq "Director")) {
        $Groups = "w", "w1"
    } ElseIf (($ADUser.Department -eq "Team Z") -and ($ADUser.Title -eq "Manager")) {
        $Groups = "w3", "w4"
    } Else {
        Write-Host "User does not meet the requirements of this script." -ForegroundColor Yellow
    }
    If ($Groups) {
        # Remove the user from every group listed in MemberOf. The primary group (normally Domain Users)
        # is not part of MemberOf and therefore stays. Remove-ADGroupMember prompts for confirmation
        # on each group unless -Confirm:$false is added.
        $ADUser.MemberOf | ForEach-Object {
            Write-Host "[$($ADUser.SamAccountName)] Removing from $($_ -replace '\ACN=(.+?),(CN|DC)=.*', '$1') ..." -ForegroundColor White
            Remove-ADGroupMember -Identity $_ -Members $ADUser.SamAccountName
        }
        # Add the user to the target groups and report each result (the "control" output requested above)
        $Groups | ForEach-Object {
            Write-Host "[$($ADUser.SamAccountName)] Adding to $($_) ..." -ForegroundColor White -NoNewline
            Try {
                Add-ADGroupMember -Identity $_ -Members $ADUser.SamAccountName -ErrorAction Stop
                Write-Host " OK" -ForegroundColor Green
            } Catch {
                Write-Host $_.Exception.Message -ForegroundColor Yellow
            }
        }
    }
}
ASKER
Sorry to have another request...
There is a set of users which are not Department specific, meaning irrespective of Department they have to be added to Groups.
How would the condition be for them?
ASKER
These users' Title is either Praktikant or Praktikantin
So the condition would be
ElseIf (($ADUser.Title -eq "Praktikant") -or ($ADUser.Title -eq "Praktikantin"))
Is this correct?
Also would this also be correct:
ElseIf (($ADUser.Department -eq "Team Z") -and ($ADUser.Title -eq "Praktikant")-or ($ADUser.Title -eq "Praktikantin"))
ASKER CERTIFIED SOLUTION
ASKER
Looks Great!!
Let me check on Monday & then will mark answered, but as of now it's Awesome!
ASKER
Hi,
Thanks, it works fine.
I have a leading question, please tell if can be answered in this or shall I open a new question?
We have Office 365 for emails & want to create same for adding user in Distribution Lists, in the same way...
That should be its own question.
ASKER
Thanks!
ASKER
Awesome!
Just noticed that a "?" was lost in the last/accepted script (doesn't create functional problems, just displays the OU name incorrectly).
Line 18 should be (an additional '?' directly after the "+" in "-replace '\ACN=(.+":
Write-Host "[$($ADUser.SamAccountName)] Removing from $($_ -replace '\ACN=(.+?),(CN|DC)=.*', '$1') ..." -ForegroundColor White
ASKER
Thanks!
ASKER
Just a follow up for understanding:
would this also be correct:
ElseIf (($ADUser.Department -eq "Team Z") -and ($ADUser.Title -eq "Praktikant")-or ($ADUser.Title -eq "Consultant"))
What I want to achieve is 1 And 2 Or's
No. "-and" has a higher precedence than "-or".
Just try it:
(1 -eq 2) -and (2 -eq 2) -or (3 -eq 3)
It would need to be (($ADUser.Department -eq "Team Z") -and (($ADUser.Title -eq "Praktikant") -or ($ADUser.Title -eq "Consultant")))
But that's not easy to read. Use an array instead and check for membership in the array:
(($ADUser.Department -eq "Team Z") -and ("Consultant", "Praktikant", "Praktikantin" -contains $ADUser.Title))
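An added example (not from this thread) that evaluates both forms of the condition above against constructed user objects, so it runs without any AD connection; the user objects, SamAccountNames and the "HR" department are constructed. Its point is that the as-written form grants the Team Z groups to a Consultant from another department, which is how a precedence slip becomes an over-broad group assignment.

```powershell
# Added example: compare the asker's condition with the intended one on sample data.
function Test-Rule {
    param([pscustomobject]$User)
    # As posted in the question. -and binds tighter than -or, so PowerShell reads this as
    # ((Department -eq "Team Z") -and (Title -eq "Praktikant")) -or (Title -eq "Consultant")
    $asWritten = ($User.Department -eq "Team Z") -and ($User.Title -eq "Praktikant") -or ($User.Title -eq "Consultant")
    # Intended: Team Z AND (one of the listed titles), expressed with -contains as suggested above
    $intended = ($User.Department -eq "Team Z") -and ("Consultant", "Praktikant", "Praktikantin" -contains $User.Title)
    [pscustomobject]@{
        User      = $User.SamAccountName
        AsWritten = $asWritten
        Intended  = $intended
    }
}

# Constructed sample users (no Get-ADUser call); departments and titles follow the thread's rules
$sample = @(
    [pscustomobject]@{ SamAccountName = 'tz-consult'; Department = 'Team Z'; Title = 'Consultant' }
    [pscustomobject]@{ SamAccountName = 'hr-consult'; Department = 'HR';     Title = 'Consultant' }
    [pscustomobject]@{ SamAccountName = 'tz-prakt';   Department = 'Team Z'; Title = 'Praktikantin' }
)

# hr-consult is the row to look at: AsWritten is True (the -or short-circuits the department check),
# Intended is False. tz-prakt shows the reverse: AsWritten misses Praktikantin, Intended matches.
$sample | ForEach-Object { Test-Rule $_ } | Format-Table -AutoSize
```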
ASKER
Thanks a Million!
I will post the other question & request you for attention...
But you shouldn't retrieve the same user twice, including all properties, just to then only use one single property.
Try it like this: