Isaias Perez

Powershell Automation - Set a Scheduled Task to Run PS each night to update a List of Members For a Security Group

I have created a PowerShell script that will search for all Account Managers in our company and then add them to a particular security group.

Get-ADUser -Filter {description -eq 'ACCTMGR - Account Manager' -and Enabled -eq $True} | export-csv c:\active_account_managers.csv
Import-CSV c:\active_account_managers.csv -Header SamAccountName | ForEach-Object {Add-AdGroupMember -Identity "Powerbi_All_AM" -members $_.SamAccountName}

How can I then add a line of code to this script that will go out and search for ALL Account Managers who are no longer active and remove them from the group "Powerbi_All_AM"?

Maybe doing something like this...

# This will both add users who are newly onboarded Account Managers and remove any that have been offboarded, I think
Get-ADUser -Filter {description -eq 'ACCTMGR - Account Manager' -and Enabled -eq $True} | export-csv c:\active_AMs.csv
Import-CSV c:\active_AMs.csv -Header SamAccountName | ForEach-Object {Add-AdGroupMember -Identity "Powerbi_All_DM" -members $_.SamAccountName}

Get-ADUser -Filter {description -eq 'ACCTMGR - Account Manager' -and Enabled -eq $False} | export-csv c:\offboarded_account_managers.csv
Import-CSV C:\offboarded_account_managers.csv -Header SamAccountName | ForEach-Object {Remove-AdGroupMember -Identity "Powerbi_All_AM" -members $_.SamAccountName}

Would that work? And are spaces between the lines of code OK, or do they all need to be directly under each other?

Darrell Porter

White space is perfectly acceptable within Powershell to help break up the code to make it more readable.
Get-ADUser -Filter {description -eq 'ACCTMGR - Account Manager' -and Enabled -eq $False} | export-csv c:\offboarded_account_managers.csv -NoTypeInformation

You may need to add the -NoTypeInformation parameter to your Export-CSV command though I am unclear as to the reason you feel you need to dump this to a file first.
You can instead create this construct:
$FormerAcctMgrs = Get-ADUser -Filter {description -eq 'ACCTMGR - Account Manager' -and Enabled -eq $False}
ForEach ($AcctMgr in $FormerAcctMgrs) {Remove-AdGroupMember -Identity "Powerbi_All_AM" -members $AcctMgr.SamAccountName}

You can technically do all the work in a single line but this makes the code more readable and maintainable while removing the need for the interim CSV file creation.
Isaias Perez (Asker)

Perfect! Thank you so much. So if I run this on a daily basis, it should both add any new Account Managers that have been on-boarded in AD and remove any Account Managers who have been disabled, correct?

$NewAcctMgrs = Get-ADUser -Filter {description -eq 'ACCTMGR - Account Manager' -and Enabled -eq $True}
ForEach ($NewAcctMgr in $NewAcctMgrs) {Add-AdGroupMember -Identity "Powerbi_All_AM" -members $NewAcctMgr.SamAccountName}

# Variable names must match: the original assigned $FomerAcctMgrs but looped over $FormerAcctMgrs, so the loop never ran
$FormerAcctMgrs = Get-ADUser -Filter {description -eq 'ACCTMGR - Account Manager' -and Enabled -eq $False}
ForEach ($FormerMgr in $FormerAcctMgrs) {Remove-AdGroupMember -Identity "Powerbi_All_AM" -members $FormerMgr.SamAccountName}

Super thanks for your help.
oBdA

In your script above, you have "Powerbi_All_DM" as group to add to, and Powerbi_All_AM as group to remove from; is that on purpose?
Anyway, to remove members of a group unattended, you need to add "-Confirm:$false" to Remove-ADGroupMember.
And in principle, instead of running two queries against AD, and then adding/removing each user individually from the group, you should first collect the members to add/remove in an array, then pass that array to the cmdlet.
In this case, you probably won't have hundreds of changes per day, so it's not critical, but in general, you should consider the impact on AD, especially with scheduled operations like these.
$group = 'Powerbi_All_AM'
$add = @()
$remove = @()
Get-ADUser -Filter {description -eq 'ACCTMGR - Account Manager'} | ForEach-Object {
	If ($_.Enabled) {
		$add += $_
	} Else {
		$remove += $_
	}
}
If ($add) {
	Add-AdGroupMember -Identity $group -Members $add
	## Uncomment the following line to export the currently active members to csv
	# $add | Export-Csv -NoTypeInformation -Path 'C:\active_account_managers.csv'
}
If ($remove) {
	Remove-AdGroupMember -Identity $group -Members $remove -Confirm:$false
	## Uncomment the following line to export the offboarded members to csv
	# $remove | Export-Csv -NoTypeInformation -Path 'C:\offboarded_account_managers.csv'
}

@oBdA Thank you very much for re-writing that for me. I must have mistyped the DM and AM information. I have one more request if possible. Using Darrell's script above I was able to put the following code together. The logic behind this is to put District Managers, Area Managers (different from the first script, which was only Account Managers) and all Directors of Operations in a group called zDM_ALL_Security. Is this code OK for automation (running via Task Scheduler), or can it be rewritten like your code above?

# Script created by Isaias Perez to automate the zDM_All_Security group. This will run as a scheduled task daily and add any
# newly on-boarded Area Manager, District Manager or Director of Operations members to the security group and remove any off-boarded
# members. 1/9/2020

Start-Transcript -Path C:\temp\zDM_sync.log

$NewAcctMgrs1 = Get-ADUser -Filter {description -eq 'DISTMGR - District Manager' -and Enabled -eq $True}
ForEach ($NewAcctMgr1 in $NewAcctMgrs1) {Add-AdGroupMember -Identity "zDM_All_Security" -members $NewAcctMgr1.SamAccountName}

$FormerAcctMgrs1 = Get-ADUser -Filter {description -eq 'DISTMGR - District Manager' -and Enabled -eq $False}
ForEach ($FormerMgr1 in $FormerAcctMgrs1) {Remove-AdGroupMember -Identity "zDM_All_Security" -members $FormerMgr1.SamAccountName}

$NewAcctMgrs2 = Get-ADUser -Filter {description -eq 'AREAMGR - Area Manager' -and Enabled -eq $True}
ForEach ($NewAcctMgr2 in $NewAcctMgrs2) {Add-AdGroupMember -Identity "zDM_All_Security" -members $NewAcctMgr2.SamAccountName}

$FormerAcctMgrs2 = Get-ADUser -Filter {description -eq 'AREAMGR - Area Manager' -and Enabled -eq $False}
ForEach ($FormerMgr2 in $FormerAcctMgrs2) {Remove-AdGroupMember -Identity "zDM_All_Security" -members $FormerMgr2.SamAccountName}

$NewAcctMgrs3 = Get-ADUser -Filter {description -eq 'DOPS - Director of Operations' -and Enabled -eq $True}
ForEach ($NewAcctMgr3 in $NewAcctMgrs3) {Add-AdGroupMember -Identity "zDM_All_Security" -members $NewAcctMgr3.SamAccountName}

$FormerAcctMgrs3 = Get-ADUser -Filter {description -eq 'DOPS - Director of Operations' -and Enabled -eq $False}
ForEach ($FormerMgr3 in $FormerAcctMgrs3) {Remove-AdGroupMember -Identity "zDM_All_Security" -members $FormerMgr3.SamAccountName}

Stop-Transcript




# The line below (commented out) generates a CSV file with the current District Managers, Area Managers and Directors of Operations in our environment
# Get-ADGroupMember -Identity zDM_All_Security | Export-Csv c:\zDM_All_Security1.csv -NoTypeInformation

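As an added example (not code from the thread or any of its participants), the following combines oBdA's advice above (one query per role, one Add/Remove call per direction, -Confirm:$false for unattended runs) with the three-role zDM_All_Security script, but as a reconciliation: it diffs the group's actual members against the set of enabled role holders, so a user whose Description changes to a different role is removed too, something the thread's "Enabled -eq $False" queries alone never catch. The group name, role strings and log path are the thread's own; the $MaxRemovals guardrail and its threshold are assumptions.

```powershell
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]   $Group        = 'zDM_All_Security',
    [string[]] $Descriptions = @('DISTMGR - District Manager',
                                 'AREAMGR - Area Manager',
                                 'DOPS - Director of Operations'),
    [string]   $LogPath      = 'C:\temp\zDM_sync.log',
    [int]      $MaxRemovals  = 25   # assumed guardrail: abort if a run would strip more than this
)
Import-Module ActiveDirectory
Start-Transcript -Path $LogPath -Append
try {
    # Desired state: enabled holders of any listed role, one query per role.
    # A user whose Description changes to another role drops out of this set,
    # which a separate "Enabled -eq $False" query never detects.
    $desired = @(foreach ($d in $Descriptions) {
        Get-ADUser -Filter "Description -eq '$d' -and Enabled -eq 'True'"
    })
    # Current state: direct user members only, so nested groups are left alone.
    $current = @(Get-ADGroupMember -Identity $Group | Where-Object objectClass -eq 'user')

    # Diff on SID strings: stable across renames and SamAccountName changes.
    $diff = Compare-Object -ReferenceObject  @($current | ForEach-Object { $_.SID.Value }) `
                           -DifferenceObject @($desired | ForEach-Object { $_.SID.Value })
    $toAdd    = @($diff | Where-Object SideIndicator -eq '=>' | ForEach-Object InputObject)
    $toRemove = @($diff | Where-Object SideIndicator -eq '<=' | ForEach-Object InputObject)
    Write-Output ("{0}: {1} current, {2} to add, {3} to remove" -f $Group, $current.Count, $toAdd.Count, $toRemove.Count)

    # Guardrail: an empty or failed query must not silently empty the group.
    if ($toRemove.Count -gt $MaxRemovals -or ($toRemove.Count -gt 0 -and $desired.Count -eq 0)) {
        throw "Refusing to remove $($toRemove.Count) members (query returned $($desired.Count) users); check AD first."
    }
    # One cmdlet call per direction, and -Confirm:$false so the scheduled run never prompts.
    if ($toAdd.Count -gt 0 -and $PSCmdlet.ShouldProcess($Group, "add $($toAdd.Count) members")) {
        Add-ADGroupMember -Identity $Group -Members $toAdd
    }
    if ($toRemove.Count -gt 0 -and $PSCmdlet.ShouldProcess($Group, "remove $($toRemove.Count) members")) {
        Remove-ADGroupMember -Identity $Group -Members $toRemove -Confirm:$false
    }
}
finally {
    Stop-Transcript
}
```

Because the script supports ShouldProcess, running it once with -WhatIf logs the planned adds and removals without changing the group, which is worth doing before handing it to Task Scheduler.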
ASKER CERTIFIED SOLUTION
oBdA

This solution is only available to members.
Perfection as always oBdA, thank you!