asked on Powershell Automation - Set a Scheduled Task to Run PS each night to update a List of Members For a Security Group
I have created a Powershell Script that will search for all Account Managers in our company and then adds then to particular Security Group.
How can i then add a line of code to this script that will go out and search ALL account managers who are no longer Active and remove them from the group "Powerbi_All_AM"?
Maybe doing something like this...
Would that work? And is spaces between both lines of code ok or do they all need to be under each other?
Get-ADUser -Filter {description -eq 'ACCTMGR - Account Manager' -and Enabled -eq $True} | export-csv c:\active_account_managers.csv
Import-CSV c:\active_account_managers.csv -Header SamAccountName | ForEach-Object {Add-AdGroupMember -Identity "Powerbi_All_AM" -members $_.SamAccountName}
How can i then add a line of code to this script that will go out and search ALL account managers who are no longer Active and remove them from the group "Powerbi_All_AM"?
Maybe doing something like this...
#This will both add users who are newly onboarded account managers and remove any that have been offboarded i think
Get-ADUser -Filter {description -eq 'ACCTMGR - Account Manager' -and Enabled -eq $True} | export-csv c:\active_AMs.csv
Import-CSV c:\active_AMs.csv -Header SamAccountName | ForEach-Object {Add-AdGroupMember -Identity "Powerbi_All_DM" -members $_.SamAccountName}
Get-ADUser -Filter {description -eq 'ACCTMGR - Account Manager' -and Enabled -eq $False} | export-csv c:\offboarded_account_managers.csv
Import-CSV C:\offboarded_account_managers.csv -Header SamAccountName | ForEach-Object {Remove-AdGroupMember -Identity "Powerbi_All_AM" -members $_.SamAccountName}
Would that work? And is spaces between both lines of code ok or do they all need to be under each other?
PowershellIT Administration
Last Comment
Isaias Perez
ASKER
Perfect! Thank you so much. So if i run this on a daily basis, it should both add any new Account Managers that have been on-boarded in AD and Remove any Account Managers who have been disabled correct?
Super thanks for your help.
$NewAcctMgrs = Get-ADUser -Filter {description -eq 'ACCTMGR - Account Manager' -and Enabled -eq $True}
ForEach ($NewAcctMgr in $NewAcctMgrs) {Add-AdGroupMember -Identity "Powerbi_All_AM" -members $NewAcctMgr.SamAccountName}
$FomerAcctMgrs = Get-ADUser -Filter {description -eq 'ACCTMGR - Account Manager' -and Enabled -eq $False}
ForEach ($FomerMgr in $FormerAcctMgrs) {Remove-AdGroupMember -Identity "Powerbi_All_AM" -members $FomerMgr.SamAccountName}
Super thanks for your help.
In your script above, you have "Powerbi_All_DM" as group to add to, and Powerbi_All_AM as group to remove from; is that on purpose?
Anyway, to remove members of a group unattended, you need to add "-Confirm:$false" to Remove-ADGroupMember.
And in principle, instead of running two queries against AD, and then adding/removing each user individually from the group, you should first collect the members to add/remove in an array, then pass that array to the cmdlet.
In this case, you probably won't have hundreds of changes per day, so it's not critical, but in general, you should consider the impact on AD, especially with scheduled operations like these.
Anyway, to remove members of a group unattended, you need to add "-Confirm:$false" to Remove-ADGroupMember.
And in principle, instead of running two queries against AD, and then adding/removing each user individually from the group, you should first collect the members to add/remove in an array, then pass that array to the cmdlet.
In this case, you probably won't have hundreds of changes per day, so it's not critical, but in general, you should consider the impact on AD, especially with scheduled operations like these.
$group = 'Powerbi_All_AM'
$add = @()
$remove = @()
Get-ADUser -Filter {description -eq 'ACCTMGR - Account Manager'} | ForEach-Object {
If ($_.Enabled) {
$add += $_
} Else {
$remove += $_
}
}
If ($add) {
Add-AdGroupMember -Identity $group -Members $add
## Uncomment the following line to export the currently active members to csv
# $add | Export-Csv -NoTypeInformation -Path 'C:\active_account_managers.csv'
}
If ($remove) {
Remove-AdGroupMember -Identity $group -Members $remove -Confirm:$false
## Uncomment the following line to export the offboarded members to csv
# $remove | Export-Csv -NoTypeInformation -Path 'C:\offboarded_account_managers.csv'
}
ASKER
@ODBA Thank you very much for re-writing that for me. I must have mistyped the DM and AM information. I have one more request if possible. Using Darrel's script above i was able to put the following code together. The logic behind this is to put District Managers, Area Managers (different than the first script which was only account managers) and all Directors of Operation all in a group called zDM_ALL_Security. is this code OK for automation (running via task scheduler) or can it be rewritten like your code above?
#Script created by Isaias Perez to automate the zDM_All_Security Group. This will run as a scheduled task daily and update any
#newly on-boarded Area Manager, District Managers or Director of Operations Members to the security group and remove any off-boarded #members. 1/9/2020
Start-Transcript -Path C:\temp\zDM_sync.log
$NewAcctMgrs1 = Get-ADUser -Filter {description -eq 'DISTMGR - District Manager' -and Enabled -eq $True}
ForEach ($NewAcctMgr1 in $NewAcctMgrs1) {Add-AdGroupMember -Identity "zDM_All_Security" -members $NewAcctMgr1.SamAccountName}
$FomerAcctMgrs1 = Get-ADUser -Filter {description -eq 'DISTMGR - District Manager' -and Enabled -eq $False}
ForEach ($FomerMgr1 in $FormerAcctMgrs1) {Remove-AdGroupMember -Identity "zDM_All_Security" -members $FomerMgr1.SamAccountName}
$NewAcctMgrs2 = Get-ADUser -Filter {description -eq 'AREAMGR - Area Manager' -and Enabled -eq $True}
ForEach ($NewAcctMgr2 in $NewAcctMgrs2) {Add-AdGroupMember -Identity "zDM_All_Security" -members $NewAcctMgr2.SamAccountName}
$FomerAcctMgrs2 = Get-ADUser -Filter {description -eq 'AREAMGR - Area Manager' -and Enabled -eq $False}
ForEach ($FomerMgr2 in $FormerAcctMgrs2) {Remove-AdGroupMember -Identity "zDM_All_Security" -members $FomerMgr2.SamAccountName}
$NewAcctMgrs3 = Get-ADUser -Filter {description -eq 'DOPS - Director of Operations' -and Enabled -eq $True}
ForEach ($NewAcctMgr3 in $NewAcctMgrs3) {Add-AdGroupMember -Identity "zDM_All_Security" -members $NewAcctMgr3.SamAccountName}
$FomerAcctMgrs3 = Get-ADUser -Filter {description -eq 'DOPS - Director of Operations' -and Enabled -eq $False}
ForEach ($FomerMgr3 in $FormerAcctMgrs3) {Remove-AdGroupMember -Identity "zDM_All_Security" -members $FomerMgr3.SamAccountName}
Stop-Transcript
#This code below will generate a csv file with the current District Managers, Area Managers, Director of Operations in our environment
#Get-ADGroupMember -Identity zDM_All_Security | Export-Csv c:\zDM_All_Security1.csv
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
Perfection as always oBdA, thank you!
Open in new window
You may need to add the -NoTypeInformation parameter to your Export-CSV command though I am unclear as to the reason you feel you need to dump this to a file first.You can instead create this construct:
Open in new window
You can technically do all the work in a single line but this makes the code more readable and maintainable while removing the need for the interim CSV file creation.