Powershell Automation - Set a Scheduled Task to Run PS each night to update a List of Members For a Security Group

Isaias Perez
I have created a PowerShell script that will search for all Account Managers in our company and then add them to a particular Security Group.

```powershell
Get-ADUser -Filter {description -eq 'ACCTMGR - Account Manager' -and Enabled -eq $True} | export-csv c:\active_account_managers.csv
Import-CSV c:\active_account_managers.csv -Header SamAccountName | ForEach-Object {Add-AdGroupMember -Identity "Powerbi_All_AM" -members $_.SamAccountName}
```


How can I then add a line of code to this script that will go out and search for ALL account managers who are no longer active and remove them from the group "Powerbi_All_AM"?

Maybe doing something like this...

```powershell
#This will both add users who are newly onboarded account managers and remove any that have been offboarded i think
Get-ADUser -Filter {description -eq 'ACCTMGR - Account Manager' -and Enabled -eq $True} | export-csv c:\active_AMs.csv
Import-CSV c:\active_AMs.csv -Header SamAccountName | ForEach-Object {Add-AdGroupMember -Identity "Powerbi_All_DM" -members $_.SamAccountName}

Get-ADUser -Filter {description -eq 'ACCTMGR - Account Manager' -and Enabled -eq $False} | export-csv c:\offboarded_account_managers.csv
Import-CSV C:\offboarded_account_managers.csv -Header SamAccountName | ForEach-Object {Remove-AdGroupMember -Identity "Powerbi_All_AM" -members $_.SamAccountName}
```


Would that work? And are spaces between both lines of code OK, or do they all need to be under each other?
Darrell Porter, Enterprise Business Process Architect

Commented:
White space is perfectly acceptable within Powershell to help break up the code to make it more readable.
```powershell
Get-ADUser -Filter {description -eq 'ACCTMGR - Account Manager' -and Enabled -eq $False} | export-csv c:\offboarded_account_managers.csv -NoTypeInformation
```

You may need to add the -NoTypeInformation parameter to your Export-CSV command, though I am unclear as to the reason you feel you need to dump this to a file first.
You can instead create this construct:
```powershell
$FormerAcctMgrs = Get-ADUser -Filter {description -eq 'ACCTMGR - Account Manager' -and Enabled -eq $False}
ForEach ($AcctMgr in $FormerAcctMgrs) {Remove-AdGroupMember -Identity "Powerbi_All_AM" -members $AcctMgr.SamAccountName}
```

You can technically do all the work in a single line, but this makes the code more readable and maintainable while removing the need for the interim CSV file creation.
Isaias Perez, IT Operations Manager (Author)

Commented:
Perfect! Thank you so much. So if I run this on a daily basis, it should both add any new Account Managers that have been on-boarded in AD and remove any Account Managers who have been disabled, correct?

```powershell
$NewAcctMgrs = Get-ADUser -Filter {description -eq 'ACCTMGR - Account Manager' -and Enabled -eq $True}
ForEach ($NewAcctMgr in $NewAcctMgrs) {Add-AdGroupMember -Identity "Powerbi_All_AM" -members $NewAcctMgr.SamAccountName}

# Variable name made consistent ($FomerAcctMgrs vs. $FormerAcctMgrs in the original would have left the loop empty)
$FormerAcctMgrs = Get-ADUser -Filter {description -eq 'ACCTMGR - Account Manager' -and Enabled -eq $False}
ForEach ($FormerMgr in $FormerAcctMgrs) {Remove-AdGroupMember -Identity "Powerbi_All_AM" -members $FormerMgr.SamAccountName}
```


Super thanks for your help.
oBdA, Most Valuable Expert 2018, Distinguished Expert 2018

Commented:
In your script above, you have "Powerbi_All_DM" as group to add to, and Powerbi_All_AM as group to remove from; is that on purpose?
Anyway, to remove members of a group unattended, you need to add "-Confirm:$false" to Remove-ADGroupMember.
And in principle, instead of running two queries against AD, and then adding/removing each user individually from the group, you should first collect the members to add/remove in an array, then pass that array to the cmdlet.
In this case, you probably won't have hundreds of changes per day, so it's not critical, but in general, you should consider the impact on AD, especially with scheduled operations like these.
```powershell
$group = 'Powerbi_All_AM'
$add = @()
$remove = @()
Get-ADUser -Filter {description -eq 'ACCTMGR - Account Manager'} | ForEach-Object {
	If ($_.Enabled) {
		$add += $_
	} Else {
		$remove += $_
	}
}
If ($add) {
	Add-AdGroupMember -Identity $group -Members $add
	## Uncomment the following line to export the currently active members to csv
	# $add | Export-Csv -NoTypeInformation -Path 'C:\active_account_managers.csv'
}
If ($remove) {
	Remove-AdGroupMember -Identity $group -Members $remove -Confirm:$false
	## Uncomment the following line to export the offboarded members to csv
	# $remove | Export-Csv -NoTypeInformation -Path 'C:\offboarded_account_managers.csv'
}
```

Isaias Perez, IT Operations Manager (Author)

Commented:
@ODBA Thank you very much for re-writing that for me. I must have mistyped the DM and AM information. I have one more request if possible. Using Darrell's script above I was able to put the following code together. The logic behind this is to put District Managers, Area Managers (different than the first script, which was only account managers) and all Directors of Operation all in a group called zDM_ALL_Security. Is this code OK for automation (running via task scheduler), or can it be rewritten like your code above?

```powershell
#Script created by Isaias Perez to automate the zDM_All_Security Group. This will run as a scheduled task daily and update any
#newly on-boarded Area Manager, District Managers or Director of Operations Members to the security group and remove any off-boarded
#members. 1/9/2020

Start-Transcript -Path C:\temp\zDM_sync.log

# Variable names made consistent ($FomerAcctMgrsN vs. $FormerAcctMgrsN in the original would have left the remove loops empty)
$NewAcctMgrs1 = Get-ADUser -Filter {description -eq 'DISTMGR - District Manager' -and Enabled -eq $True}
ForEach ($NewAcctMgr1 in $NewAcctMgrs1) {Add-AdGroupMember -Identity "zDM_All_Security" -members $NewAcctMgr1.SamAccountName}

$FormerAcctMgrs1 = Get-ADUser -Filter {description -eq 'DISTMGR - District Manager' -and Enabled -eq $False}
ForEach ($FormerMgr1 in $FormerAcctMgrs1) {Remove-AdGroupMember -Identity "zDM_All_Security" -members $FormerMgr1.SamAccountName}

$NewAcctMgrs2 = Get-ADUser -Filter {description -eq 'AREAMGR - Area Manager' -and Enabled -eq $True}
ForEach ($NewAcctMgr2 in $NewAcctMgrs2) {Add-AdGroupMember -Identity "zDM_All_Security" -members $NewAcctMgr2.SamAccountName}

$FormerAcctMgrs2 = Get-ADUser -Filter {description -eq 'AREAMGR - Area Manager' -and Enabled -eq $False}
ForEach ($FormerMgr2 in $FormerAcctMgrs2) {Remove-AdGroupMember -Identity "zDM_All_Security" -members $FormerMgr2.SamAccountName}

$NewAcctMgrs3 = Get-ADUser -Filter {description -eq 'DOPS - Director of Operations' -and Enabled -eq $True}
ForEach ($NewAcctMgr3 in $NewAcctMgrs3) {Add-AdGroupMember -Identity "zDM_All_Security" -members $NewAcctMgr3.SamAccountName}

$FormerAcctMgrs3 = Get-ADUser -Filter {description -eq 'DOPS - Director of Operations' -and Enabled -eq $False}
ForEach ($FormerMgr3 in $FormerAcctMgrs3) {Remove-AdGroupMember -Identity "zDM_All_Security" -members $FormerMgr3.SamAccountName}

Stop-Transcript

#This code below will generate a csv file with the current District Managers, Area Managers, Director of Operations in our environment
#Get-ADGroupMember -Identity zDM_All_Security | Export-Csv c:\zDM_All_Security1.csv
```

oBdA, Most Valuable Expert 2018, Distinguished Expert 2018

Commented:
Basically the same; you just need to adjust the group name and the filter:
```powershell
Start-Transcript -Path C:\temp\zDM_sync.log
$group = 'zDM_All_Security'
$add = @()
$remove = @()
Get-ADUser -Filter {(description -eq 'DISTMGR - District Manager') -or (description -eq 'AREAMGR - Area Manager') -or (description -eq 'DOPS - Director of Operations')} | ForEach-Object {
	If ($_.Enabled) {
		$add += $_
	} Else {
		$remove += $_
	}
}
If ($add) {
	Add-AdGroupMember -Identity $group -Members $add
}
If ($remove) {
	Remove-AdGroupMember -Identity $group -Members $remove -Confirm:$false
}
#This code below will generate a csv file with the current District Managers, Area Managers, Director of Operations in our environment
#Get-ADGroupMember -Identity zDM_All_Security | Export-Csv -NoTypeInformation -Path C:\zDM_All_Security1.csv
Stop-Transcript
```
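The scripts in this thread add every enabled matching user and remove every disabled one on each run; the added example below (not code from oBdA, Darrell or the asker) instead reconciles the group against current membership, so it also removes people whose description attribute changed to another role and never re-adds existing members. Group name, role descriptions and log path are parameters with defaults taken from the thread; the log path under C:\temp and the module import are assumptions.

```powershell
# Added example: reconcile a security group against "enabled users whose description
# marks them as role X". Compares desired vs. current membership instead of blindly
# adding/removing, so role changes are caught and no duplicate adds are attempted.
# Supports -WhatIf for a dry run before scheduling it.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$Group = 'Powerbi_All_AM',
    [string[]]$Descriptions = @('ACCTMGR - Account Manager'),
    [string]$LogPath = 'C:\temp\Powerbi_All_AM_sync.log'   # assumed path
)
Import-Module ActiveDirectory -ErrorAction Stop
# -WhatIf:$false so a dry run is still written to the transcript
Start-Transcript -Path $LogPath -Append -WhatIf:$false

# Desired members: enabled users whose description exactly matches one of the roles.
$desired = @{}
foreach ($d in $Descriptions) {
    Get-ADUser -Filter "description -eq '$d' -and Enabled -eq 'True'" |
        ForEach-Object { $desired[$_.SID.Value] = $_ }
}

# Current direct user members, keyed by SID so renames do not confuse the comparison.
$current = @{}
Get-ADGroupMember -Identity $Group |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { $current[$_.SID.Value] = $_ }

# Guard: an empty result (typo in the filter, DC unreachable) must not empty the group.
if ($desired.Count -eq 0) {
    Write-Warning "No users matched the role filter; leaving $Group untouched."
    Stop-Transcript
    return
}

$toAdd    = @($desired.Keys | Where-Object { -not $current.ContainsKey($_) } | ForEach-Object { $desired[$_] })
$toRemove = @($current.Keys | Where-Object { -not $desired.ContainsKey($_) } | ForEach-Object { $current[$_] })

if ($toAdd.Count -gt 0 -and $PSCmdlet.ShouldProcess($Group, "Add $($toAdd.Count) member(s)")) {
    Add-ADGroupMember -Identity $Group -Members $toAdd
}
if ($toRemove.Count -gt 0 -and $PSCmdlet.ShouldProcess($Group, "Remove $($toRemove.Count) member(s)")) {
    Remove-ADGroupMember -Identity $Group -Members $toRemove -Confirm:$false
}
"Added:   $($toAdd.SamAccountName -join ', ')"
"Removed: $($toRemove.SamAccountName -join ', ')"
Stop-Transcript
```

For the zDM_All_Security case, pass the three descriptions from the thread via -Descriptions; the transcript then records exactly which accounts each scheduled run added or removed.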

Isaias Perez, IT Operations Manager (Author)

Commented:
Perfection as always oBdA, thank you!
