    Active Directory - Scripting the adding/removal of users to group

    • R3dPand4 @anthonyh

      @anthonyh When you say their username matches a certain pattern what do you mean? Whatever the qualifier is it'd have to be perfectly consistent so you can build a RegEx around it for filtering, but it's definitely doable.

      • jrc @R3dPand4

        @r3dpand4 said in Active Directory - Scripting the adding/removal of users to group:

        @anthonyh When you say their username matches a certain pattern what do you mean? Whatever the qualifier is it'd have to be perfectly consistent so you can build a RegEx around it for filtering, but it's definitely doable.

        Where does OP say username? He wants to match based on some AD attribute, and in his example he mentioned email domain from the email field. Or did I miss something?

        • anthonyh @R3dPand4

          @r3dpand4 I apologize if my OP wasn't clear. I'm looking to match based on a pattern in the E-mail attribute of an account. Not matching based on username. Basically, if the email address in the E-mail attribute field is a specific domain (*@domain.org as an example), I want to add the users to a specific security group. If that changes in the future (we have instances where users float between organizations), I want to remove them from the group.

          • anthonyh @jrc

            @jrc I re-read my OP a few times to make sure I didn't misspeak. I don't think you missed anything. Unless I'm missing something...

            • R3dPand4 @anthonyh

              @anthonyh You're fine, I'm also half dead from a head cold/sinus infection; I just reread the post. Query the groups you're wanting, run a foreach loop against the results, then an if/else statement with the -like switch against whatever the domain is you're wanting to filter to specify your action.

              • jrc @R3dPand4

                @r3dpand4 said in Active Directory - Scripting the adding/removal of users to group:

                @anthonyh You're fine, I'm also half dead from a head cold/sinus infection; I just reread the post. Query the groups you're wanting, run a foreach loop against the results, then an if/else statement with the -like switch against whatever the domain is you're wanting to filter to specify your action.

                I suspect that the OP is wanting some code examples. At least that's what I'd be after if I were him.

                Anthony:
                https://technet.microsoft.com/en-us/library/ee617193.aspx?f=255&MSPPError=-2147217396 is a place to start; it'll help you write the bit that gets group members.
                https://gallery.technet.microsoft.com/scriptcenter/Getting-Users-ALL-7417b71d - May have some usable snippets to get the info you need from the user.

                • dafyre

                  Check get-aduser... You could try something like this from one of your DCs:

                  get-aduser -properties DisplayName,sAMAccountName,EmailAddress -Filter "EmailAddress -like '*@domain.org'"

                  That will give you the list of users and their associated email.

                  • anthonyh

                    It's not completely finished yet, but the framework is more-or-less there.

                    I couldn't figure out how to cleanly paste it directly into this post, so here is a pastebin link:

                    https://pastebin.com/0JvUrzQU

                    • dafyre @anthonyh

                      @anthonyh Is this code you are currently testing, or are you still working on it?

                      It looks like it should work.

                      • anthonyh @dafyre

                        @dafyre said in Active Directory - Scripting the adding/removal of users to group:

                        @anthonyh Is this code you are currently testing, or are you still working on it?

                        It looks like it should work.

                        I've tested everything but the actual "remove-adgroupmember" and "add-adgroupmember" bits. 😄

                        I'm going to do that this morning.

                        • dafyre @anthonyh

                          @anthonyh said in Active Directory - Scripting the adding/removal of users to group:

                          @dafyre said in Active Directory - Scripting the adding/removal of users to group:

                          @anthonyh Is this code you are currently testing, or are you still working on it?

                          It looks like it should work.

                          I've tested everything but the actual "remove-adgroupmember" and "add-adgroupmember" bits. 😄

                          I'm going to do that this morning.

                          *hides under nearest desk*

                          • anthonyh @dafyre

                            @dafyre said in Active Directory - Scripting the adding/removal of users to group:

                            @anthonyh said in Active Directory - Scripting the adding/removal of users to group:

                            @dafyre said in Active Directory - Scripting the adding/removal of users to group:

                            @anthonyh Is this code you are currently testing, or are you still working on it?

                            It looks like it should work.

                            I've tested everything but the actual "remove-adgroupmember" and "add-adgroupmember" bits. 😄

                            I'm going to do that this morning.

                            *hides under nearest desk*

                            lolz

                            • anthonyh

                              Welp, as near as I can tell my cluster of a script does exactly what I'm looking for. I've updated the Pastebin link for those who are curious (https://pastebin.com/0JvUrzQU).

                              It will analyze existing group memberships and remove users if they do not meet all of the following requirements:

                              • The account no longer matches the specified $fileString
                              • The account is disabled
                              • The account does not reside within the $searchBase

                              Next, it will pull all accounts from the system, exclude existing members, and add the remaining users to the group if they meet all of the following requirements:

                              • The account is enabled
                              • The account matches the specified $fileString
                              • The account resides within the $searchBase
                              • The sAMAccountName does not contain a 1 (something we use internally)
                              • The Display Name does not contain the string 'test' (we do not have any users who have 'test' in their name yet :-D)

                              After the above is done, it writes the changes to a log file (which is overwritten each time the script runs) and emails it off to a specified email address.

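The reconciliation anthonyh describes (remove members who no longer qualify, add users who now do, log every change), written out as an added example; this is not the thread's pastebin script. It assumes the RSAT ActiveDirectory module, rights to modify the group, and that the removal side uses the same qualifying set as the addition side (one simplification: the '1' and 'test' exclusions therefore also trigger removals). The group name, pattern, search base and log path are placeholder parameters. Run it with -WhatIf first to see what would change without touching the group.

```powershell
# Added example: sync a security group against the E-mail attribute (not the thread's script).
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory)] [string] $GroupName,     # e.g. 'Org-Staff' (placeholder)
    [Parameter(Mandatory)] [string] $EmailPattern,  # e.g. '*@domain.org' (placeholder)
    [Parameter(Mandatory)] [string] $SearchBase,    # e.g. 'OU=Users,DC=example,DC=org' (placeholder)
    [string] $LogPath = "$env:TEMP\group-sync.log"
)

Import-Module ActiveDirectory

# Current members, resolved to user objects carrying the attributes we filter on.
$members = Get-ADGroupMember -Identity $GroupName |
    Where-Object objectClass -eq 'user' |
    ForEach-Object { Get-ADUser -Identity $_.distinguishedName -Properties EmailAddress, DisplayName }

# Desired members: enabled users under the OU whose mail matches, minus the local exclusions.
$desired = Get-ADUser -SearchBase $SearchBase -Properties EmailAddress, DisplayName `
    -Filter "Enabled -eq 'True' -and EmailAddress -like '$EmailPattern'" |
    Where-Object { $_.SamAccountName -notlike '*1*' -and $_.DisplayName -notlike '*test*' }

# Index both sets by DN so membership tests are exact, not name-based.
$desiredDns = @{}; foreach ($u in $desired) { $desiredDns[$u.DistinguishedName] = $true }
$memberDns  = @{}; foreach ($m in $members) { $memberDns[$m.DistinguishedName]  = $true }

$changes = @()
foreach ($m in $members) {
    # Remove anyone who no longer qualifies (mail changed, disabled, moved out of the OU).
    if (-not $desiredDns.ContainsKey($m.DistinguishedName)) {
        if ($PSCmdlet.ShouldProcess($m.SamAccountName, "Remove from $GroupName")) {
            Remove-ADGroupMember -Identity $GroupName -Members $m -Confirm:$false
        }
        $changes += "REMOVE $($m.SamAccountName) <$($m.EmailAddress)>"
    }
}
foreach ($u in $desired) {
    # Add qualifying users who are not members yet.
    if (-not $memberDns.ContainsKey($u.DistinguishedName)) {
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, "Add to $GroupName")) {
            Add-ADGroupMember -Identity $GroupName -Members $u
        }
        $changes += "ADD $($u.SamAccountName) <$($u.EmailAddress)>"
    }
}

# Overwrite the log each run, as the thread's script does; review it before trusting the sync.
$changes | Set-Content -Path $LogPath
"$($changes.Count) change(s) written to $LogPath"
```

Because the script only compares distinguished names, a user who is moved to another OU is treated as a removal and a re-add only if the move crosses $SearchBase; pure renames do not generate changes.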