Replies: 10 - Pages: 1 - Last Post: May 14, 2008 2:28 AM by: Dmitry Sotnikov

Posts: 6, Registered: 4/11/08
Group Management Function
Posted: Apr 11, 2008 9:13 AM
I want to use the Quest AD Cmdlets to do something for me.
I'd like to have a function which would take this input:
set of users (1 to n), group (just 1).
Goal: I'd like the script to make the set of users members of the group AND remove all other members of the group.
Qualifications: I don't want to remove all, then add back the members. I want it to only make changes necessary (removing improper entries and adding people who are not already in the group, but should be).
Bonus Points: I'd love for it to return a list of changes made to the group, if any.
Thanks, Matthew

Posts: 1,151, Registered: 12/1/06
Re: Group Management Function
Posted: Apr 11, 2008 10:26 AM
in response to: matthewg
Matthew, let's make sure I understand your task right.
So you have a group, and a list of users who need to be in the group (CSV with their logon names?).
1. You want to take everyone who is not in the list out of the group.
2. Add those who are in the list, but not yet in the group, to the group.
3. Report all the changes.
4. Do this for a set of groups.
Is that correct?

Posts: 6, Registered: 4/11/08
Re: Group Management Function
Posted: Apr 11, 2008 1:34 PM
in response to: Dmitry Sotnikov
Dmitry, thanks for the response.
Yes, assume I have an attribute (perhaps logon name) which can uniquely identify each user.
1. Yes, remove all people not in the list from the group.
2. Yes, add folks not already in it.
3. Yes, Report Changes.
4. I could call the function multiple times, so doing it for one group at a time would be fine.

Posts: 6, Registered: 4/11/08
Re: Group Management Function
Posted: Apr 18, 2008 1:07 PM
in response to: Dmitry Sotnikov
Hey. Dmitry. Did you foresee any sample code to solve that problem being available?

Posts: 1,151, Registered: 12/1/06
Re: Group Management Function
Posted: Apr 21, 2008 2:24 PM
in response to: matthewg
Matthew,
See if this sample helps:
$groupname = "Accounting"

# this is a text file, one samAccountName per line
$users = Get-Content c:\user_logon_names.txt

# remove members of the group that are not listed in the file
Get-QADGroupMember $groupname | ForEach-Object {
    If ( $users -contains $_.samAccountName ) {
        "Yes, user $_ is already in the file"
    } else {
        "Removing user $_ from the group"
        Remove-QADGroupMember $groupname $_
    }
}

# collect the samAccountNames of the members that remain
$members = @()
Get-QADGroupMember $groupname | ForEach-Object { $members += $_.samAccountName }

# add users from the file that are not yet members
$users | ForEach-Object {
    If ( $members -contains $_ ) {
        "Yes, user $_ is already in the group"
    } else {
        "Adding user $_ to the group"
        Get-QADUser $_ | Add-QADGroupMember -Identity $groupname
    }
}
Dmitry
See also: Dmitry's PowerBlog at http://dmitrysotnikov.wordpress.com

Posts: 1,151, Registered: 12/1/06

Posts: 6, Registered: 4/11/08
Re: Group Management Function
Posted: Apr 22, 2008 8:44 PM
in response to: Dmitry Sotnikov
Dmitry.
That's great. I've been testing this evening and it works great. The only error I could generate (other than bad data) was that if the group was empty, the compare-object statement failed. That'll be easy enough to overcome by checking if $Member.Count is equal to 0, then add all the users, otherwise run the compare-object | ForEach group.
Now, I just need to build more detailed processes and expectations, then I could be ready for a pilot!
Thanks, Matthew
Update: I just found another tweak. The get-qaduser statement needs to have the parameter -samAccountName inserted:
get-qaduser -samAccountName $_.InputObject
Otherwise... that cmdlet will return more than intended. This update needs to happen on the Add and remove lines in the script.
Message was edited by: matthewg

Posts: 6, Registered: 4/11/08
Re: Group Management Function
Posted: Apr 22, 2008 8:47 PM
in response to: Dmitry Sotnikov
And thanks very much. I appreciate it.

Posts: 1,151, Registered: 12/1/06

Posts: 22, Registered: 1/30/08
Re: Group Management Function
Posted: May 13, 2008 7:51 PM
in response to: Dmitry Sotnikov
Dmitry, I stepped away from this for a while and am changing it to pull the data from a database. I ran across times when compare-object wouldn't give the correct results. It would output for records in each array twice. It would say for example that JSmith was only in $Users, then it would say JSmith was only in $members. After much consternation, I found that adding -syncWindow 100000 would give me the desired output. I think this is b/c the array values aren't in the same order.
Just FYI.
Thanks, Matthew
PS. Actually, I just followed the comment from Arnoud Jansveld at http://keithhill.spaces.live.com/blog/cns!5A8D2641E0963A97!6159.entry. Sounds like a better answer to sort the arrays rather than use -syncwindow.
Message was edited by: MatthewG

Posts: 1,151, Registered: 12/1/06
Re: Group Management Function
Posted: May 14, 2008 2:28 AM
in response to: MatthewG
Matthew,
Yep, it's the -SyncWindow - I myself found this parameter just recently (shame on me). Either increase it or sort the collections - whichever gives you better performance.
Dmitry
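
The reconciliation discussed in this thread, computed with hashtable lookups instead of Compare-Object so that neither an empty group nor differently ordered lists (the two problems reported above) affects the result. This is an added example, not code from any poster or from Quest; Get-GroupMembershipDelta, its parameters and the sample account names are hypothetical, and it assumes PowerShell 3.0 or later.

```powershell
function Get-GroupMembershipDelta {
    param(
        [string[]]$Desired = @(),    # samAccountNames that should be in the group
        [string[]]$Current = @(),    # samAccountNames currently in the group
        [switch]$AllowEmptyDesired   # must be set before the plan may empty the group
    )
    # Normalise both sides: trim, drop blanks, de-duplicate.
    # PowerShell hashtable literals compare string keys case-insensitively.
    $want = @{}; $have = @{}
    foreach ($n in $Desired) { if ($n -and $n.Trim()) { $want[$n.Trim()] = $true } }
    foreach ($n in $Current) { if ($n -and $n.Trim()) { $have[$n.Trim()] = $true } }

    # An empty or unreadable input list would otherwise plan removal of every member.
    if ($want.Count -eq 0 -and -not $AllowEmptyDesired) {
        throw "Desired list is empty; refusing to plan removal of all members."
    }

    # Key lookups do not depend on order, so no sorting or -SyncWindow is needed,
    # and an empty group simply produces only 'Add' entries.
    foreach ($n in ($have.Keys | Sort-Object)) {
        if (-not $want.ContainsKey($n)) {
            [pscustomobject]@{ Action = 'Remove'; SamAccountName = $n }
        }
    }
    foreach ($n in ($want.Keys | Sort-Object)) {
        if (-not $have.ContainsKey($n)) {
            [pscustomobject]@{ Action = 'Add'; SamAccountName = $n }
        }
    }
}

# Constructed sample data: same people in a different order and case, plus one
# account that should be removed and one that should be added.
$users   = 'jsmith', 'adoe', 'bwong'
$members = 'BWong', 'old.account', 'JSmith'
$plan = Get-GroupMembershipDelta -Desired $users -Current $members
$plan | Format-Table -AutoSize

# Applying $plan with the cmdlets used in this thread (not run here):
#   Add:    Get-QADUser -SamAccountName <name> | Add-QADGroupMember -Identity $groupname
#   Remove: Remove-QADGroupMember $groupname <member>
```

The returned objects double as the change report requested in the first post, and reviewing them before applying anything shows exactly who would lose or gain membership.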