We have a few groups that we are playing with. We'll call them Group1, Group2 and Group3. We then have a custom AD attribute called "team". We need to take all the users of Group1 and change their AD attribute to "Group1", etc. I've looked at a few ways to do this but am drawing a blank. Any suggestion is greatly appreciated.
There are a few functions to work with here, and this will require that you have the AD module installed for PowerShell.
First, you'll need to get all of the members of the group, and you likely want to do it recursively. So that's:
Get-ADGroupMember -Identity "Group A" -Recursive
Running that on its own should give you all the members. But now you want to do something with what you got back from that function, so you want to loop over them:
Get-ADGroupMember -Identity "Group A" -Recursive | ForEach-Object {
    # You'll do something with each member here.
}
And what you want to do is set the AD attribute, which you can do with Set-ADUser. While most attributes can be set easily as they're all properties of the function, yours appears to be custom so you need to use -Replace. That looks like this:
Get-ADGroupMember -Identity "Group A" -Recursive | ForEach-Object {
    Set-ADUser -Identity $_ -Replace @{"Team"="Group A"} -WhatIf
}
The -WhatIf on the end makes the function tell you what it would do, but it doesn't actually do it. I've left it there so you don't accidentally run the code without testing it out first. When you want this to actually do something, remove that text.
You should try this on a small group with one or two people to make sure it works the way you want, and then when you're ready, hit the larger group.
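As an added example (not the answerer's code), the same idea extended to several groups at once: it assumes the AD module, a schema attribute named team and placeholder group names, and it stays in -WhatIf mode until -Commit is given.

```powershell
# Added example: stamp a custom "team" attribute on the members of several groups.
# Assumes the ActiveDirectory module and a schema attribute named "team";
# the group names below are placeholders.
Import-Module ActiveDirectory

$teamByGroup = @{
    'Group1' = 'Group1'
    'Group2' = 'Group2'
    'Group3' = 'Group3'
}

function Set-TeamFromGroup {
    param(
        [hashtable]$Map,
        [switch]$Commit   # without -Commit every Set-ADUser runs with -WhatIf
    )
    foreach ($groupName in $Map.Keys) {
        $teamValue = $Map[$groupName]
        # -Recursive flattens nested groups; it can also return computers and
        # other non-user principals, so keep only user objects for Set-ADUser.
        $members = Get-ADGroupMember -Identity $groupName -Recursive |
            Where-Object { $_.objectClass -eq 'user' }

        foreach ($member in $members) {
            # Read the current value so a re-run is a no-op for users that
            # already carry it and the output lists only real changes.
            $user = Get-ADUser -Identity $member.DistinguishedName -Properties team
            if ($user.team -eq $teamValue) { continue }

            # A user in two mapped groups gets whichever group is processed last.
            Set-ADUser -Identity $user -Replace @{ team = $teamValue } -WhatIf:(-not $Commit)
            [pscustomobject]@{
                Group = $groupName
                User  = $user.SamAccountName
                Old   = $user.team
                New   = $teamValue
            }
        }
    }
}

# Dry run first; add -Commit once the listed changes look right.
Set-TeamFromGroup -Map $teamByGroup | Format-Table
```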
I've seen multiple examples on adding a user to a group after creation, but not at the time of creation. Is that possible? Currently, I have something like this: (most attributes removed for simplicity)
$user = New-ADUser -Name "person" -Path "OU=test,OU=myorg" -Office "home" -samAccountName "snuffy.john" -PassThru
if ($user){
Add-ADGroupMember -Identity mygroup -Members $user.samAccountName
}
This causes two calls to the LDAP server for each user added and I'm trying to prevent that as I have many thousands of users and the script takes a long time to run. I've checked MS docs but didn't see anything. If it's not possible, it is what it is. Thought I'd try asking at least. I also just started using PowerShell last week.
You may turn your thinking around. With thousands of users I would do it like this.
First create all users.
Then get them by Get-ADUser -Filter * -SearchBase "OU=test,OU=myorg" (or maybe Filter the CreatedDate Attribute to get all new users)
After getting the users try to filter them for the groups you want to put them into and use the Add-ADGroupMember cmdlet, which accepts an array of ADPrincipals for parameter "-members".
This will speed up your code.
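The procedure above as an added example (not the answerer's code): create the accounts first, then add the whole batch with one Add-ADGroupMember call. It assumes a constructed CSV with Name and SamAccountName columns; the OU and group names are placeholders.

```powershell
# Added example: bulk-create users, then one group write for the whole batch.
# Assumes a CSV (constructed) with Name and SamAccountName columns.
Import-Module ActiveDirectory

$ou    = 'OU=test,OU=myorg,DC=example,DC=com'   # placeholder
$group = 'mygroup'                                # placeholder
$start = Get-Date

# Step 1: create all users. -PassThru hands back the new objects, so no
# second lookup per user is needed later.
$created = Import-Csv .\newusers.csv | ForEach-Object {
    New-ADUser -Name $_.Name -SamAccountName $_.SamAccountName -Path $ou -PassThru
}

# Step 1 (alternative): if the objects were not kept, find everything created
# in the OU since the script started using the whenCreated attribute.
if (-not $created) {
    $created = Get-ADUser -Filter { whenCreated -ge $start } -SearchBase $ou
}

# Step 2: a single write. -Members accepts an array of ADPrincipal objects
# (or DNs / SamAccountNames) instead of one call per user.
Add-ADGroupMember -Identity $group -Members $created

# Step 3: verify by comparing the group's member DNs with what was created.
$inGroup = (Get-ADGroup -Identity $group -Properties member).member
$missing = @($created | Where-Object { $_.DistinguishedName -notin $inGroup })
'{0} of {1} new users are in {2}; {3} missing' -f (@($created).Count - $missing.Count), @($created).Count, $group, $missing.Count
```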
I found this MS script to extract admin users from AD. It gets the roles with $AzureADRoles = @(Get-AzureADDirectoryRole -ErrorAction Stop), iterates over them, and gets the users using $RoleMembers = @(Get-AzureADDirectoryRoleMember -ObjectId $AzureADRole.ObjectId).
It works great, only I need to access the description field on these users. Unfortunately, the $RoleMembers don't have a description attribute, even though the $AzureADRoles do!
Is there some way I can get the description field for the users, perhaps with a similar command? I see some commands that would do the trick if I wanted to traverse group members, but I'm looking for something role-based.
Thanks!!!
I found the answer here. I just had to add $Admin = Get-ADUser -Identity $RoleMember.DisplayName -Properties Description before constructing $ObjectProperties in a try/catch block, then get the description from $Admin and grab everything else just like before.
I am building a report on our active directory groups and am having a hard time when it comes to different forests.
We have groups from forestA with users inside from forestB. I was able to pull those groups using Quest AD:
$GroupUsers = Get-QADGroupMember $GroupName -Type 'user' -Indirect
The only problem is that even though the users inside are from forest B, they come up showing they are from forestA. They do exist in both forests, don't know if that's a problem.
Any clue on why this happens?
Thanks in advance.
There is a -Server parameter on the Get-ADGroupMember cmdlet where you may specify a domain controller from another domain/forest. Something like:
Get-ADGroupMember -Identity $GroupName -Server DC.AnotherDomain.com
You can query the forest for its domains or all global catalogs: Get-ADForest (properties GlobalCatalogs, Domains). I often did something like this:
I pulled the list of all SIDs in the group then checked which one belongs to my domain/forest, the rest was searched in external forest.
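The SID-based split described above, as an added example (not the answerer's code): members whose domain SID belongs to one of our forest's domains are resolved locally, the rest against a DC in the other forest. The group and server names are placeholders and a trust between the forests is assumed.

```powershell
# Added example: classify group members by the domain part of their SID and
# resolve each one in the right forest. Names are placeholders.
Import-Module ActiveDirectory

function Resolve-GroupMembersAcrossForests {
    param([string]$GroupName, [string]$ForeignServer)

    # Domain SIDs of every domain in our own forest (Get-ADForest -> Domains).
    $localDomainSids = (Get-ADForest).Domains |
        ForEach-Object { (Get-ADDomain -Identity $_).DomainSID.Value }

    foreach ($m in Get-ADGroupMember -Identity $GroupName) {
        $sid = $m.SID.Value
        # A principal SID is <domain SID>-<RID>; strip the last component.
        $domainSid = $sid.Substring(0, $sid.LastIndexOf('-'))
        $server = if ($localDomainSids -contains $domainSid) { $null } else { $ForeignServer }
        try {
            # Members from the other forest exist here only as foreign security
            # principals, so the SID has to be looked up on the other side.
            $user = if ($server) { Get-ADUser -Identity $sid -Server $server } else { Get-ADUser -Identity $sid }
            $name = $user.SamAccountName
        } catch {
            # Not a user (e.g. a computer) or not resolvable in that forest.
            $name = '<unresolved>'
        }
        [pscustomobject]@{
            Member = $name
            Source = $(if ($server) { $server } else { 'local forest' })
            SID    = $sid
        }
    }
}

Resolve-GroupMembersAcrossForests -GroupName 'GroupName' -ForeignServer 'dc.forestb.example.com' | Format-Table
```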
So I have an interesting script I am trying to figure out, basically I need to change a custom attribute value to a new one. The problem is its for both users and computers and not specific to the groups. So for instance the value might be Billing1 for several users in an OU and this need to be Billing2. So I need to find any instance of the Value of Billing1 and change it to Billing2 not knowing the user or computer object. I can successfully change one at a time if I know who the user is by using Set-ADUser, Set-ADComputer and even with Set-AdObject but I need to figure out a Find and replace function.
I have searched for this and I have found examples of where I can use CSV for users and computers but again I don't know who has what since the value in the attribute can vary and also changes if a reorg happens.
got the correct script...
Get-ADComputer -Properties enterattributename -Filter { enterattributename -like "value to search" } | Set-ADComputer -Replace @{ enterattributename = "value to change" }
this also can be applied to Get-ADUser and Get-ADObject
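As an added example (not the poster's script), the same find-and-replace done for users and computers in one query through Get-ADObject; the attribute name, the values and the OU are placeholders, and nothing is written until -Commit is given.

```powershell
# Added example: find every user or computer whose custom attribute holds an
# old value and replace it with a new one. Attribute, values and OU are placeholders.
Import-Module ActiveDirectory

function Rename-AttributeValue {
    param(
        [string]$Attribute,
        [string]$OldValue,
        [string]$NewValue,
        [string]$SearchBase,
        [switch]$Commit
    )
    # Computer objects derive from the user class, so (objectClass=user) matches
    # both. An exact match avoids Billing1* also catching Billing10.
    # (If the value can contain LDAP metacharacters such as * ( ) \, escape them first.)
    $ldap = "(&(objectClass=user)($Attribute=$OldValue))"
    $hits = Get-ADObject -LDAPFilter $ldap -SearchBase $SearchBase -Properties $Attribute

    foreach ($obj in $hits) {
        # Set-ADObject handles users and computers alike; -Replace overwrites the value.
        Set-ADObject -Identity $obj -Replace @{ $Attribute = $NewValue } -WhatIf:(-not $Commit)
        [pscustomobject]@{
            Object = $obj.Name
            Class  = $obj.ObjectClass
            From   = $OldValue
            To     = $NewValue
        }
    }
}

# Dry run; add -Commit once the list of affected objects looks right.
Rename-AttributeValue -Attribute 'extensionAttribute1' -OldValue 'Billing1' -NewValue 'Billing2' -SearchBase 'OU=Billing,DC=example,DC=com' | Format-Table
```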
I'm looking to build a script which would show Active Directory group hierarchy.
Unfortunately a simple Get-ADGroupMember $group -Recursive lists only members, not groups.
Example:
Group1 is main group - it has 3 subgroups named GroupA,B,C. So GroupA,B,C is MemberOf Group1.
GroupA has no subgroups
GroupB has 2 subgroups named subGroup1,2
GroupC has 1 subgroup named subGroup3
subGroup1,2,3 has no subgroups
Ideally would be great to have output something like this:
Level1  Level2  Level3     Level4
Group1  GroupA
        GroupB  subGroup1
                subGroup2
        GroupC  subGroup3
Of course I have Googled for it; I found two web sites:
http://powershell.com/cs/forums/p/9588/15894.aspx
http://www.experts-exchange.com/Programming/Languages/Scripting/Powershell/Q_27346526.html
It's a little over my scope to understand them; in the first link there is a simple script.
function Get-GroupHierarchy ($searchGroup)
{
    Import-Module ActiveDirectory
    $groupMember = Get-ADGroupMember $searchGroup | Sort-Object objectClass -Descending
    foreach ($member in $groupMember)
    {
        Write-Host $member.objectClass, ":", $member.name
        if ($member.objectClass -eq "group")
        {
            Get-GroupHierarchy $member.name
        }
    }
}
I put $searchGroup = "Administrators" before the script, but script doesn't show any results. It has 3 sub-groups if I do Get-ADGroupMember. Probably I don't know how to work with functions.
How do I make those scripts work, or make something similar?
To directly answer your question of how to make that script work, you call the function as such:
Get-GroupHierarchy "Administrators"
But if you read further in the forum post somebody does note an issue with the function... circular references. Given this:
Group1 -GroupA -GroupX
       -GroupB -GroupY
               -Group1
The function would never finish. It would get the members of Group1, then GroupA, then GroupX. After GroupX it wouldn't have any more nested groups so it would move down to GroupB, and then GroupY, and then Group1, where it would start on GroupA again. It would cycle over and over. I've never tried it, so I don't know if it can be done with AD groups, but if you can nest groups within groups that are nested within themselves then this will give you problems.
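As an added example (not the forum script or the answerer's code), a version of Get-GroupHierarchy that keeps the chain of groups it is currently inside and reports a circular reference instead of recursing into it again; it assumes the AD module and uses 'Group1' as a placeholder root group.

```powershell
# Added example: walk nested groups one level at a time, emitting one row per
# group with its nesting level, and stop at circular references.
Import-Module ActiveDirectory

function Get-GroupHierarchy {
    param(
        [string]$Group,
        [int]$Level = 1,
        # Distinguished names of the groups on the current recursion chain
        [System.Collections.Generic.List[string]]$Path = [System.Collections.Generic.List[string]]::new()
    )
    $g = Get-ADGroup -Identity $Group
    if ($Path -contains $g.DistinguishedName) {
        # This group is already an ancestor on the chain: a cycle like
        # Group1 -> GroupB -> Group1. Report it and do not expand it again.
        [pscustomobject]@{ Level = $Level; Group = $g.Name; Note = 'circular reference, not expanded' }
        return
    }
    [pscustomobject]@{ Level = $Level; Group = $g.Name; Note = '' }

    $Path.Add($g.DistinguishedName)
    # Direct members only: -Recursive would flatten the levels we want to show.
    Get-ADGroupMember -Identity $g |
        Where-Object { $_.objectClass -eq 'group' } |
        Sort-Object Name |
        ForEach-Object { Get-GroupHierarchy -Group $_.DistinguishedName -Level ($Level + 1) -Path $Path }
    # Leaving this group: the same group may legitimately appear under another branch.
    $Path.RemoveAt($Path.Count - 1)
}

# Indented tree view, one level of indentation per nesting level.
Get-GroupHierarchy -Group 'Group1' | ForEach-Object {
    ('  ' * ($_.Level - 1)) + $_.Group + $(if ($_.Note) { " ($($_.Note))" })
}
```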