I have below script that add users to o365 group at start of their work as below:
$DateMaxTime = (Get-date).AddDays(0)
$DateMaxTimeNew = (Get-date).AddDays(-30)
$usersRO = Get-ADUser -Filter * -Properties * -SearchBase "OU=Users,OU=Resources,OU=Romania,OU=DataManagement,DC=USA"|where {$_.Description -like "*TEMP*" -or $_.Description -like "*PERM*" } |select samaccountname,description,name
$groupsRO = '#O365-EXTERNALACCESS'
$FinalResultRO = New-object System.Collections.ArrayList
ForEach($groupRO in $groupsRO){
$membersRO = Get-ADGroupMember -Identity $groupRO -Recursive | Select -ExpandProperty samaccountname
Foreach ($userRO in $usersRO){
$AcountNameRO = $userRO.samaccountname
$DatePartRONew = get-aduser -identity $AcountNameRO -Properties * | Select-Object whenCreated
$DatePartSubsRONew = $DatePartRONew.whenCreated
$DataPartROdesc=$userRO.description
$expressionRO = ([regex]'(\d{2}/\d{2}/\d{4})').Match($DataPartROdesc).Groups[0].Value
$DatePartRO= $expressionRO
$FinalDateRO = [datetime]::ParseExact($DatePartRO,'dd/MM/yyyy',$null)
If ($DatePartSubsRONew -lt $DateMaxTimeNew){
Write-Host "$AcountNameRO ouf of date scope"}
else {Write-Host "$AcountNameRO in scope"
If ((get-date $FinalDateRO.Date) -eq (get-date $DateMaxTime.Date)){
Write-Host "$AcountNameRO is a today Starter"
If ($membersRO -notcontains $AcountNameRO ) {
Write-Host "Adding external group $groupRO for: $AcountNameRO"
Add-ADGroupMember -Identity "#O365-EXTERNALACCESS" -Members $AcountNameRO
$FinalResultRO.Add((New-Object psobject -Property #{User=$AcountNameRO}))
}
Else {Write-Host "$AcountNameRO exists in group $groupRO"}
}Else {Write-Host "$AcountNameRO is not a Starter"}
}
}
}
$listRO = [array]$FinalResultRO |Select User |Out-String
$listRO.gettype()
if [string]::IsNullOrEmpty($listRO){
Write-Host "nothing to send"
}
Else {
Write-Host "Mail sent"
Send-MailMessage -From "mail1#donut.com" -To "mail2#donut.com" -Subject "Following users have been granted external access rights" -smtpServer "donut" -body "$($listRO)"
}
I run this script daily in task scheduler with higest privilage .
For some reasons, sometimes when script is executing , telling me that users has been added to group but its not changing in Active DIrectory . Only when I run the script second time its working (manually on powershell , not using task scheduler).
What can be a reason for this ?
I would check this line
Add-ADGroupMember -Identity "#O365-EXTERNALACCESS" -Members $AcountNameRO
Your code runs even if it hits some error for whatever reason. I would add a try catch statement to figure out what went wrong (could be DNS, Network, some problem with $AcountNameRO variable ...).
try {Add-ADGroupMember -Identity "#O365-EXTERNALACCESS" -Members $AcountNameRO}
catch{
write-host "something went wrong in Add-ADGroupMember"
Send-MailMessage -From "mail1#donut.com" -To "mail2#donut.com" -
Subject "please check Add-ADGroupMember"
write-host $_
}
Of course, write-host is a bad idea when running a scheduled task because you do not see the output. So I would dump the output in a file or the eventlog or write an email. Bill wrote a nice summary of what you could do concerning the logging.
https://adamtheautomator.com/powershell-logging/
Related
Okay so i have the following code. It works but it returns failed for each user. The first 2 users are supposed to fail but the last one should be success but it should only show all the failed attempts and then place it in a text file. This is what I have so far besides the output to a text file.
Import-Module ActiveDirectory
#$sam = read-host "Enter username"
#$user = Get-ADUser -filter {SamAccountName -eq $sam}
$user = #("user2","user3","olduser2")
foreach($sam in $user){
if(Get-Aduser $sam){
$Name = (Get-ADUser $sam -Properties cn).name
$path = "OU=Term,OU=test,DC=patel,DC=COM"
Get-ADUser $Name | Move-ADObject -TargetPath $path
}
if(!$sam){
Write-Host "$sam failed"
}
It would return
user2 failed
with a an error message because it cant be found
user3 failed
with a an error message because it cant be found
olduser2 failed
without error message.
The iterator variable ($sam) in the ForEach goes out of scope when the ForEach loop exits. At that point, $sam -eq $null is true (equivalent to !$sam), and therefore you will get the failure message. Try
$user = #("user2","user3","olduser2")
foreach($sam in $user){
if(Get-Aduser $sam){
$Name = (Get-ADUser $sam -Properties cn).name
$path = "OU=Term,OU=test,DC=patel,DC=COM"
Get-ADUser $Name | Move-ADObject -TargetPath $path
} else {
Write-Host "$sam failed"
}
}
and see if that gives you the results you want - and if you can understand why it does. There are other improvements you can make in the script, as well - but you should get it working first, then think about optimization.
As Jeff Zeitlin mentioned in the comments of the answer. This would be better to do error checking in a try catch loop.
$user = #("user2","user3","olduser2")
foreach($sam in $user) {
try {
$path = "OU=Term,OU=test,DC=patel,DC=COM"
Get-ADUser $sam -ErrorAction Stop | Move-ADObject -TargetPath $path -ErrorAction Stop
}
catch {
Write-Host "$sam failed"
}
}
I am writing a powershell script to disable users due to the fact that we get a list of them everyday and it is monotonous. I paste the list from the ticket into a csv formatted as Lastname, Firstname then run my script with imports the list, serches ad and ask if you want to disable if it finds them. Here is the code...
# Set variables
$Import = "C:\Scripts\Support Files\Users_To_Disable.csv"
$Export = "C:\Scripts\Support Files\Disabled_Users_Output.txt"
# Import user list
$Users = Import-CSV $Import
foreach ($User in $Users)
{
# Set user variables
$LastName = $User.("Surname")
$FirstName = $User.("GivenName")
# Use user variables from list to search ad
$UserName = (Get-ADUser -Filter "GivenName -like '$FirstName*' -and Surname -like '$LastName*'").SamAccountName
# What to do if it finds nothing
If ($UserName -eq $Null)
{
Write-Host $LastName, $FirstName NA -ForegroundColor Yellow
Write-Output "$LastName, $FirstName NA" | Out-File $Export -Append
}
# What to do if it finds a user
Else
{
# Ask for user input
Write-Host $LastName, $FirstName Found -ForegroundColor Green
Write-Host UserName = $UserName -ForegroundColor Green
DO {
$Disable = Read-Host "Do you want to disable user? (Y/N)"
If($Disable -eq "Y")
{
# Disable the user
Disable-ADAccount -Identity $UserName
# Move the user
Get-ADUser $UserName | Move-ADObject -TargetPath "OU=Disabled - Retention,DC=intranet,DC=sw"
# Add Disabled Users group
Add-ADGroupMember "Disabled Users" -Members "$UserName"
# Set Disable Users as primary group
$Group = Get-ADGroup "Disabled Users" -Properties #("PrimaryGroupToken")
Get-ADUser "$UserName" | Set-ADUser -Replace #{PrimaryGroupID=$Group.PrimaryGroupToken}
# Remove all other groups
$User = Get-ADUser "$UserName" -Properties MemberOf
$Groups = $User.MemberOf |ForEach-Object { Get-ADGroup $_ }
$Groups | ForEach-Object { Remove-ADGroupMember -Identity $_ -Members $User -Confirm:$false }
# Output
Write-Host $LastName, $FirstName Disabled -ForegroundColor Red
Write-Output "$LastName, $FirstName Disabled" | Out-File $Export -Append
Break
}
}
Until ($Disable -eq "N")
}
}
Invoke-Item $Export
All of that works, what is scary is that if there are blank cells above a user then it returns all of the users in ad and asks if you want to disable all of them. In other words if the csv looks like this...
Surname GivenName
User Test
Everything works fine, but if it looks like this...
Surname GivenName
User Test
Pandemonium, well not really but it does ask if you want to initiate a resume generating event, which I don't so how can I build in some safety that would stop it from returning all of ad when there are blanks in the csv before users?
You can eliminate the blank lines by filtering out Null values on your import, which should resolve the problem.
$Users = Import-CSV $Import | Where-Object {$_.Surname}
I am trying to write a PowerShell script to check if an AD-User has direct reports (meaning, if that AD-User is a manager), with following code but no go, Any help?
Import-Module ActiveDirectory
Set-Location AD:
$SamAccountName = "Mansings"
$test = Get-Aduser -identity $SamAccountName -Properties directreports | %{$_.directreports}
Write-Host $test
if ($test -eq $null)
{
Write-Host "He is a Manager"
}
else
{
Write-Host "He is not a manager"
}
Got the working script now
Import-Module ActiveDirectory
Set-Location AD:
$SamAccountName = "Mansings"
$test = Get-Aduser -identity $SamAccountName -Properties directreports | %{$_.directreports}
Write-Host $test
if (!$test)
{
Write-Host "He is an employee"
}
else
{
Write-Host "He is a Lead"
}
it's working. Thank you.
I've created a form to create new AD Accounts. Part of the script determines which groups the new user will be added to based on their role (Doctor, Nurse, Admin or Other) which is captured in the following code in the form of a drop down pick box:
Write-Host "Based on this information" $FFN "has been added to the following Active Directory Groups:"
Write-Host
$ADGroup01 = Get-ADGroup "_XA_App_XenApp" |select -expandproperty name -first 1
Write-Host $ADGroup01
$ADGroup02 = Get-ADGroup "Web Proxy Users" |select -expandproperty name -first 1
Write-Host $ADGroup02
if($RadioButton1.Checked -eq $true)
{
$ADGroup03 = Get-ADGroup "allrot" |select -expandproperty name -first 1
Write-Host $ADGroup03
}
Else
{
$ADGroup03 = Get-ADGroup "alltpo" |select -expandproperty name -first 1
Write-Host $ADGroup03
}
if ($Role -eq "Doctor" -Or $Role -eq "Nurse")
{
$ADGroup04 = Get-ADGroup "PACS Web Access" |select -expandproperty name -first 1
Write-Host $ADGroup04
}
if ($Role -eq "Doctor")
{
$ADGroup05 = Get-ADGroup "CH-MFD" |select -expandproperty name -first 1
Write-Host $ADGroup05
$ADGroup06 = Get-ADGroup "ED-MFP" |select -expandproperty name -first 1
Write-Host $ADGroup06
$ADGroup07 = Get-ADGroup "SU-MFD" |select -expandproperty name -first 1
Write-Host $ADGroup07
}
Write-Host
Further on in the script this piece of code is called during the actual account creation process:
Add-ADPrincipalGroupMembership -Identity $UN -memberof $ADGroup01, $ADGroup02, $ADGroup03, $ADGroup04, $ADGroup05, $ADGroup06, $ADGroup07
The issue I'm facing is that if the user selects Nurse, Admin or Other I get the following error:
"Add-ADPrincipalGroupMembership : Cannot validate argument on parameter 'MemberO
f'. The argument is null, empty, or an element of the argument collection conta
ins a null value. Supply a collection that does not contain any null values and
then try the command again."
I know this is because there are no values being captured in the last $ADGroup[x] and short of creating a bunch of if statements to check if each $ADGroup contains data I'm wondering if there is a more elegant solution.
As always, thank you for taking the time review and happy to provide more information if required.
UPDATE - As per #Martin's advice I've implemented the following code into my script
$UN = "zooz"
$Role = "Nurse"
$Department = "Surgical"
If ($Role -eq "Doctor" -and $Department -eq "Surgical")
{
$ADGroups = #(
"PACS Web Access"
"CH-MFD"
"ED-MFP"
"SU-MFD"
)
}
If ($Role -eq "Nurse" -and $Department -eq "Surgical")
{
$ADGroups = #(
"_XA_App_XenApp"
"Web Proxy Users"
"allrot"
)
}
for ($i=0; $i -lt $ADGroups.length; $i++) {
Add-ADPrincipalGroupMembership -Identity $UN -memberof $adgroups[$i]
}
Make an object $adgroups and add your desired groups to it.
$adgroups = #()
At the end use a foreach Loop:
$adgroups | Add-ADPrincipalGroupMembership -Identity $UN or (weather or not the cmdlet likes pipelined Input)
$adgroups | % { Add-ADPrincipalGroupMembership -Identity $UN -memberof $_ }
I have a script which loops through a list of users (samaccountname):
# Read usersfile to variable
$users = get-content ("users.txt")
# Get current time
$now = $(get-date -uformat "%H:%M %d/%m/%Y")
# Loop through list of users
foreach($user in $users) {
# Disable user
Disable-QADUser $user
# Set informative description
Set-QADuser $user -Description "Disabled $now"
# Delete all groupmemberships except "domain users"
Get-QADGroup -Containsmember $user | where-object { $_.name -ne 'domain users'} | Remove-QADGroupmember
# Move to "disabled users" group
move-QADObject $user -NewParentContainer 'contosoc.com/Disabled users'
# Hide from addresslist
Set-Mailbox -identity $user -HiddenFromAddressListsEnabled $true
# Moving mailbox to disabled users database
Move-Mailbox -Identity $user -TargetDatabase "myserver\mydb" -BadItemLimit 50 -Confirm:$False
}
I would like to:
Suppress output from the different cmdlets and only show "$user is OK!" if all is ok and log success to a logfile.txt
Display "Error!" and the command that failed if not ok. And output the complete error msgs to a separate logfile.
I've been thinking about doing a if(!cmdlettorun) { write-host "Error!" } But I'm thinking that there must be a better way.
How should I do error handling in a proper fashion so I minimize the displayed output but still let me see it if desirable?
For suppressing cmlet output you can pipe to out-null or precede the command with:
[void](.. your cmdlets..)
a good way for your goal is using a tray-catch-finally code like in this minimized code:
$a = $ErrorActionPreference
$ErrorActionPreference = "SilentlyContinue"
foreach($user in $users) {
try
{
... yours code ...
$JobStatus = "OK"
}
catch [exception]
{
$("Error catched: " + $_.Exception.GetType().FullName) | out-file c:\file.log
$("Error catched: " + $_.Exception.Message) | out-file c:\file.log -append
$JobStatus = "not OK"
continue;
}
finally
{
write-host "$user is $JobStatus!"
}
$ErrorActionPreference = $a
}
For some hint to use try-catch-finally read here