I would like to add an existing user to a list of groups (text or csv). Something like this but this doesn't work.
$groups = Import-csv 'C:\temp\temp.csv'
foreach ($group in $groups) {
    Add-ADGroupMember $group -Members firstlast
}
Not sure why your code is not working; try the following:
$groups = Import-Csv "C:\temp\temp.csv"
$groups | ForEach-Object {Add-Adgroupmember -Identity $_ -members "firstlast"}
I am assuming your user's name is "firstlast"
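Import-Csv returns one object per row rather than a plain string, so a group list kept in a CSV has to be read from a named column. The following added example (not code from the original posts) accepts either a text file or a CSV, assuming a header column named Group, confirms each group exists before touching it, and keeps -WhatIf on until the output looks right:

```powershell
# Added example; requires the ActiveDirectory module (RSAT).
# 'firstlast' and C:\temp\temp.csv come from the question;
# the 'Group' column name is an assumption about the CSV layout.
Import-Module ActiveDirectory

function Get-GroupNameList {
    param([Parameter(Mandatory)][string]$Path)

    if ([IO.Path]::GetExtension($Path) -eq '.csv') {
        # Read the column value, not the whole row object
        $names = (Import-Csv -Path $Path).Group
    }
    else {
        # Plain text file: one group name per line
        $names = Get-Content -Path $Path
    }

    # Drop blank entries, trim stray whitespace, de-duplicate
    $names |
        Where-Object { $_ -and $_.Trim() } |
        ForEach-Object { $_.Trim() } |
        Sort-Object -Unique
}

$account = 'firstlast'
# Resolve the account once so a typo fails before any group is changed
$user = Get-ADUser -Identity $account -ErrorAction Stop

foreach ($name in Get-GroupNameList -Path 'C:\temp\temp.csv') {
    try {
        # Resolve the group first so an unknown name is reported, not guessed
        $group = Get-ADGroup -Identity $name -ErrorAction Stop
        # Remove -WhatIf to actually add the member
        Add-ADGroupMember -Identity $group -Members $user -ErrorAction Stop -WhatIf
    }
    catch {
        Write-Warning "Skipped '$name': $($_.Exception.Message)"
    }
}
```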
When somebody leaves my organization, we remove all AD group memberships apart from the PrimaryGroup which is Domain Users. We often process these in batches, so pull the affected usernames from a CSV file.
I have the following code, and while it does the job of deleting all group memberships, I get an error for each user:
The user cannot be removed from a group because the group is currently the user's primary group
Whilst it does the job, how can I "clean up" the process to avoid this message each time? Is there a way to exclude Domain Users from the groups it removes the user from, or should I do this another way?
$users = Import-Csv "c:\temp\leavers.csv"
foreach ($user in $users) {
    Get-ADPrincipalGroupMembership -identity $user.username | foreach {Remove-ADGroupMember $_ -Members $user.username -Confirm:$false}
}
You can use Where-Object to filter for those groups that are not in an array of groups to exclude. In case you only want to filter for 1 specific group, you would use -NE instead of -NotIn in the example below.
$groupToExclude = 'Domain Users', 'someOtherGroup'
$users = Import-Csv "c:\temp\leavers.csv"
foreach ($user in $users) {
    try {
        Get-ADPrincipalGroupMembership -Identity $user.username |
            Where-Object Name -NotIn $groupToExclude |
            Remove-ADGroupMember -Members $user.username -Confirm:$false
    }
    catch {
        Write-Warning $_.Exception.Message
    }
}
If you get the ADUser object before the ADGroup memberships, you can get the PrimaryGroup of the user and ensure that the list of groups to remove from are not its PrimaryGroup:
$users = Import-Csv "c:\temp\leavers.csv"
foreach ($user in $users) {
    $primaryGroup = ( Get-ADUser $user.UserName -Properties PrimaryGroup ).PrimaryGroup
    Get-ADPrincipalGroupMembership -Identity $user.UserName | Where-Object {
        $_ -ne $primaryGroup
    } | ForEach-Object {
        Remove-ADGroupMember $_ -Members $user.username -Confirm:$False -WhatIf
    }
}
Since this has the potential to be a very destructive command, I have included a safeguard in the example above. Remove the -WhatIf parameter from Remove-ADGroupMember to actually perform the removal.
I'd propose a slightly different approach - just drop Get-ADPrincipalGroupMembership altogether. For example:
$users = Import-Csv -Path c:\temp\leavers.csv
foreach ($user in $users) {
    # Assuming DN is not in the csv...
    $distinguishedName = (Get-ADUser -Identity $user.UserName).DistinguishedName
    Get-ADGroup -LdapFilter "(member=$distinguishedName)"
    # Alternatively, just pipe memberOf property to Get-ADGroup...
    (Get-ADUser -Identity $user.UserName -Property MemberOf).MemberOf |
        Get-ADGroup
}
That way you don't have to filter out something you insisted on getting (by using above mentioned cmdlet).
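An added example (not part of the original answers) that builds on the MemberOf approach: it records every membership to a CSV before removing it, so a batch of leavers can be audited or restored later. The snapshot path is hypothetical; leavers.csv and its username column are taken from the question.

```powershell
# Added example; requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$snapshot = 'C:\temp\leavers-memberships.csv'   # hypothetical audit/rollback file
$users    = Import-Csv -Path 'C:\temp\leavers.csv'

foreach ($row in $users) {
    try {
        $adUser = Get-ADUser -Identity $row.username -Properties MemberOf -ErrorAction Stop
    }
    catch {
        Write-Warning "Skipped '$($row.username)': $($_.Exception.Message)"
        continue
    }

    # The memberOf attribute never lists the primary group,
    # so Domain Users does not need to be filtered out here.
    foreach ($groupDn in $adUser.MemberOf) {
        # Record the membership before changing it
        [pscustomobject]@{
            Timestamp = (Get-Date).ToString('o')
            User      = $adUser.SamAccountName
            UserDN    = $adUser.DistinguishedName
            GroupDN   = $groupDn
        } | Export-Csv -Path $snapshot -Append -NoTypeInformation

        try {
            # Remove -WhatIf to actually perform the removal
            Remove-ADGroupMember -Identity $groupDn -Members $adUser `
                -Confirm:$false -ErrorAction Stop -WhatIf
        }
        catch {
            Write-Warning "Failed on '$groupDn': $($_.Exception.Message)"
        }
    }
}
```

To restore a user, feed the snapshot rows for that account back into Add-ADGroupMember using the GroupDN column.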
I have this doubt:
I have to add every user in Active Directory to a group, but there are a few who don't have to be in this group.
I already know the information of this set of discriminated users.
So, is there a way to do a PowerShell command where I specify this set of users and every user that doesn't match this set would be added to the group?
I'm making a CSV file that has all the users by SamAccountName
Get-AdUser -Filter * | Select SamAccountName | Export-CSV c:\List.csv
so I can add a second column with the name of the group. After that I was thinking of adding a where clause in PowerShell to compare the SamAccountName with another CSV with the set of discriminated users, but I don't know if that would work...
Is there a simple way to do it?
I'd create a flat array with the exclusion then use it in the Where clause.
Something like:
$ExcludedUsers = @(
    "user1"
    "user2"
    #...
)
$GroupMembers = Get-AdUser -Filter * | Where-Object{ $ExcludedUsers -notcontains $_.samAccountName}
Add-ADGroupMember -Identity <GroupName> -Members $GroupMembers
If you are extracting the exclusions from a csv file you can use something like:
$ExcludedUsers = ( Import-Csv C:\ExcludedUsers.csv ).samAccountName
$GroupMembers = Get-AdUser -Filter * | Where-Object{ $ExcludedUsers -notcontains $_.samAccountName}
Add-ADGroupMember -Identity <GroupName> -Members $GroupMembers
$ExcludedUsers = @()
import-csv C:\ExcludedUsers.csv | ForEach-Object { $ExcludedUsers += $_.SamAccountName}
$GroupMembers = (Get-AdUser -Filter * | Where-Object{ $ExcludedUsers -notcontains $_.samAccountName})
Add-ADGroupMember -Identity GroupName -Members $GroupMembers
That's the code I use, if that helps anyone in the future.
Thanks to Steve.
I have a CSV file containing multiple values in one of its columns.
Basically it look like:
Name NewName Groups
UserA User01 IT Group;GroupB;Doc Users Group;GroupD
I need to know how to loop through the column to get all group names from it.
I used the following code but it doesn't work. I think the problem is there are spaces between words in group names and PowerShell treats the whole cell as one group name.
foreach ($user in (Import-Csv "$env:USERPROFILE\desktop\info.csv")) {
    $oldusername = $user.name
    $newusername = $user.NewName
    $groups = $user.Groups -split ";"
    foreach ($group in $groups) {
        Remove-ADGroupMember $group -Members $oldusername -Confirm:$false -Verbose
        Add-ADGroupMember $group -Members $newusername -Verbose
    }
}
So I should get:
Remove-ADGroupMember IT Group
but I get:
Remove-ADGroupMember IT Group GroupB Doc Users Group GroupD
which obviously doesn't work.
I didn't copy/paste the csv file I just showed you the values in the file.
The proper csv content is:
"Name","NewName","Groups"
"UserA","User01","IT Group;GroupB;Doc Users Group;GroupD"
I think I solved the puzzle with the loop. The code which works is:
foreach ($user in (Import-Csv "$env:USERPROFILE\desktop\info.csv")) {
    $oldusername = $user.name
    $newusername = $user.NewName
    $groups = $user.Groups
    foreach ($group in $groups -split ";") {
        Remove-ADGroupMember $group -Members $oldusername -Confirm:$false -Verbose
        Add-ADGroupMember $group -Members $newusername -Verbose
    }
}
I have a .csv file with the group names and the SAM of the users I want to delete from the 10 groups.
How does this work? I am a PowerShell beginner.
Save the user list as csv and use something like
$users = import-csv C:\csvpath\users.csv
Foreach ($user in $users){
    Remove-adgroupmember -identity "groupname1" -members $user.username -Confirm:$false
    Remove-adgroupmember -identity "groupname2" -members $user.username -Confirm:$false
}
You could of course also get the group names from another csv to get cleaner code
$users = import-csv C:\csvpath\users.csv
$groups = import-csv C:\csvpath\groups.csv
Foreach ($user in $users){
    Foreach ($group in $groups) {
        Remove-adgroupmember -identity $group.name -members $user.username -Confirm:$false
    }
}
I am trying to create a CSV for AD cleanup work that will contain a couple hundred users' SamAccountName and a list of groups to remove the user from. Each user will have a different list of groups to remove them from.
CSV will look like this:
SamAccountName,ADgroupName1,ADgroupName2,ADgroupName3,ADgroupName4,etc...
user1,Group1,Group2,Group3,Group4
user2,Group2,Group3,,,
user3,Group5,,,,
The script I have so far:
# Get the list of SAMAccountNames
$user = Import-Csv .\GroupsToRemove.csv | Select-Object -ExpandProperty SAMAccountName
foreach ($user in $users) {
    # Loop through the user list and select the list of groups to remove for each user
    # from the CSV and set to the $Groups array
    $Group = @()
    $Group = %{(Import-Csv .\GroupsToRemove.csv | Where-Object {$_.SamAccountName -eq $user})} | select "GroupName*"
    foreach ($group in $Groups) {
        # Remove the AD groups from each User
        Remove-ADPrincipalGroupMembership $user -Member $Group -Confirm:$false
    }
}
I think part of the problem is that when I'm importing the group names from the CSV it also adds the column names into the $Group array? So the Remove-ADPrincipalGroupMembership command is failing?
$groups output is like below:
GroupName1 : Group1
GroupName2 : Group2
GroupName3 : Group3
GroupName4 : Group4
Don't define the AD groups as separate columns in the CSV. Make the groups one column with a comma (or other delimiter) separated string:
SamAccountName,Groups
user1,"Group1,Group2,Group3,Group4"
user2,"Group2,Group3"
user3,"Group5"
That way you can handle the groups from the CSV like this:
$csv = Import-Csv .\GroupsToRemove.csv
foreach ($user in $csv) {
    $groups = $user.Groups -split ',' |
        Get-ADGroup |
        Select-Object -Expand DistinguishedName
    Remove-ADPrincipalGroupMembership $user.SamAccountName -Member $groups -Confirm:$false
}