This may be the wrong approach, but I have used the last couple of days experimenting with the foreach in PowerShell (I use Ver. 5 of PowerShell).
What I am looking for is a way to add a list of computers that I already have into a list of AD groups that I already have. So I used Get-Content for importing the 2 .txt files, and I also learned that AD groups in PowerShell uses -Identity instead of name I don't know the reason for that decision. But nevertheless I came up with this:
$Apps = Get-Content C:\Scripts\Apps.txt
$Computers = Get-Content C:\Scripts\Computers.txt
foreach ($App in $Apps) {
Add-ADGroupMember $Apps -Identity $Computers
}
My problem is that it works of I only have 1 AD group in the Apps.txt file. If I add more groups PowerShell goes all red on me, and then my computer starts crying.
In Computers.txt I have listed the computer accounts with a $ at the end, and they are on seperate lines, like this:
PC1$
PC2$
In Apps.txt the AD groups are on seperated lines without any commas or semmicolons or anything.
Change $Apps to $App in the line Add-ADGroupMember $Apps -Identity $Computers
and also the -Identity parameter is the AD Group name. You also will need to use the -Members parameter for the users. E.g.
Add-ADGroupMember -Identity $App -Members $Computers
Related
Following situation: You have ForeignSecurityPrincipals in your AD Groups. But Remove-ADGroupMember cannot remove them, since it does not support removing "ForeignSecurityPrincipal". Using the DOMAIN\SamAccountName Method is not available as well, since that old domain does not exist any more. On top you are not allowed to use external modules since that company does not want external modules.
I needed this functionality today for a mass-cleanup job, as written without needing extra modules, and without having the old AD available since it was already killed. Found nothing, so I developed this solution and share it.
You have to get the DOMAINSID first, which should be simple. My example uses -Server since the "adminforest" is not the same as the forest of the groups to be modified. It searches all groups from the given OU, selects all groups with members matching the DOMAINSID, and then removes each member matching the DOMAINSID from those groups.
Don't forget to set $WhatIf=$false, else it runs in "we test only" mode.
$Groups = Get-ADGroup -Server other.domain.local -Filter * -SearchBase "OU=Groups,OU=SubOU,OU=Subsidary,DC=OTHER,DC=DOMAIN,DC=LOCAL" -Properties *
$GroupsWithForeignMembers = #($Groups.Where({$_.member -like "*S-1-5-21-2631234548-991234592-3812345124*"}))
$WhatIf=$true
foreach ($Group in $GroupsWithForeignMembers) {
$MemberForeign= #((Get-ADGroup -Server bk.bwl.net -Identity $Group.SamAccountName -Properties member).member.Where({$_ -like "*S-1-5-21-2631234548-991234592-3812345124*"}))
foreach ($Member in $MemberForeign) {
"Removing $Member from $($Group.SamAccountName)" | Tee-Object -Append "GROUPS-cleanup.log"
Set-ADObject -Server other.domain.local -Identity $Group -Remove #{member=$Member} -Verbose -WhatIf:$WhatIf
}
}
I'm building a script to automate AD deployments for customers. We have a prepared list of users and groups in CSV files. The groups are organized in a file with the following format. Keep in mind that I'm using the same CSV file to create the AD groups (which happens in a previous step).
Name,Description,Members
GroupName,GroupDescription,"user1,user2,user3"
The code I'm using to add the users to the groups is below:
$groups = Import-CSV -Path $groupCSVPath
$groups | % { Add-ADGroupMember -Identity $_.Name -Members $_.Members }
This results in an error: Get-ADUser : Cannot find an object with identity: 'user1,user2,user3'.
If I attempt the following, it works:
Add-ADGroupMember -Identity "GroupName" -Members user1,user2,user3
The error appears to reference the Get-ADUser command, which does not accept arrays as inputs. However, the Add-ADGroupMember command does. Why am I getting the Get-ADUser error when using the Add-ADGroupMember command and how can I get it to accept an array of values for the AD Username?
Tricky one. The problem turned out to be that the $_.members parameter is being passed to the Add-ADGroupMember cmdlet as a single string rather than an array of separate values, because of the way Import-CSV works. Get-Help Add-ADGroupMember shows that the members parameter expects an array, not a string.
This should work, I've tested it:
$groups | % { Add-ADGroupMember -Identity $_.Name -Members $_.members.split(',') }
I have the following line of code in a PowerShell file, intended to remove a user from all Active Directory groups beginning with an # symbol;
Get-ADGroup -Filter 'name -like "#*"' | Remove-ADGroupMember -Members $UserID
It actually works fine, and successfully removes them from the correct groups, however the script locks my admin account every time it's run. Weird!
From trawling the internet for a while, I suspect it's something to do with it 'using up' my Kerberos authentication tokens (it uses too many, as it runs for every single AD group beginning with #), or it thinks I'm trying to do something malicious because I'm sending such a large amount of commands in a short time?
Is there a way for me to amend this line of code, so that instead of running Remove-ADGroupMember for every single # group in the Active Directory, it only runs for the groups that the user is a member of? Or any other ideas?
Thank you.
Try this:
$groups = Get-ADPrincipalGroupMembership $user | where {$_.name -like "#*"} | select -expandproperty name
foreach($group in $groups){
Remove-ADGroupMember -identity $group -Members $user
}
It will only looking for the groups that the $user is a member in so you should be fine token wise.
Don't forget to change $user with user name or fill the variable beforehand.
Hmm, I don't have an AD infrastructure at home, but it looks like your example has nothing defining $UserID.
Admittedly, I am not a PowerShell monster, so I'm going to punt...
I am working with a client who is pulling a list of all his user shares on his CIFS server to help redirect AD HomeDirectory paths in a major file server migration. This list is being compared to the list of AD users home directories as AD currently sees them.
The problem is that some user directories use old NT Usernames (NAMEI$) and some use SAMAACCOUNTNAME$. To Additionally complicate, the share SERVER differs in AD due to an elaborate history of DNS aliases over the past 10-15 years - so even though all the users home directories currently exist on SERVERA they could be mapped to OLDSERVER3, OLDERSERVER01, or OLDESTSERVERNT4 - resulting in home directories that are all over the map.
I need to write a script that can use the SAMACCOUNTNAME from a list, then change all the server information in the home directory to \NEWSEVERNAME\CURRENTSHARE$ - hopefully using something like this:
Use UserList
From UserList, get-ADuser -Identity $_ -HomeDrive "U:" -HomeDirectory
in HomeDirectory replace \\*\ with \\NewServer\ while leaving the Share$ untouched.
Set-ADuser -Identity $_ -HomeDrive "U:" -HomeDirectory
I'm fairly certain that this can be accomplished with regular expressions, for/each loops, etc... but I can't put it together.
Thank you for your help!
I went through the same migration a short while ago. Here is what you can use to set the new server while leaving the share folder untouched.
Import-Module activedirectory
$samAccountNameList = get-content "c:\userIds.txt"
$newServer = "newFps01"
foreach ($user in $samAccountNameList) {
$adProperties = get-aduser -Identity $user -Properties homeDirectory, homeDrive
$homeDrive = $adProperties.HomeDrive
# Split original homedirectory path and grab just the share folder portion
$shareFolder = ($adProperties.homeDirectory).Split("\")[3]
$newHomeDirectory = "\\$newServer\$shareFolder"
set-aduser -Identity $user -HomeDrive $homeDrive -HomeDirectory $newHomeDirectory
}
I need to add various applications groups to the computers in an OU, that will be pushed out later. In AD, I go to OU, right click on the respective computer and click properties and then go to "member of" tab, and then add the various groups.
How can I automate these steps using PowerShell, so that it will apply these groups to all the computers in that OU?
import-module ActiveDirectory
$allComputers = #()
$ADgroup = "Computer Policy Application Group"
$theOU = [ADSI]"LDAP://OU=AnOU,DC=some,DC=test,DC=com"
foreach ($item in $theOU.psbase.Children) {
if ($item.ObjectCategory -like '*computer*') {
$allComputers += $item.Name
}
}
foreach ($pc in $allComputers) {
Add-ADGroupMember $ADgroup $pc
}
Then of course, you can add more groups, or setup an array of groups and iterate through it adding as you go... This will throw a lot of errors if the computer is already part of the group, by the way.
If you are using server2008 or newer (or have the required components installed) this is the simplest solution I have found.
$groupList=#("group1","group2","group3")
foreach ($Comp in (Get-AdComputer -server $ADServer -searchBase "OU=computers,DC=company,DC=com" -searchscope oneLevel")) {
foreach ($Group in $groupList) { Add-ADGroupMember -Identity $Group -Members $Comp -Server $ADServer }
}
Be sure to populate the $groupList variable with an array of the samaccountnames of the groups you wish to add, and to replace "OU=computers,DC=company,DC=com" with the LDAP Path to the OU containing the computers you wish to add permissions to.
Using the ActiveDirectory module, you can either user Add-ADPrincipalGroupMember or Add-ADGroupMember.
The former 'Adds a member to one or more Active Directory groups' whilst the latter 'Adds one or more members to an Active Directory group'.