Powershell-AD

One of the best uses of PowerShell is automating Active Directory administration. There are a number of very powerful cmdlets for PowerShell AD group management. I've found these useful for security administration, application deployments, and even validation.

The cmdlets I've found to be the most useful for Active Directory group management are the following. One important feature of all these cmdlets is that they accept a -Server parameter that lets you specify a domain name, which is very useful if you're working in a multi-domain environment.

  • Get-ADGroup – Searches for a group and returns a list of objects (Microsoft.ActiveDirectory.Management.ADGroup). Wrap this cmdlet in a Try/Catch if you expect that the group may not be found.
  • Get-ADGroupMember – Returns a list of the group's members. You can pipe the list to a Where-Object to filter for a specific username; if the username is not a member, you'll get a null object.
  • Remove-ADGroupMember – Removes a username from an AD group.
  • Add-ADGroupMember – Adds a username to an AD group.

The following script is a good example of using each of these cmdlets. The AD group names are stored in a text file. The username and domain I'm testing access with are hard-coded, but they could be script parameters. The script tests whether a group exists; if it does, it checks whether the user is a member. If the user is a member, it removes the user; if not, it adds the user. I've used this script for testing large numbers of AD groups, but it can easily be modified to perform a whole host of operations.

# Requires the ActiveDirectory module (RSAT); load it explicitly rather than relying on auto-loading
Import-Module ActiveDirectory

$groupfile  = "\\atl0fs01\platform\Temp\AD-Groups.txt"
$testuserid = "user01"
$domain     = "na.tekmortar.com"

$groups      = Get-Content $groupfile
$workinglist = @()
$failedlist  = @()
$missinglist = @()
$successful  = 0
$failures    = 0

foreach ($group in $groups)
{
    Write-Host "Checking $group"

    # -ErrorAction Stop turns a lookup failure into a terminating error so the Catch block runs
    Try {
        $g1 = Get-ADGroup -Identity $group -Server $domain -ErrorAction Stop
    }
    Catch {
        Write-Warning "$group does not exist in $domain"
        $missinglist += $group
        $g1 = $null
    }

    Try {
        if ($g1) {
            # Compare on SamAccountName: the Name attribute is the object's CN and need not equal the login name
            $members = Get-ADGroupMember -Identity $group -Server $domain -ErrorAction Stop |
                Where-Object { $_.SamAccountName -eq $testuserid }

            if ($members) {
                Write-Host "$testuserid is already in $group, attempting Remove"
                Remove-ADGroupMember -Identity $group -Members $testuserid -Server $domain -Confirm:$false -ErrorAction Stop
            } else {
                Write-Host "Attempting to Add $testuserid to $group"
                Add-ADGroupMember -Identity $group -Members $testuserid -Server $domain -ErrorAction Stop
            }

            $successful  += 1
            $workinglist += $group
        } else {
            # The group doesn't exist; it was already recorded in $missinglist above
        }
    }
    Catch {
        Write-Warning "Failed to manage $group"
        # Uncomment to get the actual error
        #$_
        $failures   += 1
        $failedlist += $group
    }
}

Write-Host ""
Write-Host "Groups that were Successfully Managed in $domain"
foreach ($a in $workinglist)
{
    Write-Host $a
}

Write-Host ""
Write-Host "Groups that are missing from $domain"
foreach ($a in $missinglist)
{
    Write-Host $a
}

Write-Host ""
Write-Host "Groups that failed to manage in $domain"
foreach ($a in $failedlist)
{
    Write-Host $a
}
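As an added example that is not part of the original post, the same four cmdlets reworked into a read-only audit function and a separate change function that honours -WhatIf and -Confirm, so the membership check can be run and exported without touching the directory, and any change can be rehearsed first. The function names, the share path and the sample user and domain values are assumptions made for this example, not values from the post.

```powershell
# Added example, not the original post's script. Function names, paths and
# sample values below are assumptions made for this example.
Import-Module ActiveDirectory

function Get-ADGroupMembershipReport {
    # Read-only: reports, per group, whether the account is a member (or the group is missing).
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $GroupName,
        [Parameter(Mandatory)] [string]   $SamAccountName,
        [Parameter(Mandatory)] [string]   $Server,
        [switch] $Recursive   # also count membership inherited through nested groups
    )

    foreach ($name in $GroupName) {
        $status = 'Unknown'; $detail = ''
        try {
            # -ErrorAction Stop makes every failure a terminating error the catch blocks see
            $group  = Get-ADGroup -Identity $name -Server $Server -ErrorAction Stop
            $params = @{ Identity = $group; Server = $Server; ErrorAction = 'Stop' }
            if ($Recursive) { $params.Recursive = $true }
            # Compare on SamAccountName; the Name attribute is the CN and may differ from the login name
            $isMember = [bool](Get-ADGroupMember @params |
                Where-Object { $_.objectClass -eq 'user' -and $_.SamAccountName -eq $SamAccountName })
            $status = if ($isMember) { 'Member' } else { 'NotMember' }
        }
        catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
            $status = 'GroupMissing'; $detail = $_.Exception.Message
        }
        catch {
            $status = 'Error'; $detail = $_.Exception.Message
        }
        [pscustomobject]@{
            Group          = $name
            Domain         = $Server
            SamAccountName = $SamAccountName
            Status         = $status
            Detail         = $detail
        }
    }
}

function Set-ADGroupMembershipToggle {
    # Same add/remove logic as the post's script, but guarded by ShouldProcess so a dry run
    # with -WhatIf lists the changes and ConfirmImpact High prompts before each real change.
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string[]] $GroupName,
        [Parameter(Mandatory)] [string]   $SamAccountName,
        [Parameter(Mandatory)] [string]   $Server
    )

    Get-ADGroupMembershipReport -GroupName $GroupName -SamAccountName $SamAccountName -Server $Server |
        ForEach-Object {
            $item = $_   # capture before switch, which rebinds $_ to the value being tested
            switch ($item.Status) {
                'Member' {
                    if ($PSCmdlet.ShouldProcess("$($item.Group) on $Server", "Remove $SamAccountName")) {
                        Remove-ADGroupMember -Identity $item.Group -Members $SamAccountName -Server $Server -Confirm:$false
                    }
                }
                'NotMember' {
                    if ($PSCmdlet.ShouldProcess("$($item.Group) on $Server", "Add $SamAccountName")) {
                        Add-ADGroupMember -Identity $item.Group -Members $SamAccountName -Server $Server
                    }
                }
                default { Write-Warning "Skipping $($item.Group): $($item.Status) $($item.Detail)" }
            }
        }
}

# Usage (all values are placeholders):
# $groups = Get-Content '\\fileserver\share\AD-Groups.txt'
# Get-ADGroupMembershipReport -GroupName $groups -SamAccountName 'user01' -Server 'na.example.com' -Recursive |
#     Export-Csv -Path .\membership-report.csv -NoTypeInformation
# Set-ADGroupMembershipToggle -GroupName $groups -SamAccountName 'user01' -Server 'na.example.com' -WhatIf
```

Because the change function declares ConfirmImpact High, it prompts for each add or remove by default; pass -Confirm:$false to run it unattended once the -WhatIf output has been reviewed. The -Recursive switch matters for validation work: a user can hold a group's rights through a nested group without appearing in its direct member list.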


Tags: ADpowershell
Byron Pate