Hi,
I'm in the process of writing a script which will update groups based on AD attributes (department). This works great: it reads a CSV with a list of groups and departments and adds users to the relevant groups. The second section of the script reads the current group members and removes them if they are disabled; this part works too. But the part I am struggling with is where it reads the group members and checks whether someone who is a member of the group shouldn't be any more, by looking at their department. If there is only one member in the group it works fine; if there are more members in the group then it can't process them. I think it's because I need to loop it to check each user, but I can't seem to get it to work.
I've commented the lines that are causing me the issue.
#Script variables
#Make edits below this line
#Enter path to CSV file containing the headers DeptName,GroupName (the column names used below)
$CSVFile = "c:\Source\Scripts\Depatmentalgroups\DepartmentalGroups-test.csv"
#Enter Log file path
$LogFile = "c:\Source\Scripts\Depatmentalgroups\logfile.txt"
#Don't change anything after this line
###############################################################################################################
#Get today's date as a date-only string for the log (-DisplayHint only changes console display, not the value written)
$today = Get-Date -Format "yyyy-MM-dd"
#Imports data from CSV file containing department names and group names - data is case sensitive
Import-Csv $CSVFile | ForEach-Object {
    #Adds users to group based on attributes
    $dept = $_.DeptName
    $ADGroup = $_.GroupName
    $nolongermember = $null   #reset so a value from the previous group is never reused
    $user = Get-QADUser -Department $dept -NotMemberOf $ADGroup -Enabled
    If (!($user)) {
        Write-Output "$today,$dept,No-Matching-Users-Found" >> $LogFile
    }
    Else {
        Add-QADGroupMember $ADGroup -Member $user
        Write-Output "$today,$dept,$user Was-Added-To-Group" >> $LogFile
    }

    #Removes any disabled users from group
    $disableduser = Get-QADGroupMember $ADGroup -Disabled   #check to see if users in group are disabled
    If (!($disableduser)) {
        Write-Output "$today,$dept,No-Disabled-Users-To-Remove" >> $LogFile   #if no disabled users are found write it to logfile
    }
    Else {
        Remove-QADGroupMember $ADGroup $disableduser   #if disabled users are found, remove them from the group
        Write-Output "$today,$dept,$disableduser,Was-Removed-From-Group" >> $LogFile
    }

    #Remove any user no longer in department
    $groupmember = Get-QADGroupMember $ADGroup   #gets all users left in group
    If (!($groupmember)) {
        Write-Output "$today,$dept,Group-Was-Empty" >> $LogFile   #if no members are in the group write it to log file
    }
    Else {
        #Get all users who are in the group but don't match the required department.
        #Get-QADUser -Identity takes one object at a time, so passing the whole $groupmember array fails with
        #"'Identity' specified method is not supported" as soon as the group has more than one member.
        #Piping the members in runs Get-QADUser once per member, which is the loop that was missing.
        $nolongermember = $groupmember | Get-QADUser | Where-Object { $_.Department -ne $dept }
    }
    If (!($nolongermember)) {
        Write-Output "$today,$dept,No-Users-To-Remove" >> $LogFile
    }
    Else {
        Remove-QADGroupMember $ADGroup $nolongermember
        Write-Output "$today,$dept,$nolongermember,Was-Removed-From-Group" >> $LogFile
    }
}
################################################################################################################
Regards,
Denis Cooper
MCITP EA - MCT
Help keep the forums tidy, if this has helped please mark it as an answer
LinkedIn:
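The "remove anyone whose department no longer matches" step from the post, rewritten as an added example (this is not the poster's script) that visits each group member one at a time, so a group with many members behaves the same as a group with one. The function names Get-MembersOutsideDepartment and Remove-StaleDepartmentMembers, the injectable lookup scriptblocks and the sample users are assumptions made for the example; Get-QADGroupMember, Get-QADUser and Remove-QADGroupMember are the Quest cmdlets the original script already uses. Because the lookups are parameters, the decision logic can be run offline against constructed data before it is pointed at a domain.

```powershell
# Added example, not the poster's code. Per-member loop for the department check,
# with the AD lookups injectable so the logic can be tested without a domain.

function Get-MembersOutsideDepartment {
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][string]$Department,
        # Defaults call the Quest cmdlets; -Type User skips nested groups so only users are examined.
        [scriptblock]$GetMembers = { param($g) Get-QADGroupMember -Identity $g -Type User },
        [scriptblock]$GetUser    = { param($m) Get-QADUser -Identity $m }
    )
    $stale = @()
    # One member per iteration: Get-QADUser -Identity accepts a single object, not an array.
    foreach ($member in @(& $GetMembers $GroupName)) {
        $user = & $GetUser $member
        if ($null -eq $user) {
            # A member that cannot be resolved to a user is skipped, never removed on a failed lookup.
            Write-Warning "Could not resolve member '$member' of $GroupName; skipping"
            continue
        }
        # -ne is case-insensitive in PowerShell, so 'finance' and 'Finance' are treated as the same department.
        if ($user.Department -ne $Department) { $stale += $user }
    }
    return ,$stale
}

function Remove-StaleDepartmentMembers {
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][string]$Department,
        [Parameter(Mandatory)][string]$LogFile,
        [switch]$DryRun   # report what would be removed without touching the group
    )
    $today = Get-Date -Format 'yyyy-MM-dd'
    $stale = Get-MembersOutsideDepartment -GroupName $GroupName -Department $Department
    if ($stale.Count -eq 0) {
        Add-Content -Path $LogFile -Value "$today,$Department,No-Users-To-Remove"
        return
    }
    foreach ($u in $stale) {
        # One log line per user, recording the attribute the decision was based on, before any change is made.
        Add-Content -Path $LogFile -Value "$today,$Department,$($u.SamAccountName),Department=$($u.Department),Was-Removed-From-Group"
        if (-not $DryRun) { Remove-QADGroupMember -Identity $GroupName -Member $u }
    }
}

# Offline demonstration with constructed sample data (no domain required).
$sampleMembers = @('alice', 'bob', 'carol')
$sampleUsers = @{
    alice = [pscustomobject]@{ SamAccountName = 'alice'; Department = 'Finance' }
    bob   = [pscustomobject]@{ SamAccountName = 'bob';   Department = 'Marketing' }
    carol = [pscustomobject]@{ SamAccountName = 'carol'; Department = 'finance' }
}
$result = Get-MembersOutsideDepartment -GroupName 'Finance-Dept' -Department 'Finance' `
    -GetMembers { param($g) $sampleMembers } `
    -GetUser    { param($m) $sampleUsers[$m] }
$result | Select-Object SamAccountName, Department
```

Against the sample data only bob is returned: carol's lower-case "finance" still matches because the comparison is case-insensitive, which is worth knowing before relying on the CSV being an exact-case match. Run Remove-StaleDepartmentMembers with -DryRun first against a real group and read the log it writes; the per-user line includes the Department value that drove the decision, so an unexpected removal can be traced back to the attribute rather than guessed at.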