How to populate “member Of” for a user account in AD


    • #207780
      Participant
      Topics: 28
      Replies: 67
      Points: 375
      Rank: Contributor

      Hi

      As part of disabling an account, I store the groups a user is a member of in the notes section.

      
      # Get all the groups this user is a member of and paste them into the Note section
      $groups = Get-ADPrincipalGroupMembership $user.SamAccountName
      Set-ADUser $user.samAccountName -Replace @{info = $groups.name -join "`r`n"}
      
      

      If for some reason a user has been wrongly disabled (in case of a contractor where the contract is extended at the last moment), how can I populate the Member Of again with all the groups stored in the Note section?

       

       

    • #207789
      Participant
      Topics: 4
      Replies: 2231
      Points: 5,414
      Helping Hand
      Rank: Community MVP

      I’d recommend joining your list elements with something unusual that helps later to split them correctly into separate pieces again … like

      Set-ADUser $user.samAccountName -Replace @{info=$groups.name -join '_#_#_'}

      Now it’s easy to read the notes section and separate the single groups to use it to add the user to the groups.

    • #207795
      Participant
      Topics: 28
      Replies: 67
      Points: 375
      Rank: Contributor

      Olaf,

      thanks for that, any thoughts on how to populate the Member of based upon the groups stored in the notes section?

      Best regards

      Paul

       

    • #207846
      Participant
      Topics: 17
      Replies: 15
      Points: 102
      Rank: Participant

      If I understand correctly and you want to add the groups in $groups to the user, then you can try

      foreach ($g in $groups) {
          Get-ADGroup $g | Add-ADGroupMember -Members ((Get-ADUser $user).DistinguishedName)
      }

       

      or with Try catch:

      foreach ($g in $groups) {
          Try { Get-ADGroup $g | Add-ADGroupMember -Members ((Get-ADUser $user).DistinguishedName) }
          Catch { Write-Host "user $user wasn't added to group $g" }
      }

      • This reply was modified 2 months, 3 weeks ago by Arik Cher.
    • #207888
      Participant
      Topics: 28
      Replies: 67
      Points: 375
      Rank: Contributor

      Hi Arik,

      Not quite.

      In the above-mentioned piece of code I store all the groups in the Note section of the user account.

      When for some reason HR made a mistake and this user needs to be enabled again, we need to add the groups he was a member of before we disabled his account.
      The challenge is to grab the groups stored in the notes section and add these back into the Member Of tab.
      The above-mentioned code is only here for illustration of how I’ve exported the groups to the notes section of this user account.

       

      thanks for your assistance

    • #208173
      Participant
      Topics: 4
      Replies: 2231
      Points: 5,414
      Helping Hand
      Rank: Community MVP

      Hmmm … actually I don’t understand what the challenge is with that. You managed to get the group memberships of the user with Get-ADPrincipalGroupMembership. Then you used this to set the info for the AD user with Set-ADUser. Now you need to get the info from the AD user … so you use Get-ADUser. Now you use this info to add the group memberships of the user with Add-ADPrincipalGroupMembership.
      To accomplish this you need to split the group names you joined before.

      # Save: store the group sAMAccountNames in the notes (info) attribute
      $groups = Get-ADPrincipalGroupMembership $user.SamAccountName
      Set-ADUser $user.samAccountName -Replace @{info = $groups.sAMAccountName -join '_#_#_'}

      # Restore: read the notes back, split on the same delimiter and re-add the groups
      $CurrState = Get-ADUser -Identity $user.SamAccountName -Properties Info
      $SavedADGroupList = $CurrState.Info -split '_#_#_'
      Add-ADPrincipalGroupMembership -Identity $user.SamAccountName -MemberOf $SavedADGroupList

      I’d recommend using the sAMAccountName instead of the name of the groups because they are unique while the names might not be.

      You may have to deal with the Primary Group of the user accounts, as you cannot remove it from the accounts but you will have it in the list you’ve got from the membership list.
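
Added example, not part of the original thread: one way to wrap the restore step from the reply above so that it skips the primary group and groups the user is already in, and leaves protected groups (adminCount = 1) for manual review, since the notes field is free text that other people may be able to edit. The function name `Restore-SavedGroupMembership` and its parameters are hypothetical; it assumes the groups were saved as sAMAccountNames joined with `_#_#_`.

```powershell
# Added example. Restore-SavedGroupMembership is a hypothetical helper name,
# not a cmdlet of the ActiveDirectory module.
Import-Module ActiveDirectory

function Restore-SavedGroupMembership {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [string] $Delimiter = '_#_#_'   # must match the delimiter used when saving
    )

    $user = Get-ADUser -Identity $SamAccountName -Properties Info, PrimaryGroup
    if ([string]::IsNullOrWhiteSpace($user.Info)) {
        Write-Warning "No saved groups in the notes of $SamAccountName"
        return
    }

    # -split takes a regex, so escape the delimiter; drop blanks and duplicates
    $saved = $user.Info -split [regex]::Escape($Delimiter) |
        ForEach-Object { $_.Trim() } | Where-Object { $_ } | Select-Object -Unique

    # Current memberships, so groups the user is already in are skipped
    $current = (Get-ADPrincipalGroupMembership -Identity $user).DistinguishedName

    foreach ($name in $saved) {
        try {
            $group = Get-ADGroup -Identity $name -Properties adminCount
        } catch {
            Write-Warning "Saved group '$name' no longer resolves; skipped"
            continue
        }
        if ($group.DistinguishedName -eq $user.PrimaryGroup -or
            $current -contains $group.DistinguishedName) { continue }

        # The notes field can be edited by anyone with write access to it:
        # do not re-grant protected (adminCount = 1) groups automatically.
        if ($group.adminCount -eq 1) {
            Write-Warning "'$name' is a protected group; add it manually after review"
            continue
        }
        try {
            if ($PSCmdlet.ShouldProcess($group.SamAccountName, "Add $SamAccountName")) {
                Add-ADGroupMember -Identity $group -Members $user -ErrorAction Stop
            }
        } catch {
            Write-Warning "Could not add $SamAccountName to '$name': $_"
        }
    }
}
```

Running it with `-WhatIf` first lists the groups that would be added without changing anything.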

    • #208176
      Participant
      Topics: 4
      Replies: 2231
      Points: 5,414
      Helping Hand
      Rank: Community MVP

      …. or with Try catch ….

      Could you please use the code tags “PRE” to format your code as code?

      Thank you.

    • #208239
      Participant
      Topics: 28
      Replies: 67
      Points: 375
      Rank: Contributor

      thanks Olaf that works like a charm 🙂
