Moving AD User when attribute has changed


    • #276192

      Good morning my fellow PowerShell scripters!  I work for a K-12 district and am currently rewriting a script that was created before my time.  The script is a mile long and was created with little knowledge of PowerShell so I want to clean it up.  As you know, being in a K-12 district, students’ grade levels change as well as them moving to different schools.  We get a csv with updates on all students 4 times a day.  We have certain attributes that we use for what school they are at and what grade they are in.  I am able to check if the user exists in AD without issues.  My problems come when the school or grade have changed.  I have been trying these If\Else statements one at a time to keep troubleshooting to a minimum.  So I basically need to compare what is currently in the attributes in AD to the new attributes from the CSV.  I can’t get this If\Else statement working for when the company attribute has changed.  This is what I have:

      Could someone point me in the right direction or explain to me what I am doing wrong?  Any assistance would be appreciated.

    • #276207

      Is it possible to get a student in the csv who is NOT already in Active Directory?

      Either way what I would do is iterate over your csv like you do, but get the ADUser for the StudentID first and only assign variables/make changes if needed.  I don’t have an environment to test, but here is a basic flow.

       

       

      • #276282

        Thank you Mike R this is what I was trying for.  For the most part the csv will have new students but we do get students in the csv that are already in AD so I need to deal with them, and the students who have moved up a grade and/or have switched schools.  I will test this out and post back the outcome.

        Good morning Rob!  Thank you for the reply.  I am moving users if they have moved to a new school due to relocation or graduating from Elementary to Middle or Middle to High.  I was just testing one scenario at a time to see if it works or not.  I am going to give Mike R’s suggestion a try and report back.

    • #276219

      I guess I could have put a little more code in my example.  To change a property, I would use Set-ADUser like this:

       

    • #276240

      First thing is this line:

      The SamAccountName is the student Id, so you don’t want to create a new account if they are not in the same school. Mike R.’s logic looks good, but it doesn’t appear that you are moving the student to the OU or doing something specific for the property change aside from setting it, so you can just set it like this:

      Not sure how many records you are talking about, but you could even get rid of the if the properties don’t match and just overwrite the properties every time.

    • #276318

      So I have gotten a bit further and it seems to be working.  I am not very good at counting the users who have been created and/or moved.  From the code below I get the userscreated total but the users moved tells me everyone has been moved which is obviously not the case.  Could you tell me what I am doing wrong there please.

       

    • #276330

      If you are creating a new user in every iteration of the foreach loop then this line never returns an object:

       

      I would double check your data to make sure that the StudentUserID column is in fact the correct SAM.  Also, it looks like you are searching for the user on “student.testlab.local” but creating them on “dc2.student.testlab.local”.  This could be an issue as well if the users don’t exist on the other DC that you are searching.  If these are supposed to be replicated, it may not be instantaneous.

       

    • #276336

      The $Student variable has all your user information. It’s better to be able to tell who was created, moved, etc. rather than getting a count. So rather than

      Do something like this:

      This is pseudo-code, but you are basically appending a Status property to each user. This will allow you to get counts and see what users had what problems by rolling errors up to results. Also, you must tell the command to Stop for try\catch to work:

      • #276360

        Ok Rob! I tried your suggestion could you take a look at it?  I am still receiving 99 moved.

        This is the output:

         

    • #276369

      Ensure you are logging for all outcomes. New User, Move User, Failures and nothing changed…

    • #276927

      Thanks guys for the assistance.  I have been able to get it working, however I have run into another problem I didn’t take into account.  Each one of our schools (42) has its own security group.  When a student graduates from Elementary or Middle school their security group needs to change.  I can get their new security group without issues but I don’t know how to remove the security group prior to them graduating.  Any suggestion on how I can manage this?  Just an fyi the security groups at each school are named with a 4 digit code, for example “1234 All Students”, “4321 All Students”, etc.  What are your thoughts on how to manage removing the old group?

    • #277182

      Not tested, but the general idea would be….

      • #277491

        Thank you Rob I will test this today.  Appreciate your time.

         

        Rich
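
The flow the thread converges on (compare the CSV against AD, change only what differs, record a Status per student, and drop the old "NNNN All Students" group on a school change), written out as an added example that is not code from any poster. It assumes the ActiveDirectory module, that the Company attribute holds the four-digit school code, that each group's sAMAccountName equals its name, and hypothetical CSV columns SchoolCode and TargetOU plus hypothetical file names; StudentUserID is the column named in the thread.

```powershell
# Added example, not code from the thread. Requires the ActiveDirectory module (RSAT).
# Assumed CSV columns: StudentUserID (named in the thread), SchoolCode, TargetOU (hypothetical).
Import-Module ActiveDirectory
$groupPattern = '^\d{4} All Students$'   # anchored, so only school groups are ever removed

$results = foreach ($row in Import-Csv -Path .\students.csv) {
    $status = 'Unchanged'
    try {
        $sam = $row.StudentUserID
        # Validate CSV values before they reach an AD filter string or a group name
        if ($sam -notmatch '^[A-Za-z0-9._-]+$') { throw 'Unexpected StudentUserID format' }
        if ($row.SchoolCode -notmatch '^\d{4}$') { throw 'Unexpected SchoolCode format' }

        # -ErrorAction Stop makes cmdlet errors terminating so the catch block sees them
        $user = Get-ADUser -Filter "SamAccountName -eq '$sam'" -Properties Company -ErrorAction Stop
        if (-not $user) {
            $status = 'NotFound'         # account creation is left out of this example
        }
        elseif ($user.Company -ne $row.SchoolCode) {
            $newGroup = "$($row.SchoolCode) All Students"
            $current  = @(Get-ADPrincipalGroupMembership -Identity $user -ErrorAction Stop)

            # Remove every school group except the one for the new school
            $stale = $current | Where-Object { $_.Name -match $groupPattern -and $_.Name -ne $newGroup }
            foreach ($g in $stale) {
                Remove-ADGroupMember -Identity $g -Members $user -Confirm:$false -ErrorAction Stop
            }
            if ($current.Name -notcontains $newGroup) {
                Add-ADGroupMember -Identity $newGroup -Members $user -ErrorAction Stop
            }
            Set-ADUser -Identity $user -Company $row.SchoolCode -ErrorAction Stop
            Move-ADObject -Identity $user.DistinguishedName -TargetPath $row.TargetOU -ErrorAction Stop
            $status = 'Moved'
        }
    }
    catch {
        $status = "Failed: $($_.Exception.Message)"
    }
    # One record per student for every outcome, so counts come from the log itself
    [pscustomobject]@{ StudentUserID = $row.StudentUserID; Status = $status }
}

$results | Group-Object -Property { ($_.Status -split ':')[0] } | Select-Object Name, Count
$results | Export-Csv -Path .\student-sync-log.csv -NoTypeInformation
```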
