New to PS scripting-help with add user to AD group


This topic contains 23 replies, has 5 voices, and was last updated by a Participant 5 months, 4 weeks ago.

  • #100315
    Ben

    Participant
    Points: 1
    Rank: Member

    Hi all,

    I'm new to PS scripting and am a student studying for an MCSA in Windows 10, and am beginning to try to use PS for my corporate environment's benefit. I have an idea of writing a script that checks if a user is added to a particular security group in AD, and if not, will add them to it. The query will require input from the technician running the script to add the LDAP username and then press Enter to run the script.

    If the user is already part of the group, then it returns that information in a write memo to the tech. If the user is not already in the group, they are added and a write memo will say "added to 'x' group".

    If there has already been a script template shared for this, can you please re-share the link? If not, does anyone have an idea to help get me started?

    Thank you!

  • #100318

    Participant
    Points: 134
    Helping Hand
    Rank: Participant

    Did you search for it? There are tons of scripts doing the same or similar things. Grab one, modify it to your needs and test it in your test environment. If you have a specific question about a particular piece of code you wrote, you can post it here along with the error you get and we will be happy to try to help you.

    Here you have 2 common sources for scripts:

    http://www.powershellgallery.com/

    https://gallery.technet.microsoft.com/scriptcenter/

    • #100321
      Ben

      Participant
      Points: 1
      Rank: Member

      Hi,

      I did do some searching but was hoping to narrow the search down using these forums as the search alone could take some time to do and I work in a fast paced environment.

      I will use the links above to try and filter down my search but in the meantime, if anyone has easily posted examples (with non-specifics for the names and PID) then I'd be happy to take a look.

      Thanks!

  • #100351

    Participant
    Points: 51
    Rank: Member

    I searched ADGroup and came across a couple. https://www.powershellgallery.com/items?q=Adgroup&x=0&y=0
    Search is your friend in the Gallery, as it's a bit overwhelming at first.

    https://www.morgantechspace.com/2015/07/powershell-check-if-ad-user-is-member-of-group.html

    Here's one that's already been made.

  • #100365

    Participant
    Points: -16
    Rank: Member

    While I don't have specific code examples to give you (you'll probably have to do some google searching for that one), I can give you some advice on how to get started.

    The script you're asking for is kind of specific. While you might have some luck finding things that do those exact tasks, I wouldn't bet on someone having an example off-hand to give you to use. I think you're going to have to work on building the script yourself. But luckily, you don't have to build it entirely from scratch!

    First, figure out all of the steps that the script needs to run through. Break the entire script down step by step. You mention that it needs to check your AD to see if a user has been created in it. Make sure you iron out how you want the AD checked. The order, locations, data, etc.

    Once you've broken down the entire script into steps, start searching around for scripts that complete the steps individually. Checking for a user in AD? There's millions of scripts for that. Grab one that you find from somewhere and then modify it to suit your specific steps. Move to the next step of your script: Adding a user to AD through Powershell. Again, you'll find lots of examples. Just find one and modify it slightly for your environment.

    Keep looking for individual step scripts like this and eventually, you'll end up with your whole script built out of really small ones.

    Just my two cents, but it's what I've done and it worked pretty well for me. Good luck!

    • #100366
      Ben

      Participant
      Points: 1
      Rank: Member

      Thank you–that's a great idea. I know it will take some time but, it will be worth the research and effort. I'll try to find script snippets here and there of the key components I need.

    • #100377

      Participant
      Points: 134
      Helping Hand
      Rank: Participant

      I don't know how new you are to PS scripting, but if you haven't done so already, I would suggest starting to learn the basics of PowerShell in a structured way from scratch, and not by picking up other people's code and trying to understand it. That's even free of charge and fun to watch in the case of the free video course "Getting Started with PowerShell" from Microsoft Virtual Academy. Here are some more good sources to start with: Beginner Sites and Tutorials.
      On top of Coby's excellent suggestions, I would like to add that it would be even more professional to create the pieces of your script as functions, maybe even as functions in a module. This way you have reusable functionality you can always recombine for your particular needs.

    • #100554
      Ben

      Participant
      Points: 1
      Rank: Member

      Hi Olaf,

      Yes I did take the full MVA course for Powershell Beginners. The scripting part is where it gets tougher, and where I'm thinking a more hands-on approach (trial and error) will help more than digesting text in part.

      It's hard to break away from my primary duties to practice it as well but I'm working on it. Thank you for the added suggestions!

    • #100561

      Participant
      Points: 134
      Helping Hand
      Rank: Participant

      Ben,
      great to hear (read). Maybe you already know – they did a "second part": Advanced Tools & Scripting with PowerShell 3.0 Jump Start.

      I think it's gonna be easier when you get more used to it. At least it did for me. So have a lot of fun playing around with it. I wish you a lot of success.

  • #100623
    Ben

    Participant
    Points: 1
    Rank: Member

    *Edit*
    Update: I figured out how to get the input by erasing two variables from the top that weren't needed at this time. I'd like to now figure out how to take the user's inputted username and query it against a certain AD Group to see if they belong to it or not.

    Okay. So I have part I written for this script, but, when I run the script, and enter the username, it does not output the information. I'm just trying to test this part I out (trial and error). Can someone tell me what I may be doing wrong to allow an output? The script runs and completes, but no output (no red errors, at least).

    # Define variables
    $adGroupMembers = @()
    $adGroupMemberDetails = @()
    $adGroupName = read-host "Please enter AD Username"
    
    # Narrow down the user via prompt
    $adGroupMembers = Get-ADUser -Identity $adGroupName -Properties SamAccountName,Surname,GivenName,Enabled; Select-Object csv | ConvertFrom-Csv
    
  • #100626
    Jon

    Participant
    Points: 23
    Rank: Member

    I'm not sure what the CSV stuff is about, no need for that.

    Also if you want the results immediately you either need to get rid of $adgroupmembers in front of get-aduser or if you keep it, just type in the variable name in again to get the results

    No variable

    # Define variables
    $adGroupMembers = @()
    $adGroupMemberDetails = @()
    $adGroupName = read-host "Please enter AD Username"
    
    # Narrow down the user via prompt
    Get-ADUser -Identity $adGroupName -Properties SamAccountName,Surname,GivenName,Enabled
    

    Variable

    
    
    # Define variables
    $adGroupMembers = @()
    $adGroupMemberDetails = @()
    $adGroupName = read-host "Please enter AD Username"
    
    # Narrow down the user via prompt
    $adGroupMembers = Get-ADUser -Identity $adGroupName -Properties SamAccountName,Surname,GivenName,Enabled
    
    #get the data from the variable
    $adGroupMembers
    
    
    • #100632
      Ben

      Participant
      Points: 1
      Rank: Member

      Thanks, yeah I figured to remove the variable in front of Get-AdUser and it fixed the issue. I did jettison the csv stuff and find the results no different (cleaner code–thank you!).

      I'd like to now figure out how to take the user's inputted username and query it against a certain AD Group to see if they belong to it or not.

  • #100633
    Jon

    Participant
    Points: 23
    Rank: Member

    $user = read-host "enter username to check"
    $group = read-host "enter group to check"

    $membership = (get-adgroupmember $group).samaccountname
    if ($membership -like $user)
    {
        "$($user) is a member of $($group)"
    }
    
    • #100636
      Ben

      Participant
      Points: 1
      Rank: Member

      Jon, Thank you! This leads me closer to where I want to be. I modified it for my environment, and changed the $group variable to one specific in our AD.

    • #100803
      Ben

      Participant
      Points: 1
      Rank: Member

      Hey all,

      Quick question/update:

      I have made some progress on my script but am getting a bit stalled where I try to add code to have the user added to the specified AD group if the system reads that they are NOT part of the group. Code below (modified the name of the group to conceal private information). Suggestions welcome 🙂

      $user = read-host "Enter AD username"
      $group = "thegroup"

      $membership = (get-adgroupmember $group).samaccountname
      if ($membership -like $user)
      {
          "$($user) is a member of $($group)"
      }
      Else {"$User is not a member of $group" }

      if ($user -notin $group)
      {Add-ADGroupMember -Identity "thegroup" -Members $user -Confirm -WhatIf}
      
    • #100804

      Participant
      Points: 134
      Helping Hand
      Rank: Participant

      You don't need two ifs for the same condition. $Membership is an array and you want to check if it contains a certain element. 😉
      ... should work like this:

      $user = read-host "Enter AD username"
      $group = "thegroup"
      
      $membership = (get-adgroupmember $group).samaccountname
      if ($membership -contains $user){
          "$($user) is a member of $($group)"
      }
      Else {
          "$User is not a member of $group" 
          Add-ADGroupMember -Identity $group -Members $user -Confirm -WhatIf
      }

      ... untested ...
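The check-then-add logic from this reply, rewritten as a function so that -WhatIf and -Confirm are handled by the function itself rather than hard-coded into the Add-ADGroupMember call. This is an added example, not code posted in the thread; the function name Add-ADGroupMemberIfMissing is my own choice, the group name 'thegroup' is the thread's placeholder, and it assumes the ActiveDirectory module (RSAT) is installed and the technician has rights to modify the group.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module is
# available; function and parameter names are this example's own.
function Add-ADGroupMemberIfMissing {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'Medium')]
    param(
        [Parameter(Mandatory = $true)]
        [string]$SamAccountName,

        [Parameter(Mandatory = $true)]
        [string]$GroupName
    )

    # Validate the typed name first so a typo produces a clear message
    # instead of a less specific error from Add-ADGroupMember further down.
    try {
        $user = Get-ADUser -Identity $SamAccountName -ErrorAction Stop
    }
    catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        Write-Warning "No AD user named '$SamAccountName' was found."
        return
    }

    $group = Get-ADGroup -Identity $GroupName -ErrorAction Stop

    # -contains is an exact (case-insensitive) element test on the array;
    # -like would treat the typed name as a wildcard pattern instead.
    $members = @((Get-ADGroupMember -Identity $group).SamAccountName)
    if ($members -contains $user.SamAccountName) {
        return "$($user.SamAccountName) is already a member of $($group.Name)"
    }

    # ShouldProcess wires -WhatIf and -Confirm into this function. With -WhatIf
    # the change is only described, which is also why the earlier attempts in
    # the thread that hard-coded -WhatIf never changed the group.
    if ($PSCmdlet.ShouldProcess($group.Name, "Add member $($user.SamAccountName)")) {
        # Confirmation was already handled above, so suppress the cmdlet's own prompt.
        Add-ADGroupMember -Identity $group -Members $user -Confirm:$false
        return "$($user.SamAccountName) added to $($group.Name)"
    }
}

# Prompt the technician as in the thread; dry-run first, then run for real.
$entered = Read-Host 'Enter AD username'
Add-ADGroupMemberIfMissing -SamAccountName $entered -GroupName 'thegroup' -WhatIf
# Add-ADGroupMemberIfMissing -SamAccountName $entered -GroupName 'thegroup' -Confirm
```

Running the function with -WhatIf prints what would happen and leaves the group untouched; dropping -WhatIf (optionally with -Confirm) performs the add. Because the function returns its status line instead of only printing it, the same function can be called from another script or a module and its result checked.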

    • #100815
      Ben

      Participant
      Points: 1
      Rank: Member

      So I had to add "()"'s around the initial "Else" statement to get the code to run, but it still doesn't add a user to the group who is not part of it. The script runs and says complete, but checking in AD shows the user is still not part of the intended group.

      Again, code for actual group name is changed for privacy.

      $user = read-host "Enter AD username"
      $group = "thegroup"

      $membership = (get-adgroupmember $group).samaccountname
      if ($membership -contains $user)
      {
          "$($user) is a member of $($group)"
      }
      Else {
          ("$User is not a member of $group")
          Add-ADGroupMember -Identity "thegroup" -Members $user -Confirm -WhatIf
      }
      
  • #100821
    Jon

    Participant
    Points: 23
    Rank: Member

    Does it work if you take off -whatif? 😉

    • #100822
      Ben

      Participant
      Points: 1
      Rank: Member

      Yes, it did work. And the -Confirm parameter worked fine too.

      More progress. Thank you all so far

    • #100828
      Ben

      Participant
      Points: 1
      Rank: Member

      So, I basically have my script finished, but I'm wondering one big thing: are there any suggestions the community here has for me to speed it up? I have included measure-command -expression {} in it and average about 15-17 seconds per run. I would love to see this take less than 10 seconds. Pasting code below (again with concealed group names for privacy).

      Measure-Command -Expression {

          $user = read-host "Enter AD username"
          $group = "thegroup"

          $membership = (get-adgroupmember $group).samaccountname
          if ($membership -contains $user)
          {
              "$($user) is a member of $($group)"
          }
          Else {
              ("$User is not a member of $group")
              Add-ADGroupMember -Identity "thegroup" -Members $user -Confirm
          }
      }
      
      
  • #100836
    Jon

    Participant
    Points: 23
    Rank: Member

    You can only go as fast as the human element allows.

    Of the two items in there that require human interaction, you can remove one.

    • #100839
      Ben

      Participant
      Points: 1
      Rank: Member

      At least in the case where the user is already part of thegroup, once the name is entered and the script begins to run, then it takes 15-17 seconds on average. I understand the piece that requires human input needs to be done first. Does that help?

    • #100848

      Participant
      Points: 134
      Helping Hand
      Rank: Participant

      To make your measurements valid you should move the start of the measurement down after the Read-Host. The speed also depends on some other conditions ... the size of the targeted group, whether you run the script on a domain controller or remotely ...
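To illustrate both points in this reply, here is an added example (my own code, not from the thread) that starts the clock only after Read-Host and tests membership without pulling the whole member list of a large group. It goes a little beyond the thread: the user's memberOf attribute is checked directly, the domain controller is also asked to resolve nested membership via the LDAP_MATCHING_RULE_IN_CHAIN matching rule (OID 1.2.840.113556.1.4.1941), and the typed username is escaped before it is embedded in an LDAP filter. Function names, the 'thegroup' placeholder and the assumption that the ActiveDirectory module is installed are all this example's own.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module;
# ConvertTo-LdapFilterValue and Test-ADGroupMembership are this example's own names.
function ConvertTo-LdapFilterValue {
    # Escape a value before embedding it in an LDAP filter (RFC 4515), so a
    # technician typing "*" or ")" cannot change the meaning of the query.
    param([Parameter(Mandatory = $true)][string]$Value)
    $sb = [System.Text.StringBuilder]::new()
    foreach ($ch in $Value.ToCharArray()) {
        switch ([string]$ch) {
            '\'     { [void]$sb.Append('\5c') }
            '*'     { [void]$sb.Append('\2a') }
            '('     { [void]$sb.Append('\28') }
            ')'     { [void]$sb.Append('\29') }
            "`0"    { [void]$sb.Append('\00') }
            default { [void]$sb.Append($ch) }
        }
    }
    $sb.ToString()
}

function Test-ADGroupMembership {
    # Returns Direct (from the user's memberOf attribute) and Effective
    # (nested membership resolved by the DC) without enumerating the group.
    param(
        [Parameter(Mandatory = $true)][string]$SamAccountName,
        [Parameter(Mandatory = $true)][string]$GroupName
    )
    $groupDn = (Get-ADGroup -Identity $GroupName -ErrorAction Stop).DistinguishedName

    # 1) One small read of the user object instead of every group member.
    #    memberOf does not list the primary group (normally Domain Users)
    #    or groups reached only through nesting.
    $memberOf = @((Get-ADUser -Identity $SamAccountName -Properties MemberOf -ErrorAction Stop).MemberOf)
    $direct = $memberOf -contains $groupDn

    # 2) Let the DC follow nested membership with the matching-rule-in-chain
    #    filter. The query returns the user object or nothing at all.
    $escapedUser  = ConvertTo-LdapFilterValue $SamAccountName
    $escapedGroup = ConvertTo-LdapFilterValue $groupDn
    $filter = "(&(sAMAccountName=$escapedUser)(memberOf:1.2.840.113556.1.4.1941:=$escapedGroup))"
    $effective = [bool](Get-ADUser -LDAPFilter $filter)

    [pscustomobject]@{ Direct = $direct; Effective = $effective }
}

$user  = Read-Host 'Enter AD username'
$group = 'thegroup'   # placeholder group name, as in the thread

# Start the clock only after the prompt, so the technician's typing time
# is not counted against the lookup.
$sw = [System.Diagnostics.Stopwatch]::StartNew()
$result = Test-ADGroupMembership -SamAccountName $user -GroupName $group
$sw.Stop()

"Direct member of ${group}: $($result.Direct)"
"Member through nesting too: $($result.Effective)"
"Lookup took $($sw.ElapsedMilliseconds) ms"
```

A Stopwatch started after Read-Host measures the same thing Measure-Command would if its block began after the prompt, but keeps the lookup's results in the calling scope. Both lookups read or query a single object, so their cost does not grow with the size of the group the way Get-ADGroupMember does; which of the two flags you act on depends on whether nested membership should count as "already in the group".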

  • #100842
    Jon

    Participant
    Points: 23
    Rank: Member

    It takes 7 seconds on my machine adding a user to a group they are not a member of, after removing the -confirm switch.

    Something wrong in your environment.

The topic ‘New to PS scripting-help with add user to AD group’ is closed to new replies.