February 7, 2017 at 6:36 pm

Hi, I'm new to using PowerShell and am trying to create a script to automatically add all users with a specific attribute in AD to a group and remove any from that group that do not have this attribute. I have just one section of a line that is not working and keeps giving errors. Any assistance would be great.

Here is what I have:

#Import the AD module
Import-Module ActiveDirectory

#Set your search OU and Group Variables
$OU="OU=***,DC=***,DC=com"
$Group="CN=GroupNameHere,OU=***,DC=***,DC=com"

#Pull current list of Group Members and remove anyone not a Regular Employee – This part works fine
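#Get-ADGroupMember output does not include extensionAttribute2, so each member is re-read with Get-ADUser -Properties
Get-ADGroupMember -Identity $Group | Get-ADUser -Properties extensionAttribute2 | Where-Object {$_.extensionAttribute2 -NotMatch "Regular"} | ForEach-Object {Remove-ADPrincipalGroupMembership -Identity $_ -MemberOf $Group -Confirm:$false}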

#Adds any Regular employee to the Group that currently is not a member of it – This is where my issue is. The LDAPFilter to check if the user is already in the group is not working. I want to find any user with the attribute listed set to 'Regular' and add them to this group if they are not already in it.

Get-ADUser -Filter {extensionAttribute2 -like "Regular"} -SearchBase $OU -SearchScope Subtree -LDAPFilter "(!memberOf=$Group)" | ForEach-Object {Add-ADPrincipalGroupMembership -Identity $_ -MemberOf $Group}

February 7, 2017 at 6:42 pm

What happens when you break it down?

Get-ADUser -Filter {extensionAttribute2 -like "Regular"} -SearchBase $OU -SearchScope Subtree -LDAPFilter "(!memberOf=$Group)"

I would expect this to return all results. Worry about the later action after you get this core piece working. If I remember correctly (I am a bit of a newb myself), -like requires wildcards, so "*regular*".

February 7, 2017 at 6:48 pm

This portion works fine running by itself: Get-ADUser -Filter {extensionAttribute2 -like "Regular"} -SearchBase $OU -SearchScope Subtree

Once I add -LDAPFilter "(!memberOf=$Group)" it gives the below error:

Get-ADUser : Parameter set cannot be resolved using the specified named parameters.
At line:1 char:1
+ Get-ADUser -Filter {extensionAttribute2 -like "Regular"} –SearchBase ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Get-ADUser], ParameterBindingException
+ FullyQualifiedErrorId : AmbiguousParameterSet,Microsoft.ActiveDirectory.Management.Commands.GetADUser

February 7, 2017 at 7:07 pm

Please post the error message. From a quick glance your last statement is not correct. You can't combine -Filter and -LDAPFilter in the same command. Either settle on -Filter or -LDAPFilter.

February 7, 2017 at 7:15 pm

Example:

Get-ADUser -LDAPFilter "(&(extensionAttribute2=Regular*)(!memberOf=$Group))" -SearchBase $OU -SearchScope Subtree | ForEach-Object { Add-ADPrincipalGroupMembership -Identity $_ -MemberOf $Group }
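
The following is an added example, not code posted by anyone in this thread: one way to run both halves of the sync with a single -LDAPFilter per query, escaping the group DN before it goes into the filter and supporting a -WhatIf dry run. The function names Sync-AttributeGroup and ConvertTo-LdapFilterValue are hypothetical, the prefix match on the attribute follows the Regular* filter above, the negation is written in the strict (!(...)) form, and only user objects are considered.

```powershell
# Added example (not from the thread). Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping: \ * ( ) and NUL become \5c \2a \28 \29 \00, so a DN or
    # value containing them cannot alter the structure of the filter.
    param([Parameter(Mandatory)][string]$Value)
    [regex]::Replace($Value, '[\\*()\x00]', { param($m) '\{0:x2}' -f [int][char]$m.Value })
}

function Sync-AttributeGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SearchBase,
        [Parameter(Mandatory)][string]$GroupDN,
        [ValidatePattern('^[A-Za-z][A-Za-z0-9-]*$')][string]$Attribute = 'extensionAttribute2',
        [string]$Value = 'Regular'
    )
    $dn  = ConvertTo-LdapFilterValue $GroupDN
    $val = ConvertTo-LdapFilterValue $Value

    # Stale members: user objects in the group whose attribute does not start with
    # $Value (or is unset). Querying Get-ADUser by memberOf avoids relying on
    # Get-ADGroupMember output, which does not include extension attributes.
    $stale = @(Get-ADUser -LDAPFilter "(&(memberOf=$dn)(!($Attribute=$val*)))")

    # Missing members: users under $SearchBase with the attribute who are not yet
    # members. One -LDAPFilter carries both conditions; -Filter is not used at all.
    $missing = @(Get-ADUser -LDAPFilter "(&($Attribute=$val*)(!(memberOf=$dn)))" `
                     -SearchBase $SearchBase -SearchScope Subtree)

    if ($stale)   { Remove-ADGroupMember -Identity $GroupDN -Members $stale -Confirm:$false -WhatIf:$WhatIfPreference }
    if ($missing) { Add-ADGroupMember -Identity $GroupDN -Members $missing -WhatIf:$WhatIfPreference }

    # Return what changed (or would change under -WhatIf) so the run can be logged.
    [pscustomobject]@{
        Group   = $GroupDN
        Removed = @($stale | ForEach-Object SamAccountName)
        Added   = @($missing | ForEach-Object SamAccountName)
    }
}

# Dry run first; $OU and $Group are the placeholders from the original post:
# Sync-AttributeGroup -SearchBase $OU -GroupDN $Group -WhatIf
```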

February 7, 2017 at 8:58 pm

Thanks. That solved my issue. Really appreciate the help.