Remove AD Group Membership based on field in CSV file

This topic contains 3 replies, has 3 voices, and was last updated by  Brian Jacobsen 3 months, 3 weeks ago.

  • #73580

    Brian Jacobsen
    Participant

    I have an almost working script but am getting stuck at one part. What I need to do is read a CSV file with two columns (Department, GroupName) and add any user whose department attribute matches the department column to the group. That part is working except for the statement that is supposed to filter out current members of the group. I also need the script to be able to look at the current group members and then remove any users who do not match one of the departments from the CSV file, i.e. if a user transfers but was never removed from the group, this script will remove the access. This is the part I'm getting stuck at. I am getting the error "Get-ADUser : A parameter cannot be found that matches parameter name 'SamAccountName'". I am also not sure the remove part is written properly for what I need. Any assistance or guidance would be greatly appreciated.

    Thanks

    Here is what I have:

    #Import the AD module
    Import-Module ActiveDirectory

    #Enter path to CSV file containing headers for DeptName,GroupName
    $CSVFile = "\\server\folder\departmentgroups.csv"

    #Enter log file path
    $LogFile = "\\server\folder\log.txt"

    #Get today's date
    $today = Get-Date -DisplayHint Date

    #Imports data from CSV file containing department names and group names - data is case sensitive
    Import-Csv $CSVFile | ForEach-Object {

        #Adds users to group based on attributes
        $dept    = $_.DeptName
        $ADGroup = $_.GroupName

        #Note: memberOf holds distinguished names, so $ADGroup must be the group's DN for the (!memberOf) clause to match
        Get-ADUser -LDAPFilter "(&(department=$dept)(userAccountControl=512)(!(memberOf=$ADGroup)))" | ForEach-Object {
            Add-ADPrincipalGroupMembership -Identity $_ -MemberOf $ADGroup
            Write-Output "$today,$dept,$($_.SamAccountName),DeptMatch-Was-Added-To-Group" >> $LogFile
        }

        #Remove any user no longer in department
        $groupmember = @(Get-ADGroupMember -Identity $ADGroup | Select-Object -ExpandProperty SamAccountName)

        If (!($groupmember)) { Write-Output "$today,$dept,Group-Was-Empty" >> $LogFile } #if no members are in the group write it to log file
        Else {
            $nolongermember = $groupmember | ForEach-Object { Get-ADUser -SamAccountName $_ } | Where-Object { $_.Department -ne $dept }
            #if more than one user is found in the above line, Get-ADUser fails with "'identity' specified method is not supported" - so I think I need to do something like foreach but am struggling to figure this part out
        }

        If (!($nolongermember)) { Write-Output "$today,$dept,No-Users-To-Remove" >> $LogFile }
        Else {
            Remove-ADGroupMember $ADGroup $nolongermember
            Write-Output "$today,$dept,$nolongermember,DeptMisMatch-Was-Removed-From-Group" >> $LogFile
        }
    }

  • #73583

    Curtis Smith
    Participant

    Your problem is simply that there is no such parameter as -SamAccountName for Get-ADUser; you need to use the correct parameter. You can see all parameters available to you by using Get-Help.

  • #73787

    Aapeli Hietikko
    Participant

    Just questioning the method. If your CSV holds the data, then why don't you remove all the accounts and then add the ones that need to be in the group? I think it would make the end product much simpler.

    • #73840

      Brian Jacobsen
      Participant

      Since this group is used to grant membership to a share, I don't want to remove all users and repopulate each day. The script is set to run daily to make it more of a dynamic AD group that won't be managed by admins. So I need it to remove users if they transfer departments.
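The reconciliation the thread is after (keep the group's members equal to the department's enabled users, adding and removing only the difference, so share access is never dropped and re-granted wholesale) can be written as one function per CSV row. This is an added example, not the original poster's script: it assumes the ActiveDirectory module, a CSV with headers Department,GroupName, the group name as a plain sAMAccountName, and a log path that is a placeholder; the empty-department guard stops a typo in the CSV from emptying a share-access group.

```powershell
# Added example (not the original poster's script): reconcile one AD group so its
# members are exactly the enabled users of one department. Run with -WhatIf first.
Import-Module ActiveDirectory

function Sync-DepartmentGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Department,
        [Parameter(Mandatory)][string]$GroupName,
        [string]$LogFile = '\\server\folder\grouplog.csv'   # assumed placeholder path
    )
    $today = (Get-Date).ToString('yyyy-MM-dd')

    # Desired state: enabled users whose Department attribute matches this row.
    $desired = @(Get-ADUser -Filter "Department -eq '$Department' -and Enabled -eq 'True'" |
                 Select-Object -ExpandProperty SamAccountName)

    # Guard: an unknown department (CSV typo) must not strip everyone's access.
    if ($desired.Count -eq 0) {
        "$today,$Department,$GroupName,,Skipped-NoUsersInDepartment" | Add-Content -Path $LogFile
        return
    }

    # Current state: direct user members only (nested groups are left alone).
    $current = @(Get-ADGroupMember -Identity $GroupName |
                 Where-Object { $_.objectClass -eq 'user' } |
                 Select-Object -ExpandProperty SamAccountName)

    # Set difference in both directions: transfers out are removed, newcomers added.
    $toAdd    = @($desired | Where-Object { $_ -notin $current })
    $toRemove = @($current | Where-Object { $_ -notin $desired })

    foreach ($sam in $toAdd) {
        if ($PSCmdlet.ShouldProcess($GroupName, "Add $sam")) {
            Add-ADGroupMember -Identity $GroupName -Members $sam
            "$today,$Department,$GroupName,$sam,Added" | Add-Content -Path $LogFile
        }
    }
    foreach ($sam in $toRemove) {
        if ($PSCmdlet.ShouldProcess($GroupName, "Remove $sam")) {
            Remove-ADGroupMember -Identity $GroupName -Members $sam -Confirm:$false
            "$today,$Department,$GroupName,$sam,Removed" | Add-Content -Path $LogFile
        }
    }
    [pscustomobject]@{ Group = $GroupName; Added = $toAdd.Count; Removed = $toRemove.Count }
}

# One call per CSV row; drop -WhatIf once the preview of adds/removes looks right.
Import-Csv -Path '\\server\folder\departmentgroups.csv' | ForEach-Object {
    Sync-DepartmentGroup -Department $_.Department -GroupName $_.GroupName -WhatIf
}
```

Because the function uses ShouldProcess, a scheduled daily run can be preceded by a -WhatIf dry run that logs nothing and changes nothing, and the per-row summary object shows how many members each group gained or lost.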
