Updating AD Group Memberships


Hello,

I am trying to take the members of a security group/distribution list that contains many nested groups and add all of them to a SG. I am able to complete this on the first pass, when the target SG is empty. The users are added, and none of the nested groups are carried over. However, I am running into an issue on subsequent passes. I receive the error 'The specified account name is already a member of the group'. I guess I could first remove the members of the target group and update the membership each time I run the process, but I am curious to know if there is a possibility to skip the existing users and add only the newly added users from the source groups. There are a dozen users in the target group that are static entries and do not exist in any of the source groups, which presents a challenge.

    # $sourceGroup and $targetGroup must be set before this runs (placeholders here)
    $sourceGroup = "<source group name>"
    $targetGroup = "<target group name>"

    $ErrorActionPreference = "Stop"
    try {
        Import-Module ActiveDirectory

        # Distinguished names of everything already in the target group
        $existingMembers = Get-ADGroup $targetGroup -Properties Members |
            Select-Object -ExpandProperty Members

        # Direct (non-group) members of the source group; the original compared
        # $_.SamAccountName against itself, so nothing was ever skipped
        Get-ADGroupMember -Identity $sourceGroup |
            Where-Object { $_.ObjectClass -ne "group" } |
            ForEach-Object {
                if ($existingMembers -notcontains $_.DistinguishedName) {
                    Add-ADGroupMember -Identity $targetGroup -Members $_
                    $_
                }
            }

        # Members of the groups nested one level below the source group
        # (these are already distinguished names; deeper nesting is not followed)
        Get-ADGroupMember -Identity $sourceGroup |
            Where-Object { $_.ObjectClass -eq "group" } |
            Get-ADGroup -Properties Members |
            Select-Object -ExpandProperty Members |
            ForEach-Object {
                if ($existingMembers -notcontains $_) {
                    Add-ADGroupMember -Identity $targetGroup -Members $_
                    $_
                }
            }
    } catch {
        $_ | Out-File d:\ps\problemupdatinggroupsreport.txt -Append -Width 1000
    }

Thanks in advance for any assistance. Also, a special thanks to Siva Mulpuru, whose blog got me started down the path in accomplishing this (http://smulpuru.wordpress.com/).

Regards,
Brian

Give this script a try. I created a recursive function that, when passed a group, checks to see if a member is a group and, if so, calls itself again. It returns a final array of the users' distinguished names, and before adding a user to the target group, it checks to see if they are already a member of it.

    function getmembers {
        param ( [string]$groupname )
        $allmembers = @()
        $members = Get-ADGroupMember $groupname
        foreach ($member in $members) {
            if ($member.ObjectClass -eq "group") {
                # Recurse into the nested group and keep what it returns
                # (the original discarded the result of this call)
                $allmembers += getmembers $member.SamAccountName
            } else {
                $allmembers += $member.DistinguishedName
            }
        }
        return $allmembers
    }

    $sourcegroup = "source group name"
    $targetgroup = "target group name"
    $targetgroupdn = Get-ADGroup $targetgroup | Select-Object -ExpandProperty DistinguishedName

    getmembers $sourcegroup | ForEach-Object {
        # Skip users whose memberOf already lists the target group
        if (!(@(Get-ADUser $_ -Properties MemberOf | Select-Object -ExpandProperty MemberOf) -contains $targetgroupdn)) {
            Add-ADGroupMember -Identity $targetgroup -Members $_
        }
    }

I did not test the Add-ADGroupMember portion as I don't have a test AD environment to play in. I used Write-Host instead to view the information; you may want to add the -WhatIf switch to see what would happen and verify it is correct before proceeding.

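As an added example (not code from either poster), the same one-way sync written so that it can be re-run safely: nested groups are flattened with the -Recursive switch of Get-ADGroupMember, users already in the target are skipped by comparing distinguished names, and static entries in the target are never removed but are reported for review. $SourceGroup and $TargetGroup are placeholders for your own group names; run it with -WhatIf first.

```powershell
# Added example: idempotent one-way sync of flattened source-group users into a target group.
# Assumes the ActiveDirectory module; $SourceGroup/$TargetGroup are placeholders.
param(
    [Parameter(Mandatory)] [string]$SourceGroup,
    [Parameter(Mandatory)] [string]$TargetGroup,
    [switch]$WhatIf
)

Import-Module ActiveDirectory -ErrorAction Stop

# Users anywhere below the source group: -Recursive flattens nested groups and
# returns only the leaf objects, so the groups themselves are never copied over.
$sourceUsers = Get-ADGroupMember -Identity $SourceGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

# Current direct members of the target as distinguished names, in a hash table so
# the "already a member" check stays cheap for large groups.
$existing = @{}
(Get-ADGroup -Identity $TargetGroup -Properties Members).Members |
    ForEach-Object { $existing[$_] = $true }

# Only users not yet in the target; Add-ADGroupMember takes an array, so this is
# one directory write per run instead of one per user, and it cannot hit the
# "already a member of the group" error on later passes.
$toAdd = @($sourceUsers | Where-Object { -not $existing.ContainsKey($_.DistinguishedName) })

if ($toAdd.Count -gt 0) {
    Add-ADGroupMember -Identity $TargetGroup -Members $toAdd -WhatIf:$WhatIf
}

# Audit trail: members of the target that have no source in the flattened set.
# These are the static entries the question describes, plus anything that was
# added outside this process and deserves a second look.
$sourceDns = @{}
$sourceUsers | ForEach-Object { $sourceDns[$_.DistinguishedName] = $true }
$unmanaged = @($existing.Keys | Where-Object { -not $sourceDns.ContainsKey($_) })

[pscustomobject]@{
    Added     = $toAdd.Count
    Skipped   = @($sourceUsers).Count - $toAdd.Count
    Unmanaged = $unmanaged
}
```

Because the script only ever adds, a bad run cannot strip the static entries or anyone else from the target; the Unmanaged list is what you review by hand. Two things to keep in mind when running it against a real forest: Get-ADGroupMember -Recursive can fail on very large groups or when nested groups contain foreign security principals from other domains, and the summary object is worth writing to a log alongside the error file the original script already keeps, so that every membership change to a security group leaves a record.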






