PowerShell Script to Move ADUser to appropriate group based on its Department ID attribute

  • Question

  • I am new to PowerShell and AD. I have a small task which I am finding difficult to complete. Can someone please help me here?

    The task is as follows:

    There are 3 ADgroups defined in AD, namely

    "CN=Technology Champion,OU=Exchange Distribution Lists,OU=Groups,DC=dpsnc,DC=local"
    "CN=Media Contacts-ES,OU=School Groups,OU=Groups,DC=dpsnc,DC=local"
    "CN=Media Contacts-SS,OU=School Groups,OU=Groups,DC=dpsnc,DC=local"

    What I need to do is, among all the ADUsers that exist in 'Domain Users', check whether an ADUser belongs to any one of the above-mentioned groups. If the ADUser belongs to at least one of the above-mentioned groups, then check his 'Department Id' attribute (which would be department_id = "304-BEE"), and based on the department ID attribute I have to move the ADObject to the appropriate ADgroup whose name contains the 'department_id'

    "CN=vBrick-ContentApprover.304-BEE.VC - Elementary,OU=Groups,OU=304-BEE,OU=VC - Elementary,DC=dpsnc,DC=local"
    "CN=vBrick-ContentApprover.306-BMS.VC - Middle,OU=Groups,OU=306-BMS,OU=VC - Middle,DC=dpsnc,DC=local"
    "CN=vBrick-ContentApprover.308-BUR.VC - Elementary,OU=Groups,OU=308-BUR,OU=VC - Elementary,DC=dpsnc,DC=local"

    For example:

    If an ADUser belongs to ADgroup "CN=Media Contacts-ES,OU=School Groups,OU=Groups,DC=dpsnc,DC=local", then I need to check his dept_id attribute. Suppose the dept_id value is "304-BEE"; then I need to move that ADObject to ADgroup "CN=vBrick-ContentApprover.304-BEE.VC - Elementary,OU=Groups,OU=304-BEE,OU=VC - Elementary,DC=dpsnc,DC=local"

    NOTE: The PowerShell script should be compatible with Windows Server 2003 R2 and Windows Server 2012


    Nikhil Katre



    Wednesday, July 16, 2014 1:42 PM

All replies

  • On Wed, 16 Jul 2014 13:42:49 +0000, Nikhil Katre wrote:

    I am new to PowerShell and AD. I have a small task which I am finding difficult to complete. Can someone please help me here?

    Since you're not using FIM you should port this question to one of the
    scripting forums.


    Paul Adare - FIM CM MVP
    Niklaus Wirth has lamented that, whereas Europeans pronounce his name
    correctly, Americans invariably mangle it into "Nick-les Worth". Which is
    to say that Europeans call him by name, but Americans call him by value.

    • Proposed as answer by Manuj Khurana Wednesday, July 16, 2014 3:01 PM
    Wednesday, July 16, 2014 2:09 PM
  • I figured out a script by myself which works perfectly fine, I am posting the answer to the script below....

    I created a test environment to work with existing attributes, instead of extending the AD schema.

    This script will work for a group named Teacher (a minor modification to this script can automate it for multiple groups as well), where I am using the 'title' attribute of the ADUser and the 'description' attribute of the ADGroup to find a match. If a match is found, then the ADUser is added to the ADGroup.

    # Members of the Teacher group, with 'title' loaded
    $members = Get-ADGroupMember -Identity 'CN=Teacher,CN=Users,DC=DPSTest,DC=local' |
        ForEach-Object { Get-ADUser $_ -Properties title }
    # -like with no wildcard matches only this exact group name
    $groups = Get-ADGroup -Filter 'name -like "vBrick-ContentApprover"' -Properties description
    foreach ($member in $members) {
        if ($groups.description -contains $member.title) {
            $title = $member.title   # plain variable for the filter string
            Add-ADGroupMember (Get-ADGroup -Filter 'description -eq $title') -Members $member
        }
    }

    Any suggestions are welcome. Thank You all!


    Nikhil Katre

    Thursday, July 17, 2014 2:19 PM
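
The task from the question, as an added example that is not part of the original thread or any poster's code: users are added to (not removed from) the group whose name carries their department ID, the attribute value is validated before it reaches a wildcard filter, and membership is granted only on a single unambiguous match. The function name, the `title` default (the reply's stand-in for the department attribute) and the department ID pattern are assumptions.

```powershell
# Added example; names marked "assumption" do not come from the original thread.
Import-Module ActiveDirectory

function Sync-DeptApproverGroup {                       # assumption: hypothetical name
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string[]]$SourceGroupDN,
        [string]$DeptAttribute = 'title',               # assumption: the reply's stand-in attribute
        [string]$DeptPattern   = '^\d{3}-[A-Z]{3}$'     # assumption: shape of 304-BEE, 306-BMS
    )
    # Collect each user once, even if they sit in several source groups.
    $userDNs = $SourceGroupDN |
        ForEach-Object { Get-ADGroupMember -Identity $_ } |
        Where-Object { $_.objectClass -eq 'user' } |
        Select-Object -ExpandProperty distinguishedName -Unique

    foreach ($dn in $userDNs) {
        $user = Get-ADUser -Identity $dn -Properties $DeptAttribute, MemberOf
        $dept = [string]$user.$DeptAttribute

        # The attribute value ends up in a wildcard filter, so reject anything
        # that is not a plain department ID (for example a value containing '*').
        if ($dept -notmatch $DeptPattern) {
            Write-Warning "Skipping $($user.SamAccountName): unexpected value '$dept'"
            continue
        }

        $namePattern = "vBrick-ContentApprover.$dept.*"
        $targets = @(Get-ADGroup -Filter 'Name -like $namePattern')

        # Fail closed: grant membership only when exactly one group matches.
        if ($targets.Count -ne 1) {
            Write-Warning "Skipping $($user.SamAccountName): $($targets.Count) groups match $namePattern"
            continue
        }
        if ($user.MemberOf -contains $targets[0].DistinguishedName) { continue }  # already a member
        if ($PSCmdlet.ShouldProcess($targets[0].DistinguishedName, "Add $($user.SamAccountName)")) {
            Add-ADGroupMember -Identity $targets[0] -Members $user
        }
    }
}

# Dry run against the source groups named in the question.
Sync-DeptApproverGroup -WhatIf -SourceGroupDN @(
    'CN=Technology Champion,OU=Exchange Distribution Lists,OU=Groups,DC=dpsnc,DC=local',
    'CN=Media Contacts-ES,OU=School Groups,OU=Groups,DC=dpsnc,DC=local',
    'CN=Media Contacts-SS,OU=School Groups,OU=Groups,DC=dpsnc,DC=local'
)
```

Drop `-WhatIf` only after reviewing the dry-run output and the skipped-user warnings.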