Powershell - Need help combining multiple commands (?) into one script

  • Question

  • Scenario:

    When a user is terminated from our company, I run these scripts separately:

    1. I use the script below in Windows Powershell ISE to launch an entry box so I can enter in the username@domain and get a list of distribution groups the termed employee currently manages, exported to a CSV file on my desktop:

    Add-PSSnapin quest.activeroles.admanagement
    $USerID = Read-host "Enter in Username@domain. Example: JohnDoe@cba.corp"
    connect-QADService -service blah.dc1.cba.corp -UseGlobalCatalog
    get-qadgroup -ManagedBy $UserID -Verbose | select Name,Type,DN | export-csv -NoTypeInformation "$home\desktop\$UserID.csv" -Verbose -Force

    2. I launch Powershell as an Administrator and run the following to activate Exchange Management in Powershell and to give me access to the entire forest of accounts:

    Add-PSSnapin -name "Microsoft.Exchange.Management.PowerShell.E2010"

    Set-AdServerSettings -ViewEntireForest $true

    3. Next, I run this script to remove the former owner's write permissions from the list of distribution lists they managed in the above CSV file:

    import-csv -Path "<PATH>" | Foreach-Object {Remove-ADPermission -Identity $_.Name -User '<domain\username>' -AccessRights WriteProperty -Properties "Member" -Confirm:$false}

    4. I run this script to show the new owner of the DLs, allow DL management via Webmail and add info in the Notes section on the DLs:

    import-csv -Path "<PATH>" | Foreach-Object {set-Group -Identity $_.Name -ManagedBy "<domain\username>" -Notes "<Enter Here>"}

    5. I run this script to allow management via Outlook and to automatically check the box in Active Directory "Manager can update membership list" under the Managed By tab within the Group's Properties:

    import-csv -Path "<PATH>" | Foreach-Object {Add-ADPermission -Identity $_.Name -User '<domain\username>' -AccessRights WriteProperty -Properties "Member"}

    Is there a way I can combine this into one Powershell script or two, at the most instead of having to copy and paste 6 different times and use two programs (Powershell and Powershell ISE)? 

    Friday, April 18, 2014 8:36 PM

Answers

  • I don't have the snapins to test this but it should work OK for you.  Also not sure where you're getting the <domain\username from, assuming you've got that covered already.

    You're importing the csv file every script/command when you don't even have to create the csv if you don't otherwise need it.  And you're cycling through all of the same lines in the CSV for each one of the commands.  You can combine each of those commands in the foreach loop:

    Add-PSSnapin -name "Microsoft.Exchange.Management.PowerShell.E2010"
    Add-PSSnapin quest.activeroles.admanagement
    Set-AdServerSettings -ViewEntireForest $true
    connect-QADService -service blah.dc1.cba.corp -UseGlobalCatalog
    Do {
       $USerID = Read-host "Enter in Username@domain. Example: JohnDoe@cba.corp"
       Try {
          get-qadgroup -ManagedBy $UserID -Verbose -ErrorAction Stop | select Name,Type,DN | Foreach-Object {
             Remove-ADPermission -Identity $_.Name -User '<domain\username>' -AccessRights WriteProperty -Properties "Member" -Confirm:$false
             set-Group -Identity $_.Name -ManagedBy "<domain\username>" -Notes "<Enter Here>"
             Add-ADPermission -Identity $_.Name -User '<domain\username>' -AccessRights WriteProperty -Properties "Member"
          }
          $Flag = $True
       } Catch {
          Write-Host "Invalid username or user not found, please try again"
       }
    } While (!$Flag)
    


    I added a try/catch in case someone enters the user@domain incorrectly, that might be useful to you and you might not care but it's something to think about if anyone else will be using this script after you.  There's a lot more you can do with a try catch - this is just the very basic example so you can retry the username and not have ugly  bloody red powershell console if you goof.


    I hope this post has helped!

    • Marked as answer by TechMoeBowl Sunday, April 20, 2014 12:45 PM
    Saturday, April 19, 2014 1:54 AM

All replies

  • What is stopping you?  Why can't you put them together?  Have you tried?


    ¯\_(ツ)_/¯

    Friday, April 18, 2014 9:09 PM
  • Rhys - it won't work.  You cannot mix Exchange, AD and QAD like that.

    The OP needs to do this one script at a time and choose what is being done.  Most of this has likely never worked as expected.

    Why use QAD and AD CmdLets and why load Exchange when no Exchange calls are being used?

    Be helpful? What is it that is really required here?

    Forget both QAD and Exchange.  They are not needed and not useful.


    ¯\_(ツ)_/¯

    Saturday, April 19, 2014 1:58 AM
  • Hi jrv,

    He is using plenty of Exchange calls from Step 2 to 5.

    I'd assume those are all pasted one after the other into the same command-line window. Based on how his calls are set up, I assume his scenario is a multi-domain forest and he focuses on Exchange calls thus. There are no AD-Module commands in his steps that I've noticed (note that some Exchange cmdlets sound as if they ought to be in the AD-Module. They are not.).

    Whether the Quest calls in Step 1 need to be ... can't say, never used the Quest ones, AD Module was always enough for me.

    Cheers,
    Fred


    There's no place like 127.0.0.1

    Saturday, April 19, 2014 2:36 AM
  • I did this hours ago.  It is not a very good method.  There are too many missing pieces.   Why use Quest?

    Shrunk down this is what he is doing:

    <<<<< DELETED >>>
    

    Which is pretty close to this:

    Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010
    $USerID = Read-host "Enter in Username@domain. Example: JohnDoe@cba.corp"
    connect-QADService -service blah.dc1.cba.corp -UseGlobalCatalog
    get-qadgroup -ManagedBy $UserID | 
         Foreach-Object{
            Remove-ADPermission -Identity $_.Name -User '<domain\username>' -AccessRights WriteProperty -Properties "Member" -Confirm:$false
            set-Group -Identity $_.Name -ManagedBy '<domain\username>' -Notes '<Enter Here>'
            Add-ADPermission -Identity $_.Name -User '<domain\username>' -AccessRights WriteProperty -Properties Member
         }

    My point was and is why isn't the user able to write this?  Why do it this way?  What information is missing here?



    ¯\_(ツ)_/¯


    • Edited by jrv Saturday, April 19, 2014 2:53 AM
    Saturday, April 19, 2014 2:50 AM
  • Well screw this.  What I posted was clobbered by this damn website.  Half of the first code block just disappeared.

    I really wish someone would fix that.


    ¯\_(ツ)_/¯

    Saturday, April 19, 2014 2:52 AM
  • Rhys W Edwards, that worked. After seeing the script,  a light bulb went off on how I can make it even better and use only one program to run it. I took your script, which worked, removed a couple of redundant things I found in my original script, added a couple of things and now it does what I want it to do.

    Now, I only run this script through Powershell ISE by right-clicking on it and opening it up as an Administrator:

    Add-PSSnapin -name "Microsoft.Exchange.Management.PowerShell.E2010"
    Add-PSSnapin quest.activeroles.admanagement
    Set-AdServerSettings -ViewEntireForest $true
    Do {
       $FormerOwner = Read-host "Enter in former DL owner as Username@domain."
       $UserID = Read-host "Enter in new DL owner as Username@domain."
       $Notes= Read-host "Enter in Notes for DL"
       Try {
          get-qadgroup -ManagedBy $FormerOwner -Verbose -ErrorAction Stop | select Name | Foreach-Object {
             Remove-ADPermission -Identity $_.Name -User $FormerOwner -AccessRights WriteProperty -Properties "Member" -Confirm:$false
             set-Group -Identity $_.Name -ManagedBy $UserID -Notes $Notes
             Add-ADPermission -Identity $_.Name -User $UserID -AccessRights WriteProperty -Properties "Member"
          }
          $Flag = $True
       } Catch {
          Write-Host "Invalid username or user not found, please try again"
       }
    } While (!$Flag)

    Thanks again and again, Rhys! I appreciate it one thousand times over.

    Sunday, April 20, 2014 12:50 PM
  • Rhys, again, thanks to your script, I was able to add even more to it to run nicely in PowerShell ISE (running as an Administrator):

    The following happens in the script below in this order:

    1. The script allows searching across multiple e-mail domains that we manage in Exchange

    2. It prompts for entry of the old owner's ID, the new owner's ID and notes that I want to add to the DLs.

    3. It exports a copy of lists owned by the old owner to a CSV file on my desktop.

    4. Powershell pauses and allows me to modify the old owner's.CSV file so I can remove any lists that should not be transferred, save the changes to the CSV file and click continue in Powershell ISE. If all lists should be transferred to the new owner, I would simply not edit the CSV export and click OK in Powershell ISE.

    5. Powershell ISE updates the DLs from the CSV export using the information I entered in the entry boxes.

    6. Powershell sleeps for about 1 minute after updating the DLs to allow Active Directory to register the changes. Then, Powershell ISE exports a copy of the lists transferred to the new owner to a <newownerID>.csv file on my desktop. This allows me to compare the CSV files (which should have the same exact lists on them) and make sure all of the lists were successfully transferred.

    7. If the lists are not the same because Active Directory didn't update in time while the file csv export was running for the new owner, I can run the script again with the exception of using the newownerID for the entry boxes in Step 2 (Notes don't matter as we won't execute any additional steps after capturing the updated export). You would simply select Cancel during the pause window that comes after the export completes to prevent the script from continuing a second time and overwriting your previous entries.

    8. You can now compare the updated newowner.csv to the oldowner.csv file on your desktop. 

     

    Add-PSSnapin -name "Microsoft.Exchange.Management.PowerShell.E2010"
    Add-PSSnapin quest.activeroles.admanagement
    Set-AdServerSettings -ViewEntireForest $true
    connect-QADService -service xyz-fakeserver.corp -UseGlobalCatalog
    Do {
       $FormerOwner = Read-host "Enter in former DL owner as Username@domain."
       $UserID = Read-host "Enter in new DL owner as Username@domain."
       $Notes = Read-host "Enter in Notes for DL"
       Try {
          # Export the groups the former owner manages so the list can be reviewed
          get-qadgroup -ManagedBy $FormerOwner -Verbose -ErrorAction Stop | select Name | export-csv -NoTypeInformation "$home\desktop\$FormerOwner.csv" -Verbose -Force

          # Pause here so the CSV can be edited before anything is changed
          Read-Host 'Edit <FormerOwner>.CSV file on desktop to remove groups that should stay with current owner, save changes and press Enter or click OK to continue script. If all groups need to be transferred to new owner, do not modify CSV file and press Enter or click OK to continue.'

          # Show the (possibly edited) list, then load it for processing
          import-csv -Path "$home\desktop\$FormerOwner.csv"
          $UserList = import-csv "$home\desktop\$FormerOwner.csv"

          $Userlist | Foreach-Object {
             Remove-ADPermission -Identity $_.Name -User $FormerOwner -AccessRights WriteProperty -Properties "Member" -Confirm:$false
             set-Group -Identity $_.Name -ManagedBy $UserID -Notes $Notes
             Add-ADPermission -Identity $_.Name -User $UserID -AccessRights WriteProperty -Properties "Member"
          }

          # Give Active Directory time to register the changes
          Start-Sleep -s 60

          # Export the groups the new owner now manages, for comparison
          get-qadgroup -ManagedBy $UserID -Verbose -ErrorAction Stop | select Name | export-csv -NoTypeInformation "$home\desktop\$UserID.csv" -Verbose -Force

          $Flag = $True
       } Catch {
          Write-Host "Invalid username or user not found, please try again"
       }
    } While (!$Flag)

    Sunday, April 20, 2014 11:03 PM
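
Steps 6 to 8 of the last post compare the two CSV exports by eye. The following is an added example, not code from any post in this thread, that does the comparison in PowerShell and can also list any direct WriteProperty entry the former owner still holds on a group. The function names `Compare-DLTransfer` and `Get-ResidualWriteAce`, the temp-file names and the sample group names are made up for the illustration; the syntax is kept to PowerShell 2.0.

```powershell
# Added example, not from the thread. Function names are hypothetical.
function Compare-DLTransfer {
    param(
        [Parameter(Mandatory=$true)] [string] $FormerOwnerCsv,
        [Parameter(Mandatory=$true)] [string] $NewOwnerCsv
    )
    $expected = @(Import-Csv -Path $FormerOwnerCsv | ForEach-Object { $_.Name })
    $actual   = @(Import-Csv -Path $NewOwnerCsv   | ForEach-Object { $_.Name })

    # Groups listed for transfer that the new owner does not manage.
    # Groups found only in the new owner's export (ones already managed
    # before the transfer) are expected and are not reported.
    $missing = @($expected | Where-Object { $actual -notcontains $_ })

    New-Object PSObject -Property @{
        Expected = $expected.Count
        Missing  = $missing
        Complete = ($missing.Count -eq 0)
    }
}

# Exchange shell only: direct (non-inherited) WriteProperty entries the
# former owner still holds on the listed groups. No output means none left.
function Get-ResidualWriteAce {
    param(
        [Parameter(Mandatory=$true)] [string[]] $GroupName,
        [Parameter(Mandatory=$true)] [string]   $FormerOwner
    )
    foreach ($name in $GroupName) {
        Get-ADPermission -Identity $name -User $FormerOwner |
            Where-Object { (-not $_.IsInherited) -and ($_.AccessRights -match 'WriteProperty') } |
            Select-Object Identity, User, AccessRights, Properties
    }
}

# Constructed sample data so the comparison runs without Exchange or AD.
$old = Join-Path $env:TEMP 'former-owner-sample.csv'
$new = Join-Path $env:TEMP 'new-owner-sample.csv'
'Name', 'DL-Sales', 'DL-Finance', 'DL-Ops'  | Set-Content -Path $old
'Name', 'DL-Sales', 'DL-Ops', 'DL-Existing' | Set-Content -Path $new

$result = Compare-DLTransfer -FormerOwnerCsv $old -NewOwnerCsv $new
$result | Format-List
Remove-Item $old, $new
```

In the Exchange shell, pass the Name column of the former owner's CSV and the former owner's account to `Get-ResidualWriteAce` after the transfer has run.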