PowerShell Script To Replace Quest Active Roles

  • Question

  • Hello all! I have been tasked with coming up with a PowerShell script that accomplishes what Quest's Active Roles Server does (explained below). 

    Basically the script should create a distribution list prefixed with "Associates" and populate it based on the office location attribute in an AD User object. As an example, John Smith's Office Location is New York so a new distribution group would be created and called "Associates-New York" with the user being added to it.

    I hope this makes sense...

    In a perfect world I would simply turn to Active Roles but we are sadly doing away with it. Any assistance is greatly appreciated!

    So far when I test the script I am not seeing the desired results. It is not pulling the $GroupValidate as seen in the pic below

    So far this is what I have for the script:

    ###-Variables For Script-###
    
    $CurrentDomain = Get-ADDomain
    
    #The OU That The Script Will Be Looking In
    $TargetOU = "OU=SOMEPLACE,OU=ANOTHERPLACE"
    
    #The Full Distinguished Name of OU
    $OrganizationalUnitDN = $TargetOU+","+$CurrentDomain
    
    $users = Get-ADUser -LDAPFilter '(&(|(objectCategory=user)(objectClass=person))(&(!(DisplayName=*\28Secondary\29*))(!(DisplayName=*Training*))(DisplayName=*,*)(mail=*)(extensionAttribute5=EMP))(&(!(userAccountControl:1.2.840.113556.1.4.803:=2))))' -Properties Office
    $offices_unique = $users | select -ExpandProperty Office | select -Unique
    
    
    #####-----Group Creation-----#####
    
    $offices_unique = $users | select -ExpandProperty Office | select -Unique
    foreach($office in $offices_unique){
        $name='Associates-' + $($office.office)
        try
        {
            $GroupValidate = Get-ADGroup $name
        }
        catch
        {}
        if ($GroupValidate -ne $null)
        {
            Write-Output "$GroupValidate is an existing group."
        }
        else
        {
            Write-Output "$GroupValidate is not an existing group. Creating group..."
        }
        #New-ADGroup -Name $name -SamAccountName $name -GroupCategory Distribution -GroupScope Universal -DisplayName "$name" -Path "$OrganizationalUnitDN" -Description "Members of this group are From $($office.office)"
    }
    
    ###-Modify Existing Group Memberships-###
    
    $ExistingGroups = Get-ADGroup -Properties * -Filter {name -like 'Associates-*'} -SearchBase $OrganizationalUnitDN | select -ExpandProperty name
    
    foreach($ExistingGroup in $ExistingGroups){
        try
        {
            $Members = Get-ADGroup $_ | Get-ADGroupMember | %{Get-ADUser $_.SamAccountName -Properties *} | select Office
        }
        catch
        {}
        if ($member.office -like $ExistingGroup)
        {
            Write-Output "Checking whether $Member is a member of $ExistingGroup"
            if ((Get-ADUser $Member -Properties memberof).memberof -like "*$ExistingGroup*")
            {$true}
            Write-Output "$Member is already a member of $ExistingGroup"
        }
        Else
        {
            Write-Output "$Member is not a member of $ExistingGroup. Adding membership..."
        }
        {
            Add-ADGroupMember -Identity $ExistingGroups -Members $Member.samaccountname
        }
    }
    

    Thursday, October 24, 2019 2:42 PM

All replies

  • I think I'd rewrite that first ForEach block. I left the $GroupValidate variable in there, but I don't think it's needed.

    If you want the Try/Catch to work you have to set ErrorAction to "stop" on the cmdlets.

    foreach($office in $offices_unique){
        # $offices_unique holds plain strings (from -ExpandProperty Office), so use $office itself;
        # $office.office is $null on a string and every name would collapse to 'Associates-'
        $name = 'Associates-' + $office
        try{
            # -ErrorAction Stop sends a failed lookup to the catch block
            $GroupValidate = Get-ADGroup $name -ErrorAction STOP
            Write-Output "$name is an existing group."
        }
        catch{
            $GroupValidate = $null
            Write-Output "$name is not an existing group. Creating group..."
            try{
                #New-ADGroup -Name $name -SamAccountName $name -GroupCategory Distribution -GroupScope Universal -DisplayName "$name" -Path "$OrganizationalUnitDN" -Description "Members of this group are From $office" -ErrorAction STOP
            }
            catch{
                # Didn't create new group -- what do you want to do now?
            }
        }
    }


    --- Rich Matheisen MCSE&I, Exchange Ex-MVP (16 years)


    Thursday, October 24, 2019 3:40 PM
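
An added example, not part of the thread or either poster's code: one way to handle both halves of the task (create missing groups, then reconcile membership) in a single pass. It goes beyond the thread by also removing members whose Office no longer matches, on the assumption that each group should mirror the attribute; the `-Commit` switch, the `$GroupOU` parameter and the `DC=example,DC=com` suffix are assumptions.

```powershell
# Added example (not from the thread). Dry run by default; pass -Commit to write changes.
param(
    [switch]$Commit,
    # Assumption: placeholder DN for the OU that holds the Associates-* groups.
    [string]$GroupOU = 'OU=SOMEPLACE,OU=ANOTHERPLACE,DC=example,DC=com'
)
Import-Module ActiveDirectory
$ErrorActionPreference = 'Stop'   # an unexpected AD error ends the run instead of being skipped

# Same user filter as in the question.
$filter = '(&(|(objectCategory=user)(objectClass=person))(&(!(DisplayName=*\28Secondary\29*))(!(DisplayName=*Training*))(DisplayName=*,*)(mail=*)(extensionAttribute5=EMP))(&(!(userAccountControl:1.2.840.113556.1.4.803:=2))))'
$users = Get-ADUser -LDAPFilter $filter -Properties Office |
    Where-Object { -not [string]::IsNullOrWhiteSpace($_.Office) }

# Group-Object compares case-insensitively, so "New York" and "new york" share one group.
foreach ($bucket in ($users | Group-Object { $_.Office.Trim() })) {
    $name = 'Associates-' + $bucket.Name
    # Characters that are not valid in sAMAccountName: skip instead of creating a mangled name.
    if ($name -match '["/\\\[\]:;|=,+*?<>]') {
        Write-Warning "Skipping '$name': Office value has characters invalid in sAMAccountName"
        continue
    }
    try {
        $group = Get-ADGroup -Identity $name -Properties member -ErrorAction Stop
    }
    catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        # Only "not found" leads to creation; permission or connectivity errors still surface.
        $group = New-ADGroup -Name $name -SamAccountName $name -GroupCategory Distribution `
            -GroupScope Universal -DisplayName $name -Path $GroupOU `
            -Description "Members of this group are from $($bucket.Name)" `
            -PassThru -WhatIf:(-not $Commit)
    }
    if (-not $group) {   # dry run: nothing was created, so there is nothing to compare against
        Write-Output "$name would be created with $($bucket.Count) member(s)"
        continue
    }
    # The lookup is domain-wide, so never repopulate a security group that shares the name.
    if ($group.GroupCategory -ne 'Distribution') { Write-Warning "Skipping '$name': not a distribution group"; continue }

    $currentDn = @($group.member | Where-Object { $_ })
    $wantedDn  = @($bucket.Group | ForEach-Object { $_.DistinguishedName })
    $toAdd     = @($wantedDn  | Where-Object { $_ -notin $currentDn })
    $toRemove  = @($currentDn | Where-Object { $_ -notin $wantedDn })
    if ($toAdd)    { Add-ADGroupMember -Identity $group -Members $toAdd -WhatIf:(-not $Commit) }
    if ($toRemove) { Remove-ADGroupMember -Identity $group -Members $toRemove -Confirm:$false -WhatIf:(-not $Commit) }
    Write-Output "${name}: $($toAdd.Count) to add, $($toRemove.Count) to remove"
}
```

Because the question's filter excludes disabled accounts, a disabled user drops out of `$wantedDn` and is removed from the group on the next run.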
  • Hi,

    Was your issue resolved?

    If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.

    If you resolve it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.

    If no, please reply and tell us the current situation in order to provide further help.

    Best Regards,

    Lee


    Friday, November 8, 2019 1:11 PM