Problem with looping...

  • Question

  • Hi,

    I'm in the process of writing a script which will update groups based on AD Attributes (department). This works great and reads a CSV with a list of groups and departments and adds users to the relevant groups. The second section of the script reads the current group members and removes them if they are disabled - this part works too. But the part I am struggling on is where it reads the group members, checks if someone that is a member of the group shouldn't be anymore, by looking at their department. If there is only one member in the group it works fine, if there are more members in the group then it can't process them. I think it's because I need to loop it to check each user, but can't seem to get it to work.

    I've commented the lines that are causing me the issue

    #Script variables
    #Make edits below this line
    
    #Enter path to CSV file containing headers for DeptName,GroupName
    $CSVFile = "c:\Source\Scripts\Depatmentalgroups\DepartmentalGroups-test.csv"
                
    #Enter Log file path
    $LogFile = "c:\Source\Scripts\Depatmentalgroups\logfile.txt"
    
    
    #Don't change anything after this line
    ###############################################################################################################
    #Get todays date
    $today = Get-Date -DisplayHint Date
    
    #Imports data from CSV file containing department names and group names - data is case sensitive
    import-csv $csvFile | foreach {
    
    #Adds users to group based on attributes
    $dept = $_.DeptName
    $ADGroup = $_.GroupName
    
    $user = Get-QADUser -Department $dept -NotMemberOf $ADgroup -Enabled
    If (!($user)) {Write-output  "$Today,$Dept,No-Matching-Users-Found" >> $LogFile}
    	Else {Add-QADGroupMember $adgroup -member $user 
    			Write-Output "$Today,$Dept,$user Was-Added-To-Group" >> $LogFile
    			} 
    
    
    #Removes any disabled users from group
    $disableduser = Get-QADGroupMember $ADgroup -Disabled #check to see if users in group are disabled
    If(!($disableduser)) {Write-Output "$Today,$Dept,No-Disabled-Users-To-Remove" >> $Logfile} #if no disabled users are found write it to logfile
    	Else {Remove-QADGroupMember $ADGroup $disableduser  #if disabled users are found, remove them from the group
    		Write-Output "$Today,$Dept,$disableduser,Was-Removed-From-Group" >>$logfile
    		}
    
    #Remove any user no longer in department
    $nolongermember = $null #reset so a result from the previous CSV row is not reused
    $groupmember = Get-QADGroupMember $ADGroup #gets all users left in group
    
    If(!($groupmember)) {Write-Output "$Today,$Dept,Group-Was-Empty" >>$LogFile} #if no members are in the group write it to log file
    	Else {$nolongermember = Get-QADUser $groupmember | Where-Object {$_.department -ne $dept} #otherwise get all users who are in the group but that don't match the required department
    	#if more than one user is found in the above line, the get-qaduser fails with 'identity' specified method is not supported - so I think I need to do something like foreach but struggling to figure this part out
    	}
    
    If(!($nolongermember)) {Write-Output "$Today,$Dept,No-Users-To-Remove" >> $LogFile}
    	Else {Remove-QADGroupMember $ADGroup $nolongermember
    		Write-Output "$Today,$Dept,$nolongermember,Was-Removed-From-Group" >>$logfile
    		}
    }
    
    ################################################################################################################


    Regards,

    Denis Cooper

    MCITP EA - MCT

    Help keep the forums tidy, if this has helped please mark it as an answer

    Friday, June 14, 2013 9:40 AM

All replies

  • try replacing

    Else {$nolongermember = Get-QADUser $groupmember | Where...

    with

    Else {$nolongermember = $groupmember | Get-QADUser $_ | Where...

    Friday, June 14, 2013 10:33 AM
  • thanks,

    get this now

    Get-QADUser : Cannot bind parameter 'Identity'. Cannot convert the "@{GroupName=CN=Dept-G-Test123,OU=Departmental,OU=Groups,OU=xxx,DC=xx,DC=int; DeptName=Test342}" value of type


    Regards,

    Denis Cooper

    Friday, June 14, 2013 10:38 AM
  • ok

    replace this line

    $groupmember = Get-QADGroupMember $ADGroup

    with

    $groupmember = @(Get-QADGroupMember -Identity $ADGroup | Select-Object -expandproperty SamAccountName)


    and change this line again

    Else {$nolongermember = $groupmember | % {Get-QADUser -SamAccountName $_} | Where...

    • Marked as answer by Denis Cooper Monday, June 17, 2013 8:46 AM
    Friday, June 14, 2013 1:59 PM
  • that worked great - thanks

    are you able to explain what the difference is?


    Regards,

    Denis Cooper

    Monday, June 17, 2013 8:46 AM
  • This line

    $groupmember = @(Get-QADGroupMember -Identity $ADGroup | Select-Object -expandproperty SamAccountName)

    creates an array with the samaccountnames of the members of the group; if there are 0 members in the group it creates an empty array, with 1 member in the group it creates an array with 1 entry, ....

    and this line

    ... $groupmember | % {Get-QADUser -SamAccountName $_} ...

    pipes each samaccountname in the array into the get-qaduser cmdlet; % is an alias for ForEach-Object

    Monday, June 17, 2013 10:02 AM
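
The removal step from this thread, written as an added example that is not part of any poster's script: it applies the accepted answer's per-member lookup and logs one line per removed account. The function names `Get-DepartmentMismatch` and `Remove-DepartmentMismatch`, the `-DryRun` switch and the sample accounts are hypothetical; the Quest cmdlets and parameters are the ones used in the posts above, and the members' `DN` property is assumed to be available on the returned objects.

```powershell
# Added example; function, group and department names are hypothetical.
function Get-DepartmentMismatch {
    param(
        [Parameter(Mandatory = $true)] [AllowEmptyCollection()] [object[]] $Member,
        [Parameter(Mandatory = $true)] [string] $Department
    )
    foreach ($m in $Member) {
        # -ne ignores case, and a blank Department also counts as a mismatch.
        if ($m.Department -ne $Department) { $m }
    }
}

function Remove-DepartmentMismatch {
    param([string] $Group, [string] $Department, [string] $LogFile, [switch] $DryRun)

    # @() yields an array whether the group has 0, 1 or many members.
    $names = @(Get-QADGroupMember -Identity $Group |
        Select-Object -ExpandProperty SamAccountName)
    # One lookup per name; non-user members (nested groups) return nothing here.
    $users = @($names | ForEach-Object { Get-QADUser -SamAccountName $_ })
    # $stale is local to the function, so nothing carries over between CSV rows.
    $stale = @(Get-DepartmentMismatch -Member $users -Department $Department)

    foreach ($u in $stale) {
        if (-not $DryRun) { Remove-QADGroupMember -Identity $Group -Member $u.DN }
        $action = if ($DryRun) { 'Would-Be-Removed' } else { 'Was-Removed-From-Group' }
        # One log line per account keeps every removal traceable.
        '{0},{1},{2},{3}' -f (Get-Date -Format s), $Department, $u.SamAccountName, $action |
            Add-Content -Path $LogFile
    }
}

# Constructed sample members: this part runs without Active Directory.
$sample = @(
    New-Object psobject -Property @{ SamAccountName = 'asmith'; Department = 'Finance' }
    New-Object psobject -Property @{ SamAccountName = 'bjones'; Department = 'Sales' }
    New-Object psobject -Property @{ SamAccountName = 'cwhite'; Department = '' }
)
Get-DepartmentMismatch -Member $sample -Department 'Finance' |
    Select-Object -ExpandProperty SamAccountName
```

With the Quest snap-in loaded, calling `Remove-DepartmentMismatch` with `-DryRun` writes the would-be removals to the log without changing the group.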