Powershell – Adding multiple users from a group to an Active Directory group using Powershell

active-directorypowershell

I have a powershell script that is supposed to go through a specific ou and store the groups into a variable $groups. Here is the code I use in the script:

$Groups = Get-ADGroup -Properties * -Filter * -SearchBase "OU=GFS-USERS,OU=AFS-OU-Groups,OU=AFS,OU=FA,OU=DEPARTMENTS,DC=ou,DC=ad3,DC=blabla,DC=com" -Server "ou.ad3.blabla.com"
Foreach($G In $Groups)
{
    Write-Host $G.Name
    Write-Host "-------------"
    $G.Members
}

This step seems to work fine.

In my next part of my script I have it go through each group and attempt to add the users from each group into a group where they should all be combined. The code is as follows:

foreach ($group in $groups)
{
    Add-ADGroupMember -Identity "CN=test,OU=AFS-OU-ACLs-EDMS,OU=AFS-OU-Groups,OU=AFS,OU=FA,OU=DEPARTMENTS,DC=ou,DC=ad3,DC=blabla,DC=com" -Members (Get-ADGroupMember $group) -Server "ou.ad3.blabla.com"
}

When I run the script, it works fine for all users from:

OU=AFS,OU=FA,OU=DEPARTMENTS,DC=ou,DC=ad3,DC=blabla,DC=com

but for all other users I get the following error:

Add-ADGroupMember : The server is unwilling to process the request
At line:1 char:22

Does anyone know if this is a permissions issue or if there is something I am doing wrong?

Best Answer

Consider looping through and adding members to the new group one at a time from the old group.

$CombinedGroup = ...
$Groups = Get-ADGroup ...
foreach ($Group in $Groups) {
    $Members = GetADGroupMember $Group
    foreach ($Member in $Members) {
        Get-ADUser $Member | Set-ADGroup -Identity $CombinedGroup -Add $Member
        }
    }
}

Related Solutions

PowerShell and Active Directory User Management

The base algorithm of what you're looking for looks something like this (according to me, anyway):

Enumerate all of the group with the right prefix.
Recursively follow their GroupMembers to enumerate any nested groups in them.
1. Once you get a group with no groups as members, stop recursing.
Take the list of users, for each user
1. Enumerate their Group Memberships
2. If any have the right prefix, remove them from it.
3. If any of the remaining groups are in the list of groups enumerated in the previous major step, remove them from that one too.

Now for actual code-like things.

Enumerating all groups with a prefix (untested, there will be bugs):

$RecurseList=dsquery group -name "abc-*"
$TargetList=$RecurseList
foreach $Grp in $RecurseList {
    # Now get the members of that group, do not expand
    $GrpMembers=dsget group "$Grp" -members
    foreach ($Member in $GrpMembers) {
        $isGroup=dsget group $Member
        if ($isGroup.dn -eq $Member) {
            $TargetList.add("$Member")
            RecurseIntoGroup($isGroup.dn)
        }
    }
}

Then when it comes time to talk the CSV list, get the membership of the user, and check to see if that group exists in $TargetList above. If so, remove it.

This is a heck of a lot of work to go through when removing just one user from potentially thousands of groups, but if you're doing a LOT of these then having the pre-built list will save you time.

If you only need to do it for a few users (say, 10 or so), you can walk back up the tree.

$UserGroups = dsquery user -name $Username -memberof
foreach ($uGroup in $UserGroups) {
    if (isConcerning($uGroup)) {
        $ConcerningGroups.add("$uGroup")
    }
}

function isConcerning {
param ($uGroup)

$parentGroups=dsget group $uGroup -memberOf
$found=$False
foreach ($pg in $parentGroup) {
    if ($parentGroup.startswith("abc-")) {
    return($true)
    $found=$true
    } else {
        $concerning=isConcerning($pg)
        if ($concerning) {
            return($true)
            $found=$true
        } 
    }
}
if (-not $found) {
    return($False)
}

And then remove the concerning groups as needed.

Powershell – (Powershell) Method to return a list of groups where a specific user has ‘write member’ security

There are two problems here.

The CMDlet Get-QADPermission is writing directly to the console during execution which is why you're seeing Permissions for: .... Since your pipeline is writing to the same output, it all gets mixed together. Store the output from your pipeline to a variable instead.
When you pipe the group into Get-QADPermission, you're throwing away the group object and getting a permissions object instead. If you want to keep the original object, you need to filter with Where-Object.

Also, be careful with Get-QADPermission. If you only query for WriteProperty, it won't return results with both Read+Write access. Usually you want to query for both. And in most cases, you also want to use -Inherited to get permissions granted from parent OU's. If you're really looking for once-off permissions, then you can ignore this switch.

function Test-UserCanModifyGroupsInOU ($Username, $OU)
{
  $results = Get-QADGroup -SearchScope 'OneLevel' -SearchRoot $OU |
    Where-Object {
      $_ | Get-QADPermission -Rights ReadProperty,WriteProperty -Property member -Account $username
    } |
    Select @{Name="User";Expression={$username}}, @{Name="Group";Expression={$_.Name}}
  $results | Write-Output
  $results | Export-Csv "$username.csv"
}

@("bob","sally") |
  ForEach-Object {
    Test-UserCanModifyGroupsInOU -Username $_ -OU 'domain.org.com/path/to/OU'
  }

Also note that this only works for permissions on specific properties. It won't return results for a user that has "Full Control" on the group, even though they're stil allowed to modify the member attribute.

Best Answer

Related Solutions

PowerShell and Active Directory User Management

Powershell – (Powershell) Method to return a list of groups where a specific user has ‘write member’ security

Related Topic