Powershell – Convert Get-ADPrincipalGroupMembership such that I can write it to the notes field

active-directorypowershell

I am writing a PowerShell script to automate putting users on a leave of absence. As part of this process, we remove the user from their DLs if it is a long absence to stop them from coming back to thousands of emails.

I am planning to saving the list of members to the notes field under the telephone tab, so I can easily restore it manually when they get back (one automation step at a time)

I have no problem pulling a list of of distribution groups with:

 Get-ADPrincipalGroupMembership $user | Where-Object GroupCategory -eq Distribution | select name

The part I run into trouble with is when I try to save it to the notes field with:

Set-ADUser $user -replace @{info=(Get-ADPrincipalGroupMembership $user | Where-Object GroupCategory -eq Distribution |select name)}

I get the error:

Set-ADUser : Invalid type 'System.Management.Automation.PSObject'.

I have tried massaging the data into shape with -split and -join, but either I'm not doing it right or these are not the right commands. ConvertTo-CSV "works", but adds a lot of extra cruft.

How can I transform this data so that the telephone tab will accept it? My prefered format is something I can use to copy/paste the groups back in afterwords ie. group1;group2;group3 etc. (I will also take comments that the way I am approaching this is all wrong and that method xyz is much better.)

Best Answer

Well, I don't mean to state the obvious, but you are trying to paste in a Powershell object, where the info attribute of an AD user will only accept strings. You need to convert the list of group memberships into a string first, and add the logic yourself for putting your delimiter of choice in between each group name, be it a comma, semicolon or newline character.

Foreach($grp In Get-ADPrincipalGroupMembership $usr | Where-Object GroupCategory -eq Distribution) 
{ 
    $GroupString += $grp.Name + ';' 
}
$GroupString = $GroupString.TrimEnd(';') # Remove the last delimiter off the end
Set-ADUser $usr -Replace @{info=$GroupString}

Related Solutions

Powershell – How to use get-qadcomputer to return all computer objects that have msFVE-RecoveryInformation child objects

I don't believe that this is possible with only one LDAP search, regardless of what type of child object you are looking for. In cases like this I usually try to find if there is an attribute in either the parent or the child that references the other so that I can use that to retrieve the data I want, but in this case there doesn't seem to be.

What might be a better approach than invoking an LDAP search for each computer is this: 1. Use Get-QADObject to enumerate the msFVE-RecoveryInformation objects in your environment, starting from as low of a search root as possible. 2. Build a list of DNs for the parent computer objects using the data retrieved from those objects and store those DNs in an array. 3. Either call Get-QADComputer and use Where-Object to filter out the computers without a DN matching those stored in your array or if there are not many computers that are bitlocker enabled, call Get-QADComputer for each DN in your array to get the computer objects.

FYI, I did a quick Google search for "BitLocker cmdlets" to see if there was an easier way and it returned a go.microsoft.com link to a "Future Resource" document for Windows Server 2008 R2, so maybe these are coming at some point. All that document says for now though is "The document you are attempting to access is not yet available."

Active Directory – How to List All Active Directory Users and Their Group Membership

Install the Quest CMDlets and then run this code:

Add-PSSnapin Quest.ActiveRoles.ADManagement
$memberships = @()

Get-QADGroup -SizeLimit 0 | Foreach-Object {
        $NameGroup = $_.Name
        Write-Host "Working with $NameGroup"
        $membership = Get-QADGroupMember $_.DN -Enabled -SizeLimit 0
        if ($membership -ne $null ) {
        $membership | Add-Member -type NoteProperty -name AuditGroupUserIsMemberOf -value $_.Name
        $memberships += $membership
        }
    }

$memberships | Select-Object AuditGroupUserIsMemberOf, NTAccountname | Export-Csv "GroupsWithUsers.csv"

This will give you a 1 record per group-user connection so expect multiple occurrences of users and groups. If you wan't other fields, you can just edit the Select-Object statement. Use $memberships | gm to see all the possibilities for the users. If you want more fields for the groups, use Get-QADGroup | gm, you will then need to add these by adding a new NoteProperty.

If you don't really care about more options, here is a one-liner you can just mash in the terminal:

Get-QADGroup -sizeLimit 0 | select @{name="Group";expression={$_.name}} -expand members | select Group,@{n='User';e={ (Get-QADObject $_).NTAccountName}} | Export-Csv "MyUsersAndGroups.csv"

Best Answer

Related Solutions

Powershell – How to use get-qadcomputer to return all computer objects that have msFVE-RecoveryInformation child objects

Active Directory – How to List All Active Directory Users and Their Group Membership

Related Topic