0
votes

I created a PS script to add AD users to a group if the Email attribute contains "abc.com" or "def.com"; users already in the group skip the process. Below is my script.

Import-Module ActiveDirectory

$Users = Get-ADUser -Filter * -Properties emailaddress
$existingUsers = Get-ADGroupMember "Test_group"

foreach ($user in $Users) {
    #if user existing in the group, skip this process
    if (($existingUsers | Where-Object { $_.sAMAccountName -eq $user.sAMAccountName }) -eq $null) {
        #if user email attribute contains "abc.com" or "def.com"
        if ($user.emailaddress -match "abc.com" -or $user.emailaddress -match "def.com") {
            $GroupMembers = Get-ADGroupMember -Identity "test_group" | Select-Object -ExpandProperty SamAccountName
            if ($User.SamAccountName -NotContains $GroupMembers) {
                Add-ADGroupMember -Identity "test_group" -Members $User
            }
        }
    }
}

However, after execution, there are 2 errors returned as below.

I added <add key="MaxGroupOrMemberEntries" value="200000" /> to the ADWS config, but the issue persists.

Get-ADGroupMember : Unable to contact the server. This may be because this server does not exist, it is currently down, or it does not have the Active Directory Web Services running.
At C:\scripts\AutoAddUserToGroup.ps1:15 char:50
+ $GroupMembers = Get-ADGroupMember <<<< -Identity "test_group" | Select -ExpandProperty SamAccountName
    + CategoryInfo          : ResourceUnavailable: (test_group:ADGroup) [Get-ADGroupMember], ADServerDownException
    + FullyQualifiedErrorId : Unable to contact the server. This may be because this server does not exist, it is currently down, or it does not have the Active Directory Web Services running.,Microsoft.ActiveDirectory.Management.Commands.GetADGroupMember

Add-ADGroupMember : The specified account name is already a member of the group
At C:\scripts\AutoAddUserToGroup.ps1:18 char:34
+ Add-ADGroupMember <<<< -Identity "test_group" -Members $User
    + CategoryInfo          : NotSpecified: (test_group:ADGroup) [Add-ADGroupMember], ADException
    + FullyQualifiedErrorId : The specified account name is already a member of the group,Microsoft.ActiveDirectory.Management.Commands.AddADGroupMember
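As an added illustration (not part of the asker's post), the following runs without any domain controller, using constructed in-memory objects in place of Get-ADUser and Get-ADGroupMember output, and shows the two checks in the script above that do not do what they look like they do. First, -notcontains expects the collection on the left and the single test value on the right; written the other way round, the expression is True for every user, so the inner "not already a member" guard never excludes anyone. Second, -match is a regular-expression match, so the unescaped "." matches any character and the pattern is unanchored: addresses such as carol@abcXcom.example or mallory@abc.com.attacker.example pass the "abc.com" test, which matters when group membership is what the test grants. The Get-UsersToAdd function at the end is the selection done once, with a case-insensitive set for the membership lookup and an anchored wildcard for the domain; on this sample data only bob survives. The names and addresses are made up.

```powershell
# Added example, not from the asker's post. Runs without a domain: the objects
# below are constructed stand-ins for Get-ADUser and Get-ADGroupMember output.

$Users = @(
    [pscustomobject]@{ SamAccountName = 'alice';   EmailAddress = 'alice@abc.com' }
    [pscustomobject]@{ SamAccountName = 'bob';     EmailAddress = 'bob@def.com' }
    [pscustomobject]@{ SamAccountName = 'carol';   EmailAddress = 'carol@abcXcom.example' }
    [pscustomobject]@{ SamAccountName = 'mallory'; EmailAddress = 'mallory@abc.com.attacker.example' }
    [pscustomobject]@{ SamAccountName = 'dave';    EmailAddress = 'dave@other.example' }
)
$ExistingMembers = @('alice', 'erin')   # alice is already in the group

'--- check 1: operand order of -notcontains ---'
foreach ($u in $Users) {
    # Asker's form: scalar on the left, the member list on the right. PowerShell
    # wraps the scalar as a one-element collection and treats the whole list as
    # the single test object, so this is True for every user, members included.
    $asWritten = $u.SamAccountName -notcontains $ExistingMembers
    # Intended form: collection on the left, the single name on the right.
    $intended  = $ExistingMembers -notcontains $u.SamAccountName
    '{0,-8} as written: {1,-5} intended: {2}' -f $u.SamAccountName, $asWritten, $intended
}

'--- check 2: -match is a regex, -like is a wildcard ---'
foreach ($u in $Users) {
    # In a regex '.' matches any character and the pattern is unanchored, so
    # 'abcXcom' and 'abc.com.attacker.example' both satisfy -match 'abc.com'.
    $regex    = $u.EmailAddress -match 'abc.com' -or $u.EmailAddress -match 'def.com'
    $wildcard = $u.EmailAddress -like '*@abc.com' -or $u.EmailAddress -like '*@def.com'
    '{0,-8} -match: {1,-5} -like: {2}' -f $u.SamAccountName, $regex, $wildcard
}

# Correct selection in one pass: a case-insensitive set of existing members
# (one lookup per user instead of a Where-Object scan or, as in the original
# script, a Get-ADGroupMember call per user) plus an anchored wildcard match.
# Requires PowerShell 5 or later for the ::new() constructor syntax.
function Get-UsersToAdd {
    param(
        [Parameter(Mandatory)] [object[]] $Users,
        [string[]] $ExistingMembers = @(),
        [Parameter(Mandatory)] [string[]] $EmailDomains
    )
    $members = [System.Collections.Generic.HashSet[string]]::new(
        [string[]]$ExistingMembers, [System.StringComparer]::OrdinalIgnoreCase)
    foreach ($u in $Users) {
        if ($members.Contains($u.SamAccountName)) { continue }
        foreach ($d in $EmailDomains) {
            # '*@domain' anchors the match at the end of the address.
            if ($u.EmailAddress -like "*@$d") { $u; break }
        }
    }
}

'--- users that should be added ---'
Get-UsersToAdd -Users $Users -ExistingMembers $ExistingMembers -EmailDomains 'abc.com', 'def.com' |
    Select-Object SamAccountName, EmailAddress
```

In the real script the equivalent fix is to call Get-ADGroupMember once, build the set from its SamAccountName values, and test `$set.Contains($user.SamAccountName)` per user; the per-user Get-ADGroupMember call in the original is also what turns a large group into thousands of ADWS round trips.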

1
This code is not efficient at all; use Get-ADUser with a proper filter, that's all you need. Will post an example in a few minutes. - SteloNLD

1 Answer

0
votes

As promised, see the example below. I am using the -Filter parameter of the Get-ADUser command to only return the AD users which I need to add to the Test_Group.

#Clear Console
Clear-Host

#Import Modules
Import-Module ActiveDirectory

#Show verbose output
$VerbosePreference = 'Continue'

#Script Settings
$EmailDomains = @('*@abc.com', '*@def.com') #Email domains to check for.
$ADGroup = "CN=Test_Group,OU=Groups,DC=corp,DC=company,DC=com" #Group membership to check for (the distinguishedName: MemberOf in a filter needs the DN, not the group name).

#Create EmailDomains filter for the AD query
$EmailDomains_Filter = ($EmailDomains | ForEach-Object {"(emailaddress -like '$($_)')"}) -join ' -or '

#Get AD users with the specified email addresses which are not a member of the specified group
$ADUsers = Get-ADUser -Filter "($($EmailDomains_Filter)) -and (-not (MemberOf -eq '$($ADGroup)'))" -Properties emailaddress

#Show the number of users we need to add.
$ADUsers_Measure = $ADUsers | Measure-Object
Write-Verbose "Found $($ADUsers_Measure.Count) ADUsers that match EmailDomains_Filter but are not MemberOf $($ADGroup)"

To add the users to the specified group you have 2 options: all at once (faster)

Add-ADGroupMember -Identity $ADGroup -Members $ADUsers

or per user (more control).

foreach ($ADUser in $ADUsers) {
    Write-Verbose "Adding User $($ADUser.SamAccountName) to group $($ADGroup)"
    Add-ADGroupMember -Identity $ADGroup -Members $ADUser
}
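The following is an added, complete version of the approach in this answer, not the answerer's own script. It keeps the same idea (one Get-ADUser call whose -Filter does both the domain match and the "not already MemberOf" exclusion) and adds the pieces a practitioner wants before running it on a schedule: the group is resolved to its distinguishedName first, because MemberOf in a filter only works with the DN; the domain list is validated before it is spliced into the filter string, since -Filter is built by string concatenation and an operator smuggled into a value would change the query; adds happen in batches with a per-user fallback so one "already a member" error (a concurrent change between the query and the add) does not abort the batch; and -WhatIf gives a reviewable dry run. Two security caveats worth stating: membership is derived from the mail attribute, so anyone able to write mail on a user (self-service, help desk, a provisioning service account) can place that user in the group, and the group must therefore carry no rights beyond what those writers already have; and the account running this needs only "Write Members" on the one group, not broad group-management rights. The group name, domains and the enabled-only restriction are placeholders and assumptions.

```powershell
<#
Added example, not code from the original question or answer. Reconciles group
membership from the mail domain as the answer does, but resolves the group DN,
validates the domain values before they go into the -Filter string, adds in
batches with a per-user fallback, and supports -WhatIf for a dry run.
Assumes the RSAT ActiveDirectory module and an account delegated "Write Members"
on the target group. Group name and domains below are placeholders.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]   $GroupName    = 'Test_Group',
    [string[]] $EmailDomains = @('abc.com', 'def.com'),
    [int]      $BatchSize    = 500
)

Import-Module ActiveDirectory -ErrorAction Stop

# Only allow characters that can appear in a DNS name. Anything else (quotes,
# parentheses, operators) would alter the filter string built below.
foreach ($d in $EmailDomains) {
    if ($d -notmatch '^[A-Za-z0-9][A-Za-z0-9.-]*$') {
        throw "Refusing unsafe email domain value: '$d'"
    }
}

# memberOf in an LDAP filter needs the group's distinguishedName, not its name.
$Group   = Get-ADGroup -Identity $GroupName -ErrorAction Stop
$GroupDN = $Group.DistinguishedName

# Anchored wildcard per domain, OR-ed together, then AND-ed with the exclusions.
# Skipping disabled accounts is an added assumption, not part of the answer.
$DomainFilter = ($EmailDomains | ForEach-Object { "(emailaddress -like '*@$_')" }) -join ' -or '
$Filter = "(($DomainFilter) -and (-not (MemberOf -eq '$GroupDN')) -and (Enabled -eq 'True'))"
Write-Verbose "Filter: $Filter"

$Candidates = @(Get-ADUser -Filter $Filter -Properties emailaddress)
Write-Verbose ("{0} user(s) match the domains and are not direct members of {1}" -f $Candidates.Count, $GroupDN)

# One Add-ADGroupMember call per batch keeps ADWS round trips low without
# sending one enormous modify request for very large result sets.
for ($i = 0; $i -lt $Candidates.Count; $i += $BatchSize) {
    $end   = [Math]::Min($i + $BatchSize, $Candidates.Count) - 1
    $batch = @($Candidates[$i..$end])
    if (-not $PSCmdlet.ShouldProcess($GroupDN, "Add $($batch.Count) member(s)")) { continue }
    try {
        Add-ADGroupMember -Identity $GroupDN -Members $batch -ErrorAction Stop
        Write-Verbose "Added $($batch.Count) member(s)"
    }
    catch [Microsoft.ActiveDirectory.Management.ADException] {
        # Typically someone added one of these users between the query and the
        # add. Retry one at a time so the rest of the batch still lands.
        Write-Warning "Batch add failed ($($_.Exception.Message)); retrying per user"
        foreach ($u in $batch) {
            try {
                Add-ADGroupMember -Identity $GroupDN -Members $u -ErrorAction Stop
                Write-Verbose "Added $($u.SamAccountName)"
            }
            catch {
                Write-Warning "Could not add $($u.SamAccountName): $($_.Exception.Message)"
            }
        }
    }
}
```

Run it once with -WhatIf -Verbose and review the filter and the count before letting it change anything. Note that the MemberOf clause, in this script and in the answer, only sees direct membership: a user who is in the group through a nested group is not a direct member, so the script will add them again at the top level; if nested membership should also count, compare against the recursive result of Get-ADGroupMember -Recursive instead of relying on the filter alone.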