1
votes

I am trying to query all users in multiple OUs of the same name, get the SamAccountName attribute, and then check for a file at a specific location with that name.

Here is what I have so far:

$ous = Get-ADOrganizationalUnit -Filter "Name -eq 'Admin-User-Accounts'" 
$ous | ForEach-Object {
    $AccountName = Get-ADUser -Filter * -SearchBase $_.DistinguishedName |
                   Select SamAccountName
    Test-Path "\\domain.net\SYSVOL\domain.net\IA\$AccountName.pdf"
}

If a file is not found, I want to add the user to a group. However, here is the kicker: the account has to be added to the non-compliance group for the organization that the account belongs to.

I.e. an admin account found under:

OU=Admin-User-Accounts,OU=Administration,OU=ORG1,OU=ORGS,DC=domain,DC=net

would be added to the group named 'ORG1 IA - Non-Compliant Users' located under:

OU=Groups,OU=ORG1,OU=Information Assurance,OU=ORGS,DC=domain,DC=net
3
So what exactly is the problem? (Avshalom)
Well, it seems I do not have enough skill to write the code to get this to work. (Jacob Pagano)
Putting users into the groups will be impossible with the information given. You need a list, naming scheme, mapping, or some way of tagging which groups users should be assigned to, unless there is only one group in the respective OU. (AdminOfThings)

3 Answers

1
votes

Well, your post is a bit confusing, and there is no way to really validate it because I have nothing set up like this.

Yet querying for users in all OUs of the enterprise is a common everyday thing.

However, an OU name, just like any other AD object name, must be unique. So querying for the same OU name is not a thing in a single AD forest/domain. If you meant querying every OU for the same username, then alrighty then.

Stepping through the explanation of your use case that you have laid out

(though maybe you want to edit your post to make it more clear, well, to me anyway...)

using pseudo code, then trying to map that out... and with no real way to determine what you mean by several things in your post/sample. So, the below is a rough first example of how I'd approach this... again, this is untested, so I leave that homework to you.

# query all users in multiple OUs
(Get-ADOrganizationalUnit -Filter *).DistinguishedName |
ForEach-Object {
    # Collect all members of the current OU
    $AccountNames = Get-ADUser -SearchBase $PSItem -Filter *

    # Process each member in the current OU collection
    ForEach ($AccountName in $AccountNames)
    {
        $Sam = $AccountName.SamAccountName
        "Processing $Sam`n"

        # Initialize properties needed for processing.
        # The org is the OU directly below OU=ORGS in the user's DN, i.e. index 3 of
        # CN=user,OU=Admin-User-Accounts,OU=Administration,OU=ORG1,OU=ORGS,DC=domain,DC=net
        $UserOrg = ($AccountName.DistinguishedName -split ',')[3] -replace '^OU='
        $MemberCheckOU     = "OU=Admin-User-Accounts,OU=Administration,OU=$UserOrg,OU=ORGS,DC=domain,DC=net"
        $NonCompliantOU    = "OU=Groups,OU=$UserOrg,OU=Information Assurance,OU=ORGS,DC=domain,DC=net"
        $NonCompliantGroup = "$UserOrg IA - Non-Compliant Users"

        # Validate user file existence for the current user
        # ($() keeps '.pdf' out of the variable name)
        $ReportFile = "\\domain.net\SYSVOL\domain.net\IA\$($Sam).pdf"
        If (-Not (Test-Path -LiteralPath $ReportFile))
        {
            # if no file, process the user group membership modification
            "Processing $Sam"

            # Notify that the file was not found and processing is required
            Write-Warning -Message "$($Sam).pdf not found. Process group modify actions"

            # If the current user is in the MemberCheckOU, add to the non-compliant group in the NonCompliantOU
            If ($AccountName.DistinguishedName -like "*,$MemberCheckOU")
            {
                # Resolve the group by name under its org's Groups OU; Add-ADGroupMember needs a group, not an OU
                $Group = Get-ADGroup -Filter "Name -eq '$NonCompliantGroup'" -SearchBase $NonCompliantOU
                Add-ADGroupMember -Identity $Group -Members $AccountName
            }
            Else
            {
                # Do something else
            }
        }
        Else
        {
            # Notify that the file was found and no processing required
            Write-Host "$($Sam).pdf found. No further actions taken" -ForegroundColor Green
        }
    }
}
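The whole procedure the question describes (every OU named Admin-User-Accounts, the SYSVOL report check, the org taken from the user's DN, the org-specific non-compliant group), as an added example that is not code from the question or from any of the answers. It assumes the DN layout and the group naming given in the question; the function name Get-OrgFromDistinguishedName and the $ReportShare parameter are mine. Because the script supports -WhatIf, the membership changes can be previewed before any group is touched.

```powershell
# Added example; assumes the OU layout and group naming from the question.
[CmdletBinding(SupportsShouldProcess = $true)]
param([string]$ReportShare = '\\domain.net\SYSVOL\domain.net\IA')

function Get-OrgFromDistinguishedName {
    # Split the DN on unescaped commas and return the OU directly below OU=ORGS (e.g. ORG1).
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $rdns = [string[]]($DistinguishedName -split '(?<!\\),')
    $idx = [array]::FindIndex($rdns, [Predicate[string]]{ param($r) $r -eq 'OU=ORGS' })
    if ($idx -lt 1) { return $null }    # DN does not follow the expected layout
    return ($rdns[$idx - 1] -replace '^OU=', '')
}

# Every OU named Admin-User-Accounts, wherever it sits in the tree (one per org)
$ous = Get-ADOrganizationalUnit -Filter "Name -eq 'Admin-User-Accounts'"
foreach ($ou in $ous) {
    foreach ($user in Get-ADUser -Filter * -SearchBase $ou.DistinguishedName) {
        $sam = $user.SamAccountName
        # Subexpression so '.pdf' is not read as part of the variable name
        $report = Join-Path $ReportShare "$($sam).pdf"
        if (Test-Path -LiteralPath $report) {
            Write-Verbose "$sam : $report present, nothing to do"
            continue
        }
        $org = Get-OrgFromDistinguishedName $user.DistinguishedName
        if (-not $org) {
            Write-Warning "$sam : cannot derive org from $($user.DistinguishedName); skipped"
            continue
        }
        # Group name and location follow the layout given in the question
        $groupName = "$org IA - Non-Compliant Users"
        $groupBase = "OU=Groups,OU=$org,OU=Information Assurance,OU=ORGS,DC=domain,DC=net"
        # Search only under this org's Groups OU so a same-named group elsewhere is never picked
        $group = Get-ADGroup -Filter "Name -eq '$groupName'" -SearchBase $groupBase -SearchScope OneLevel -ErrorAction SilentlyContinue
        if (-not $group) {
            Write-Warning "$sam : group '$groupName' not found under $groupBase; skipped"
            continue
        }
        # -WhatIf / -Confirm on the script gate the actual membership change
        if ($PSCmdlet.ShouldProcess($group.DistinguishedName, "Add member $sam")) {
            Add-ADGroupMember -Identity $group -Members $user
            Write-Warning "$sam : $report missing; added to '$groupName'"
        }
    }
}
```

Run it as `.\script.ps1 -WhatIf -Verbose` first to see which users would be added where, then without -WhatIf to apply.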
0
votes

It seems that one of the variables is incorrect because PowerShell is giving me the following:

Get-ADPrincipalGroupMembership : Cannot validate argument on parameter 'Identity'. The argument is null or empty. Provide an argument that is not null or empty, and then try the command again.

Okay, so here is what I have so far, based on your post above, Postanote:

# query all users in multiple OUs
(Get-ADOrganizationalUnit -Filter "Name -eq 'Admin-User-Accounts'") |
ForEach{
    # Collect all members of the current OU
    $AccountNames = Get-ADUser -SearchBase $PSItem -Filter *

    # Process each member in the current OU collection
    ForEach($AccountName in $AccountNames)
    {
        "Processing $($AccountName.SamAccoutnName)`n"

        # Initialize properties needed for processing
        $UserOrg = $AccountName.DistinguishedName.split(",")[1]
        $MemberCheckOU = "OU=Admin-User-Accounts,OU=Administration,OU=$UserOrg,OU=ORGS,DC=domain,DC=net"
        $NonCompliantOU = "OU=Groups,OU=$UserOrg,OU=Information Assurance,OU=ORGS,DC=domain,DC=net"

        # Validate user file existence for the current user
        If(-Not (Test-Path -LiteralPath "\\domain.net\SYSVOL\domain.net\IA\$($AccountName.SamAccoutnName).pdf)"))
        {
            # if no file Process the user groupmebership modification
            "Processing $($AccountName.SamAccoutnName)"

            # Notify that the file was not found and processing is required
            Write-Warning -Message "$($($AccountName.SamAccoutnName).pdf) not found. Process group modify actions"       

            # If the current user is in the MemberCheckOU, add to the NonCompliantOU
            If(Get-ADPrincipalGroupMembership -Identity $($AccountName.SamAccoutnName) | Where-Object -Property DistinguishedName -Match $MemberCheckOU )
            { Add-ADGroupMember -Identity "$UserOrg IA - Non-Compliant Users" -Members $($AccountName.SamAccoutnName) }
            Else
            {
                # Do something else
            }
        }
        Else
        { 
          # Notify that the file was found and no processing required
          Write-Host "$($AccountName.pdf) found. No further actions taken" -ForegroundColor Green }
    }
}
0
votes

Looking at the original script fragment:

$ous = Get-ADOrganizationalUnit -Filter "Name -eq 'Admin-User-Accounts'" 
$ous | ForEach-Object {
    $AccountName = Get-ADUser -Filter * -SearchBase $_.DistinguishedName |
                   Select SamAccountName   # note 1
    Test-Path "\\domain.net\SYSVOL\domain.net\IA\$AccountName.pdf"   # note 2
}

Note 1: You're going to end up with $accountname.accountname holding your value. I think you're going to want to expand this instead.

Note 2: PowerShell may be getting confused and thinking you're looking for the variable $accountname.pdf.

Instead, try this...

$ous = Get-ADOrganizationalUnit -Filter "Name -eq 'Admin-User-Accounts'" 
$ous | ForEach-Object {
    $AccountName = $(Get-ADUser -Filter * -SearchBase $_.DistinguishedName).SamAccountName 
    Test-Path "\\domain.net\SYSVOL\domain.net\IA\$($AccountName).pdf"   
}

Here, we save the value of just .SamAccountName from the query to $AccountName, and by adding $($accountname) we make clear which variable we want and that .pdf is not part of the variable name.

Now, note as well that this doesn't save the results anywhere; it will just flash them to screen.