Update AD attribute based on Group Membership

Prerequisites: Quest AD Management Shell

Sharing a script that has been written for one of the projects; it shares the same comparison logic as the other two scripts I have shared in the past.

This script updates an AD attribute value based on AD group membership.

I am showing the example of updating an extension attribute value, which we have used for assigning impersonation permissions.

Download and extract the script files from the link below, then update the .ps1 file:

https://gallery.technet.microsoft.com/scriptcenter/Update-AD-attribute-based-da02e471

$Attrbv = "EnableSync"  #Attribute Value
$group = "TestGroup1" #group Name
$Adattrbute = "extensionattribute1" #AD attribute that will be updated

Update the email parameters for error reporting:

$smtpServer = "smtp.labtest.com"

$fromadd = "DoNotReply@labtest.com"

$email1 = "sviaks@labtest"

The script also recycles logs based on the parameter below (30 days by default):

$limit = (Get-Date).AddDays(-30)

Once all these parameters have been updated for your environment, run the batch file:

Note: On the first run the script only creates the CSV state file. Empty the CSV file, keeping one member only.

Then change the remaining row's value to a user ID that is not a member of the group you are working on.

Now run the batch file again; every group member will have the AD attribute updated.

Once the above is complete, schedule the task. From then on it works incrementally: when group membership changes, an addition sets the AD attribute and a removal clears it.

Note: You can browse the logs in the logs folder to troubleshoot if something is not happening as desired.

You will also get an email if there is an error during script execution.

###################################################################### 
#               Author: Vikas Sukhija 
#               Date:- 12/27/2015 
#        Reviewer:- 
#               Description:- Add EA Attribute to  
#               a particular AD group members. 
###################################################################### 
 
$date1 = get-date -format d 
$date1 = $date1.ToString().Replace("/","-")  # date stamp safe for use in a file name 
$dir = ".\logs" 
$limit = (Get-Date).AddDays(-30) 
 
$logs = ".\Logs" + "\" + "Processed_" + $date1 + "_.log" 
 
$smtpServer = "smtp.labtest.com" 
$fromadd = "DoNotReply@labtest.com" 
$email1 = "vikas@labtest.com" 
 
Start-Transcript -Path $logs 
 
######Add Quest Shell & define attrib/ group value############ 
 
If ((Get-PSSnapin | where {$_.Name -match "Quest.ActiveRoles.ADManagement"}) -eq $null) 
{ 
    Add-PSSnapin Quest.ActiveRoles.ADManagement 
} 
 
 
$Attrbv = "EnableSync"  #Attribute Value 
 
$group = "TestGroup1" #group Name 
 
$Adattrbute = "extensionattribute12" #Ad attribute that will be updated 
 
################################################################# 
 
$groupmem = Get-QADGroupMember $group -sizelimit 0 -includedproperties $Adattrbute 
 
$Statefile = "$($group)-Name.csv" 
 
 
# If the file doesn't exist, create it 
 
   If (!(Test-Path $Statefile)){   
                $groupmem | select Name,$Adattrbute | Export-csv $Statefile -NoTypeInformation  
                } 
 
# Check Changes 
# "=>" means the user is only in the previous state file (removed from group); "<=" only in the current membership (added) 
$Changes =  Compare-Object $groupmem $(Import-Csv $StateFile) -Property Name |  
                Select-Object Name, 
                    @{n='State';e={ 
                        If ($_.SideIndicator -eq "=>"){ 
                            "Removed" } Else { "Added" } 
                        } 
                    } 
 
$Changes | foreach-object{ 
 
    if($_.state -eq "Added") { 
        Write-host "$Attrbv will be added to $($_.Name)" -foregroundcolor green 
        Set-QADUser -identity $_.Name -ObjectAttributes @{$Adattrbute  = $Attrbv} 
    } 
 
    if($_.state -eq "Removed") { 
        $userid = $_.Name 
        Write-host "$Attrbv will be removed from $userid" -foregroundcolor Red 
        Set-QADUser -identity $userid -ObjectAttributes @{$Adattrbute  = $null} 
    } 
} 
 
$groupmem | select Name,$Adattrbute | Export-csv $StateFile -NoTypeInformation 
 
###########################Recycle########################################## 
 
$path = $dir  
  
Get-ChildItem -Path $path  | Where-Object {   
$_.CreationTime -lt $limit } | Remove-Item -recurse -Force  
 
#######################Report Error######################################### 
if ($error.Count -gt 0) 
      { 
#SMTP Relay address 
$msg = new-object Net.Mail.MailMessage 
$smtp = new-object Net.Mail.SmtpClient($smtpServer) 
 
#Mail sender 
$msg.From = $fromadd 
#mail recipient 
$msg.To.Add($email1) 
$msg.Subject = "AD Attribute Script Error" 
$msg.Body = ($error | Out-String) 
$smtp.Send($msg) 
$error.clear() 
       } 
  else 
 
      { 
    Write-host "no errors till now" 
      } 
 
$path = ".\logs\" 
$limit = (Get-Date).AddDays(-60) #for log recycling 
 
########################Recycle logs ###################################### 
 
Get-ChildItem -Path $path  | Where-Object {   
$_.CreationTime -lt $limit } | Remove-Item -recurse -Force  
stop-transcript 
 
##########################################################################
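The comparison at the heart of the script (current membership versus the CSV written by the previous run) is what makes the first-run workaround necessary: Compare-Object rejects a $null input, and an empty or missing state file imports as $null. The block below is an added example, not the author's script; it factors that comparison into a function that wraps every input in @() so a missing or empty state file simply reports every current member as Added, and it keys on SamAccountName (unique in the domain, unlike Name) rather than Name. The demo data is constructed and needs no directory access; the Set-QADUser call at the end is the one the post uses and is left commented out for an AD session.

```powershell
# Added example (not the post's script): state-file diff that tolerates a
# missing or empty state file. Member objects are assumed to expose SamAccountName.
function Get-MembershipChanges {
    param(
        [object[]] $CurrentMembers = @(),              # current group members (e.g. from Get-QADGroupMember)
        [Parameter(Mandatory)] [string] $StateFile     # CSV written by the previous run
    )
    # Import-Csv returns $null for a missing/empty file. Compare-Object refuses $null
    # but accepts an empty array, so every input is wrapped in @().
    $previous = @()
    if (Test-Path $StateFile) { $previous = @(Import-Csv $StateFile) }
    $current = @($CurrentMembers | Select-Object SamAccountName)

    # "=>" = only in the previous state (left the group); "<=" = only in current membership (joined)
    Compare-Object -ReferenceObject $current -DifferenceObject $previous -Property SamAccountName |
        Select-Object SamAccountName,
            @{ n = 'State'; e = { if ($_.SideIndicator -eq '=>') { 'Removed' } else { 'Added' } } } |
        Sort-Object SamAccountName
}

function Update-StateFile {
    param([object[]] $CurrentMembers = @(), [Parameter(Mandatory)] [string] $StateFile)
    $CurrentMembers | Select-Object SamAccountName | Export-Csv $StateFile -NoTypeInformation
}

# --- Constructed demo data (no AD needed) ---
$stateFile = Join-Path ([System.IO.Path]::GetTempPath()) 'TestGroup1-State.csv'
if (Test-Path $stateFile) { Remove-Item $stateFile }

# Run 1: no state file yet, so the difference set is empty and every member is reported as Added.
$run1 = @([pscustomobject]@{ SamAccountName = 'alice' }, [pscustomobject]@{ SamAccountName = 'carol' })
Get-MembershipChanges -CurrentMembers $run1 -StateFile $stateFile
Update-StateFile -CurrentMembers $run1 -StateFile $stateFile

# Run 2: bob has joined the group and carol has left since the state file was written.
$run2 = @([pscustomobject]@{ SamAccountName = 'alice' }, [pscustomobject]@{ SamAccountName = 'bob' })
$changes = Get-MembershipChanges -CurrentMembers $run2 -StateFile $stateFile
$changes
Update-StateFile -CurrentMembers $run2 -StateFile $stateFile

# Applying the result with the Quest cmdlet from the post (uncomment inside an AD session;
# $Attrbv and $Adattrbute as defined in the post):
# foreach ($c in $changes) {
#     $value = if ($c.State -eq 'Added') { $Attrbv } else { $null }
#     Set-QADUser -Identity $c.SamAccountName -ObjectAttributes @{ $Adattrbute = $value }
# }
```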

Regards

Sukhija Vikas

http://msexchange.me
