<#
$Metadata = @{
Title = "Sync AD Group Members"
Filename = "Sync-ADGroupMember.ps1"
Description = ""
Tags = "powershell, activedirectory, sync, group, members"
Project = ""
Author = "Janik von Rotz"
AuthorContact = "http://janikvonrotz.ch"
CreateDate = "2013-11-11"
LastEditDate = "2013-12-16"
Url = ""
Version = "1.1.0"
License = @'
This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 Switzerland License.
To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/3.0/ch/ or
send a letter to Creative Commons, 444 Castro Street, Suite 900, Mountain View, California, 94041, USA.
'@
}
#>
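function Sync-ADGroupMember{
<#
.SYNOPSIS
Advanced syncing of ad group members.
.DESCRIPTION
Will update the members of an ad group by comparing the already assigned members with the members to assign provided by a parameter.
Members currently in the group but missing from -Member are removed (unless -OnlyAdd is set),
members listed in -Member but missing from the group are added (unless -OnlyRemove is set).
Plain names given via -Member are resolved to AD user or group objects before any group is touched.
If one of the names cannot be resolved the function stops with an error instead of continuing,
because a silently dropped name would otherwise be treated as "not wanted" and the matching
member would be removed from the group.
The function supports -WhatIf and -Confirm for every add/remove action.
.PARAMETER ADGroup
Provide the ActiveDirectory group to update. Either an ADGroup object or any identity accepted by Get-ADGroup.
One or more groups may be given.
.PARAMETER Member
The members to assign. Either ADObject based objects (ADUser, ADGroup) or names that are looked up with Get-ADObject.
.PARAMETER LogScriptBlock
Use the variable $Message variable inside the script block.
Every sync action will update the $Message variable and run the report script block.
Optional; when omitted no log output is produced.
.PARAMETER OnlyAdd
Only add missing members, never remove existing ones.
.PARAMETER OnlyRemove
Only remove surplus members, never add new ones.
.EXAMPLE
PS C:\> Sync-ADGroupMember -ADGroup "Group1" -Member "User1", "Group1", "User2" -LogScriptBlock {Write-Host $Message}
.EXAMPLE
PS C:\> Sync-ADGroupMember -ADGroup $ADGroupObject -Member $ADGroupMemberObjects -LogScriptBlock {Write-Host $Message}
.EXAMPLE
PS C:\> Sync-ADGroupMember -ADGroup "Group1" -Member "User1" -WhatIf
Shows which members would be added or removed without changing the group.
#>
[CmdletBinding(SupportsShouldProcess=$true)]
param(
    [Parameter(Mandatory=$true)]
    $ADGroup,
    [Parameter(Mandatory=$true)]
    [Array]
    $Member,
    [Parameter(Mandatory=$false)]
    [ScriptBlock]
    $LogScriptBlock,
    [switch]
    $OnlyAdd,
    [switch]
    $OnlyRemove
)# param end

    #--------------------------------------------------#
    # modules
    #--------------------------------------------------#
    Import-Module activedirectory

    #--------------------------------------------------#
    # helpers
    #--------------------------------------------------#

    # Run the caller's log script block, if one was given, with $Message in scope.
    # -LogScriptBlock is optional, so it is checked before Invoke-Command is called
    # (Invoke-Command rejects a null -ScriptBlock).
    function Invoke-SyncLog {
        param([string]$Message)
        if($LogScriptBlock){
            Invoke-Command -ScriptBlock $LogScriptBlock
        }
    }

    # Resolve a member name to an ADUser or ADGroup object.
    # Returns $null when no user or group with that name exists.
    function Resolve-MemberName {
        param([string]$Name)
        # $Name is referenced from inside the single-quoted filter; the ActiveDirectory module
        # resolves variables named in -Filter from the calling scope, so the name is passed as a
        # value rather than spliced into the filter text. Only users and groups are considered,
        # other object classes with the same name are ignored.
        $Found = @(Get-ADObject -Filter 'Name -eq $Name -and (ObjectClass -eq "user" -or ObjectClass -eq "group")')
        if($Found.Count -eq 0){
            return $null
        }
        if($Found.Count -gt 1){
            # Name is not unique in AD; keep the first hit but make the ambiguity visible.
            Write-Warning "Member name '$Name' matches $($Found.Count) objects, using $($Found[0].DistinguishedName)"
        }
        $Object = $Found[0]
        if($Object.ObjectClass -eq "user"){
            Get-ADUser $Object.DistinguishedName
        }else{
            Get-ADGroup $Object.DistinguishedName
        }
    }

    #--------------------------------------------------#
    # main
    #--------------------------------------------------#

    # Resolve plain names once, up front; AD objects are used as given.
    if($Member[0].PsObject.TypeNames -notcontains "Microsoft.ActiveDirectory.Management.ADObject"){
        $Resolved = @()
        $Unresolved = @()
        foreach($Name in $Member){
            $Object = Resolve-MemberName -Name $Name
            if($Object){
                $Resolved += $Object
            }else{
                $Unresolved += $Name
            }
        }
        if($Unresolved.Count -gt 0){
            # Stop before changing any group: an unresolved name would otherwise be
            # missing from the comparison below and the member would be removed.
            throw "Could not resolve member name(s): $($Unresolved -join ', ')"
        }
        $Member = $Resolved
    }

    foreach($Group in $ADGroup){
        if($Group.PsObject.TypeNames -notcontains "Microsoft.ActiveDirectory.Management.ADGroup"){
            $ADGroupItem = Get-ADGroup $Group
        }else{
            $ADGroupItem = $Group
        }

        # Direct members only (Get-ADGroupMember default).
        $IsMember = @(Get-ADGroupMember $ADGroupItem)

        if($IsMember.Count -gt 0){
            $Differences = Compare-Object -ReferenceObject $IsMember -DifferenceObject $Member -Property Name, DistinguishedName
            foreach($Diff in $Differences){
                if($Diff.SideIndicator -eq "<=" -and -not $OnlyAdd){
                    # present in the group, absent from -Member
                    $Message = "Remove ADGroupMember: $($Diff.Name) from ADGroup: $($ADGroupItem.Name)"
                    if($PSCmdlet.ShouldProcess($ADGroupItem.Name, $Message)){
                        Invoke-SyncLog -Message $Message
                        Remove-ADGroupMember -Identity $ADGroupItem -Members $Diff.DistinguishedName -Confirm:$false
                    }
                }elseif($Diff.SideIndicator -eq "=>" -and -not $OnlyRemove){
                    # listed in -Member, absent from the group
                    $Message = "Add ADGroupMember: $($Diff.Name) to ADGroup: $($ADGroupItem.Name)"
                    if($PSCmdlet.ShouldProcess($ADGroupItem.Name, $Message)){
                        Invoke-SyncLog -Message $Message
                        Add-ADGroupMember -Identity $ADGroupItem -Members $Diff.DistinguishedName -Confirm:$false
                    }
                }
            }
        }elseif($Member -and -not $OnlyRemove){
            # Empty group: nothing to compare, every requested member is added.
            foreach($NewMember in $Member){
                $Message = "Add ADGroupMember: $($NewMember.Name) to ADGroup: $($ADGroupItem.Name)"
                if($PSCmdlet.ShouldProcess($ADGroupItem.Name, $Message)){
                    Invoke-SyncLog -Message $Message
                    Add-ADGroupMember -Identity $ADGroupItem -Members $NewMember -Confirm:$false
                }
            }
        }
    }
}# function end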