
I am trying to set up a PS script to add members if they are not part of a group and run it as a task. Can someone proofread the code and provide feedback? Thanks.

# Distinguished name of the target group
$GROUP = 'CN=Group1,OU=SomeOU,DC=domain,DC=local'

# Pull every user in the domain together with its MemberOf attribute,
# keep those whose MemberOf does not already list the group,
# then add each remaining user to the group (one write per user)
Get-ADUser -Filter * -SearchBase "DC=domain,DC=local" -Properties MemberOf |
    Where-Object { $_.MemberOf -notcontains $GROUP } |
    ForEach-Object { Add-ADGroupMember -Identity $GROUP -Members $_ }

  • Group should be an array : $GROUP = @('CN=Group1','OU=SomeOU','DC=domain,'DC=local') Commented Jan 3, 2023 at 17:59
  • @jdweng what are you talking about? that's a DistinguishedName.... Commented Jan 3, 2023 at 17:59
  • @SantiagoSquarzon : It is an array of four objects, Commented Jan 3, 2023 at 19:59
  • @jdweng, no, it isn't. A distinguished name is a single string that just so happens to be composed of multiple pieces of information internally. Commented Jan 3, 2023 at 22:47
  • @mklement0 : The string is not one object, it is four objects. Commented Jan 4, 2023 at 3:31

3 Answers


Code looks good but could be more efficient by leveraging the Active Directory filter:

$group = 'CN=Group1,OU=SomeOU,DC=domain,DC=local'
# Let the domain controller do the filtering: return only users whose memberOf
# does not contain the group, then pipe them straight into the group
Get-ADUser -LDAPFilter "(!(memberOf=$group))" -SearchBase "DC=domain,DC=local" |
    Add-ADPrincipalGroupMembership -MemberOf $group

-LDAPFilter "(!(memberOf=$group))" searches for all users who are not members of your group, which is by far more efficient than querying all users in your search base and then filtering with Where-Object.


4 Comments

  • How would I exclude specific OUs from the -SearchBase? -notlike? Would I bring back the Where-Object?
  • You could use Where-Object in that case (where $_.DistinguishedName -notlike "*$ou", for example), or you could loop over all OUs you want to target and pass each of them to -SearchBase. If that doesn't help, please ask a new question with more details.
  • Like this? Where-Object { $_.DistinguishedName -notlike "*$ou" }
  • @a3kop yup, but that only works for one OU! If you need to exclude more, then you need to enumerate them.
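Putting this answer and its comment thread together, the following is an added example script (not code from the question or from any of the answers). It keeps the server-side LDAP filter, escapes the group DN so that characters such as parentheses in a group name cannot change the meaning of the filter, skips disabled accounts, excludes any number of OUs (the comment thread's open point), and supports -WhatIf so the task can be dry-run before it is scheduled. The group DN, search base and excluded OU names are placeholders, and ConvertTo-LdapFilterValue is a helper written for this example, not an ActiveDirectory module cmdlet.

```powershell
# Added example, not code from the original question or answers. Group DN,
# search base and excluded OUs are placeholder values.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$GroupDn      = 'CN=Group1,OU=SomeOU,DC=domain,DC=local',
    [string]$SearchBase   = 'DC=domain,DC=local',
    [string[]]$ExcludeOus = @('OU=ServiceAccounts,DC=domain,DC=local',
                              'OU=Disabled,DC=domain,DC=local')
)

Import-Module ActiveDirectory -ErrorAction Stop

# Helper for this example: escape a value for use inside an LDAP filter
# (RFC 4515). A DN such as "CN=Sales (EMEA),OU=..." would otherwise alter the
# filter. The backslash is replaced first so later escapes are not re-escaped.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
}

$escapedGroup = ConvertTo-LdapFilterValue -Value $GroupDn

# Evaluated on the domain controller: user objects that are not disabled
# (userAccountControl bit 2, tested with the LDAP_MATCHING_RULE_BIT_AND rule
# 1.2.840.113556.1.4.803) and not already a direct member of the group.
# memberOf lists direct memberships only, so a user who is a member through a
# nested group is still returned as a candidate here.
$filter = "(&(objectCategory=person)(objectClass=user)" +
          "(!(userAccountControl:1.2.840.113556.1.4.803:=2))" +
          "(!(memberOf=$escapedGroup)))"

$candidates = Get-ADUser -LDAPFilter $filter -SearchBase $SearchBase -SearchScope Subtree |
    Where-Object {
        # Drop anyone whose DN sits under one of the excluded OUs, at any depth.
        $dn  = $_.DistinguishedName
        $hit = $ExcludeOus | Where-Object { $dn.EndsWith(",$_", [System.StringComparison]::OrdinalIgnoreCase) }
        -not $hit
    }

$added  = 0
$failed = 0
foreach ($user in @($candidates)) {
    # With -WhatIf this prints the intended change and writes nothing to AD.
    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Add to group $GroupDn")) {
        try {
            Add-ADGroupMember -Identity $GroupDn -Members $user -ErrorAction Stop
            $added++
            Write-Verbose "Added $($user.SamAccountName)"
        }
        catch {
            # Keep going: one bad object should not abort the scheduled run.
            $failed++
            Write-Warning "Could not add $($user.SamAccountName): $($_.Exception.Message)"
        }
    }
}

Write-Output ('Candidates: {0}, added: {1}, failed: {2}' -f @($candidates).Count, $added, $failed)
```

Run it once interactively with -WhatIf -Verbose to see exactly which accounts it would touch before creating the task. When you do schedule it, run it under an account (a gMSA works well) that has only the delegated write permission on that group's member attribute rather than broad admin rights: the script adds every matching user in the domain to the group, so the account it runs as is only ever as dangerous as that one permission.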

I would probably use Add-ADPrincipalGroupMembership instead, which takes a user as the pipeline input and the group to add to as a parameter. Should perform a little better.

# Same query and client-side filter as the question, but the users are piped
# straight into Add-ADPrincipalGroupMembership instead of wrapping
# Add-ADGroupMember in a ForEach-Object loop
Get-ADUser -Filter * -SearchBase "DC=domain,DC=local" -Properties MemberOf |
    Where-Object MemberOf -notcontains $GROUP |
    Add-ADPrincipalGroupMembership -MemberOf $GROUP


Something like this should work without dumping every user (-ne won't do what you want and the filter doesn't take -notcontains). -eq works with an array on the left. -not has a high precedence, so parentheses are needed.

# The -Filter expression is evaluated on the domain controller; -not binds
# tightly, so the comparison it negates has to be parenthesised
Get-ADUser -Filter "-not (memberof -eq '$group')" -Properties memberof -SearchBase 'DC=domain,DC=local'
