
Modify ADGroup if the Description of a User changes - Powershell

I'm still pretty new to PowerShell. I now have the order to create a group / mail distribution which gets updated weekly. It looks for the description of the user. I have an ArrayList in which I have listed all descriptions which should be in there. Adding the user is not a problem, but I also want that if the description of someone changes, he gets removed from the group. I tried some examples from here but it's not working. I'm glad for every answer.

Add:

$Descriptions =  @("Supporter","System Eng", "etc.","etc.")
Foreach($Description in $Descriptions){
$user = Get-ADUser -Filter * -SearchBase "OU=Int,OU=user,OU=1,DC=test,DC=me,DC=nl" -properties *| Where-Object {$_.Description -like $Description}
$group = Get-ADGroup "CN=testgroup,OU=Dirs,OU=Global,OU=group,OU=1,DC=test,DC=me,DC=nl"

Add-ADGroupMember $group -Members $user

}

Remove:

$groupname = 'testgroup'
$members = Get-ADUser -LDAPFilter "(&(!(description=$Descriptions))(memberOf=CN=testgroup,OU=Dirs,OU=Global,OU=group,OU=1,DC=test,DC=me,DC=nl))"

foreach($member in $members)
{
    Remove-ADGroupMember -Identity $groupname -Member $member.samaccountname -Confirm:$false
}

I guess the mistake is here: "(&(!(description=$Descriptions))". Maybe I'm wrong, but I have no clue how to do it.

It's more about LDAP than PowerShell. LDAP queries cannot accept an array. If you want the equivalent of "description is one of these", then you will need to end up with something like this:

(|(description=Supporter)(description=System Eng)(description=etc.))

Notice the | for "OR".

To do that from your array, you can use the -join operator:

$members = Get-ADUser -LDAPFilter "(&(!(|(description=$(($Descriptions -join ')(description=')))))(memberOf=CN=testgroup,OU=Dirs,OU=Global,OU=group,OU=1,DC=test,DC=me,DC=nl))"

About your code to add a user: it works, but the -like is unnecessary since your matching string doesn't have any wildcards. You can use -eq instead, which will save a little processing power. You may not even notice it though.

Where-Object {$_.Description -eq $Description}
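The -join approach above places each description into the LDAP filter verbatim, so an entry containing `*`, `(`, `)` or `\` changes what the filter means (a `*` becomes a wildcard and widens who is allowed to stay in the group). The following is an added example, not part of the original answer: it builds the same filter with RFC 4515 escaping. The function names and the sample descriptions are hypothetical.

```powershell
# Added example: function names and sample descriptions are hypothetical.

# Escape a value for use inside an LDAP search filter (RFC 4515).
# The backslash is replaced first so the later escapes are not escaped again.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    $map = [ordered]@{ '\' = '\5c'; '*' = '\2a'; '(' = '\28'; ')' = '\29'; "`0" = '\00' }
    foreach ($k in $map.Keys) { $Value = $Value.Replace($k, $map[$k]) }
    $Value
}

# Build "(member of the group) AND NOT (description is one of the list)".
# Mandatory [string[]] rejects an empty list, which would otherwise yield the invalid filter "(|)".
function New-DescriptionMismatchFilter {
    param(
        [Parameter(Mandatory)][string[]]$Descriptions,
        [Parameter(Mandatory)][string]$GroupDn
    )
    $clauses = $Descriptions | ForEach-Object { "(description=$(ConvertTo-LdapFilterValue $_))" }
    "(&(memberOf=$(ConvertTo-LdapFilterValue $GroupDn))(!(|$(-join $clauses))))"
}

# Constructed sample input: two entries contain characters that are special in LDAP filters.
$Descriptions = @('Supporter', 'System Eng', 'R&D (EU)', 'Ops*')
$groupDn = 'CN=testgroup,OU=Dirs,OU=Global,OU=group,OU=1,DC=test,DC=me,DC=nl'

$filter = New-DescriptionMismatchFilter -Descriptions $Descriptions -GroupDn $groupDn
$filter   # inspect the generated filter before using it

# With the ActiveDirectory module loaded, the filter is used as in the answer:
# $members = Get-ADUser -LDAPFilter $filter
```

Because `(!(description=...))` is also true for accounts that have no description attribute at all, those members are returned by this filter as well.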

Since you are using the -like operator without wildcard characters, you gain no benefit from using -like. When comparing a single value against a collection, you should consider using the -in operator. However, Containment Comparison Operators like -in and -contains are not supported in the -filter of the ActiveDirectory cmdlets. You are left with either iterating over your collections and using -filter comparing single values or relying on Where-Object, which does support all of the comparison operators.

The Get-ADGroupMember and Remove-ADGroupMember -Members parameter supports arrays. If you create an array of users you want to add or remove, you can perform the add/remove with one command.

$Descriptions =  @("Supporter","System Eng", "etc.","etc.")
$group = Get-ADGroup "CN=testgroup,OU=Dirs,OU=Global,OU=group,OU=1,DC=test,DC=me,DC=nl"

$UsersToAdd = Get-ADUser -Filter "MemberOf -ne '$($group.DistinguishedName)'" -SearchBase "OU=Int,OU=user,OU=1,DC=test,DC=me,DC=nl" -properties MemberOf,Description |
    where Description -in $Descriptions
$UsersToRemove = Get-ADUser -Filter "MemberOf -eq '$($group.DistinguishedName)'" -properties MemberOf,Description |
    where Description -notin $Descriptions

Add-ADGroupMember $group -Members $UsersToAdd
Remove-ADGroupMember $group -Members $UsersToRemove

The -Properties switch does allow you to selectively choose properties (in an array format for multiple properties and string format for a single property) you want to display. I would not recommend using * as that will increase the resource demand on your system during queries and data retrieval.

Note: The solution assumes that your $Descriptions array contains the exact descriptions you expect to see on user objects.


If $Descriptions contains partial strings that you want to match against, you can opt for using the -match operator. Instead of an array, just create a single delimited (delimited by | ) string.

$Descriptions =  "Supporter|System Eng|etc\."
$group = Get-ADGroup "CN=testgroup,OU=Dirs,OU=Global,OU=group,OU=1,DC=test,DC=me,DC=nl"

$UsersToAdd = Get-ADUser -Filter "MemberOf -ne '$($group.DistinguishedName)'" -SearchBase "OU=Int,OU=user,OU=1,DC=test,DC=me,DC=nl" -properties MemberOf,Description |
    where Description -match $Descriptions
$UsersToRemove = Get-ADUser -Filter "MemberOf -eq '$($group.DistinguishedName)'" -properties MemberOf,Description |
    where Description -notmatch $Descriptions

Add-ADGroupMember $group -Members $UsersToAdd
Remove-ADGroupMember $group -Members $UsersToRemove
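The -match variant above treats the delimited string as a regular expression, so every metacharacter has to be escaped by hand (as the answer does with `etc\.`). The following is an added example, not part of the original answer: it builds the pattern from a plain list with `[regex]::Escape`, computes the add and remove sets on constructed sample objects so it runs without a domain, and previews the change with -WhatIf. `Get-MembershipDelta`, the `IsMember` property and the sample users are hypothetical.

```powershell
# Added example: Get-MembershipDelta, IsMember and the sample users are hypothetical.
function Get-MembershipDelta {
    param(
        [Parameter(Mandatory)][object[]]$Users,        # objects with SamAccountName, Description, IsMember
        [Parameter(Mandatory)][string[]]$Descriptions  # literal (partial) strings, not regexes
    )
    # Escape every entry so '.', '(' or '+' match literally, then OR the entries together.
    # Mandatory [string[]] rejects empty entries, which would produce a pattern that matches everyone.
    $pattern = ($Descriptions | ForEach-Object { [regex]::Escape($_) }) -join '|'

    [pscustomobject]@{
        Pattern  = $pattern
        ToAdd    = @($Users | Where-Object { -not $_.IsMember -and $_.Description -match $pattern } |
                     ForEach-Object SamAccountName)
        # $null -notmatch <pattern> is true, so members without a description are removed too.
        ToRemove = @($Users | Where-Object { $_.IsMember -and $_.Description -notmatch $pattern } |
                     ForEach-Object SamAccountName)
    }
}

# Constructed sample data standing in for Get-ADUser output.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'alice'; Description = 'Supporter';  IsMember = $false }
    [pscustomobject]@{ SamAccountName = 'bob';   Description = 'Accounting'; IsMember = $true  }
    [pscustomobject]@{ SamAccountName = 'carol'; Description = $null;        IsMember = $true  }
    # 'etcX' would match an unescaped 'etc.' because '.' means "any character" in a regex.
    [pscustomobject]@{ SamAccountName = 'dave';  Description = 'etcX';       IsMember = $false }
)

$delta = Get-MembershipDelta -Users $sample -Descriptions 'Supporter', 'System Eng', 'etc.'
$delta | Format-List

# Apply only non-empty sets (an empty -Members value is rejected by the cmdlets),
# and preview with -WhatIf before running the change for real.
if (Get-Command Add-ADGroupMember -ErrorAction SilentlyContinue) {
    if ($delta.ToAdd)    { Add-ADGroupMember    -Identity 'testgroup' -Members $delta.ToAdd    -WhatIf }
    if ($delta.ToRemove) { Remove-ADGroupMember -Identity 'testgroup' -Members $delta.ToRemove -WhatIf }
}
```

Reviewing the two lists before dropping -WhatIf matters most for a scheduled weekly run, where an over-broad pattern would silently add accounts to the distribution group.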
