[英]Powershell script to automate create Ad User and group member
我是 powershell 的初學者,試圖創建一個 AD 用戶和一個組成員,這里的查詢是組應該是數組(多個組)它不應該是使用 for 循環的一對一映射,嘗試和捕獲方法需要檢查所有像用戶這樣的場景已經存在於 AD 以及 Group 如果不存在添加New-ADUser和組Add-ADGroupMember我正在嘗試的代碼但在某處邏輯丟失或我的腳本不正確,它不會進入foreach ($grp in $組)
Param
(
[parameter(Mandatory=$true)]
[string] $fname,
[parameter(Mandatory=$true)]
[string] $lname,
[parameter(Mandatory=$true)]
[string] $upn,
[parameter(Mandatory=$true)]
[string] $desc,
[parameter(Mandatory=$true)]
[string] $Email,
[parameter(Mandatory=$true)]
[string[]] $Group
)
# Define UPN
$SamAccount = "$fname.$lname"
$ADUser = Get-ADUser -Filter "SamAccountName -eq '$SamAccount'" | Select-Object SamAccountName
#$ADGroups = Get-ADGroup -Filter * | Select-Object Name
#Generate a Randam Secure Password to a User
Function GenerateStrongPassword ([Parameter(Mandatory=$true)][int]$PasswordLenght)
{
Add-Type -AssemblyName System.Web
$PassComplexCheck = $false
do {
$newPassword=[System.Web.Security.Membership]::GeneratePassword($PasswordLenght,1)
If ( ($newPassword -cmatch "[A-Z\p{Lu}\s]") `
-and ($newPassword -cmatch "[a-z\p{Ll}\s]") `
-and ($newPassword -match "[\d]") `
-and ($newPassword -match "[^\w]")
)
{
$PassComplexCheck=$True
}
} While ($PassComplexCheck -eq $false)
return $newPassword
}
$password = GenerateStrongPassword (10)
#Adding New User to AD and to the Groups
if ($ADUser -eq $null){
New-ADUser -GivenName "$fname" -Surname "$lname" -Initials $initials -displayName "${fname} ${lname}" -UserPrincipalName $upn -Description "$desc" -Name "$fname $lname" -EmailAddress "$email" -SamAccountName $SamAccount -ChangePasswordAtLogon $true -AccountPassword $(ConvertTo-SecureString $password -AsPlainText -Force) -Enabled $false -Path "OU=aws,DC=azure,DC=com" -Server "Domain"
"ResponseMessage: successfull- User " +$UPN+ " added to the AD and user's password is " +$password
foreach ($grp in $Group)
{
$grp = $grp.tostring()
$ADGroups = Get-ADGroupMember -Identity $grp| Select-Object name
if($ADGroups -eq $null){
Add-ADGroupMember -Identity $grp -Members $ADUser
"ResponseMessage: successfull- User " +$UPN+ " added to the $grp"
}
}
}
#if Ad user already exists but not exist on Group
elseif($ADUser){
"ResponseMessage: successfull- User " +$UPN+ " is already exists to the AD"
foreach ($grp in $Group)
{
$grp = $grp.tostring()
$ADGroups = Get-ADGroupMember -Identity $grp| Select-Object name
if($ADGroups -eq $null){
Add-ADGroupMember -Identity $grp -Members $ADUser
"ResponseMessage: successfull- User " +$UPN+ " added to the $grp"
}
else{
"User is " +$UPN+ " is already exists on the $grp"
}
}
}
else{
"user is not valid"
}
主要問題之一是您嘗試將$ADUser
添加到$grp
而它是null 。 if ($ADUser -eq $null){..}
只有在$ADUser
為 null 時才會運行,那么您正在嘗試使用Add-ADGroupMember -Identity $grp -Members $ADUser
它不起作用的地方。 您的直接解決方法是將新創建的用戶帳戶分配給$ADUser
; $ADUser = New-ADUser
。
下一個問題是您通過Get-ADGroupMember -Identity $grp
比較用戶是否已經屬於該組的方式,除了獲取指定組的組成員之外,它不會告訴您這一點。 您可以通過查詢memberof
屬性並將您的$grp
與返回的用戶組進行比較來解決此問題; $grp
也不需要通過您的[string[]] $Groups
顯式轉換類型轉換為字符串( .ToString()
),因為它已經是一個字符串。
修復上述問題,您最終會得到:
Param
(
[parameter(Mandatory=$true)]
[string] $fname,
[parameter(Mandatory=$true)]
[string] $lname,
[parameter(Mandatory=$true)]
[string] $upn,
[parameter(Mandatory=$true)]
[string] $desc,
[parameter(Mandatory=$true)]
[string] $Email,
[parameter(Mandatory=$true)]
[string[]] $Group
)
# Define UPN
$SamAccount = "$fname.$lname"
$ADUser = try { Get-ADUser -Identity $SamAccount -Properties 'memberof' } catch { }
#Adding New User to AD and to the Groups
if ($null -eq $ADUser) {
$newUserParams = @{
GivenName = $fname
Surname = $lname
Initials = $initials
DisplayName = "$fname $lname"
UserPrincipalName = $upn
Description = $desc
Name = "$fname $lname"
EmailAddress = $Email
SamAccountName = $SamAccount
ChangePasswordAtLogon = $true
AccountPassword = ConvertTo-SecureString $password -AsPlainText -Force
Enabled = $false
Path = "OU=aws,DC=azure,DC=com"
Server = "Domain"
PassThru = $true
}
$ADUser = New-ADUser @newUserParams
"ResponseMessage: successfull- User $UPN added to the AD and user's password is $password"
foreach ($grp in $Group)
{
$ADGroups = try { Get-ADGroup -Identity $grp } catch { }
if ($ADGroups) {
Add-ADGroupMember -Identity $grp -Members $ADUser.SAMAccountName
"ResponseMessage: successfull- User " + $UPN + " added to the $grp"
}
}
}
elseif ($ADUser) {
"ResponseMessage: successfull- User " + $UPN + " is already exists to the AD"
$userGroups = $ADUser.MemberOf.Foreach{ ($_ -Split 'CN=|,OU')[1] }
foreach ($grp in $Group)
{
if ($grp -notin $userGroups) {
Add-ADGroupMember -Identity $grp -Members $ADUser.SAMAccountName
"ResponseMessage: successfull- User $UPN added to the $grp"
}
else {
"User $UPN already exists in $grp"
}
}
}
else {
"user is not valid"
}
為簡潔起見,我刪除了 function GenerateStrongPassword
; 只需重新添加它。
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.