Powershell 腳本自動創建廣告用戶和組成員
[英]Powershell script to automate create Ad User and group member
問題描述
我是 powershell 的初學者,試圖創建一個 AD 用戶和一個組成員,這里的查詢是組應該是數組(多個組)它不應該是使用 for 循環的一對一映射,嘗試和捕獲方法需要檢查所有像用戶這樣的場景已經存在於 AD 以及 Group 如果不存在添加New-ADUser和組Add-ADGroupMember我正在嘗試的代碼但在某處邏輯丟失或我的腳本不正確,它不會進入foreach ($grp in $組)
Param
(
[parameter(Mandatory=$true)]
[string] $fname,
[parameter(Mandatory=$true)]
[string] $lname,
[parameter(Mandatory=$true)]
[string] $upn,
[parameter(Mandatory=$true)]
[string] $desc,
[parameter(Mandatory=$true)]
[string] $Email,
[parameter(Mandatory=$true)]
[string[]] $Group
)
# Define UPN
$SamAccount = "$fname.$lname"
$ADUser = Get-ADUser -Filter "SamAccountName -eq '$SamAccount'" | Select-Object SamAccountName
#$ADGroups = Get-ADGroup -Filter * | Select-Object Name
#Generate a Randam Secure Password to a User
Function GenerateStrongPassword ([Parameter(Mandatory=$true)][int]$PasswordLenght)
{
Add-Type -AssemblyName System.Web
$PassComplexCheck = $false
do {
$newPassword=[System.Web.Security.Membership]::GeneratePassword($PasswordLenght,1)
If ( ($newPassword -cmatch "[A-Z\p{Lu}\s]") `
-and ($newPassword -cmatch "[a-z\p{Ll}\s]") `
-and ($newPassword -match "[\d]") `
-and ($newPassword -match "[^\w]")
)
{
$PassComplexCheck=$True
}
} While ($PassComplexCheck -eq $false)
return $newPassword
}
$password = GenerateStrongPassword (10)
#Adding New User to AD and to the Groups
if ($ADUser -eq $null){
New-ADUser -GivenName "$fname" -Surname "$lname" -Initials $initials -displayName "${fname} ${lname}" -UserPrincipalName $upn -Description "$desc" -Name "$fname $lname" -EmailAddress "$email" -SamAccountName $SamAccount -ChangePasswordAtLogon $true -AccountPassword $(ConvertTo-SecureString $password -AsPlainText -Force) -Enabled $false -Path "OU=aws,DC=azure,DC=com" -Server "Domain"
"ResponseMessage: successfull- User " +$UPN+ " added to the AD and user's password is " +$password
foreach ($grp in $Group)
{
$grp = $grp.tostring()
$ADGroups = Get-ADGroupMember -Identity $grp| Select-Object name
if($ADGroups -eq $null){
Add-ADGroupMember -Identity $grp -Members $ADUser
"ResponseMessage: successfull- User " +$UPN+ " added to the $grp"
}
}
}
#if Ad user already exists but not exist on Group
elseif($ADUser){
"ResponseMessage: successfull- User " +$UPN+ " is already exists to the AD"
foreach ($grp in $Group)
{
$grp = $grp.tostring()
$ADGroups = Get-ADGroupMember -Identity $grp| Select-Object name
if($ADGroups -eq $null){
Add-ADGroupMember -Identity $grp -Members $ADUser
"ResponseMessage: successfull- User " +$UPN+ " added to the $grp"
}
else{
"User is " +$UPN+ " is already exists on the $grp"
}
}
}
else{
"user is not valid"
}
1 個解決方案
解決方案1
0 2022-08-29 19:50:24
主要問題之一是您嘗試將$ADUser添加到$grp而它是null 。 if ($ADUser -eq $null){..}只有在$ADUser為 null 時才會運行,那么您正在嘗試使用Add-ADGroupMember -Identity $grp -Members $ADUser它不起作用的地方。 您的直接解決方法是將新創建的用戶帳戶分配給$ADUser ; $ADUser = New-ADUser 。
下一個問題是您通過Get-ADGroupMember -Identity $grp比較用戶是否已經屬於該組的方式,除了獲取指定組的組成員之外,它不會告訴您這一點。 您可以通過查詢memberof屬性並將您的$grp與返回的用戶組進行比較來解決此問題; $grp也不需要通過您的[string[]] $Groups顯式轉換類型轉換為字符串( .ToString() ),因為它已經是一個字符串。
修復上述問題,您最終會得到:
Param
(
[parameter(Mandatory=$true)]
[string] $fname,
[parameter(Mandatory=$true)]
[string] $lname,
[parameter(Mandatory=$true)]
[string] $upn,
[parameter(Mandatory=$true)]
[string] $desc,
[parameter(Mandatory=$true)]
[string] $Email,
[parameter(Mandatory=$true)]
[string[]] $Group
)
# Define UPN
$SamAccount = "$fname.$lname"
$ADUser = try { Get-ADUser -Identity $SamAccount -Properties 'memberof' } catch { }
#Adding New User to AD and to the Groups
if ($null -eq $ADUser) {
$newUserParams = @{
GivenName = $fname
Surname = $lname
Initials = $initials
DisplayName = "$fname $lname"
UserPrincipalName = $upn
Description = $desc
Name = "$fname $lname"
EmailAddress = $Email
SamAccountName = $SamAccount
ChangePasswordAtLogon = $true
AccountPassword = ConvertTo-SecureString $password -AsPlainText -Force
Enabled = $false
Path = "OU=aws,DC=azure,DC=com"
Server = "Domain"
PassThru = $true
}
$ADUser = New-ADUser @newUserParams
"ResponseMessage: successfull- User $UPN added to the AD and user's password is $password"
foreach ($grp in $Group)
{
$ADGroups = try { Get-ADGroup -Identity $grp } catch { }
if ($ADGroups) {
Add-ADGroupMember -Identity $grp -Members $ADUser.SAMAccountName
"ResponseMessage: successfull- User " + $UPN + " added to the $grp"
}
}
}
elseif ($ADUser) {
"ResponseMessage: successfull- User " + $UPN + " is already exists to the AD"
$userGroups = $ADUser.MemberOf.Foreach{ ($_ -Split 'CN=|,OU')[1] }
foreach ($grp in $Group)
{
if ($grp -notin $userGroups) {
Add-ADGroupMember -Identity $grp -Members $ADUser.SAMAccountName
"ResponseMessage: successfull- User $UPN added to the $grp"
}
else {
"User $UPN already exists in $grp"
}
}
}
else {
"user is not valid"
}
為簡潔起見,我刪除了 function GenerateStrongPassword ; 只需重新添加它。
如何編寫一個簡單的 Powershell 腳本將用戶分配到 AD 組
[英]How to write a simple Powershell script to assign a user to an AD group
用於獲取用戶及其所屬組的詳細信息的 Powershell 腳本
[英]Powershell Script to get details of user along with group they are member of
Powershell腳本可搜索AD中的特定OU並查找屬於組成員的禁用用戶
[英]Powershell Script to search specific OU in AD and find disabled users that is member of a group
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.
相關問題
Powershell AD用戶組成員
在特定組PowerShell中直接在AD中創建用戶
從 perm AD powershell 腳本添加 Azure 組成員
powershell腳本廣告腳本組
如何編寫一個簡單的 Powershell 腳本將用戶分配到 AD 組
用於獲取用戶及其所屬組的詳細信息的 Powershell 腳本
如何使用Powershell使AD組成為另一個AD組的成員?
Powershell Group成員來自AD的船舶領域
檢查用戶是否是 AD 組的成員 - Powershell
Powershell腳本可搜索AD中的特定OU並查找屬於組成員的禁用用戶
相關標簽