Add user to Group Based on Attribute value

Question

Hi.

I have made this script to add the users into TEST Group if the user attribute "msRTCSIP-Line" is having any value ( means it is not equal to null) , And remove the users from the TEST group if we make the attribute "msRTCSIP-Line" as Null . But this is not working for me . ( Not throwing any error) .Means the code is running but it is not adding or removing any user

Can anyone help me to correct this ?

Import-Module ActiveDirectory

Get-ADGroupMember -Identity "TEST" | Get-ADUser -Properties msRTCSIP-Line | Where-Object {$.msRTCSIP-Line -eq $null} | % {Remove-ADGroupMember -Identity "TEST" -Members $ -Confirm:$false}

Get-ADUser -SearchBase 'DC=company , DC=test' -filter {msRTCSIP-Line -ne "$null"} | % {Add-ADGroupMember " TEST " $_.SamAccountName}

Answer

This is similar to your code, but I think you had the quoting wrong in the filter string. You only need to quote the value of you quote the filter string. If you use "curly braces" around the filter string you shouldn't quote the value.

I also removed and added the members in one execution of the Remove-ADGroupMember and Add-ADGroupMember cmdlet instead of individually.

Is "TEST" the samaccountname of the group? Or is it just the name of the group? It makes a difference.

$groupid = "TEST"   # NOTE: This must be one of these:
                    #       A distinguished name
                    #       A GUID (objectGUID)
                    #       A security identifier (objectSid)
                    #       A Security Account Manager account name (sAMAccountName)
[array]$distnames = Get-ADGroupMember -Identity $groupid | 
                        Get-ADUser -Properties msRTCSIP-Line | 
                            Where-Object {$_.msRTCSIP-Line -eq $null} | 
                                Select-Object -Expand distinguishedname
Remove-ADGroupMember -Identity $groupid -Members $distnames -Confirm:$false

[array]$adddistnames =  Get-ADUser -SearchBase 'DC=company , DC=test' -filter {msRTCSIP-Line -ne $null}|
                            Select-Object -Expand distinguishedname
Add-ADGroupMember -Identity $groupid -Members $adddistnames

Answer

Not sure the client side filtering is needed here.

The requester asked "if the user attribute "msRTCSIP-Line" is having any value ( means it is not equal to null)".

That can be done server side as part of the initial Get-ADUser request with a filter.

Get-ADUser -properties msRTCSIP-Line -filter 'msRTCSIP-Line -Like "*"' | % {Add=ADGroupMember testGroup $_}

# Here is another example without a pipeline.

Add-ADGroupMember-Identity testGroup -Members (Get-ADUser -properties msRTCSIP-Line -filter 'msRTCSIP-Line -Like "*"')

Answer

Just adding this to the discussion as it may be of interest to some.

What I can't work out is why I need to use the ForEach in the first example.

The -member property on Add-ADGroupMember can take a list of addresses.

So in theory, the ForEach shouldn't be necessary. You should just be able to use the information in the current pipe.

If anyone knows why the following happens, it would be appreciated.

 # This works.  Using ForEach loop
 Get-ADUser -properties msRTCSIP-Line -filter 'msRTCSIP-Line -Like "*"' | % {Add-ADGroupMember testGroup $_}

 # This doesn't.
 Get-ADUser -properties msRTCSIP-Line -filter 'msRTCSIP-Line -Like "*"' | Add-ADGroupMember testGroup $_

 # Nor does this
 $users = Get-ADUser -properties msRTCSIP-Line -filter 'msRTCSIP-Line -Like "*"' | Add-ADGroupMember testGroup $users

 # But this does.
 $users = Get-ADUser -properties msRTCSIP-Line -filter 'msRTCSIP-Line -Like "*"' 
 Add-ADGroupMember testGroup $users

Share via

Add user to Group Based on Attribute value

3 answers