Add user to Group Based on Attribute value

Nabil Rashid 1 Reputation point


I have made this script to add the users into TEST Group if the user attribute "msRTCSIP-Line" is having any value ( means it is not equal to null) , And remove the users from the TEST group if we make the attribute "msRTCSIP-Line" as Null . But this is not working for me . ( Not throwing any error) .Means the code is running but it is not adding or removing any user

Can anyone help me to correct this ?

Import-Module ActiveDirectory

Get-ADGroupMember -Identity "TEST" | Get-ADUser -Properties msRTCSIP-Line | Where-Object {$.msRTCSIP-Line -eq $null} | % {Remove-ADGroupMember -Identity "TEST" -Members $ -Confirm:$false}

Get-ADUser -SearchBase 'DC=company , DC=test' -filter {msRTCSIP-Line -ne "$null"} | % {Add-ADGroupMember " TEST " $_.SamAccountName}

Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
6,061 questions
Windows Server PowerShell
Windows Server PowerShell
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.PowerShell: A family of Microsoft task automation and configuration management frameworks consisting of a command-line shell and associated scripting language.
5,430 questions
0 comments No comments
{count} votes

3 answers

Sort by: Most helpful
  1. Rich Matheisen 45,416 Reputation points

    This is similar to your code, but I think you had the quoting wrong in the filter string. You only need to quote the value of you quote the filter string. If you use "curly braces" around the filter string you shouldn't quote the value.

    I also removed and added the members in one execution of the Remove-ADGroupMember and Add-ADGroupMember cmdlet instead of individually.

    Is "TEST" the samaccountname of the group? Or is it just the name of the group? It makes a difference.

    $groupid = "TEST"   # NOTE: This must be one of these:
                        #       A distinguished name
                        #       A GUID (objectGUID)
                        #       A security identifier (objectSid)
                        #       A Security Account Manager account name (sAMAccountName)
    [array]$distnames = Get-ADGroupMember -Identity $groupid | 
                            Get-ADUser -Properties msRTCSIP-Line | 
                                Where-Object {$_.msRTCSIP-Line -eq $null} | 
                                    Select-Object -Expand distinguishedname
    Remove-ADGroupMember -Identity $groupid -Members $distnames -Confirm:$false
    [array]$adddistnames =  Get-ADUser -SearchBase 'DC=company , DC=test' -filter {msRTCSIP-Line -ne $null}|
                                Select-Object -Expand distinguishedname
    Add-ADGroupMember -Identity $groupid -Members $adddistnames
    0 comments No comments

  2. Newbie Jones 1,321 Reputation points

    Not sure the client side filtering is needed here.

    The requester asked "if the user attribute "msRTCSIP-Line" is having any value ( means it is not equal to null)".

    That can be done server side as part of the initial Get-ADUser request with a filter.

    Get-ADUser -properties msRTCSIP-Line -filter 'msRTCSIP-Line -Like "*"' | % {Add=ADGroupMember testGroup $_}
    # Here is another example without a pipeline.
    Add-ADGroupMember-Identity testGroup -Members (Get-ADUser -properties msRTCSIP-Line -filter 'msRTCSIP-Line -Like "*"')
    0 comments No comments

  3. Newbie Jones 1,321 Reputation points

    Just adding this to the discussion as it may be of interest to some.

    What I can't work out is why I need to use the ForEach in the first example.

    The -member property on Add-ADGroupMember can take a list of addresses.

    So in theory, the ForEach shouldn't be necessary. You should just be able to use the information in the current pipe.

    If anyone knows why the following happens, it would be appreciated.

     # This works.  Using ForEach loop
     Get-ADUser -properties msRTCSIP-Line -filter 'msRTCSIP-Line -Like "*"' | % {Add-ADGroupMember testGroup $_}
     # This doesn't.
     Get-ADUser -properties msRTCSIP-Line -filter 'msRTCSIP-Line -Like "*"' | Add-ADGroupMember testGroup $_
     # Nor does this
     $users = Get-ADUser -properties msRTCSIP-Line -filter 'msRTCSIP-Line -Like "*"' | Add-ADGroupMember testGroup $users
     # But this does.
     $users = Get-ADUser -properties msRTCSIP-Line -filter 'msRTCSIP-Line -Like "*"' 
     Add-ADGroupMember testGroup $users