Prerequisites: Quest AD Management Shell
Sharing a script that was written for one of my projects; it uses the same comparison logic as the two scripts I shared earlier.
This script updates an AD attribute value based on AD group membership: members added to the group get the value set, and members removed from the group get it cleared.
The example below updates an extension attribute value that we have used for assigning impersonation permissions.
Download and extract the script files from the link below, then update the .ps1 file:
https://gallery.technet.microsoft.com/scriptcenter/Update-AD-attribute-based-da02e471
$Attrbv = "EnableSync" #Attribute Value
$group = "TestGroup1" #group Name
$Adattrbute = "extensionattribute1" #AD attribute that will be updated
Update the email parameters used for error reporting:
$smtpServer = "smtp.labtest.com"
$fromadd = "DoNotReply@labtest.com"
$email1 = "sviaks@labtest"
The script also recycles its logs based on the parameter below (by default set to 30 days):
$limit = (Get-Date).AddDays(-30)
Once all these parameters have been updated as per your environment's requirements, run the batch file:
Note: On the first run the script only creates the CSV state file from the current membership and applies nothing, because the comparison then finds no difference. To seed the attribute on the existing members, empty the CSV file keeping the header and one member row only (Compare-Object needs at least one row to compare against).
Also, what you can do is change the value of the remaining row to a user ID that is not a member of the group you are working on; that way every current member is treated as added on the next run (and the attribute is cleared on that non-member).
Now run the batch file again; every group member will get the AD attribute updated.
Once the above is completed, schedule the task. It then works incrementally: whenever group membership changes, an addition sets the AD attribute and a removal clears it. Only differences between two consecutive runs are applied, so the state CSV must stay next to the script.
Note: You can browse the logs in the logs folder to troubleshoot if something is not happening as desired.
You will also get an email if there is an error during execution of the script.
######################################################################
# Author: Vikas Sukhija
# Date:- 12/27/2015
# Reviewer:-
# Description:- Add EA Attribute to
# a particular AD group members.
######################################################################
$date1 = get-date -format d
$date1 = $date1.ToString().Replace("/","-")
$dir = ".\logs"
$limit = (Get-Date).AddDays(-30)   # log files older than this are deleted at the end of each run
$logs = ".\Logs" + "\" + "Processed_" + $date1 + "_.log"
$smtpServer = "smtp.labtest.com"
$fromadd = "DoNotReply@labtest.com"
$email1 = "vikas@labtest.com"

# Start-Transcript fails if the logs folder is missing, so create it first
If (!(Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
Start-Transcript -Path $logs

######Add Quest Shell & define attrib/ group value############
If ((Get-PSSnapin | where {$_.Name -match "Quest.ActiveRoles.ADManagement"}) -eq $null) {
    Add-PSSnapin Quest.ActiveRoles.ADManagement
}

$Attrbv = "EnableSync"                 #Attribute Value
$group = "TestGroup1"                  #group Name
$Adattrbute = "extensionattribute12"   #Ad attribute that will be updated
#################################################################

$groupmem = Get-QADGroupMember $group -sizelimit 0 -includedproperties $Adattrbute
$Statefile = "$($group)-Name.csv"

# If the state file doesn't exist, create it from the current membership.
# Nothing is applied on that run: the comparison below then sees no difference.
If (!(Test-Path $Statefile)) {
    $groupmem | select Name,$Adattrbute | Export-csv $Statefile -NoTypeInformation
}

# Check Changes: a Name present in AD but not in the state file was added,
# a Name present in the state file but not in AD was removed ("=>" side).
$Changes = Compare-Object $groupmem $(Import-Csv $StateFile) -Property Name |
    Select-Object Name, @{n='State';e={ If ($_.SideIndicator -eq "=>") { "Removed" } Else { "Added" } }}

$Changes | foreach-object {
    # Name is used as the identity, so it must be unique in the domain
    if ($_.state -eq "Added") {
        Write-host "$Attrbv will be added to $($_.Name)" -foregroundcolor green
        Set-QADUser -identity $_.Name -ObjectAttributes @{$Adattrbute = $Attrbv}
    }
    if ($_.state -eq "Removed") {
        Write-host "$Attrbv will be removed from $($_.Name)" -foregroundcolor Red
        Set-QADUser -identity $_.Name -ObjectAttributes @{$Adattrbute = $null}
    }
}

# Save the current membership as the state for the next run
$groupmem | select Name,$Adattrbute | Export-csv $StateFile -NoTypeInformation

###########################Recycle##########################################
$path = $dir
Get-ChildItem -Path $path | Where-Object { $_.CreationTime -lt $limit } | Remove-Item -recurse -Force

#######################Report Error#########################################
if ($error.Count -gt 0) {
    #SMTP Relay address
    $msg = new-object Net.Mail.MailMessage
    $smtp = new-object Net.Mail.SmtpClient($smtpServer)
    #Mail sender
    $msg.From = $fromadd
    #mail recipient
    $msg.To.Add($email1)
    $msg.Subject = "AD Attribute Script Error"
    $msg.Body = ($error | Out-String)   # all error records, one per line
    $smtp.Send($msg)
    $error.clear()
} else {
    Write-host "no errors till now"
}

stop-transcript
##########################################################################
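The script above only applies the differences between two consecutive runs, so a value that was set by hand, a member that was removed while the scheduled task was not running, or a state file that was lost and recreated, is never corrected. Since the attribute is what grants the impersonation permission, the check worth running from time to time is the other way round: which users carry the value at all, and do they still belong to the group. The following is an added example, not part of the original script or the download; it assumes the same Quest snap-in, the placeholder group, attribute and value names used above, and that Get-QADGroupMember -Indirect and Get-QADUser -LdapFilter behave as documented for the installed Quest shell version.

```powershell
# Added example (not part of the original script): reconcile the attribute
# against live group membership in both directions.
#   MISSING = user is in the group but does not carry the value
#   STALE   = user carries the value but is not in the group (still has the permission)
# Run without -Fix first; -Fix applies the same Set-QADUser calls the script uses.
# Assumptions: Quest snap-in installed; -Indirect and -LdapFilter available on this
# Quest shell version; group/attribute/value names are the script's placeholders.
param(
    [string]$Group      = "TestGroup1",
    [string]$Adattrbute = "extensionattribute12",
    [string]$Attrbv     = "EnableSync",
    [switch]$Fix
)

If ((Get-PSSnapin | Where-Object { $_.Name -match "Quest.ActiveRoles.ADManagement" }) -eq $null) {
    Add-PSSnapin Quest.ActiveRoles.ADManagement
}

# Expected holders: user members of the group, nested groups included.
# DN is used as the key so that two users with the same display name cannot collide.
$members = @(Get-QADGroupMember $Group -SizeLimit 0 -Indirect |
             Where-Object { $_.Type -eq "user" } |
             Select-Object -ExpandProperty DN)

# Actual holders: every user in the domain that carries the value, member or not.
$holders = @(Get-QADUser -SizeLimit 0 -LdapFilter "($Adattrbute=$Attrbv)" |
             Select-Object -ExpandProperty DN)

$missing = @($members | Where-Object { $holders -notcontains $_ })
$stale   = @($holders | Where-Object { $members -notcontains $_ })

"$($members.Count) group members, $($holders.Count) users with $Adattrbute=$Attrbv"
$missing | ForEach-Object { "MISSING : $_" }
$stale   | ForEach-Object { "STALE   : $_" }

if ($Fix) {
    # Identity is the DN here, not the Name, so the right object is always targeted
    $missing | ForEach-Object { Set-QADUser -Identity $_ -ObjectAttributes @{ $Adattrbute = $Attrbv } }
    $stale   | ForEach-Object { Set-QADUser -Identity $_ -ObjectAttributes @{ $Adattrbute = $null } }
}
```

Save it next to the script and run it plainly to get the report, or with -Fix to apply the corrections. The STALE lines are the ones to look at first: each is a user who still holds the impersonation permission without being in the group, which the incremental script cannot detect because it never compares against the attribute itself, only against its own CSV. Unlike the script, this check keeps no state file, so it can also be used right after the first run to confirm that the seeding worked.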
Regards
Sukhija Vikas
