RSS All Posts

RSS PowerShell Posts

Tags

2142 Active Directory Administrativia Announcements Battlefield Blogging Cricket Deployment Deployment4 Get-PSUGUK Group Policy HowTo Linux MDT MDT 2010 Microsoft Deployment Toolkit MSDN Music Permissions Personal PowerGui Power Lines PowerShell PowerShell Groups PowerShell Support PowerShell Tools PowerShell V2 Presentations PSUGAU Quick Tips Scripting SDDL Security Tech Talk Ubuntu User Groups Virtualisation VMware Infrastructure Client WAIK Weekly Poll Windows 7 Windows Automation Installation Kit Windows Server 2003 Windows Server 2008 XML

Archives

Meta


« | Main | »

Managing group membership in Active Directory with PowerShell (Part 2)

By Adam Bell | February 16, 2007

Carrying on from where we left off yesterday; today I want to look at adding and removing users from groups.

To get us started we’ll bind to the two objects we’re going to be working with:


# Serverless bind to the domain, and define the root DN
$root = [adsi]""
$rootdn = $root.distinguishedName
 
# Bind to our User and Group objects
$user = [adsi]("LDAP://cn=bella, ou=Test OU,"+$root.distinguishedName)
$group = [adsi]("LDAP://cn=Domain Admins, cn=Users,"+$rootdn)

If you have a VBScript/ADSI background then the example below will be familiar. We’ve basically just called the add method against the group object. The important thing to be aware of using this approach is that add method has to be constructed using the ADspath, which is structured by specifying the provider (“LDAP://”) and the distinguishedName of the object we’re adding (user or group).


# The classical VBS/ADSi approach
$group.add("LDAP://"+$user.distinguishedName)
$group.SetInfo()

Alternatively we could use a PowerShell approach:


# PowerShell approach
$members = $group.member
$group.member = $members+$user.distinguishedName
$group.setinfo()

Here we basically retrieve the group members into the $members variable, and then add the full DN of the object we want to include. Then it’s just a case of writing the collection back to our group object.

If you’re making a lot of changes to an objects attributes, you’ll want to make sure that you rebind to the object after a SetInfo() call, otherwise your data will not be up to date, and you wont see the changes that have been made.

When it comes to removing members from a group it can become a little more complex.

So using the classic ADSI approach:


# Classic VBS/ADSI
$group.remove("LDAP://"+$user.distinguishedName)
$group.SetInfo()

That’s not too difficult!

If we look at the PowerShell approach, we would take similar steps as adding to the group, only this time we’ll enumerate through the group membership, and for every membership that isn’t our user account will get added to the $newList variable which we’ll then write back to the attribute when we’ve finished.


# PS - harder
foreach ($member in $group.member)
{
  # As long as it's not our user DN add the existing member
  # to the list of users we're going to add back into the group.
  if ($user.distinguishedname -ne $member)
  {
    $newlist = $newList+$member
  }
}
$group.member = $newlist
$group.SetInfo()

On the flipside if you want to be a little more selective you could do:


# PS - Simple
$group.member = $group.member[0..3]
$group.SetInfo()

This would just put back the first 4 members into the group.

The thing that I find so powerful about PowerShell, apart from the simplicity of doing stuff (when you can work out the right syntax!), is that it is so flexible. We can perform the same actions in this example, two different ways, and as Marc (MOW) pointed out recently, you can also use the .Net framework, so that’s three different ways to perform the task!

Topics: Active Directory, PowerShell | 8 Comments »

8 Responses to “Managing group membership in Active Directory with PowerShell (Part 2)”

  1. Peter {faa780ce-0f0a-4c28-81d2-3667b71287fd} Says:
    February 26th, 2007 at 11:04 pm

    My only question about this is: is the PowerShell way dangerous? With the old way, you know you’re JUST adding a new user. With the new way, it looks like you’re rebuilding the membership collection entirely and saying “make this happen”. Potentially this new way removes everyone from the group, then re-adds them all (plus one).

    Maybe it doesn’t, but maybe it does. I’m too scared to find out (especially in production on an “almost everyone”-type group with over 1000 members).

    Anyway, I agree PowerShell is quite powerful.

  2. Peter {faa780ce-0f0a-4c28-81d2-3667b71287fd} Says:
    February 26th, 2007 at 11:46 pm

    Also I tried implementing your “old way sample” just now, and it looks like the simple $group.add($ldapstring) syntax is busted. I’ve also tried just now using $group.psbase.invoke(“add”,$ldapstring) and I’m out of luck there too.

    Anyway, FYI

  3. AdamBell Says:
    February 27th, 2007 at 4:17 pm

    Hi Peter,

    I agree on the rewriting of the group membership. I wouldn’t do this in a large prod environment for the same fear! You should be able to perform this action using the .Net framework, but I have just been transfering old VBScript code for these examples.

    Interesting that you are experiencing issues with the sample code. I tested all of my examples in a 2003 AD hosted in VMware. Admittedly theres no scale here – replication etc but the code worked fine.

    Have you checked te code for typo’s? If you’re still having problems, email me offline and I’ll send you the code function to test.

    HTH

  4. Peter {faa780ce-0f0a-4c28-81d2-3667b71287fd} Says:
    February 28th, 2007 at 10:04 pm

    Thanks, as with everything AD-related, I understand that There Is Something Up with my domain, and I’ll try this on a VM to see what happens.

  5. Modifying Group Memberships with Powershell, Part II « Just Another Sysadmin Says:
    January 20th, 2008 at 2:33 am

    [...] membership in Exchange 2007 Managing group membership in Active Directory with PowerShell (Part 1) Managing group membership in Active Directory with PowerShell (Part 2) Powershell and ActiveDirectory – Modify-Group-Membership PowerShell script to list user group [...]

  6. Fred Says:
    November 18th, 2008 at 11:22 pm

    forget this crap… just got get the Quest AD tools for PS they are free…. one line management.

    http://www.quest.com/powershell/

  7. Adam Bell Says:
    December 4th, 2008 at 1:05 am

    Fred,

    Unfrotunately, not all environments are able to install third party tools. Also the post was written before Quest had released their tools ….

    I’m a big fan of the Quest AD CmdLets and they make managing AD activities a lot easier.

    There is value in knowing how to do it without these tools though so the crap way still has value. ;)

    Think defence environments for example …..

    Cheers,
    Adam

  8. Ryan Says:
    February 17th, 2009 at 7:19 pm

    You could just use the remove syntax for removing a user from the group:

    $group.remove(“LDAP://$userDN”)

    also Ive been using this in AD 2003 and ive never had to use

    $group.SetInfo()

Comments