janikvonrotz
10/24/2013 - 1:44 PM

PowerShell: Update ActiveDirectory Security Groups #PowerShell #EmbededPost #ActiveDirectory

PowerShell: Update ActiveDirectory Security Groups #PowerShell #EmbededPost #ActiveDirectory

<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2013-03-20T14:18:21.6393172</Date>
    <Author>Janik von Rotz (http://janikvonrotz.ch)</Author>
	<Description>Update Security Groups</Description>
  </RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2013-01-01T02:30:00</StartBoundary>
      <Enabled>true</Enabled>
      <ScheduleByDay>
        <DaysInterval>1</DaysInterval>
      </ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>false</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>P3D</ExecutionTimeLimit>
    <Priority>7</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>$PSapps.PowerShell</Command>
      <Arguments>$(Get-ChildItem -Path $PSscripts.Path -Filter "Update-ADSecurityGroups.ps1" -Recurse).Fullname</Arguments>
      <WorkingDirectory>$PSProfile.Path</WorkingDirectory>
    </Exec>
  </Actions>
</Task>
<#
$Metadata = @{
    Title = "Update ActiveDirectory Security Groups"
    Filename = "Update-ADSecurityGroups.ps1"
    Description = ""
    Tags = "powershell, activedirectory, security, groups, update"
    Project = ""
    Author = "Janik von Rotz"
    AuthorContact = "http://janikvonrotz.ch"
    CreateDate = "2013-10-07"
    LastEditDate = "2014-01-30"
    Url = "https://gist.github.com/7137592"
    Version = "1.1.1"
    License = @'
This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 Switzerland License.
To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/3.0/ch/ or
send a letter to Creative Commons, 444 Castro Street, Suite 900, Mountain View, California, 94041, USA.
'@
}
#>


#--------------------------------------------------#
# modules
#--------------------------------------------------#    
Import-Module ActiveDirectory

$OUConfigs = @(
    @{
        OU = "OU=vblusers2,DC=vbl,DC=ch"
        
        GroupSuffix = " Abteilung"
        GroupMemberPrefix = "F_"

        ParentGroupSuffix = " Abteilungen"
        ParentGroupMemberSuffix = " Abteilung"

        ExcludeOUs = "Extern","ServiceAccounts","Services"
        
        ExcludeADGroups = "F_Mitarbeiter ohne Arbeitsplatz",
            "F_Mitarbeiter mit Arbeitsplatz",
            "F_Verwaltungsrat"
    }
)

$Tasks = @(
    @{
        Name = "F_Mitarbeiter mit Arbeitsplatz"
        Options = @("CleanGroup","UpdateFromGroups","RemoveGroups","ProcessUsers")
        AddGroups = @("vblusers2 Abteilungen")
		RemoveGroups = @("F_Mitarbeiter ohne Arbeitsplatz","F_Service Benutzer","F_Archivierte Benutzer")
    },
    @{
        Name = "F_Mitarbeiter"
        Options = @("CleanGroup","UpdateFromGroups","RemoveGroups","ProcessUsers")
        AddGroups = @("F_Mitarbeiter ohne Arbeitsplatz","F_Mitarbeiter mit Arbeitsplatz")
        RemoveGroups = @("F_Archivierte Benutzer")
    },
    @{
        Name = "F_Service Benutzer"
        Options = @("CleanGroup","UpdateFromOU","RemoveGroups","IncludeDisabledUsers","ProcessUsers")
        AddOU = @("OU=vblusers2,DC=vbl,DC=ch")
		RemoveGroups = @("F_Mitarbeiter","F_Archivierte Benutzer")
    } 
)

$OUConfigs | %{
    $OUConfig = $_
    Get-ADOrganizationalUnit -Filter "*" -SearchBase $_.OU | 
    where{$ThisOU = $_; -not ($OUConfig.ExcludeOUs | where{$ThisOU.DistinguishedName -match $_})} | %{
            
        $OUconfig.OU = $_
            
        $ParentGroupName = ($_.Name + $OUconfig.ParentGroupSuffix)          
        $ParentGroupMembers = Get-ADOrganizationalUnit -Filter * -SearchBase $_.DistinguishedName | %{Get-ADGroup -SearchScope OneLevel -Filter * -SearchBase $_.DistinguishedName | where{$_.Name.EndsWith($OUconfig.ParentGroupMemberSuffix)}} | select -Unique
        $ParentGroup = Get-ADGroup -SearchScope OneLevel -Filter {SamAccountName -eq $ParentGroupName -and GroupCategory -eq "Security"}  -SearchBase $_.DistinguishedName
        
        $GroupName = ($_.Name + $OUconfig.GroupSuffix)
        $GroupMembers = Get-ADGroup -SearchScope OneLevel -Filter * -SearchBase $_.DistinguishedName | where{$_.Name.StartsWith($OUconfig.GroupMemberPrefix) -and ($OUconfig.ExcludeADGroups -notcontains $_.Name)}
        $Group = Get-ADGroup -SearchScope OneLevel -Filter{SamAccountName -eq $GroupName -and GroupCategory -eq "Security"} -SearchBase $_.DistinguishedName
        
        if($ParentGroupMembers -and $ParentGroup){
            
            "Update members in parent group: $($ParentGroup.Name)." | %{$Message += "`n" + $_; Write-Host $_}
            Get-ADGroupMember -Identity $ParentGroup | %{Remove-ADGroupMember -Identity $ParentGroup -Members $_ -Confirm:$false}
            $ParentGroupMembers | %{Add-ADGroupMember -Identity $ParentGroup -Members $_}
                    
        }elseif($ParentGroupMembers -and $ParentGroupMembers.count -gt 1){
        
            "Add parent group: $ParentGroupName." | %{$Message += "`n" + $_; Write-Host $_}
            New-ADGroup -Name $ParentGroupName -SamAccountName $ParentGroupName -GroupCategory Security -GroupScope Global -DisplayName $ParentGroupName -Path $($_.DistinguishedName) -Description "Department group for $($_.Name)"
            $ParentGroupMembers | %{Add-ADGroupMember -Identity $ParentGroupName -Members $_}
        }
        
        if($Group -and $GroupMembers){
            
            #"Update members in group: $($Group.Name)." | %{$Message += "`n" + $_; Write-Host $_}
            $GroupMembersIS = Get-ADGroupMember -Identity $Group | %{"$($_.DistinguishedName)"}
            $GroupMemberTO = $GroupMembers | %{"$($_.DistinguishedName)"}
                                    
            Get-ADGroupMember -Identity $Group | where{(-not $_.Name.StartsWith($OUconfig.GroupMemberPrefix)) -or ($GroupMemberTO -notcontains $_.DistinguishedName)} | %{
                "Remove member: $($_.Name) from group: $($Group.Name)." | %{$Message += "`n" + $_; Write-Host $_}
                Remove-ADGroupMember -Identity $Group -Members $_ -Confirm:$false
            }            
            
            $GroupMembers | where{($GroupMembersIS -notcontains $_.DistinguishedName)} | %{
                "Add member: $($_.Name) to group: $($Group.Name)." | %{$Message += "`n" + $_; Write-Host $_}
                Add-ADGroupMember -Identity $Group -Members $_
            }
                    
        }elseif($GroupMembers){
        
            "Add group: $GroupName." | %{$Message += "`n" + $_; Write-Host $_}
            New-ADGroup -Name $GroupName -SamAccountName $GroupName -GroupCategory Security -GroupScope Global -DisplayName $GroupName -Path $($_.DistinguishedName) -Description "Department group for $($_.Name)"
            $GroupMembers | %{Add-ADGroupMember -Identity $GroupName -Members $_}
        }
    }
}

$Tasks | %{
    
    $ADGroup = Get-ADGroup -Identity $_.Name
    $Options = $_.Options
        
    if($_.Options -match "CleanGroup"){
        
        "Remove members from: $($_.Name)." | %{$Message += "`n" + $_; Write-Host $_}
        Get-ADGroupMember -Identity $ADGroup | %{Remove-ADGroupMember -Identity $ADGroup -Members $_ -Confirm:$false}
    }
    
    if($_.Options -match "UpdateFromOU"){
        
        "Add users from OU: $($_.AddOU) to: $($_.Name)." | %{$Message += "`n" + $_; Write-Host $_}
        $_.AddOU | %{Get-ADUser -Filter * -SearchBase $_ | where{($Options -match "IncludeDisabledUsers") -or ($Options -notmatch "IncludeDisabledUsers" -and $_.Enabled -eq $true)}} | select -Unique | %{Add-ADGroupMember -Identity $ADGroup -Members $_}
    
    } 
    
    if($_.Options -match "UpdateFromGroups"){        
        
        if($_.Options -match "ProcessUsers"){
        
            "Add users from: $($_.AddGroups) to: $($_.Name)." | %{$Message += "`n" + $_; Write-Host $_}
            $_.AddGroups | %{Get-ADGroupMember $_ -Recursive | Get-ADUser | where{($Options -match "IncludeDisabledUsers") -or ($Options -notmatch "IncludeDisabledUsers" -and $_.Enabled -eq $true)}} | select -Unique | %{Add-ADGroupMember -Identity $ADGroup -Members $_}
        
        }else{
        
            "Add groups: $($_.AddGroups) to: $($_.Name)." | %{$Message += "`n" + $_; Write-Host $_}
            $_.AddGroups | %{Add-ADGroupMember -Identity $ADGroup -Members $_}        
        }               
    }   
    
    if($_.Options -match "RemoveGroups"){
    
        if($_.Options -match "ProcessUsers"){
        
            "Remove users from: $($_.RemoveGroups) in: $($_.Name)." | %{$Message += "`n" + $_; Write-Host $_}
            $ADGroupMembers = Get-ADGroupMember -Identity $ADGroup
            $_.RemoveGroups | %{Get-ADGroupMember $_ -Recursive | Get-ADUser | where{($Options -match "IncludeDisabledUsers") -or ($Options -notmatch "IncludeDisabledUsers" -and $_.Enabled -eq $true) -and ($ADGroupMembers -match $_)}} | select -Unique |  %{Remove-ADGroupMember -Identity $ADGroup -Members $_  -Confirm:$false}
            
        }else{
        
            "Remove groups: $($_.RemoveGroups) in: $($_.Name)." | %{$Message += "`n" + $_; Write-Host $_}
            $_.RemoveGroups | %{Remove-ADGroupMember -Identity $ADGroup -Members $_ -Confirm:$false}
        }                  
    }           
}

Write-PPEventLog $($MyInvocation.InvocationName + "`n`n" + $Message ) -Source "Update Security Groups"
Write-PPErrorEventLog -Source "Update Security Groups" -ClearErrorVariable