PowerShell | Be What's Automated .. ™

Manoj Nair's technical blog covering topics such as PowerShell, Exchange Server, Virtualization, Windows Server and related Microsoft technologies

Adding Users to AD Group using Quest PowerShell command-lets


Recently, while working on an Advisory case, one of my clients had the following request:

The customer uses a SharePoint form that end users fill in; the form creates an AD account for the user and places it in a specific Organizational Unit. However, to get access to the SharePoint site, the newly created account must be a member of a specific AD group, which unfortunately the SharePoint form could not do.

So we had to find a way around it, and what could be better than PowerShell here? With the introduction of the Active Directory PowerShell command-lets in Windows Server 2008 R2, I first thought of using the built-in command-lets such as Add-ADGroupMember.

However, there are only 76 command-lets for Active Directory out of the box.

So, to make things easier, I decided to use the Quest PowerShell command-lets. I have always been a great fan of the products shipped out of the Quest factory, as they really simplify complex tasks, especially AD and Exchange migrations.

To keep things simple, let's create a fictitious scenario.

Scenario:-

AlpineSkiHouse (a single domain, single forest named AlpineSkiHouse.com) uses a SharePoint form to create user accounts in Active Directory. Each account is created in an Organizational Unit called Sales. However, for the user to access the SharePoint website, the account must be a member of an AD global security group called SalesGG, and this is something the SharePoint form cannot do. So, per the CEO's requirement, as soon as a user account is created in the Sales OU (via the form), it should be added to the SalesGG group. This is a dynamic-membership requirement that Active Directory does not provide out of the box. (Of course, if it did, there would be no point in writing this post :-) )

So Tom, our PowerShell expert, chips in with a suggestion: why don't we create a PowerShell script and schedule it to run every 5 minutes?

The IT manager, John, looks impressed, and Tom is tasked with creating the PowerShell script. Tom is aware that Quest provides AD PowerShell command-lets that can help him accomplish this goal.

Here is what Tom does:-

He splits the request into two parts.

Task 1

Create a PowerShell snippet that adds to the SalesGG group those users that are in the Sales OU but are not yet members of SalesGG.

Task 2

Create a Basic Task in Task Scheduler to execute the script every 5 minutes.

Pre-Requisites

===============

Install the Quest PowerShell command-lets for Active Directory (freeware) on the domain controller on which you will be executing the script. If you are running this on a Windows Server 2008 R2 DC, install the 64-bit version of the "PowerShell Commands for Active Directory" by Quest.

http://www.quest.com/powershell/activeroles-server.aspx

Open PowerShell as an Administrator (i.e. run PowerShell elevated) and enable script execution by typing the following command:

Set-ExecutionPolicy RemoteSigned

RemoteSigned is all a locally written script needs: it runs scripts created on the machine and only requires a signature on scripts that were downloaded from the Internet. Set-ExecutionPolicy Unrestricted also works, but it lets downloaded scripts run after a warning prompt instead of requiring a signature, so there is no reason to go beyond RemoteSigned here. Either way, the execution policy is a safety catch against accidentally running untrusted scripts, not a security boundary.

Save the following PowerShell snippet (given below) as a .PS1 file and execute it within PowerShell. For example, if the file is saved as Demo.ps1 on the C drive under the Scripts directory, you can run it from the PowerShell prompt by typing its full path, C:\Scripts\Demo.ps1.

PowerShell Code:-
===============

# Load the PowerShell snap-in for Quest
Add-PSSnapin Quest.ActiveRoles.ADManagement
# Users in the Sales OU whose memberOf attribute does not list SalesGG (-SizeLimit 0 lifts the Quest default of 1000 results)
$missing = Get-QADUser -SearchRoot "OU=Sales,DC=alpineskihouse,DC=com" -SizeLimit 0 | Where-Object{!($_.MemberOf -contains "CN=SalesGG,OU=Sales,DC=alpineskihouse,DC=com")} | Select-Object -ExpandProperty DN
# -Member rejects an empty list, so only call Add-QADGroupMember when there is someone to add
if ($missing) { Add-QADGroupMember -Identity SalesGG -Member $missing }

What the command does:-
Adds user accounts to SalesGG that are part of the Sales OU but not part of the SalesGG group.

Tom uses the following approach:

Find all users in the Sales OU who are not a member of the SalesGG global group, then add them to the SalesGG group.

If we take a closer look at the PowerShell snippet, the following line extracts all users from the Sales OU (the -SizeLimit 0 switch is needed because the Quest command-lets return at most 1000 objects by default, which would silently truncate a larger OU):
Get-QADUser -SearchRoot "OU=Sales,DC=alpineskihouse,DC=com" -SizeLimit 0

The Where-Object command-let then tests each user's MemberOf attribute, which holds the distinguished names of the groups the user is a direct member of, for the DN of the SalesGG group:

Where-Object{!($_.MemberOf -contains "CN=SalesGG,OU=Sales,DC=alpineskihouse,DC=com")}

Notice the exclamation mark (!). The ! is the NOT operator in PowerShell, so the filter reads

Not(users who are a member of the SalesGG global group)

Select-Object -ExpandProperty DN then turns the filtered user objects into a plain list of distinguished names for the -Member parameter. This is deliberate: writing (...).DN on the pipeline output only works when exactly one user is returned, because in PowerShell 2.0 an array of users has no DN property, so with two or more users the expression evaluates to null and Add-QADGroupMember fails with "The argument is null or empty".

Finally, the if guard skips the Add-QADGroupMember call when every user is already a member, since -Member does not accept an empty list and a script that runs every 5 minutes will usually find nothing to do.

So let's read the entire code in plain simple English:

Add the following to the SalesGG group (members of the Sales OU which are NOT a member of the SalesGG group)

That's it. Now we have accomplished Task 1 of creating the script.


Task 2

Use Task Scheduler to run the script automatically every 5 minutes. This can be done by creating a Basic Task in Task Scheduler that runs the script (Demo.ps1) at a 5-minute interval. Two details matter here. Task Scheduler does not run .ps1 files directly (the file association would open them in Notepad), so the task's action must launch powershell.exe with the script path as its -File argument. And since the task runs unattended on a domain controller, give it a dedicated service account that has only been delegated the right to modify the membership of SalesGG, rather than an administrator's credentials.
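Here is Task 1 and Task 2 together as one script, added here as an example (it is not the original post's snippet, nor Quest's or Microsoft's sample code). Sync-SalesGG.ps1 computes the missing members by comparing the OU's users against the group's current member list, logs what it adds, supports -WhatIf for a dry run, and registers itself as a 5-minute scheduled task when run once with -Register. The OU, the group name, the log path and the service account ALPINESKIHOUSE\svc-salesgg are assumed names for the scenario.

```powershell
# Sync-SalesGG.ps1
# Added example for the AlpineSkiHouse scenario, not the original post's snippet.
# Assumed names: OU=Sales,DC=alpineskihouse,DC=com, group SalesGG,
# log file C:\Scripts\Sync-SalesGG.log, service account ALPINESKIHOUSE\svc-salesgg.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SearchRoot = "OU=Sales,DC=alpineskihouse,DC=com",
    [string]$Group      = "SalesGG",
    [string]$LogPath    = "C:\Scripts\Sync-SalesGG.log",
    [string]$RunAs      = "ALPINESKIHOUSE\svc-salesgg",
    [switch]$Register
)

if ($Register) {
    # Task 2: schedule this very script every 5 minutes under a dedicated account.
    # schtasks.exe ships with Windows Server 2008 R2; /RP "*" prompts for the password.
    # Task Scheduler cannot run a .ps1 directly, so the action launches powershell.exe.
    $action = 'powershell.exe -NoProfile -NonInteractive -ExecutionPolicy RemoteSigned -File "{0}"' -f $MyInvocation.MyCommand.Path
    schtasks.exe /Create /F /TN "Sync-SalesGG" /SC MINUTE /MO 5 /RU $RunAs /RP "*" /TR $action
    return
}

# Load the Quest snap-in once; Add-PSSnapin errors if it is already loaded.
if (-not (Get-PSSnapin -Name Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction Stop
}

function Write-Log([string]$Message) {
    ("{0:yyyy-MM-dd HH:mm:ss} {1}" -f (Get-Date), $Message) |
        Out-File -FilePath $LogPath -Append -Encoding UTF8
}

# Task 1, step 1: current direct members of the group, keyed by DN. A hashtable
# keeps the per-user check O(1), which matters once an OU holds thousands of accounts.
# -SizeLimit 0 lifts the Quest default of returning at most 1000 objects.
$existing = @{}
Get-QADGroupMember -Identity $Group -SizeLimit 0 |
    ForEach-Object { $existing[$_.DN] = $true }

# Step 2: users under the OU that are not in the group yet. -ExpandProperty yields
# a plain string array; (...).DN on pipeline output is null in PowerShell 2.0 when
# more than one user comes back, which is the failure the comments below describe.
$missing = @(Get-QADUser -SearchRoot $SearchRoot -SizeLimit 0 |
    Where-Object { -not $existing.ContainsKey($_.DN) } |
    Select-Object -ExpandProperty DN)

if ($missing.Count -eq 0) {
    Write-Log "Nothing to do: every user under $SearchRoot is already in $Group"
    return
}

# Step 3: add them. ShouldProcess gives the script a -WhatIf switch for a dry run:
#   .\Sync-SalesGG.ps1 -WhatIf
if ($PSCmdlet.ShouldProcess($Group, "Add $($missing.Count) user(s)")) {
    Add-QADGroupMember -Identity $Group -Member $missing -ErrorAction Stop
    foreach ($dn in $missing) { Write-Log "Added $dn to $Group" }
}
```

Run it once as .\Sync-SalesGG.ps1 -WhatIf to see which accounts it would add, then .\Sync-SalesGG.ps1 -Register from an elevated prompt to create the task. The account named in -RunAs needs only the "Write Members" permission on SalesGG (granted through the Delegation of Control wizard or the group's Security tab), far less than the rights of the administrator who installed the snap-in, so a compromise of that account or of the script file cannot be turned into control of other groups. Comparing against Get-QADGroupMember rather than each user's MemberOf attribute also means the script does not have to know the group's distinguished name, so moving SalesGG to another OU does not break it.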

I agree, not the optimal way of accomplishing it, but it does do the trick. We could leverage Forefront Identity Manager to give SalesGG a dynamic membership, but that would be a pretty costly affair for AlpineSkiHouse.

If you are interested in learning more about PowerShell, do take a look at the Microsoft Official Course 10325A (http://www.microsoft.com/learning/en/us/Course.aspx?ID=10325a)
 

Wishing all my readers a Happy and Prosperous New Year in advance :-)

Comments
  • Hi, I tried your script. It works for only a single user; if I have multiple users within an OU it does not work.

  • Hi Jonathan,

    I have checked and verified. It works as expected, can you send me more details so that I can take a look at the issue.

    Regards,

    Manoj

  • Hi, that's exactly what I was looking for, and it actually did work for me... once. Another attempt ends in an error:

    Add-QADGroupMember : Cannot validate argument on parameter 'Member'. The argument is null or empty. Supply an argument that is not null or empty and then try the command again.

    Could you help me with this, please?

  • PowerShell is outputting the following error after it runs through all 7000 users in my OU. What is it failing on? The .DN at the end of the command?

    Property 'DN' cannot be found on this object. Make sure that it exists.

    At C:\Scripts\Add2StudentWLAN-Complex.ps1:3 char:1

    + Add-QADGroupMember -Identity StudentWLAN -Member (Get-QADUser -SearchRoot "OU=St ...

    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

       + CategoryInfo          : NotSpecified: (:) [], PropertyNotFoundException

       + FullyQualifiedErrorId : PropertyNotFoundStrict
