Loop problem: script does not add the correct members to the groups

Problem description

OK, the code first:

import-module activedirectory

. "C:\Users\ben\Documents\Get-Directreport.ps1"

$ou = "ou=test,ou=Litmos,ou=Resources,ou=Groups,ou=company,dc=domain,dc=net"

$creds = "domain.net\ben"
$server = "dc01.domain.net"

$managers = get-adGroupMember -identity "CN=All Managers,OU=Organizational,OU=Groups,OU=company,DC=domain,DC=net" | select name,samaccountname
$name = $managers.name

$ReportsTo = Get-adgroup -searchbase $ou -filter "Name -like 'Report to *'" | where {$_.name -replace 'Report to ' -in $name} | select name,samaccountname
$Reports = $reportsto.name

$underlings = Get-Directreport $name | select samaccountname

Foreach ($manager in $name) {
    if ($manager -notin ($reports -replace 'Report to '))
    { new-adgroup -name "Report to $manager" -groupscope global -path $ou }
}

ForEach ($report in $reports) {
    #Get-Directreport $name | select samaccountname
    {add-adgroupmember -identity $report -members $underlings.samaccountname}
}

So the script correctly creates the 'Report to $name' groups, and it is adding members, but all 300 groups it creates end up with the same set of members. I tried putting the $underlings line inside the last loop, but that resulted in no members at all. I'm fairly sure that line is the culprit, but I can't work it out.

Thanks!

Edit

First, apologies for what I left out originally. I guess that's what I get for rushing at the end of the day. Anyway, this code is trying to create a series of new AD security groups, named "Report to x". It creates them by iterating over the members of the "All Managers" group; the x variable is the Name value of each All Managers member. Then I try to populate those groups with the corresponding users. That is where it fails. The line Get-Directreport $name | select samaccountname does return what it should. I can run the whole line containing $underlings in the terminal and it returns correctly. I agree with Colyn1337 that it is that line. I'm not sure how to make it iterate.

Solution

So, after spending some time with the script, I've made some changes and added inline comments. Take a look:

import-module activedirectory

. "C:\Users\ben\Documents\Get-Directreport.ps1"

$ou = "ou=test,ou=Litmos,ou=Resources,ou=Groups,ou=company,dc=domain,dc=net"

$creds = "domain.net\ben"
$server = "dc01.domain.net"

$managers = get-adGroupMember -identity "CN=All Managers,OU=Organizational,OU=Groups,OU=company,DC=domain,DC=net" |
    Select-Object name,samaccountname

# remove this and just use $managers.name.  No need to create this.
## $name = $managers.name

# Groups whose name is like "Report to <managerName>"
$ReportsTo = Get-adgroup -searchbase $ou -filter "Name -like 'Report to *'" |
    Where-Object { ($_.name -replace 'Report to ') -in $managers.name } |
    Select-Object name,samaccountname

# Same as before.  No need for the $Reports array.  Just use $ReportsTo.Name where needed
## $Reports = $reportsto.name  # AD group names like "Report to <manager>"


# List of users for all managers?  Does Get-Directreport take an array of managers or does it expect only 1 manager?
# If sending multiple managers did work, which it sounds like it doesn't, you would have one array of all direct reports
# for all managers in $name, and every group would receive that same array.  This belongs inside the foreach ($manager ...) loop
## $underlings = Get-Directreport $name | Select-Object samaccountname

Foreach ($manager in $managers.Name) {
    # Create the missing "Report to <manager>" group
    if ($manager -notin ($ReportsTo.Name -replace 'Report to ')) {
        new-adgroup -name "Report to $manager" -groupscope global -path $ou
    }

    # Get this manager's direct reports (one call per manager, inside the loop)
    $underlings = Get-Directreport $manager | Select-Object samaccountname

    # Look the manager's "Report to <manager>" group up again so a group created just above is found too
    $managerReportToGroup = Get-ADGroup -SearchBase $ou -Filter "Name -eq 'Report to $manager'"
    if ($managerReportToGroup) {
        # Add-ADGroupMember rejects an empty -Members list, so skip managers without reports
        if ($underlings) {
            Add-ADGroupMember -identity $managerReportToGroup -members $underlings.samaccountname
        }
    } else {
        Write-Warning "Could not locate group for $manager"
    }
}

# Original final loop: for each "Report to <managerName>" group, add the direct reports returned by Get-Directreport.
# $reports would not contain any groups newly created by the previous loop; Get-AdGroup would have to be called again.
# Also, the braces around add-adgroupmember make it a script block that is never invoked.
# Recommend moving this into the $manager loop, as done above
## ForEach ($report in $reports) {
##     #Get-Directreport $name | select samaccountname
##     { add-adgroupmember -identity $report -members $underlings.samaccountname }
## }
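The following is an added example, not the code of the poster or the answerer. It takes the answer's point (compute the direct reports inside the per-manager loop, and re-query the group after creating it) one step further: each "Report to <manager>" group is reconciled against the manager's current direct reports, so members who no longer report to that manager are removed rather than accumulating, and the whole run can be previewed with -WhatIf. It assumes the ActiveDirectory module, that "All Managers" contains user accounts, and that a manager's direct reports are the users whose AD manager attribute points at them (the directReports back-link); the poster's Get-Directreport.ps1 is not on the page, so that attribute stands in for it. The function name Sync-ReportToGroup is this example's own.

```powershell
# Added example (not the question's or the answer's code). Assumes the ActiveDirectory
# module and that a manager's direct reports are exposed by the directReports attribute.
Import-Module ActiveDirectory

$ou         = "ou=test,ou=Litmos,ou=Resources,ou=Groups,ou=company,dc=domain,dc=net"
$managersDn = "CN=All Managers,OU=Organizational,OU=Groups,OU=company,DC=domain,DC=net"

function Sync-ReportToGroup {
    # Reconcile one manager's "Report to <manager>" group: create it if missing,
    # add direct reports that are not yet members, remove members who no longer
    # report to this manager. Everything runs inside the per-manager call, so each
    # group gets its own member set instead of one shared $underlings list.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] $Manager,          # ADPrincipal from Get-ADGroupMember
        [Parameter(Mandatory)] [string] $Path     # OU that holds the "Report to" groups
    )

    $groupName = "Report to $($Manager.Name)"

    # Match the name on the client side: a display name containing quotes would
    # otherwise be interpolated into the -Filter string unescaped.
    $group = Get-ADGroup -SearchBase $Path -Filter * |
        Where-Object { $_.Name -eq $groupName } |
        Select-Object -First 1

    if (-not $group) {
        if ($PSCmdlet.ShouldProcess($groupName, "Create group")) {
            $group = New-ADGroup -Name $groupName -GroupScope Global -Path $Path -PassThru
        } else {
            # Under -WhatIf there is no group to reconcile against yet
            return [pscustomobject]@{ Group = $groupName; Added = 0; Removed = 0 }
        }
    }

    # Desired members: this manager's direct reports, as distinguished names
    # (assumption: the directReports back-link replaces Get-Directreport.ps1).
    $desired = @((Get-ADUser -Identity $Manager.DistinguishedName -Properties directReports).directReports)

    # Current members of this specific group, queried per manager
    $current = @(Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty DistinguishedName)

    $toAdd    = @($desired | Where-Object { $_ -notin $current })
    $toRemove = @($current | Where-Object { $_ -notin $desired })

    if ($toAdd.Count -gt 0 -and $PSCmdlet.ShouldProcess($groupName, "Add $($toAdd.Count) member(s)")) {
        Add-ADGroupMember -Identity $group -Members $toAdd
    }
    if ($toRemove.Count -gt 0 -and $PSCmdlet.ShouldProcess($groupName, "Remove $($toRemove.Count) stale member(s)")) {
        Remove-ADGroupMember -Identity $group -Members $toRemove -Confirm:$false
    }

    [pscustomobject]@{ Group = $groupName; Added = $toAdd.Count; Removed = $toRemove.Count }
}

# Only user objects: a nested group inside "All Managers" has no direct reports.
$managers = Get-ADGroupMember -Identity $managersDn | Where-Object { $_.objectClass -eq 'user' }

# Add -WhatIf to the call to see the planned changes without touching AD.
$managers | ForEach-Object { Sync-ReportToGroup -Manager $_ -Path $ou } | Format-Table -AutoSize
```

Run it once with `Sync-ReportToGroup -Manager $_ -Path $ou -WhatIf` in the final pipeline to review the adds and removals before applying them; the per-group summary objects make it easy to spot a manager whose directReports attribute is empty or unexpectedly large before any membership changes are written.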