问题描述
我正在使用PowerShell脚本来批量修改用户,但是我碰到了其中的特定部分。
当前,我组织中有一系列以“ RIS_”开头的组-经常添加和删除新组,因此我的想法是创建一个脚本,该脚本可以检查.csv中列出的每个用户(参考= $ Username )以查看它们是否属于以“ RIS_”开头的组。
例如,基本组是“ RIS_ReadOnly”,它授予对组织内使用的应用程序的基本访问权限。其他组代表具有不同权限的各种访问级别,但是成为多个组的成员将始终强制使用最低权限。这是我无法控制的事情,因此我无法推动更改工作方式。
脚本本身是从.csv文件中提取的-整个部分都已排序并可以正常工作。
用户一次只能是这些组之一的成员,而我们通常的过程涉及将它们添加到基本ReadOnly组中。但是,这没有考虑返回工作的现有用户,这些用户可能具有较高的访问权限,因此在添加到ReadOnly组时将失去访问权限。由于来来往往的人员数量,我们无法实际检查每个帐户的现有成员身份,因此无法执行脚本。
此命令需要检查用户是否是以“ RIS_”开头的组的成员。如果用户不在组中,则它将被添加到.csv中指定的组中(参考= $ RIS)。如果用户在一个组中,则它将编写一条消息并继续进行代码的下一阶段,而无需将其添加到任何内容中。
我在网上找到的所有内容都指向首先获取群组并列出成员,但是由于群组数量会随着时间变化,并且每个群组中都有大量用户,因此这是行不通的组。有什么方法可以使用“ IF”语句来设置它?我已经尝试了多种方法来执行此操作,但是该脚本要么根本不添加任何内容,要么不添加任何组。
这是我目前所拥有的,但显然无法正常工作。有提示吗?
If ( ($User.MemberOf -like "RIS_" ) )
{
write-verbose "User is already a member of a RIS group"
else
Add-ADGroupMember -Identity "$RIS" -Members $Username
}
下面是完整的脚本(请原谅新手的混乱)
CLS
# Import active directory module for running AD cmdlets
Import-Module activedirectory
#Store the data from Adamend.csv in the $ADUsers variable
$ADUsers = Import-csv "\\nuth-it01\workstore\Service Desk\Account Admin Scripts\02 - Amend\01 User - Generic\Adamend.csv"
#Loop through each row containing user details in the CSV file
foreach ($User in $ADUsers)
{
#Read user data from each field in each row and assign the data to a variable as below
$Username = $User.username
$Password = $User.password
$Firstname = $User.firstname
$Lastname = $User.lastname
$employeeID = $User.EmployeeID
$email = $User.email
$jobtitle = $User.jobtitle
$department = $User.department
$dob = $User.dob
$INC = $User.INC # INC Identifier - can contain additonal text if account was reactivated/amended
$GMSN = $User.GMSN # Identifier for GMC and Student Number
$HomeDrive = $User.Homedrive # Identifier for Home Drive Group
$AUF = $User.AUF # Identifier for AUD Form completion (Y/N - default "N")
$AddGrp1 = $User.AddGrp1 # Catchall for additional groups if requested (Can be left blank)
$AddGrp2 = $User.AddGrp2 # Catchall for additional groups if requested (Can be left blank)
$AddGrp3 = $User.AddGrp3 # Catchall for additional groups if requested (Can be left blank)
$eRescue = $User.Erescue # eRescue-AHCare / eRescue-RegNurse / eRescue-SenMedic / eRescue-Medic
$RIS = $User.RIS # RIS_ReadOnly / RIS_Radiologists / RIS_Radiographers / RIS_Secretaries / RIS_Nurse
$PACS = $User.PACS # PACS_Clinicians / PACS_Radiologists / PACS_Radiographers / PACS_Secretaries
# Following code adds user to "Xenapp Erecord Downtime" group and enables account. This may return errors if the user is already a member or the account isn't disabled but they can be ignored
Add-ADGroupMember -Identity "Xenapp Erecord Downtime" -Members $Username
Remove-ADGroupMember -Identity "disabled_Users" -Members $Username -Confirm:$False
Enable-ADAccount -Identity $Username
Clear-ADAccountExpiration -Identity $Username
# Adds the INC into the telephone notes - if this field is blank (it shouldn't be) then nothing will be changed.
$i = Get-ADUser $Username -Properties info | %{ $_.info}
Set-ADUser $Username -Replace @{info="$($i) `r`n $INC"}
# This next set of code identifies if a cell is left blank in the input sheet,and ignores it if this is the case (prevents wiping pre-existing fields)
# NOTE: If input sheet is modified,this code will need to be modified too
If(-not [string]::IsNullOrWhiteSpace($User.dob) )
{
Set-ADUser -Identity $Username -Replace @{extensionAttribute10="$dob"} # Add dob
}
If(-not [string]::IsNullOrWhiteSpace($User.password) )
{
Set-ADAccountPassword -Identity $Username -Reset -NewPassword (ConvertTo-securestring -AsPlainText "$Password" -Force) # changes password to specified string - if left blank will not change password
Set-ADUser -Identity $Username -ChangePasswordAtlogon $True # Forces password change at logon - if password field is left blank this will be ignored
}
If(-not [string]::IsNullOrWhiteSpace($User.firstname) )
{
Set-ADUser -Identity $Username -Givenname $Firstname
}
If(-not [string]::IsNullOrWhiteSpace($User.lastname) )
{
Set-ADUser -Identity $Username -Surname $Lastname
}
If(-not [string]::IsNullOrWhiteSpace($User.EmployeeID) )
{
Set-ADUser -Identity $Username -EmployeeID $EmployeeID
}
If(-not [string]::IsNullOrWhiteSpace($User.Jobtitle) )
{
Set-ADUser -Identity $Username -Description $jobtitle
}
If(-not [string]::IsNullOrWhiteSpace($User.Department) )
{
Set-ADUser -Identity $Username -Office $department
}
If(-not [string]::IsNullOrWhiteSpace($User.GMSN) )
{
Set-ADUser -Identity $Username -Replace @{extensionAttribute14="$GMSN"} # Add GMC or Student Number
}
If(-not [string]::IsNullOrWhiteSpace($User.AUF) )
{
Set-ADUser -Identity $Username -Replace @{extensionAttribute1="$AUF"} # Has AUF form been signed?
}
If(-not [string]::IsNullOrWhiteSpace($User.Email) )
{
Set-ADUser -Identity $Username -EmailAddress $email
}
If(-not [string]::IsNullOrWhiteSpace($User.HomeDrive) )
{
Add-ADGroupMember -Identity "$HomeDrive" -Members $Username # Adds user to homedrive
}
If(-not [string]::IsNullOrWhiteSpace($User.AddGrp1) )
{
Add-ADGroupMember -Identity "$AddGrp1" -Members $Username
}
If(-not [string]::IsNullOrWhiteSpace($User.AddGrp2) )
{
Add-ADGroupMember -Identity "$AddGrp2" -Members $Username
}
If(-not [string]::IsNullOrWhiteSpace($User.AddGrp3) )
{
Add-ADGroupMember -Identity "$AddGrp3" -Members $Username
}
If(-not [string]::IsNullOrWhiteSpace($User.eRescue) )
{
Add-ADGroupMember -Identity "$eRescue" -Members $Username
}
If ( ($User.MemberOf -like "RIS_*" ) )
{
write-verbose "User is already a member of a RIS group"
else
Add-ADGroupMember -Identity "$RIS" -Members $Username
}
If(-not [string]::IsNullOrWhiteSpace($User.PACS) )
{
Add-ADGroupMember -Identity "$PACS" -Members $Username
}
Write-Warning "$Username Amended"
}
我还在下面附上了输入csv的屏幕截图:
解决方法
如果要检查用户是否已经是该组的成员,可以尝试直接在Active Directory中检查用户,如下所示:
if ((Get-ADUser $Username -Properties *).memberof | Where-Object {$_ -like 'CN=RIS_*'})
{
write-verbose "User is already a member of a RIS group"
}
else
{
Add-ADGroupMember -Identity $RIS -Members $Username
}