none
Assistance with "moving" AD group membership RRS feed

  • Question

  • So I am using a .csv that has 2 columns. The first column is called SourceGroup and the second is DestinationGroup. I am trying to use the csv to get the members of the source groups and add them to the destination. My company use Active Roles, so the cmdlets are slightly different in that we use Add-QADGroupMember for example. When I run the script I don't see any error messages, but it isn't adding them to the group or removing from the old one. My IT lead thinks it could be because of nested group memberships. Is there a way to have the script ignore nesting groups? Here is the script I am using. The logs show error that they are already a member of the group, but they are not. 

     clear
    $admin = read-host "Enter username(domain\username)"
    $pw = read-host "Enter password" -AsSecureString
    
    $LogFile = "H:\ticketstuff\success.txt"
    $LogFile2 = "H:\ticketstuff\failed.txt"
    
    connect-qadService -ConnectionAccount $admin -ConnectionPassword $pw
    
    $list = import-csv “H:\ticketstuff\listtest.csv"
    
    
    foreach( $Group in $List ){
        $Members = Get-qadGroupMember $Group.SourceGroup | select UserPrincipalName
        $Member = $Members.UserPrincipalName 
        $S = Get-QADGroup $Group.SourceGroup | Select-Object -ExpandProperty name
        $D = Get-QADGroup $Group.DestinationGroup | Select-Object -ExpandProperty name
        foreach ($User in $Member){
        Try
            {
            add-qadgroupmember -identity $Group.DestinationGroup -member $User -ErrorAction Stop
            "User $User added to group $S" | Add-Content -Path $LogFile
            remove-qadgroupmember -identity $Group.SourceGroup -member $User
            "User $User removed from group $D" | Add-Content -Path $LogFile
            }
        catch
              {
    	        "Error $User already in group $D" | Add-Content -Path $LogFile2
              }
         }
    }
      
    Disconnect-QADService 

    • Moved by Bill_Stewart Tuesday, July 31, 2018 3:02 PM This is not third-party support forum
    Friday, June 22, 2018 2:23 PM

All replies

  • Where{$_.objectClass -eq 'User'}

    will restrict results to only users.


    \_(ツ)_/

    Friday, June 22, 2018 2:29 PM
  • I tried using 

            add-qadgroupmember -identity $Group.DestinationGroup -member $User | Where{$_.objectClass -eq 'User'} -ErrorAction Stop
            "User $User added to group $S" | Add-Content -Path $LogFile
            remove-qadgroupmember -identity $Group.SourceGroup -member $User | Where{$_.objectClass -eq 'User'}
            "User $User removed from group $D" | Add-Content -Path $LogFile
    
    They still fail. If I look at the groups properties, I can tick a box for showing indirect members. After that they show as a member. However if I do it manually I can still add them to the group. I think it is a problem that the script is reading indirect members as well and the stopping because if shows they are a member.

    Friday, June 22, 2018 2:42 PM
  • Since you are using Quest you need to post in the Quest forum.  You would be better off using the AD CmdLets.

    \_(ツ)_/

    Friday, June 22, 2018 2:56 PM