1

我正在编写一个 PowerShell 脚本来批量修改用户,但我遇到了一个包含特定部分的墙。

目前我的组织中有一系列以“RIS_”开头的组 - 经常添加和删除新组,因此我的想法是创建一个脚本,可以检查 .csv(参考 = $Username)中列出的每个用户以查看如果它们属于以“RIS_”开头的组。

例如,基本组是“RIS_ReadOnly”,它授予对我们组织内使用的应用程序的基本访问权限。其他组代表具有不同权限的各种访问级别,但作为多个组的成员将始终强制最低权限。这是我无法控制的事情,所以我无法推动改变工作方式。

脚本本身从 .csv 文件中提取 - 整个部分已排序并正常工作。

用户一次只能是这些组之一的成员,我们通常的过程包括将它们添加到基本的 ReadOnly 组。但是,这并没有考虑到正在返回工作岗位的现有用户,这些用户可能具有提升的访问权限,因此在添加到 ReadOnly 组时将失去访问权限。由于来来往往的员工数量,我们无法实际检查每个帐户的现有会员资格,因此脚本。

此命令需要检查用户是否是以“RIS_”开头的组的成员。如果用户不在组中,则将其添加到 .csv 中指定的组(参考 = $RIS)。如果用户在一个组中,那么它将编写一条消息并继续代码的下一个阶段,而不将它们添加到任何内容中。

我在网上找到的所有内容都指向首先获取组本身并列出成员,但这不起作用,因为组的数量会随着时间的推移而变化,并且每个组中都有大量的用户。有没有办法用“IF”语句来设置它?我已经尝试了多种方法,但是脚本要么根本不添加任何东西,要么无论如何都添加了组。

这是我目前所拥有的,但显然它不起作用。有小费吗?

If ( ($User.MemberOf -like "RIS_" ) )
{
write-verbose "User is already a member of a RIS group" 
else
Add-ADGroupMember -Identity "$RIS" -Members $Username
}

以下是完整的脚本(请原谅新手的混乱)

CLS


# Import active directory module for running AD cmdlets

Import-Module activedirectory
  

#Store the data from ADAmend.csv in the $ADUsers variable

$ADUsers = Import-csv "\\nuth-it01\workstore\Service Desk\Account Admin Scripts\02 - Amend\01 User - Generic\ADAmend.csv"


#Loop through each row containing user details in the CSV file 

foreach ($User in $ADUsers)
{

    #Read user data from each field in each row and assign the data to a variable as below
        
    $Username   = $User.username
    $Password   = $User.password
    $Firstname  = $User.firstname
    $Lastname   = $User.lastname
    $employeeID = $User.EmployeeID
    $email      = $User.email
    $jobtitle   = $User.jobtitle
    $department = $User.department
    $DOB = $User.DOB
    $INC = $User.INC # INC Identifier - can contain additonal text if account was reactivated/amended
    $GMSN = $User.GMSN # Identifier for GMC and Student Number
    $HomeDrive = $User.Homedrive # Identifier for Home Drive Group
    $AUF = $User.AUF # Identifier for AUD Form completion (Y/N - default "N")
    $AddGrp1 = $User.AddGrp1 # Catchall for additional groups if requested (Can be left blank)
    $AddGrp2 = $User.AddGrp2 # Catchall for additional groups if requested (Can be left blank)
    $AddGrp3 = $User.AddGrp3 # Catchall for additional groups if requested (Can be left blank)
    $eRescue = $User.Erescue # eRescue-AHCare / eRescue-RegNurse / eRescue-SenMedic / eRescue-Medic
    $RIS = $User.RIS # RIS_ReadOnly / RIS_Radiologists / RIS_Radiographers / RIS_Secretaries / RIS_Nurse
    $PACS = $User.PACS # PACS_Clinicians / PACS_Radiologists / PACS_Radiographers / PACS_Secretaries

# Following code adds user to "Xenapp Erecord Downtime" group and enables account. This may return errors if the user is already a member or the account isn't disabled but they can be ignored

Add-ADGroupMember -Identity "Xenapp Erecord Downtime" -Members $Username
Remove-ADGroupMember -Identity "Disabled_Users" -Members $Username -Confirm:$False
Enable-ADAccount -Identity $Username
Clear-ADAccountExpiration -Identity $Username


# Adds the INC into the telephone notes - if this field is blank (it shouldn't be) then nothing will be changed.

$i = Get-ADUser $Username -Properties info | %{ $_.info}  
Set-ADUser $Username -Replace @{info="$($i) `r`n $INC"}


# This next set of code identifies if a cell is left blank in the input sheet, and ignores it if this is the case (prevents wiping pre-existing fields)

# NOTE: If input sheet is modified, this code will need to be modified too

If(-not [string]::IsNullOrWhiteSpace($User.DOB) )
{
Set-ADUser -Identity $Username -Replace @{extensionAttribute10="$DOB"} # Add DOB
}

If(-not [string]::IsNullOrWhiteSpace($User.password) )
{
Set-ADAccountPassword -Identity $Username -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "$Password" -Force)  # changes password to specified string - if left blank will not change password
Set-ADUser -Identity $Username -ChangePasswordAtLogon $True # Forces password change at logon - if password field is left blank this will be ignored
}

If(-not [string]::IsNullOrWhiteSpace($User.firstname) ) 
{
Set-ADUser -Identity $Username -GivenName $Firstname
}

If(-not [string]::IsNullOrWhiteSpace($User.lastname) ) 
{
Set-ADUser -Identity $Username -Surname $Lastname
}



If(-not [string]::IsNullOrWhiteSpace($User.EmployeeID) )
{
Set-ADUser -Identity $Username -EmployeeID $EmployeeID
}

If(-not [string]::IsNullOrWhiteSpace($User.Jobtitle) )
{
Set-ADUser -Identity $Username -Description $jobtitle
}

If(-not [string]::IsNullOrWhiteSpace($User.Department) )
{
Set-ADUser -Identity $Username -Office $department
}

If(-not [string]::IsNullOrWhiteSpace($User.GMSN) )
{
Set-ADUser -Identity $Username -Replace @{extensionAttribute14="$GMSN"} # Add GMC or Student Number
}

If(-not [string]::IsNullOrWhiteSpace($User.AUF) )
{
Set-ADUser -Identity $Username -Replace @{extensionAttribute1="$AUF"} # Has AUF form been signed?
}

If(-not [string]::IsNullOrWhiteSpace($User.Email) )
{
Set-ADUser -Identity $Username -EmailAddress $email
}

If(-not [string]::IsNullOrWhiteSpace($User.HomeDrive) )
{
Add-ADGroupMember -Identity "$HomeDrive" -Members $Username # Adds user to homedrive
}

If(-not [string]::IsNullOrWhiteSpace($User.AddGrp1) )
{
Add-ADGroupMember -Identity "$AddGrp1" -Members $Username
}

If(-not [string]::IsNullOrWhiteSpace($User.AddGrp2) )
{
Add-ADGroupMember -Identity "$AddGrp2" -Members $Username
}

If(-not [string]::IsNullOrWhiteSpace($User.AddGrp3) )
{
Add-ADGroupMember -Identity "$AddGrp3" -Members $Username
}

If(-not [string]::IsNullOrWhiteSpace($User.eRescue) )
{
Add-ADGroupMember -Identity "$eRescue" -Members $Username
}


If ( ($User.MemberOf -like "RIS_*" ) )
{
write-verbose "User is already a member of a RIS group" 
else

Add-ADGroupMember -Identity "$RIS" -Members $Username
}

If(-not [string]::IsNullOrWhiteSpace($User.PACS) )
{
Add-ADGroupMember -Identity "$PACS" -Members $Username
}

    Write-Warning "$Username Amended"

}

我还附上了下面输入 csv 的屏幕截图:

ADAmend.csv

4

1 回答 1

0

如果您想检查用户是否已经是该组的成员,您可以尝试直接在 Active Directory 中检查用户,如下所示:

if ((Get-ADUser $Username -Properties *).memberof | Where-Object {$_ -like 'CN=RIS_*'})
{
    write-verbose "User is already a member of a RIS group" 
}
else
{
    Add-ADGroupMember -Identity $RIS -Members $Username
}
于 2020-09-03T06:20:59.593 回答