I'm writing a PowerShell script to amend users in bulk, but I've hit a wall with one particular section.
Currently my organisation has a range of groups starting with "RIS_" - new groups are added and removed regularly, so my idea was to create a script that can check each user listed in the .csv (reference = $Username) to see whether they belong to a group starting with "RIS_".
For example, the base group is "RIS_ReadOnly", which grants basic access to an application used within our organisation. The other groups represent various access levels with different permissions, but being a member of multiple groups will always enforce the lowest privilege. This is something outside my control, so I can't push for a change to how it works.
The script itself pulls from a .csv file - that whole part is sorted and working fine.
A user can only be a member of one of these groups at a time, and our usual process involves adding them to the basic ReadOnly group. However, this doesn't account for existing users returning to work who may have elevated access and would therefore lose that access when added to the ReadOnly group. Because of the number of staff coming and going, we can't practically check each account's existing memberships, hence the script.
This command needs to check whether the user is a member of a group starting with "RIS_". If the user is not in a group, add them to the group specified in the .csv (reference = $RIS). If the user is in a group, then it writes a message and moves on to the next stage of the code without adding them to anything.
Everything I've found online points to getting the group itself first and listing its members, but that won't work because the number of groups changes over time and each group has a large number of users. Is there a way to set this up with an "IF" statement? I've tried multiple approaches, but the script either doesn't add anything at all or adds the group regardless.
This is what I currently have, but obviously it doesn't work. Any tips?
If ( ($User.MemberOf -like "RIS_" ) )
{
write-verbose "User is already a member of a RIS group"
else
Add-ADGroupMember -Identity "$RIS" -Members $Username
}
Below is the full script (please excuse the newbie mess)
CLS
# Import active directory module for running AD cmdlets
Import-Module activedirectory
#Store the data from ADAmend.csv in the $ADUsers variable
$ADUsers = Import-csv "\\nuth-it01\workstore\Service Desk\Account Admin Scripts\02 - Amend\01 User - Generic\ADAmend.csv"
#Loop through each row containing user details in the CSV file
foreach ($User in $ADUsers)
{
#Read user data from each field in each row and assign the data to a variable as below
$Username = $User.username
$Password = $User.password
$Firstname = $User.firstname
$Lastname = $User.lastname
$employeeID = $User.EmployeeID
$email = $User.email
$jobtitle = $User.jobtitle
$department = $User.department
$DOB = $User.DOB
$INC = $User.INC # INC Identifier - can contain additional text if account was reactivated/amended
$GMSN = $User.GMSN # Identifier for GMC and Student Number
$HomeDrive = $User.Homedrive # Identifier for Home Drive Group
$AUF = $User.AUF # Identifier for AUD Form completion (Y/N - default "N")
$AddGrp1 = $User.AddGrp1 # Catchall for additional groups if requested (Can be left blank)
$AddGrp2 = $User.AddGrp2 # Catchall for additional groups if requested (Can be left blank)
$AddGrp3 = $User.AddGrp3 # Catchall for additional groups if requested (Can be left blank)
$eRescue = $User.Erescue # eRescue-AHCare / eRescue-RegNurse / eRescue-SenMedic / eRescue-Medic
$RIS = $User.RIS # RIS_ReadOnly / RIS_Radiologists / RIS_Radiographers / RIS_Secretaries / RIS_Nurse
$PACS = $User.PACS # PACS_Clinicians / PACS_Radiologists / PACS_Radiographers / PACS_Secretaries
# Following code adds user to "Xenapp Erecord Downtime" group and enables account. This may return errors if the user is already a member or the account isn't disabled but they can be ignored
Add-ADGroupMember -Identity "Xenapp Erecord Downtime" -Members $Username
Remove-ADGroupMember -Identity "Disabled_Users" -Members $Username -Confirm:$False
Enable-ADAccount -Identity $Username
Clear-ADAccountExpiration -Identity $Username
# Adds the INC into the telephone notes - if this field is blank (it shouldn't be) then nothing will be changed.
$i = Get-ADUser $Username -Properties info | %{ $_.info}
Set-ADUser $Username -Replace @{info="$($i) `r`n $INC"}
# This next set of code identifies if a cell is left blank in the input sheet, and ignores it if this is the case (prevents wiping pre-existing fields)
# NOTE: If input sheet is modified, this code will need to be modified too
If(-not [string]::IsNullOrWhiteSpace($User.DOB) )
{
Set-ADUser -Identity $Username -Replace @{extensionAttribute10="$DOB"} # Add DOB
}
If(-not [string]::IsNullOrWhiteSpace($User.password) )
{
Set-ADAccountPassword -Identity $Username -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "$Password" -Force) # changes password to specified string - if left blank will not change password
Set-ADUser -Identity $Username -ChangePasswordAtLogon $True # Forces password change at logon - if password field is left blank this will be ignored
}
If(-not [string]::IsNullOrWhiteSpace($User.firstname) )
{
Set-ADUser -Identity $Username -GivenName $Firstname
}
If(-not [string]::IsNullOrWhiteSpace($User.lastname) )
{
Set-ADUser -Identity $Username -Surname $Lastname
}
If(-not [string]::IsNullOrWhiteSpace($User.EmployeeID) )
{
Set-ADUser -Identity $Username -EmployeeID $EmployeeID
}
If(-not [string]::IsNullOrWhiteSpace($User.Jobtitle) )
{
Set-ADUser -Identity $Username -Description $jobtitle
}
If(-not [string]::IsNullOrWhiteSpace($User.Department) )
{
Set-ADUser -Identity $Username -Office $department
}
If(-not [string]::IsNullOrWhiteSpace($User.GMSN) )
{
Set-ADUser -Identity $Username -Replace @{extensionAttribute14="$GMSN"} # Add GMC or Student Number
}
If(-not [string]::IsNullOrWhiteSpace($User.AUF) )
{
Set-ADUser -Identity $Username -Replace @{extensionAttribute1="$AUF"} # Has AUF form been signed?
}
If(-not [string]::IsNullOrWhiteSpace($User.Email) )
{
Set-ADUser -Identity $Username -EmailAddress $email
}
If(-not [string]::IsNullOrWhiteSpace($User.HomeDrive) )
{
Add-ADGroupMember -Identity "$HomeDrive" -Members $Username # Adds user to homedrive
}
If(-not [string]::IsNullOrWhiteSpace($User.AddGrp1) )
{
Add-ADGroupMember -Identity "$AddGrp1" -Members $Username
}
If(-not [string]::IsNullOrWhiteSpace($User.AddGrp2) )
{
Add-ADGroupMember -Identity "$AddGrp2" -Members $Username
}
If(-not [string]::IsNullOrWhiteSpace($User.AddGrp3) )
{
Add-ADGroupMember -Identity "$AddGrp3" -Members $Username
}
If(-not [string]::IsNullOrWhiteSpace($User.eRescue) )
{
Add-ADGroupMember -Identity "$eRescue" -Members $Username
}
If ( ($User.MemberOf -like "RIS_*" ) )
{
write-verbose "User is already a member of a RIS group"
else
Add-ADGroupMember -Identity "$RIS" -Members $Username
}
If(-not [string]::IsNullOrWhiteSpace($User.PACS) )
{
Add-ADGroupMember -Identity "$PACS" -Members $Username
}
Write-Warning "$Username Amended"
}
I've also attached a screenshot of the input csv below:
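Three things in the posted block explain the behaviour described above. Inside the loop, `$User` is the row produced by `Import-Csv`, not an AD user object, so `$User.MemberOf` is empty and the condition can never be true. Even on the AD object, `MemberOf` holds distinguished names that begin with `CN=`, so `-like "RIS_*"` would still not match (and the first snippet's `-like "RIS_"` has no wildcard at all). Finally, `else` has to follow the closing `}` of the `If` block rather than sit inside it. The following is an added example, not the poster's script, showing one way to do the check so that an account already holding a RIS_ group (possibly an elevated one) is left alone and only accounts with no RIS_ membership get the group from the CSV. It assumes the RSAT ActiveDirectory module, the CSV column names `username` and `RIS` from the post, and a constructed sample row in place of the real file; the function names `Get-RisGroupMembership` and `Add-RisGroupIfMissing` are mine.

```powershell
# Added example (not the poster's script): only grant the CSV's RIS_ group when the
# account holds no RIS_ group yet, so an existing elevated membership is never
# downgraded to RIS_ReadOnly. Assumes the RSAT ActiveDirectory module is installed.
Import-Module ActiveDirectory

function Get-RisGroupMembership {
    <#
    .SYNOPSIS
        Returns the RIS_ groups the account is currently a direct member of.
    #>
    param([Parameter(Mandatory)][string]$Username)

    # Get-ADPrincipalGroupMembership returns group objects, so we filter on the
    # group's Name rather than on MemberOf's distinguished names ("CN=RIS_...").
    @(Get-ADPrincipalGroupMembership -Identity $Username |
        Where-Object { $_.Name -like 'RIS_*' })
}

function Add-RisGroupIfMissing {
    <#
    .SYNOPSIS
        Adds the account to $TargetGroup only if it is in no RIS_ group already.
        Returns $true if the membership was (or, with -WhatIf, would be) added.
    #>
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Username,
        [Parameter(Mandatory)][string]$TargetGroup
    )

    # A stray or mistyped value in the CSV must not put the user in some
    # unrelated group: this step only ever grants RIS_ groups.
    if ($TargetGroup -notlike 'RIS_*') {
        throw "Refusing to add '$Username' to '$TargetGroup': not a RIS_ group"
    }

    $existing = @(Get-RisGroupMembership -Username $Username)
    if ($existing.Count -gt 0) {
        $held = $existing.Name -join ', '
        Write-Verbose "$Username is already in $held; not adding $TargetGroup"
        return $false
    }

    # ShouldProcess gives the function -WhatIf/-Confirm for a dry run of the CSV.
    if ($PSCmdlet.ShouldProcess($Username, "Add to group $TargetGroup")) {
        Add-ADGroupMember -Identity $TargetGroup -Members $Username
        Write-Verbose "$Username added to $TargetGroup"
    }
    return $true
}

# Constructed sample row in the shape the poster's CSV produces (not real data).
# In the real script this is the $User of: foreach ($User in $ADUsers) { ... }
$User = [pscustomobject]@{ username = 'jbloggs'; RIS = 'RIS_ReadOnly' }

# Replaces the If ($User.MemberOf -like "RIS_*") block; drop -WhatIf to apply.
if (-not [string]::IsNullOrWhiteSpace($User.RIS)) {
    Add-RisGroupIfMissing -Username $User.username -TargetGroup $User.RIS -Verbose -WhatIf
}
```

`Get-ADPrincipalGroupMembership` reports direct memberships (plus the primary group), which matches the "one RIS_ group at a time" rule in the question; if RIS_ groups were ever nested inside other groups, the check would need an LDAP query using the matching-rule-in-chain OID (`memberOf:1.2.840.113556.1.4.1941:=`) instead. Running the loop once with `-WhatIf -Verbose` prints, per user, either the group they already hold or the group that would be added, which is a cheap way to confirm the CSV is doing what you expect before any membership changes.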