get-aduser group membership

Working on trying to add a user to a group from a CSV.
Checking if that user is already a member of the group. If so, do nothing…
If not… then add the user to the group. Provide some level of feedback.
I have this already.
It seems to work close to OK… I get a return where some users don’t appear to be in AD, but I suspect it's due to hyphenated names and apostrophes. If I am correct in this… how can I correct / compensate for the bad characters?
Is there a better way to do this?

foreach ($line in $userlist) {
    $student = $line.stuid
    $STUADName = "CN=" + $line.firstname + " " + $line.lastname + "," + $ou
    # $error.clear()
    try {
        # -Filter returns nothing (and throws nothing) when the user exists but is not in
        # the group, so capture the result and test it instead of printing unconditionally
        $member = Get-ADUser -Filter { memberOf -RecursiveMatch $group } -SearchBase $STUADName -SearchScope Base -ErrorAction Stop
        if ($member) {
            "$student user is a member of the group"
        }
        else {
            "$student is in AD"
        }
    }
    catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        "$student ..may not exist in AD or could be naming convention error"
    }
}


So, as a quick note, we don’t use square brackets for the PRE code tag. See right above the reply box - it shows the correct syntax for formatting code.

Second, what you’re doing to concatenate strings is a bit hard to read.

#Instead of this 
$STUADName = "CN="+$line.firstname+" "+$line.lastname+","+ $ou

#Consider this
$STUADName = "CN=$($line.firstname) $($line.lastname),$ou"

String concatenation is very 1990s ;).

I’m also questioning some of your syntax.

Get-ADUser -Filter { memberOf -RecursiveMatch $group } -SearchBase $STUADName -SearchScope Base -ErrorAction stop

First, you’re specifying a -SearchBase that is a user account; that isn’t what -SearchBase is meant for. -SearchBase is supposed to be the starting point - e.g., an OU - where you want the search to begin. Now, I get that you can specify just an object - but it doesn’t seem… I don’t know, useful? to search that way. Instead of saying, “look for a car in the garage,” you’re saying, “look for a car at the location of the car.”

Nice use of -RecursiveMatch, though. So few people know about that.

Now, on to what you think the problem is…

Can you give me an example of the bad-looking data? You’re saying that the problem might be due to hyphens or apostrophes? Neither of those should be upsetting AD. Like, can you show an example CN that IS in AD, but your script is saying isn’t?

Thanks for the suggestions.
I agree with the "SearchBase" option. I am trying to limit the “container” to the specific container I need to search, to save time… make the script run better… no need to look where I know there is nothing I need to look at. This was my direction.

Example of bad data: I've got test CSVs that are representative of all my students in the HS, say. I know they are all members of the group in question (so nothing would need to be done to them… i.e. taken out of a group… assigned to another group… etc.).
I have 10 or so test users. An example would be: CN=222222,OU=HS,OU=Students,OU=districtusers
given name of Led, surname of Zepplin. For this user I am throwing “…may not exist in AD or could be naming convention error”.

I also have existing students. An example would be (the last name I'll change, but the first name is legit):
CN=D’AVERY Thomson,OU=HS,OU=Students,OU=districtusers
given name of A’very, surname of Thomson
(Looking at my CSV… it's D Avery… without the hyphen, so I know this is the issue.)

I've proven out that CN=222222 will not work by running a rename-adobject command as such:

rename-adobject -identity "CN=555555,OU=HS,OU=Students,OU=DistrictUsers,OU=district,DC=sburg,DC=org" -newname "spider man"

After making that change it found the user in the group. I am guessing it's the numbers as the “DistinguishedName” as opposed to letters.

And I have an example as follows that I can't see anything wrong with, but yet it does the same as above:
CN=Brianna Wooten,OU=HS,OU=Students,OU=DistrictUsers
given name Brianna, surname Wooten

What I would like to do is search based off "stuid", which equates to “SamAccountName”, but I have been unable to accomplish this. Doing this would without a doubt alleviate the issues I'm having above, but this script got me the closest to what I was looking to do, so unfortunately it sucked me into a direction that I now know may not be the best direction.

Running the script gives me the following results as feedback:
1410 users on list in total
1382 users are already members of the group
0 users need to be added to group
28 users may not be in AD… or may not have the correct distinguished naming convention for the script to determine correctly

My intention was to have an outcome for the catch… which is beyond doubt that the user will not be in AD, as determined by the [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] error, and then have an outcome that there is possibly a different situation.

OK. I’m super confused, in part because you’re not showing me any data.

I have 10 or so test users. example would be; CN=222222,OU=HS,OU=Students,OU=districtusers givenname of Led, surname of Zepplin. for this user I am throwing "..may not exist in AD or could be naming convention error".

If the user’s canonical name is 2222222, then that query should work. What the user’s given name or surname is are not relevant to that query. You weren’t querying for Led Zeppelin, you were querying for 2222222.

Are you saying that your query ($STUADName = "CN="+$line.firstname+" "+$line.lastname+","+ $ou) didn’t work for Led Zeppelin? I wouldn’t expect it to. First of all, the object’s CN isn’t Led Zeppelin, it’s 2222222. Second, you used that query string as a SearchBase, not as a query.

I think you need to, just for the sake of discussion, disregard everything you’ve been doing. Start over. Try to explain concisely what you’re trying to do, what data you have to work with, and how the objects in your domain are named. I’m happy to try and help, but I think you may have gone down a bad path.

Yea… I definitely think I've gone down a wrong path. Starting over. My apologies for the confusion.
What I'm trying to accomplish is: I have a CSV with stuid numbers which are unique to each user. I'd like to query AD with that stuid from the CSV and see if that user is a member of a group,

then perform functions based off membership, such as remove from group, add to another group.

OK. I can work with that.

So the student ID is a unique number; is it the samAccountName for the user accounts? Or does it appear as another attribute?

Correct… it is the SamAccountName.

OK. So, in that case, you should just be able to:

Get-ADUser -Identity $NumericStudentID

And it’ll find the user. You could add an LdapFilter so that you only got the user back if they were a member of the group you’re after…

Get-ADUser -Filter { samAccountName -eq $StudentID -and memberOf -RecursiveMatch $group } | Measure | Select -Expand Count

If that returns 0, either the student doesn’t exist or isn’t in the group. If it returns nonzero, they exist and are in the group.

I don’t know if you’re looking at a SINGLE group, but if you are, in might just be easier to get that group (Get-ADGroup), and then pull its Members list into a string array. Given a student ID, it’s then easy to test:

if ($array -contains $studentid) {
    # student is in group
}
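Putting the two suggestions above together, here is an added example (not code from the thread or from either poster) of the whole loop: read the CSV, look each account up by SamAccountName, compare against the group's flattened membership fetched once, and add only the missing accounts. It assumes the ActiveDirectory module, that the `stuid` column is the SamAccountName as the thread states, and an invented group name `HS-Students`; the CSV rows embedded in it are constructed for illustration.

```powershell
# Added example, not code from the thread. Assumes the ActiveDirectory module,
# that the CSV column "stuid" holds the SamAccountName (as the thread states),
# and a group name of 'HS-Students' (made up). Run with -WhatIf first.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$GroupName = 'HS-Students',   # assumed group name
    [string]$CsvPath                      # optional; constructed sample rows used if omitted
)
Import-Module ActiveDirectory

if ($CsvPath) {
    $userlist = Import-Csv -Path $CsvPath
}
else {
    # Constructed sample rows; IDs and names are invented for illustration.
    $userlist = @'
stuid,firstname,lastname
222222,Led,Zepplin
333333,A'very,Thomson
444444,Brianna,Wooten
'@ | ConvertFrom-Csv
}

# Enumerate the group once instead of querying AD per CSV row. -Recursive flattens
# nested groups, which is what "memberOf -RecursiveMatch" did in the original filter.
# Get-ADGroupMember returns principals, so compare on SamAccountName, not on DN.
$memberSet = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { [void]$memberSet.Add($_.SamAccountName) }

$already = [System.Collections.Generic.List[string]]::new()
$added   = [System.Collections.Generic.List[string]]::new()
$missing = [System.Collections.Generic.List[string]]::new()

foreach ($row in $userlist) {
    if ([string]::IsNullOrWhiteSpace($row.stuid)) { continue }   # skip blank rows
    $stuid = $row.stuid.Trim()

    # Look the account up by SamAccountName. The CSV name columns are never used to
    # build a DN, so apostrophes, hyphens or spaces in them cannot break the lookup.
    try {
        $user = Get-ADUser -Identity $stuid -ErrorAction Stop
    }
    catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        $missing.Add($stuid)
        continue
    }

    if ($memberSet.Contains($user.SamAccountName)) {
        $already.Add($stuid)
        continue
    }

    # ShouldProcess honours -WhatIf / -Confirm passed to the script.
    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Add to group $GroupName")) {
        Add-ADGroupMember -Identity $GroupName -Members $user
    }
    $added.Add($stuid)
}

"{0} users on list in total"                        -f @($userlist).Count
"{0} users are already members of {1}"              -f $already.Count, $GroupName
"{0} users added to {1} (or would be, under -WhatIf)" -f $added.Count, $GroupName
"{0} users not found in AD by SamAccountName"       -f $missing.Count
if ($missing.Count) { "  not found: " + ($missing -join ', ') }
```

Two caveats a practitioner should know before running this against a real domain. `Get-ADGroupMember` goes through ADWS, which by default refuses to return more than 5000 members (the `MaxGroupOrMemberEntries` limit); for a very large group, enumerate the other way round with `Get-ADUser -Filter { memberOf -RecursiveMatch $groupDN }` once and build the set from that. And `(Get-ADGroup $GroupName -Properties Member).Member` returns distinguished names, not SamAccountNames, so it cannot be compared directly against the `stuid` column without a second lookup.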

OK… working on it now… I'll get back to you with what I come up with… thanks for your help. It's very much appreciated. I think I got sidetracked and overwhelmed with what I'm trying to accomplish, which is why I reached out looking for a better direction.