How to populate "Member Of" for a user account in AD

Hi

As part of disabling an account I store the groups a user is a member of in the Notes section:
[pre]
# Get all the groups this user is a member of and paste them into the Notes section
$groups = Get-ADPrincipalGroupMembership $user.SamAccountName
Set-ADUser $user.samAccountName -Replace @{info=$groups.name -join "`r`n"}
[/pre]
If for some reason a user has been wrongly disabled (in case of a contractor where the contract is extended at the last moment), how can I populate the Member Of again with all the groups stored in the Notes section?

I’d recommend joining your list elements with something unusual that helps later to split them correctly into separate pieces again … like

[pre]
Set-ADUser $user.samAccountName -Replace @{info=$groups.name -join '##_'}
[/pre]

Now it’s easy to read the Notes section and separate the single groups to use them to add the user to the groups.

Olaf,

Thanks for that. Any thoughts on how to populate the Member Of based upon the groups stored in the Notes section?

Best regards

Paul

If I understand correctly and you want to add the groups in $groups to the user, then you can try:

[pre]
# Add the user to every group in $groups
foreach ($g in $groups) {
    Get-ADGroup $g | Add-ADGroupMember -Members ((Get-ADUser $user).DistinguishedName)
}
[/pre]

Or with try/catch:

[pre]
# Same loop, but report the groups the user could not be added to
foreach ($g in $groups) {
    try { Get-ADGroup $g | Add-ADGroupMember -Members ((Get-ADUser $user).DistinguishedName) }
    catch { Write-Host "user $user wasn't added to group $g" }
}
[/pre]

Hi Arik,

Not quite.

In the above-mentioned piece of code I store all the groups in the Notes section of the user account.

When for some reason HR made a mistake and this user needs to be enabled again, we need to add the groups he was a member of before we disabled his account.
The challenge is to grab the groups stored in the Notes section and add these back into the Member Of tab.
The above-mentioned code is only here to illustrate how I’ve exported the groups to the Notes section of this user account.

Thanks for your assistance

Hmmm … actually I don’t understand what the challenge is with that. You managed to get the group memberships of the user with Get-ADPrincipalGroupMembership. Then you used this to set the info for the AD user with Set-ADUser. Now you need to get the info from the AD user … so you use Get-ADUser. Now you use this info to add the group memberships of the user with Add-ADPrincipalGroupMembership.
To accomplish this you need to split again the group names you joined before.

[pre]
# Save: store the group sAMAccountNames in the info (Notes) attribute
$groups = Get-ADPrincipalGroupMembership $user.SamAccountName
Set-ADUser $user.samAccountName -Replace @{info = $groups.sAMAccountName -join '_#_#_'}

# Restore: read the attribute back, split it and re-add the memberships
$CurrState = Get-ADUser -Identity $user.SamAccountName -Properties Info
$SavedADGroupList = $CurrState.Info -split '_#_#_'
Add-ADPrincipalGroupMembership -Identity $user.SamAccountName -MemberOf $SavedADGroupList
[/pre]

I’d recommend using the sAMAccountName instead of the name of the groups because they are unique while the names might not be.

You may have to deal with the Primary Group of the user accounts, as you cannot remove it from the accounts but you will have it in the list you’ve got from the membership list.

Could you please use the code tags “PRE” to format your code as code?

Thank you.

Thanks Olaf, that works like a charm :)
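
The save/restore round trip from Olaf's answer, wrapped into two functions as an added example that is not part of the original thread: it leaves out the primary group he mentions, skips saved groups that cannot be resolved or that the user already has, and supports -WhatIf. The function names, the account name `jdoe` and the choice to hold back groups with adminCount = 1 for manual review are assumptions.

```powershell
Import-Module ActiveDirectory
$Delimiter = '_#_#_'   # separator used in the thread

function Save-UserGroupsToNotes {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName -Properties PrimaryGroup
    # Leave out the primary group: it cannot be removed, so it never needs restoring.
    $groups = Get-ADPrincipalGroupMembership -Identity $user |
        Where-Object { $_.DistinguishedName -ne $user.PrimaryGroup }
    if (-not $groups) { return }   # nothing to store
    if ($PSCmdlet.ShouldProcess($SamAccountName, 'Store group list in info')) {
        Set-ADUser -Identity $user -Replace @{ info = ($groups.SamAccountName -join $Delimiter) }
    }
}

function Restore-UserGroupsFromNotes {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName -Properties info, MemberOf
    if ([string]::IsNullOrWhiteSpace($user.info)) {
        Write-Warning "No saved group list in the Notes field of $SamAccountName"
        return
    }
    $names = $user.info -split [regex]::Escape($Delimiter) | Where-Object { $_ }
    foreach ($name in $names) {
        try {
            $group = Get-ADGroup -Identity $name -Properties adminCount -ErrorAction Stop
        } catch {
            Write-Warning "Group '$name' could not be resolved, skipped"
            continue
        }
        if ($user.MemberOf -contains $group.DistinguishedName) { continue }  # already a member
        # Assumption: groups flagged adminCount = 1 are re-added by hand after review,
        # since the Notes field is ordinary data that other staff may be able to edit.
        if ($group.adminCount -eq 1) {
            Write-Warning "Privileged group '$name' needs manual review, skipped"
            continue
        }
        if ($PSCmdlet.ShouldProcess($name, "Add $SamAccountName")) {
            Add-ADGroupMember -Identity $group -Members $user -ErrorAction Stop
        }
    }
}

# Dry run against a hypothetical account:
# Restore-UserGroupsFromNotes -SamAccountName 'jdoe' -WhatIf
```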