New to PS scripting-help with add user to AD group

Hi all,

I’m new to PS scripting and am a student studying for an MCSA in Windows 10, and am beginning to try to use PS for my corporate environment’s benefit. I have an idea of writing a script that checks if a user is added to a particular security group in AD, and if not, will add them to it. The query will require input from the technician running the script to add the LDAP username and then press Enter to run the script.

If the user is already part of the group, then it returns that information in a write memo to the tech. If the user is not already in the group, they are added and a write memo will say "added to 'x' group".

If there has already been a script template shared for this, can you please re-share the link? If not, does anyone have an idea to help get me started?

Thank you!

Did you search for it? There are tons of scripts doing the same or similar things. Grab one, modify it to your needs and test it in your test environment. If you have a specific question about a particular piece of code you wrote, you can post it here along with the error you get and we will be happy to try to help you.

Here you have 2 common sources for scripts:

http://www.powershellgallery.com/

https://gallery.technet.microsoft.com/scriptcenter/

Hi,

I did do some searching but was hoping to narrow the search down using these forums as the search alone could take some time to do and I work in a fast paced environment.

I will use the links above to try and filter down my search but in the meantime, if anyone has easily posted examples (with non-specifics for the names and PID) then I’d be happy to take a look.

Thanks!

I searched ADGroup and came across a couple. https://www.powershellgallery.com/items?q=Adgroup&x=0&y=0
Search is your friend in the Gallery, as it’s a bit overwhelming at first.

Here’s one that’s already been made.

While I don’t have specific code examples to give you (you’ll probably have to do some google searching for that one), I can give you some advice on how to get started.

The script you’re asking for is kind of specific. While you might have some luck finding things that do those exact tasks, I wouldn’t bet on someone having an example off-hand to give you to use. I think you’re going to have to work on building the script yourself. But luckily, you don’t have to build it entirely from scratch!

First, figure out all of the steps that the script needs to run through. Break the entire script down step by step. You mention that it needs to check your AD to see if a user has been created in it. Make sure you iron out how you want the AD checked. The order, locations, data, etc.

Once you’ve broken down the entire script into steps, start searching around for scripts that complete the steps individually. Checking for a user in AD? There’s millions of scripts for that. Grab one that you find from somewhere and then modify it to suit your specific steps. Move to the next step of your script: Adding a user to AD through Powershell. Again, you’ll find lots of examples. Just find one and modify it slightly for your environment.

Keep looking for individual step scripts like this and eventually, you’ll end up with your whole script built out of really small ones.

Just my two cents, but it’s what I’ve done and it worked pretty well for me. Good luck!

Thank you–that’s a great idea. I know it will take some time but, it will be worth the research and effort. I’ll try to find script snippets here and there of the key components I need.

I don’t know how new you are to PS scripting, but if you haven’t done so already I would suggest starting to learn the basics of Powershell in a structured way from scratch, and not by picking up other people’s code and trying to understand it. That’s even free of charge and fun to watch in the case of the free video course “Getting Started with Powershell” from Microsoft Virtual Academy. Here are some more good sources to start with: Beginner Sites and Tutorials.
On top of Coby’s excellent suggestions I would like to add that it would be even more professional if you create the pieces of your script as functions, maybe even as functions in a module. This way you have re-usable functionality you can always re-combine for your particular needs.

Hi Olaf,

Yes I did take the full MVA course for Powershell Beginners. The scripting part is where it gets tougher, and where I’m thinking a more hands-on approach (trial and error) will help more than digesting text in part.

It’s hard to break away from my primary duties to practice it as well but I’m working on it. Thank you for the added suggestions!

Ben,
great to hear (read). Maybe you already know - they did a “second part”: Advanced Tools & Scripting with PowerShell 3.0 Jump Start.

I think it’s gonna be easier when you get more used to it. At least it did for me. So have a lot of fun playing around with it. I wish you a lot of success.

Edit
Update: I figured out how to get the input by erasing two variables from the top that weren’t needed at this time. I’d like to now figure out how to take the user’s inputted username and query it against a certain AD Group to see if they belong to it or not.

Okay. So I have Part I written for this script, but when I run the script and enter the username, it does not output the information. I’m just trying to test this Part I out (trial and error). Can someone tell me what I may be doing wrong that prevents an output? The script runs and completes, but no output (no red errors, at least).

# Define variables
$adGroupMembers = @()
$adGroupMemberDetails = @()
$adGroupName = read-host "Please enter AD Username"

# Narrow down the user via prompt
$adGroupMembers = Get-ADUser -Identity $adGroupName -Properties SamAccountName,Surname,GivenName,Enabled; Select-Object csv | ConvertFrom-Csv

I’m not sure what the CSV stuff is about, no need for that.

Also, if you want the results immediately you either need to get rid of $adGroupMembers in front of Get-ADUser, or if you keep it, just type in the variable name again to get the results.

No variable

# Define variables
$adGroupMembers = @()
$adGroupMemberDetails = @()
$adGroupName = read-host "Please enter AD Username"

# Narrow down the user via prompt
Get-ADUser -Identity $adGroupName -Properties SamAccountName,Surname,GivenName,Enabled

Variable

# Define variables
$adGroupMembers = @()
$adGroupMemberDetails = @()
$adGroupName = read-host "Please enter AD Username"

# Narrow down the user via prompt
$adGroupMembers = Get-ADUser -Identity $adGroupName -Properties SamAccountName,Surname,GivenName,Enabled

#get the data from the variable
$adGroupMembers

Thanks, yeah I figured to remove the variable in front of Get-AdUser and it fixed the issue. I did jettison the csv stuff and find the results no different (cleaner code–thank you!).

I’d like to now figure out how to take the user’s inputted username and query it against a certain AD Group to see if they belong to it or not.

$user = read-host "enter username to check"
$group = read-host "enter group to check"

 $membership = (get-adgroupmember $group).samaccountname
    if ($membership -like $user)
    {
    "$($user) is a member of $($group)"
    }

Jon, Thank you! This leads me closer to where I want to be. I modified it for my environment, and changed the $group variable to one specific in our AD.

Hey all,

Quick question/update:

I have made some progress on my script but am getting a bit stalled where I try to add code to have the user added to the specified AD group if the system reads that they are NOT part of the group. Code below (modified the name of the group to conceal private information). Suggestions welcome :slight_smile:

$user = read-host "Enter AD username"
$group = "thegroup"

 $membership = (get-adgroupmember $group).samaccountname
    if ($membership -like $user)
    {
    "$($user) is a member of $($group)"
    }
    Else {"$User is not a member of $group" }

        if ($user -notin $group) 
        
            {Add-ADGroupMember -Identity "thegroup" -Members $user -Confirm -WhatIf}

You don’t need two ifs for the same condition. $Membership is an array and you want to check if it contains a certain element. :wink:
… should work like this:

$user = read-host "Enter AD username"
$group = "thegroup"

$membership = (get-adgroupmember $group).samaccountname
if ($membership -contains $user){
"$($user) is a member of $($group)"
}
Else {
"$User is not a member of $group"
Add-ADGroupMember -Identity $group -Members $user -Confirm -WhatIf
}


… untested …

So I had to add "()"s around the initial "Else" statement to get the code to run, but it still doesn’t add a user to the group who is not part of it. The script runs and says complete, but checking in AD shows the user is still not part of the intended group.

Again, code for actual group name is changed for privacy.

$user = read-host "Enter AD username"
$group = "thegroup"

 $membership = (get-adgroupmember $group).samaccountname
    if ($membership -contains $user)
    {
    "$($user) is a member of $($group)"
    }
    Else {
    ("$User is not a member of $group")
        Add-ADGroupMember -Identity "thegroup" -Members $user -Confirm -WhatIf

        }

Does it work if you take off -whatif? :wink:

Yes, it did work. And the -Confirm parameter worked fine too.

More progress. Thank you all so far

So, I basically have my script finished, but I’m wondering one big thing: are there any suggestions the community here has for me to speed it up? I have included Measure-Command -Expression {} in it and average about 15-17 seconds per run. I would love to see this take less than 10 seconds. Pasting code below (again with concealed group names for privacy).

Measure-Command -Expression {



$user = read-host "Enter AD username"
$group = "thegroup"

 $membership = (get-adgroupmember $group).samaccountname
    if ($membership -contains $user)
    {
    "$($user) is a member of $($group)"
    }
    Else {
    ("$User is not a member of $group")
        Add-ADGroupMember -Identity "thegroup" -Members $user -Confirm

        }
    }
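As an added example (not code from anyone in this thread), here is the finished script rewritten as a function the way Olaf suggested, with two changes aimed at the timing question: the membership test reads the user's MemberOf attribute instead of enumerating every member of the group with Get-ADGroupMember, which is usually the slow part on a large group, and Read-Host is moved outside Measure-Command so the seconds spent typing the username are not counted. It assumes the ActiveDirectory module is loaded, the account running it may modify the target group, and "thegroup" is the thread's placeholder name.

```powershell
#Requires -Modules ActiveDirectory

function Add-UserToGroupIfMissing {
    # SupportsShouldProcess gives the function -WhatIf and -Confirm; ConfirmImpact 'High'
    # means the one write operation below prompts by default unless -Confirm:$false is passed.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$GroupName
    )

    # Resolve both objects once. -ErrorAction Stop turns a typo in the username or group
    # name into a terminating error before anything in AD is touched.
    $adUser  = Get-ADUser  -Identity $SamAccountName -Properties MemberOf -ErrorAction Stop
    $adGroup = Get-ADGroup -Identity $GroupName -ErrorAction Stop

    # One lookup of the user's MemberOf (a list of group distinguished names) replaces
    # pulling the whole member list of the group. Note: MemberOf lists direct memberships
    # only; nested groups are not expanded, same as Get-ADGroupMember without -Recursive.
    if ($adUser.MemberOf -contains $adGroup.DistinguishedName) {
        Write-Output "$($adUser.SamAccountName) is a member of $($adGroup.Name)"
        return
    }

    Write-Output "$($adUser.SamAccountName) is not a member of $($adGroup.Name)"

    # ShouldProcess is what honours -WhatIf/-Confirm; the target and action text it is
    # given is also what shows up in a PowerShell transcript, which is useful for auditing.
    if ($PSCmdlet.ShouldProcess($adGroup.DistinguishedName, "Add member $($adUser.SamAccountName)")) {
        Add-ADGroupMember -Identity $adGroup -Members $adUser
        Write-Output "Added $($adUser.SamAccountName) to $($adGroup.Name)"
    }
}

# Usage, mirroring the thread's prompt. The prompt sits outside Measure-Command so only
# the AD round-trips are timed. Measure-Command swallows pipeline output, so the messages
# are sent to the console with Out-Host.
$user = Read-Host "Enter AD username"
Measure-Command { Add-UserToGroupIfMissing -SamAccountName $user -GroupName 'thegroup' | Out-Host }
```

Run it once with -WhatIf added to the call inside the braces to see the planned change without making it.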