A study in PowerShell scripting: Part 3

This is the third part of my series on studying scripting. Here I follow up with how I used the function I created previously to get the results that I wanted. (NB: I have changed the names of some groups to maintain privacy.)

Onto the example. I produced three groups to represent the separation of the alphabet.

# Each extract keeps only enabled users in the surname range and skips
# account names that end in "admin" or "svc".
Write-Verbose -Message "Collecting members from Contoso_GeneralAccess Active Directory group with surnames starting from A-H...."
$contoso_ah_extract = Export-ADGroupmember -ADGroup Contoso_GeneralAccess -ADProperty surname -regex "^[A-H]" | where {
	$_.samaccountname -notmatch "\b[A-Za-z]*admin\b" -and
	$_.samaccountname -notmatch "\b[A-Za-z]*svc\b" -and $_.enabled -eq $TRUE} | select -ExpandProperty samaccountname

Write-Verbose -Message "Collecting members from Contoso_GeneralAccess Active Directory group with surnames starting from I-P...."
$contoso_ip_extract = Export-ADGroupmember -ADGroup Contoso_GeneralAccess -ADProperty surname -regex "^[I-P]" | where {
	$_.samaccountname -notmatch "\b[A-Za-z]*admin\b" -and
	$_.samaccountname -notmatch "\b[A-Za-z]*svc\b" -and $_.enabled -eq $TRUE} | select -ExpandProperty samaccountname

Write-Verbose -Message "Collecting members from Contoso_GeneralAccess Active Directory group with surnames starting from Q-Z...."
$contoso_qz_extract = Export-ADGroupmember -ADGroup Contoso_GeneralAccess -ADProperty surname -regex "^[Q-Z]" | where {
	$_.samaccountname -notmatch "\b[A-Za-z]*admin\b" -and
	$_.samaccountname -notmatch "\b[A-Za-z]*svc\b" -and $_.enabled -eq $TRUE} | select -ExpandProperty samaccountname

Essentially, this snippet finds all users in the Contoso_GeneralAccess group whose surname begins with A-H, I-P or Q-Z and outputs them in samaccountname format. It puts them into variables for the next lot of processing.

The next series of tasks is to grab the Sharefile group members. I want to put these in group variables so I can compare them with the extract variables above. The code is below:


Write-Verbose -Message "Collecting members from Sharefile_A-H group..."
$sharefileadgroup_ah = get-adgroup Sharefile_A-H | get-adgroupmember | Get-ADUser | select -ExpandProperty samaccountname
$sharefileadgroup_ah_obj = get-adgroup Sharefile_A-H

Write-Verbose -Message "Collecting members from Sharefile_I-P group..."
$sharefileadgroup_ip = get-adgroup Sharefile_I-P | get-adgroupmember | Get-ADUser | select -ExpandProperty samaccountname
$sharefileadgroup_ip_obj = get-adgroup Sharefile_I-P

Write-Verbose -Message "Collecting members from Sharefile_Q-Z group..."
$sharefileadgroup_qz = get-adgroup Sharefile_Q-Z | get-adgroupmember | Get-ADUser | select -ExpandProperty samaccountname
$sharefileadgroup_qz_obj = get-adgroup Sharefile_Q-Z

Then I use Compare-Object to do the comparison. The notes that I made in the script should explain the details of what I am actually doing and the reasoning behind it. (NB: That's why it's so important to add inline comments, in my opinion, so that when it comes to review in a few months' time I can understand the logic!)


# This region compares the groups as discussed in the beginning notes. It creates variables on what to add and remove
# in the respective Sharefile groups using the Compare-Object cmdlet. As the reference object is the $Contoso_ range
# variable, users that have the side indicator => exist in the difference object variable, which is the Sharefile
# group, but not in the Contoso group, and therefore should be removed.
# Those that have the side indicator <= exist in the Contoso group range and not in the Sharefile group, and therefore
# should be added.
#region Comparison

Write-Verbose -Message "Comparing members from Contoso_GeneralAccess group extract from A-H to decipher what to add and remove from Sharefile_A-H group..."
$objects_to_remove_in_sharefile_ah_group = Compare-Object -ReferenceObject $Contoso_ah_extract -DifferenceObject $sharefileadgroup_ah | where { $_.sideindicator -eq "=>" } | Select -expandproperty inputobject
$objects_to_add_in_sharefile_ah_group = Compare-Object -ReferenceObject $Contoso_ah_extract -DifferenceObject $sharefileadgroup_ah | where { $_.sideindicator -eq "<=" } | Select -expandproperty inputobject

Write-Verbose -Message "Comparing members from Contoso_GeneralAccess group extract from I-P to decipher what to add and remove from Sharefile_I-P group..."
$objects_to_remove_in_sharefile_ip_group = Compare-Object -ReferenceObject $Contoso_ip_extract -DifferenceObject $sharefileadgroup_ip | where { $_.sideindicator -eq "=>" } | Select -expandproperty inputobject
$objects_to_add_in_sharefile_ip_group = Compare-Object -ReferenceObject $Contoso_ip_extract -DifferenceObject $sharefileadgroup_ip | where { $_.sideindicator -eq "<=" } | Select -expandproperty inputobject

Write-Verbose -Message "Comparing members from Contoso_GeneralAccess group extract from Q-Z to decipher what to add and remove from Sharefile_Q-Z..."
$objects_to_remove_in_sharefile_qz_group = Compare-Object -ReferenceObject $Contoso_qz_extract -DifferenceObject $sharefileadgroup_qz | where { $_.sideindicator -eq "=>" } | Select -expandproperty inputobject
$objects_to_add_in_sharefile_qz_group = Compare-Object -ReferenceObject $Contoso_qz_extract -DifferenceObject $sharefileadgroup_qz | where { $_.sideindicator -eq "<=" } | Select -expandproperty inputobject

#endregion
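
The same comparison written once as a function and looped over the three ranges, as an added example that is not part of the original script. Get-MembershipDelta, the sample users and the sample group memberships are constructed for illustration and stand in for the AD queries; the function also covers the case where one side is empty, which Compare-Object cannot take as input when the variable is $null.

```powershell
function Get-MembershipDelta {
    param([string[]]$Desired, [string[]]$Current)
    # A pipeline that returns nothing yields $null, which Compare-Object refuses
    # to bind, so normalise both sides and handle the empty cases directly.
    $Desired = @($Desired | Where-Object { $_ })
    $Current = @($Current | Where-Object { $_ })
    if ($Desired.Count -eq 0 -and $Current.Count -gt 0) {
        Write-Warning 'Desired list is empty: every current member would be removed.'
    }
    if ($Desired.Count -eq 0 -or $Current.Count -eq 0) {
        return [pscustomobject]@{ Add = $Desired; Remove = $Current }
    }
    $diff = Compare-Object -ReferenceObject $Desired -DifferenceObject $Current
    [pscustomobject]@{
        Add    = @($diff | Where-Object SideIndicator -eq '<=' | Select-Object -ExpandProperty InputObject)
        Remove = @($diff | Where-Object SideIndicator -eq '=>' | Select-Object -ExpandProperty InputObject)
    }
}

# Constructed sample users standing in for the Contoso_GeneralAccess members.
$sourceMembers = @(
    [pscustomobject]@{ Surname = 'Adams'; SamAccountName = 'jadams';     Enabled = $true  }
    [pscustomobject]@{ Surname = 'Baker'; SamAccountName = 'bakeradmin'; Enabled = $true  }
    [pscustomobject]@{ Surname = 'Irwin'; SamAccountName = 'kirwin';     Enabled = $true  }
    [pscustomobject]@{ Surname = 'Quinn'; SamAccountName = 'mquinn';     Enabled = $false }
    [pscustomobject]@{ Surname = 'Young'; SamAccountName = 'tyoung';     Enabled = $true  }
)
# Constructed current membership of the three Sharefile groups.
$targetMembers = @{ 'A-H' = @('jadams', 'oldleaver'); 'I-P' = @(); 'Q-Z' = @('mquinn') }

foreach ($range in 'A-H', 'I-P', 'Q-Z') {
    # Same filter as the extracts: surname range, no admin/svc names, enabled only.
    $desired = $sourceMembers | Where-Object {
        $_.Surname -match "^[$range]" -and
        $_.SamAccountName -notmatch '\b[A-Za-z]*admin\b' -and
        $_.SamAccountName -notmatch '\b[A-Za-z]*svc\b' -and
        $_.Enabled -eq $true
    } | Select-Object -ExpandProperty SamAccountName
    $delta = Get-MembershipDelta -Desired $desired -Current $targetMembers[$range]
    [pscustomobject]@{
        Group  = "Sharefile_$range"
        Add    = $delta.Add -join ','
        Remove = $delta.Remove -join ','
    }
}
```

With this sample data, oldleaver is removed from Sharefile_A-H, kirwin is added to the empty Sharefile_I-P, and in Sharefile_Q-Z the disabled mquinn is removed while tyoung is added.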

In the next post I will discuss removing and adding users from these groups using the comparison object, and how I created an email report to send out what was deleted and added.

I hope that this gives some insight to people learning PowerShell.

4 thoughts on “A study in Powershell scripting: Part 3”

  1. Great stuff! The only thing I’d suggest is that you have a lot of redundant code. I’d consider creating an array…
    $Groups = @('A-H','I-P','Q-Z')

    then using a foreach loop…
    foreach ($Group in $Groups) {command -match "^[$Group]"}

    That’s vastly oversimplified, but it would really cut down on the volume of code you have there.

    1. I will consider that. Putting things into an array never occurred to me. Will get familiar with it and then look at rewriting it. Thank you very much for the suggestion.
