如何解决关于如果不在 AD 组中时删除 AD 组的 if/else 循环语法的建议
所以我已经发布了一个星期的同一个脚本..我终于完成了我希望是一个简单的部分。脚本本身现在检查组中的成员资格,如果在组中使用“报告给 $manager”变量创建一个新组。我现在需要做的是检查是否存在像“报告给 Joe.Blow”这样的组如果 Joe 不在 AllManager 的安全组中.. 删除“报告给”组。这就是我现在所在的位置:
import-module activedirectory
#Test Function Area #
Function Get-DirectReport {
#requires -Module ActiveDirectory
<#
.SYnopSIS
This script will get a user's direct reports recursively from ActiveDirectory unless specified with the norecurse parameter.
It also uses the user's EmployeeID attribute as a way to exclude service accounts and/or non standard accounts that are in the reporting structure.
.NOTES
Name: Get-DirectReport
Author: theSysadminChannel
Version: 1.0
DateCreated: 2020-Jan-28
.LINK
https://thesysadminchannel.com/get-direct-reports-in-active-directory-using-powershell-recursive -
.ParaMETER SamAccountName
Specify the samaccountname (username) to see their direct reports.
.ParaMETER norecurse
Using this option will not drill down further than one level.
.EXAMPLE
Get-DirectReport username
.EXAMPLE
Get-DirectReport -SamAccountName username -norecurse
.EXAMPLE
"username" | Get-DirectReport
#>
[CmdletBinding()]
param(
[Parameter(
Mandatory = $false,ValueFromPipeline = $true,ValueFromPipelineByPropertyName = $true
)]
[string] $SamAccountName,[switch] $norecurse
)
BEGIN {}
PROCESS {
$UserAccount = Get-ADUser $SamAccountName -Properties DirectReports,displayName
$UserAccount | select -ExpandProperty DirectReports | ForEach-Object {
$User = Get-ADUser $_ -Properties DirectReports,displayName,Title,EmployeeID
if ($null -ne $User.EmployeeID) {
if (-not $norecurse) {
Get-DirectReport $User.SamAccountName
}
[PSCustomObject]@{
SamAccountName = $User.SamAccountName
UserPrincipalName = $User.UserPrincipalName
displayName = $User.displayName
Manager = $UserAccount.displayName
}
}
}
}
END {}
}
$ou = "ou=test,ou=Litmos,ou=Resources,ou=Groups,ou=company,dc=domain,dc=net"
$creds = "domain.net\ben"
$server = "dc01.domain.net"
$ErrorActionPreference = 'silentlycontinue'
$managers = get-adGroupMember -identity "CN=All Managers,OU=Organizational,OU=Groups,OU=company,DC=domain,DC=net" |
select samaccountname
#Collect
$ReportsTo = Get-adgroup -searchbase $ou -filter "Name -like 'Report to *'" |
where {$_.name -replace 'Report to ' -in $name} |
select name,samaccountname
#The below loop creates 'Report To' dist groups for people found in $managers
Foreach ($manager in ($managers.SamAccountName)) {
# Creates missing "Report to <manager>" groups
if ($manager -notin (($ReportsTo.Name) -replace 'Report to ')) {
new-adgroup -name "Report to $manager" -groupscope global -path $ou
} else {
write-warning "Group already exists"
}
# Get managers direct report
$underlings = Get-Directreport $manager -norecurse | Select-Object samAccountName
if ($underlings -ne $null) {
#write-host "$manager has reports"
} else {
write-warning "$Manager has no reports"
Continue
}
# Get manager's "report to <manager> group again to update members"
$managerReportToGroup = Get-ADGroup -SearchBase $ou -Filter "Name -like 'Report to $manager'"
if ($managerReportToGroup) {
Add-ADGroupMember -identity $managerReportToGroup.Name -members $underlings
} else {
Write-Warning "Could not locate group for $manager"
}
# Remove groups for users who are no longer in All Managers
$ManagerGroup = $managers
$ReportTogroup = get-adgroup -searchbase $ou -filter "Name -like 'Report to '"
$groupname = "Report to $manager"
if (-not($ReportToGroup -eq "Report to $manager")
{ Remove-ADGroup $ReportToGroup
} else {
Continue }
我知道最后一点是错误的..我无法想出那部分的逻辑流程..
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。
