I couldn’t find a way to add all employees who work under a VP to an Active Directory group. I ended up writing my own script and scheduling it to update the group every week.
If you are interested, copy/paste the following script into Notepad and save it as PopulateGroupByManager.ps1. Run it with the Manager/Director/VP’s username or distinguished name, followed by the name of the group to populate.
#------------------------------------------------------------------------------------------
# Function: IsAccountDisabled
# Purpose: Report whether an Active Directory user account is disabled
#          (True for disabled, False for active)
# Parameters: <distinguishedName>
# NOTE(review): if the ADSI bind or the property read fails, nothing appears to be
# returned. A caller that tests the result with "if" then takes the "active" branch, so
# a failed lookup looks like an enabled account - confirm that is acceptable wherever
# the result decides group membership.
#------------------------------------------------------------------------------------------
Function IsAccountDisabled($UserDN)
{
    # Bind to the account through ADSI using its LDAP path.
    $account = [ADSI]("LDAP://" + $UserDN)
    # Emit the AccountDisabled flag; the value written to the output stream is what
    # the caller receives.
    $account.PsBase.InvokeGet("AccountDisabled")
}
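#------------------------------------------------------------------------------------------
# Function: Get-DirectReports
# Purpose: Add every enabled user in the reporting tree below <user> to the group named
#          by $GroupName (set by the calling script). Calls itself recursively for each
#          direct report that has direct reports of its own.
# Parameters: <User Name> or <distinguishedName>
# Notes:
#   - Contacts and entries that do not resolve to a user are skipped.
#   - A disabled account is neither added nor traversed, so staff who still report to a
#     disabled manager are not reached.
#   - Each distinguished name is handled at most once per top-level call, so a loop in
#     the manager/directReports attributes cannot recurse without end.
#   - $Script:Count counts accounts handed to Add-ADGroupMember. It does not confirm
#     that each add succeeded; the calling script silences errors while this runs.
#------------------------------------------------------------------------------------------
function get-directreports
{
    Param($user)

    # $level is the depth in the reporting tree: each call reads its caller's value and
    # increments a local copy, so the outermost call sees 1.
    $level++
    if ($level -eq 1 -or $null -eq $Script:SeenDNs)
    {
        # New traversal: forget the accounts seen by any earlier run.
        $Script:SeenDNs = @{}
    }

    # Get the user object of the manager being expanded
    $userdetails = Get-ADUser $user -Properties directReports,distinguishedName
    if (-not $userdetails)
    {
        Write-Warning "Get-DirectReports: could not resolve '$user'; skipping."
        return
    }
    $Script:SeenDNs[$userdetails.distinguishedName] = $true

    # A disabled manager is not expanded.
    if (IsAccountDisabled($userdetails.distinguishedName))
    {
        return
    }

    foreach ($directreport in $userdetails.directReports)
    {
        # Contacts can appear in directReports but are not user accounts.
        $adobject = Get-ADObject $directreport
        if ($adobject.ObjectClass -eq "contact")
        {
            continue
        }

        # Resolve the report once and reuse the result for the name, the
        # sAMAccountName and its own directReports.
        $drdetails = Get-ADUser $directreport -Properties directReports
        if (-not $drdetails)
        {
            Write-Warning "Get-DirectReports: '$directreport' is not a resolvable user; skipping."
            continue
        }

        # Guard against reporting loops: never add or expand the same account twice.
        if ($Script:SeenDNs.ContainsKey($drdetails.distinguishedName))
        {
            continue
        }
        $Script:SeenDNs[$drdetails.distinguishedName] = $true

        # Check the report itself before adding it; without this a disabled account
        # would still be placed in the group.
        if (IsAccountDisabled($drdetails.distinguishedName))
        {
            continue
        }

        "Adding " + $drdetails.Name
        Add-ADGroupMember -Identity $GroupName -Members $drdetails.SamAccountName
        # Count the global employee count in this organization structure
        $Script:Count++

        # Recurse only when this report manages someone. Truthiness is used instead of
        # "-eq $null", which filters a collection rather than testing it.
        if ($drdetails.directReports)
        {
            get-directreports $drdetails.distinguishedName
        }
    }
}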
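#------------------------------------------------------------------------------------------
# Name: PopulateGroupByManager.ps1
# Purpose: Add a manager (VP, Director or Manager) and everyone in the reporting tree
#          below them to an Active Directory group
# Parameters: 1. User name or distinguished name of the manager
#             2. Name of the group to add members to
#
# Written by: Anand Venkatachalapathy
# Written Date: May 16th 2012
#
# Note: this script only adds members. Accounts that later leave the reporting tree or
# are disabled stay in the group until they are removed by other means, so a group that
# grants access needs a separate membership review.
#------------------------------------------------------------------------------------------
if ($args.count -lt 2)
{
    "Error: Missing Arguments:"
    "Run this script with two arguments, 1. Manager/VPs UserName 2. Group name to add members."
    "e.g., PopulateGroupByManager.ps1 username GroupName"
    # Non-zero exit code so a scheduled task records the run as failed.
    exit 1
}

# Import the Active Directory module before errors are silenced; without it every AD
# call below would fail quietly and the run would still report a count.
Import-Module ActiveDirectory -ErrorAction Stop

# Get the passed user name / distinguished name of the manager and the target group
$DNofVP = $args[0]
$Global:GroupName = $args[1]

# Confirm that both the manager and the group exist while errors are still visible.
try
{
    $vpAccount = Get-ADUser $DNofVP -ErrorAction Stop
    $null = Get-ADGroup $GroupName -ErrorAction Stop
}
catch
{
    "Error: " + $_.Exception.Message
    exit 1
}

# Get-directreports does not expand a disabled manager, so there is nothing to add;
# stop here instead of placing a disabled account in the group.
if (IsAccountDisabled($vpAccount.DistinguishedName))
{
    "Error: the account '" + $vpAccount.Name + "' is disabled; nothing was added."
    exit 1
}

# Turning off the errors and warnings for the traversal.
# Some errors are expected on contact objects in AD and other disabled accounts.
# While this is in effect a failed Add-ADGroupMember is not reported either.
$ErrorActionPreference = "SilentlyContinue"

# Start the count at zero; it is incremented once per account handed to
# Add-ADGroupMember, here and inside Get-directreports.
$Script:Count = 0
" - - - - - - $GroupName - - - - - -"
"Adding " + $vpAccount.Name
Add-ADGroupMember -Identity $GroupName -Members $vpAccount.SamAccountName
$Script:Count++

# Call the function to process the direct reports
Get-directreports $vpAccount.DistinguishedName

# Turn on displaying errors and warnings
$ErrorActionPreference = "Continue"
"`n$count users are added to $GroupName"
#--------------------------- End of Script ----------------------------------------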