For a customer I created a script which creates new groups for all the unique job titles available in Active Directory. After the creation of all groups it loops through all users and adds them to the created groups in the script's second function. This script helps you to maintain, for example, role-based access.
This script contains 3 functions:
1. Creating groups for all the unique job titles available.
2. Adding users with the same job title.
3. Removing users after a job title change.
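<#
.SYNOPSIS
    Dynamic ADGroup population with PowerShell.
.DESCRIPTION
    This script contains 3 functions:
    1. Creating groups for all the unique job titles available.
    2. Adding users with the same job title.
    3. Removing users after a job title change.

    Membership of the groups under $DynamicGroupOU is derived entirely from the
    user's Title attribute, so Title becomes an access-control input: whoever can
    write Title on a user object can move that user between role groups. Keep
    write access to Title limited to the provisioning process.
.PARAMETER <Parameter_Name>
    $DynamicGroupOU = "OU=Functions,OU=Company,OU=Contoso,DC=contoso,DC=com"
    $GroupScope = "global"
    $logfile = "C:\Temp\Joblog.log"
.INPUTS
    CreateNewJobTitleGroups -usersWithJobTitle $usersWithJobTitle -DynamicGroupOU $DynamicGroupOU -GroupScope $GroupScope
    AddUsersJobTitleGroups -DynamicGroupOU $DynamicGroupOU
    RemoveUsersJobTitleGroups -DynamicGroupOU $DynamicGroupOU
.OUTPUTS
    Log file stored at the path held in $logfile (C:\Temp\Joblog.log in this script).
.NOTES
    Version: 1.0
    Author: Rob Verhees
    Creation Date: 16-11-2018
    Purpose/Change: Initial script development
#>

#######################################
# Append one timestamped line to the log file, or emit it on stdout when
# no -logfile is given.
# Arguments: -Level   one of INFO/WARN/ERROR/FATAL/DEBUG (default INFO)
#            -Message text to log; may be empty (exception messages sometimes are)
#            -logfile path appended to with Add-Content; optional
#######################################
Function Write-Log {
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$False)]
        [ValidateSet("INFO","WARN","ERROR","FATAL","DEBUG")]
        [String] $Level = "INFO",
        # AllowEmptyString: a mandatory [string] rejects "" at binding time, which
        # would turn an empty $_.Exception.Message into a second, unrelated error.
        [Parameter(Mandatory=$True)]
        [AllowEmptyString()]
        [string] $Message,
        [Parameter(Mandatory=$False)]
        [string] $logfile
    )
    $Stamp = (Get-Date).ToString("yyyy/MM/dd HH:mm:ss")
    $Line = "$Stamp $Level $Message"
    If ($logfile) {
        Add-Content -Path $logfile -Value $Line
    } Else {
        Write-Output $Line
    }
}

#######################################
# Create one group per distinct job title that does not yet exist under
# $DynamicGroupOU. Failures are logged, not thrown.
# Arguments: -usersWithJobTitle ADUser objects carrying a Title property
#            -DynamicGroupOU    DN the groups are created in (and searched in)
#            -GroupScope        value passed to New-ADGroup -GroupScope
# Globals:   $logfile (read, script scope)
#######################################
Function CreateNewJobTitleGroups {
    Param(
        $usersWithJobTitle,
        $DynamicGroupOU,
        $GroupScope
    )
    # Distinct, non-blank titles. Sort-Object -Unique compares case-insensitively,
    # which matches how AD compares group names.
    $UniqueJobGroups = $usersWithJobTitle |
        ForEach-Object { $_.Title } |
        Where-Object { -not [string]::IsNullOrWhiteSpace($_) } |
        Sort-Object -Unique

    # One directory query for the existing names instead of one per title.
    # Hashtable keys are case-insensitive by default.
    $existingGroupNames = @{}
    Get-ADGroup -SearchBase $DynamicGroupOU -Filter * |
        ForEach-Object { $existingGroupNames[$_.Name] = $true }

    Foreach ($Unique in $UniqueJobGroups) {
        # Exact-name test. The previous -like comparison treated '*', '?' and '['
        # inside a title as wildcards, so a title such as "Admin*" would be reported
        # as already present whenever any "Admin..." group existed.
        if ($existingGroupNames.ContainsKey($Unique)) { continue }
        try {
            Write-Log -Level INFO -Message "Creating new group: $Unique" -logfile $logfile
            # -ErrorAction Stop so provider errors (invalid characters, name too
            # long, duplicate sAMAccountName) reach the Catch block below.
            New-ADGroup -GroupScope $GroupScope -Path $DynamicGroupOU -Name $Unique -ErrorAction Stop
        } Catch {
            Write-Log -Level ERROR -Message "Failed to create group: $Unique" -logfile $logfile
            Write-Log -Level ERROR -Message $_.Exception.Message -logfile $logfile
        }
    }
}

#######################################
# Add every enabled user whose Title equals a group's Name to that group,
# skipping users that are already members.
# Arguments: -DynamicGroupOU DN searched for the job-title groups
# Globals:   $logfile (read, script scope)
#######################################
function AddUsersJobTitleGroups {
    Param (
        $DynamicGroupOU
    )
    # Fetch enabled users with a Title once and index them by title; the previous
    # version re-read every user in the domain for every group.
    $usersByTitle = @{}
    Get-ADUser -Filter 'Enabled -eq $true -and Title -like "*"' -Properties sAMAccountName, Title |
        ForEach-Object {
            if ([string]::IsNullOrWhiteSpace($_.Title)) { return }
            if (-not $usersByTitle.ContainsKey($_.Title)) { $usersByTitle[$_.Title] = @() }
            $usersByTitle[$_.Title] += $_
        }

    $adGroups = Get-ADGroup -SearchBase $DynamicGroupOU -Filter *
    foreach ($adGroup in $adGroups) {
        if (-not $usersByTitle.ContainsKey($adGroup.Name)) { continue }

        # Current membership as a GUID set, read once per group rather than once per
        # candidate user. NOTE(review): Get-ADGroupMember is subject to the web
        # service's member-count limit on very large groups — confirm for this domain.
        $memberGuids = @{}
        Get-ADGroupMember -Identity $adGroup |
            ForEach-Object { $memberGuids[[string]$_.ObjectGUID] = $true }

        foreach ($adRoleMember in $usersByTitle[$adGroup.Name]) {
            if ($memberGuids.ContainsKey([string]$adRoleMember.ObjectGUID)) { continue }
            Write-Log -Level INFO -Message "Adding new member: $($adRoleMember.Name) to $($adGroup.Name)" -logfile $logfile
            Try {
                Add-ADGroupMember -Identity $adGroup -Members $adRoleMember -ErrorAction Stop
            } Catch {
                Write-Log -Level ERROR -Message $_.Exception.Message -logfile $logfile
            }
        }
    }
}

#######################################
# Remove members whose Title no longer equals the group Name, and members
# whose account is disabled. Non-user members are left alone and logged.
# Arguments: -DynamicGroupOU DN searched for the job-title groups
# Globals:   $logfile (read, script scope)
#######################################
function RemoveUsersJobTitleGroups {
    Param (
        $DynamicGroupOU
    )
    $adGroups = Get-ADGroup -SearchBase $DynamicGroupOU -Filter *
    foreach ($adGroup in $adGroups) {
        $currentAdGroupMembers = Get-ADGroupMember -Identity $adGroup
        foreach ($currentAdGroupMember in $currentAdGroupMembers) {
            # A nested group or computer object is a valid member but not an ADUser;
            # calling Get-ADUser on its GUID would throw outside any Try block and
            # abort the whole run.
            if ($currentAdGroupMember.objectClass -ne 'user') {
                Write-Log -Level WARN -Message "Skipping non-user member: $($currentAdGroupMember.name) in $($adGroup.Name)" -logfile $logfile
                continue
            }

            # One lookup per member (previously two) that returns both attributes the
            # decision needs; Enabled is part of Get-ADUser's default property set.
            try {
                $adUser = Get-ADUser -Identity $currentAdGroupMember.objectGUID.guid -Properties Title -ErrorAction Stop
            } catch {
                Write-Log -Level ERROR -Message "Cannot read user $($currentAdGroupMember.name): $($_.Exception.Message)" -logfile $logfile
                continue
            }

            $reason = $null
            if ($adUser.Title -ne $adGroup.Name) {
                $reason = "Removing: $($currentAdGroupMember.name) because JobTitle is changed"
            } elseif ($adUser.Enabled -eq $false) {
                $reason = "Removing Disabled User: $($currentAdGroupMember.name)"
            }
            # Title still matches and the account is enabled: nothing to do.
            if ($null -eq $reason) { continue }

            Write-Log -Level INFO -Message $reason -logfile $logfile
            Try {
                Remove-ADGroupMember -Identity $adGroup -Members $currentAdGroupMember -Confirm:$false -ErrorAction Stop
            } Catch {
                Write-Log -Level ERROR -Message $_.Exception.Message -logfile $logfile
            }
        }
    }
}

# ---- Script body -------------------------------------------------------------
# Filter server-side: only enabled accounts that have a Title set. This replaces a
# client-side Where-Object over every user in the domain.
$usersWithJobTitle = Get-ADUser -Filter 'Enabled -eq $true -and Title -like "*"' -Properties sAMAccountName, Title
$DynamicGroupOU = "OU=Functions,OU=Company,OU=Contoso,DC=contoso,DC=com"
$GroupScope = "global"
# Read by the functions above through script scope.
$logfile = "C:\Temp\Joblog.log"

CreateNewJobTitleGroups -usersWithJobTitle $usersWithJobTitle -DynamicGroupOU $DynamicGroupOU -GroupScope $GroupScope
AddUsersJobTitleGroups -DynamicGroupOU $DynamicGroupOU
RemoveUsersJobTitleGroups -DynamicGroupOU $DynamicGroupOU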