PowerShell and Active Directory – Modify-Group-Membership

Another day, another handy-dandy PowerShell script.  I’m a System Administrator at Indiana University, and I find myself needing to modify group membership in Active Directory several times a day.  Unfortunately, I think Indiana University has one of the largest single-domain Active Directory implementations in the world, so simple tasks like adding a user to a group through the MMC ADUC snap-in (DSA.msc) can take 30 to 45 seconds (I know, it’s not that long, but I’ve never been known for my patience).  Enter PowerShell.  Using the function I’ve posted below, I can simply type “MGM -add -u joeuser -g joesgroup”, and Joe is in Joe’s group in 2 seconds or less, leaving me 28 seconds to come up with another PowerShell motto.  Here’s my latest try:  “PowerShell… adding years to your life, thirty seconds at a time.”

A couple of things to be aware of: the way I’ve written this script, it only handles user objects as members, and it doesn’t search for the user in AD, since all of ours live in one OU (the user’s DN is simply built from the account name and that OU).  If you have users in different OUs, you could modify the “User” section to make it look like the “Group” section, allowing both to be searched for in AD.  Also note that the group and user names go straight into an LDAP filter and a DN without any escaping, so this is a tool for an admin at the keyboard, not something to wire up to untrusted input.  I’m sure there are several other improvements that could be made as well.  This was simply the quickest way to get my repetitive task automated…

function Modify-Group-Membership ([string]$group, [string]$user, [switch]$add, [switch]$remove)
{

# ==============================================================================================
#
# PowerShell Source File
# NAME:           Modify-Group-Membership
# AUTHOR:         Janssen Jones
# DATE  :         1/20/2007
#
# COMMENT:    This function allows one to add or remove users from groups via the command line.
#             You can use a wildcard to select your group, so long as only one group is returned.
#             For example, if a group is BL-DSA-MYREALLYLONGGROUPNAME, you could use BL-DSA-MYREAL*
#             The group and user names are placed in an LDAP filter and a DN unescaped, so only
#             pass names you typed yourself.
#
# Loading:    dot-source the file so the function and its alias land in your session:
#             . .\Modify-Group-Membership.ps1
#
# Syntax:     Modify-Group-Membership (-add|-remove) -user username -group groupname
#             -a can be used in place of -add, -r for -remove, -u for -user, -g for -group
#
# Examples: Modify-Group-Membership -add -user joesmith -group BL-DSA-JOESGROUP
#           Modify-Group-Membership -r -u joesmith -g BL-DSA-JOESGROUP
# ==============================================================================================

### these variables are set to interact with the Active Directory at Indiana University - change to suit your organization
$OU = "OU=accounts"  ## This is the AD location of the "Users" OU. In our environment, all users are in this single OU.
$DC = "DC=ads,DC=iu,DC=edu"  ## This is the LDAP path to your AD Domain

### check the arguments before touching the directory: an empty $group would produce a malformed LDAP filter
if (-not $add -and -not $remove) { throw "Must specify -add or -remove switch. Routine will now exit" }
if ($add -and $remove) { throw "Specify only one of -add or -remove. Routine will now exit" }
if ($user -eq "") { throw "No user specified.  Specify user using -user 'username'. Routine will now exit" }
if ($group -eq "") { throw "No group specified.  Specify group using -group 'groupname'.  Routine will now exit" }

### search the Active Directory for the group.  The filter takes wildcards, so verify exactly one group came back.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=group)(cn=$group))"
$results = @($searcher.FindAll())

if ($results.Count -gt 1) { throw "More than one group found.  Please check group name." }
if ($results.Count -lt 1) { throw "Group not found.  Please check group name." }

$fqgroup = [ADSI]($results[0].Path)
$fquser = "CN=$user,$OU,$DC"  ## note: this is a plain DN, not an ADSI/LDAP path - an LDAP:// prefix will not work here
Write-Host "Matched group: $($fqgroup.distinguishedName)"  ## show which group the (possibly wildcarded) name resolved to

### one membership check serves both the add and the remove branch
$isMember = @($fqgroup.member) -contains $fquser

if ($add)
{
  if ($isMember)
  {Write-Host "User is already member of group.  No change made."}
  else
  {
  ## This section is the code that actually adds the user to the group
  [void]$fqgroup.member.Add($fquser)
  $fqgroup.SetInfo()
  }
}
else
{
  if (-not $isMember)
  {Write-Host "User is not a member of group.  No change made."}
  else
  {
  ## This section is the code that actually removes the user from the group
  $fqgroup.member.Remove($fquser)
  $fqgroup.SetInfo()
  }
}
}
## and finally, a quick alias to finish it off
Set-Alias MGM Modify-Group-Membership
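As an added example, not part of the original post, here is the improvement the post suggests (searching AD for the user as well) carried through with the checks a security-minded admin would want: the user is looked up by sAMAccountName instead of having a DN assembled from a fixed OU, both operator-supplied names are escaped per RFC 4515 before they reach the filter, the lookup insists on exactly one hit for user and group alike, and -WhatIf gives a dry run before the group is touched. The function names ConvertTo-LdapFilterValue, Find-AdObject and Set-AdGroupMember are this example’s own; it assumes PowerShell 2.0 or later on a domain-joined machine with rights to modify the group.

```powershell
# Added example, not the original script. Assumes PowerShell 2.0+ and a
# domain-joined session; the function names below are this example's own.

function ConvertTo-LdapFilterValue {
    # Escape a value for use inside an LDAP search filter (RFC 4515).
    # With -AllowWildcard a literal '*' is passed through, so the prefix
    # matching the original script relies on (BL-DSA-MYREAL*) still works.
    param([Parameter(Mandatory=$true)][string]$Value, [switch]$AllowWildcard)
    # Backslash first, so the escapes introduced below are not re-escaped.
    $escaped = $Value.Replace('\', '\5c').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
    if (-not $AllowWildcard) { $escaped = $escaped.Replace('*', '\2a') }
    return $escaped
}

function Find-AdObject {
    # Run an LDAP search against the default naming context and insist on
    # exactly one hit, so a wildcard can never silently select the wrong object.
    param([Parameter(Mandatory=$true)][string]$Filter)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = $Filter
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    $results = @($searcher.FindAll())
    if ($results.Count -ne 1) {
        throw "Expected exactly one object for filter $Filter, found $($results.Count)."
    }
    return $results[0]   # System.DirectoryServices.SearchResult
}

function Set-AdGroupMember {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param(
        [Parameter(Mandatory=$true)][string]$User,
        [Parameter(Mandatory=$true)][string]$Group,
        [switch]$Add,
        [switch]$Remove
    )
    if ($Add.IsPresent -eq $Remove.IsPresent) { throw 'Specify exactly one of -Add or -Remove.' }

    # Both operator-supplied strings are escaped before they reach the filter.
    # The user name may not carry a wildcard; the group name may.
    $userFilter  = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$(ConvertTo-LdapFilterValue $User)))"
    $groupFilter = "(&(objectCategory=group)(cn=$(ConvertTo-LdapFilterValue $Group -AllowWildcard)))"

    $userDn   = [string](Find-AdObject $userFilter).Properties['distinguishedname'][0]
    $groupObj = (Find-AdObject $groupFilter).GetDirectoryEntry()
    $groupDn  = [string]$groupObj.Properties['distinguishedname'][0]
    $isMember = @($groupObj.Properties['member']) -contains $userDn

    if ($Add) {
        if ($isMember) { Write-Host "$userDn is already a member of $groupDn. No change made."; return }
        # ShouldProcess returns $false under -WhatIf, so nothing is written.
        if ($PSCmdlet.ShouldProcess($groupDn, "Add member $userDn")) {
            [void]$groupObj.Properties['member'].Add($userDn)
            $groupObj.CommitChanges()
        }
    }
    else {
        if (-not $isMember) { Write-Host "$userDn is not a member of $groupDn. No change made."; return }
        if ($PSCmdlet.ShouldProcess($groupDn, "Remove member $userDn")) {
            $groupObj.Properties['member'].Remove($userDn)
            $groupObj.CommitChanges()
        }
    }
}

# Escaping check on constructed input; this part needs no directory at all.
ConvertTo-LdapFilterValue 'BL-DSA-MYREAL*' -AllowWildcard
ConvertTo-LdapFilterValue '*)(objectCategory=*'

# Dry run, then the real change (both need a domain-joined session with rights on the group):
# Set-AdGroupMember -User joesmith -Group 'BL-DSA-MYREAL*' -Add -WhatIf
# Set-AdGroupMember -User joesmith -Group 'BL-DSA-MYREAL*' -Add
```

The two escaping calls show the point of the helper: the wildcarded group name passes through untouched, while the second string, which would otherwise close the cn clause and widen the filter to every group, comes back with its parentheses and asterisks rendered as \28, \29 and \2a so the directory treats them as literal characters. Because Find-AdObject rejects anything but a single hit, a prefix that happens to match two groups stops the function rather than picking one of them.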

Silencing a chassis intrusion alert with Powershell

OK, how many times has this happened to you, oh helpdesk worker:

<RING><RING>…Helpdesk, how can I help? … Yeah, I’ve got this popup that says "chassis intrusion detected", and it keeps popping up every 30 minutes.  If it doesn’t go away soon, I’m going to quit my job, and file a lawsuit… No problem, we’ll send someone over right away to fix it… Thirty minutes later, someone arrives on the scene, shuts the computer off, starts up into the BIOS, and flips the intrusion flag, restarts the computer, and then heads back. 

OK, so maybe that’s never happened to you, but if it has, you’ll appreciate the ease with which you can silence the alert and the customer before they hang up the phone.  Assuming you are working with a Dell desktop (and many corporate helpdesks are), all you need is Dell’s OMCI (OpenManage Client Instrumentation) software installed on the client and PowerShell on your desktop; the change goes over WMI, so you also need administrative rights on the remote machine.  You can complete said task in 20 seconds with three lines of code:

$WMI = Get-WmiObject -ComputerName computername -Namespace "root/DellOMCI" -Class Dell_SMBIOSSettings
$WMI.ChassisIntrusionStatus = "5"
$WMI.Put()

There you have it!  One of the many difficult tasks made simple with PowerShell!  One word of caution before you make this a reflex: the intrusion flag is the only record that the case was opened.  Find out why it tripped (a technician, a memory upgrade, or someone who had no business inside the box) and note who cleared it, rather than resetting it every time the phone rings.
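Added example, not from the original post: the same three lines wrapped in a function that reads the flag before writing it, honours -WhatIf and -Confirm, re-reads the value afterwards to confirm the write took, and leaves an audit line behind. The namespace, class and property names are the ones used above; the value 5 is taken from the post and is not interpreted here. The function name Reset-DellChassisIntrusion and the default log path are this example’s own assumptions; it needs OMCI on the target, a single Dell_SMBIOSSettings instance there (as the post assumes), and administrative rights on that machine.

```powershell
# Added example, not the original post's code. Function name and log path
# are assumptions; namespace, class, property and the value 5 come from the post.
function Reset-DellChassisIntrusion {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param(
        [Parameter(Mandatory=$true)][string]$ComputerName,
        [System.Management.Automation.PSCredential]$Credential,
        [string]$LogPath = "$env:TEMP\chassis-intrusion-resets.log"
    )
    $wmiArgs = @{
        ComputerName = $ComputerName
        Namespace    = 'root/DellOMCI'
        Class        = 'Dell_SMBIOSSettings'
    }
    if ($Credential) { $wmiArgs['Credential'] = $Credential }

    # Read first: the current value is what you want in the log.
    $settings = Get-WmiObject @wmiArgs
    if (-not $settings) { throw "No Dell_SMBIOSSettings instance on $ComputerName (is OMCI installed?)" }
    $before = $settings.ChassisIntrusionStatus

    # ShouldProcess returns $false under -WhatIf, so the flag is left alone.
    if ($PSCmdlet.ShouldProcess($ComputerName, "Set ChassisIntrusionStatus from $before to 5")) {
        $settings.ChassisIntrusionStatus = "5"
        [void]$settings.Put()
        # Re-read to confirm the write actually took effect on the client.
        $after = (Get-WmiObject @wmiArgs).ChassisIntrusionStatus
        # Keep a record: the intrusion flag is the only evidence the case was opened.
        $line = "{0:u} {1} cleared intrusion on {2}: {3} -> {4}" -f (Get-Date), $env:USERNAME, $ComputerName, $before, $after
        Add-Content -Path $LogPath -Value $line
        return $after
    }
}

# Dry run first, then the real thing (both need a reachable Dell client with OMCI):
# Reset-DellChassisIntrusion -ComputerName computername -WhatIf
# Reset-DellChassisIntrusion -ComputerName computername
```

Running it with -WhatIf prints the intended change and touches nothing, which is the cheapest way to confirm you are pointed at the right machine before you clear the flag; the returned value is the status as re-read from the client, not the value you asked for.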