因管理需要,計劃將現有的 Serv-U 服務改爲 AD + IIS + FTP + NTFS 架構,因此需要在 AD 中新建對應羣組並添加用戶。
爲提高效率、減少重複工作,編寫了一個批量新增羣組及添加用戶的腳本,以下爲測試環境。
=INDEX(A:A,SMALL(IF($B$2:$B$200="Sam",ROW($2:$200),4^8),ROW(A1)))&""
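# Bulk-create AD groups from ngs.csv and fill each one from the column of
# nus.csv that carries the same name (one column per group, one account per cell).
Import-Module ActiveDirectory

$ngroups = Import-Csv C:\Data\ngs.csv
$nusers  = Import-Csv C:\Data\nus.csv

foreach ($ngroup in $ngroups) {
    # Create the group
    $groupParams = @{
        Name           = $ngroup.name
        SamAccountName = $ngroup.name
        GroupCategory  = $ngroup.GroupCategory
        GroupScope     = $ngroup.Groupscope
        Path           = $ngroup.path
        Description    = $ngroup.description
        PassThru       = $true
    }
    New-ADGroup @groupParams

    # Copy the CSV 'info' column into the group's info attribute.
    Get-ADGroup -Identity $ngroup.name | Set-ADGroup -Replace @{ info = $ngroup.info }

    # Add members. Shorter columns are padded with empty cells, so drop those.
    # NOTE(review): names are taken from the CSV as-is; these groups presumably
    # gate FTP/NTFS access, so confirm every account exists and is enabled
    # before granting membership.
    $members = @($nusers.($ngroup.name) | Where-Object { $_ -ne '' })
    if ($members.Count -gt 0) {
        Add-ADGroupMember -Identity $ngroup.name -Members $members -PassThru
    }
    else {
        # -Members rejects an empty list; report the empty column instead of erroring.
        Write-Warning "No members listed for group $($ngroup.name); nothing added."
    }
}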
name,path,groupcategory,groupscope,description,info ftp-ops-w,"OU=FTP,OU=Group,DC=lxy,DC=lin",Security,Global,"ip/ftp/ops/","DRI:xx,TEL:xx" ftp-ops-r,"OU=FTP,OU=Group,DC=lxy,DC=lin",Security,Global,"ip/ftp/ops/","DRI:xx,TEL:xx" ftp-dba-w,"OU=FTP,OU=Group,DC=lxy,DC=lin",Security,Global,"ip/ftp/dba/","DRI:xx,TEL:xx" ftp-dba-r,"OU=FTP,OU=Group,DC=lxy,DC=lin",Security,Global,"ip/ftp/dba/","DRI:xx,TEL:xx"
ftp-ops-w,ftp-ops-r,ftp-dba-w,ftp-dba-r user01,user02,user03,user04 user05,,user06,user07 user08,,user09,
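# Create ten enabled test accounts (USER1 .. USER10) in the test OU.
Import-Module ActiveDirectory

# Ask for the initial password at run time instead of embedding it in the script:
# a literal password in a script file is readable by anyone who can read the file
# and travels with every copy of it (source control, backups, published posts).
# All ten accounts still share this one value, so treat it as a lab-only password
# and set individual passwords before the accounts are used anywhere else.
$initialPassword = Read-Host -Prompt 'Initial password for the test accounts' -AsSecureString

foreach ($num in 1..10) {
    $user = 'USER' + $num
    New-ADUser $user -Path "OU=Test,DC=iku,DC=lxy" -Enabled:$true -AccountPassword $initialPassword
}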
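# Pre-flight check for the membership CSV: collect, as "user@group" entries,
# every listed account that is disabled or that does not exist in AD.
$newusers  = Import-Csv .\nu.csv
$newgroups = Import-Csv .\ng.csv

# Lists that hold the non-existent accounts and the disabled (departed) accounts
$array_error_user    = New-Object -TypeName System.Collections.ArrayList
$array_disabled_user = New-Object -TypeName System.Collections.ArrayList

foreach ($newgroup in $newgroups) {
    $newuser = ($newusers.($newgroup.name) | Where-Object { $_ -ne '' })
    foreach ($user in $newuser) {
        $entry = $user + '@' + ($newgroup.name)
        try {
            $account = Get-ADUser $user -ErrorAction Stop
        }
        catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
            # Only a "not found" answer counts as a missing account. Any other
            # failure (domain controller unreachable, access denied, ...) is left
            # uncaught and stops the run, so an outage is never reported as
            # "these users do not exist" and then acted on.
            [void]$array_error_user.Add($entry)
            continue
        }

        # Per the original author: by default only the accounts of people who
        # have left are disabled.
        if ($account.Enabled -eq $false) {
            # [void] discards the index that ArrayList.Add() returns, which would
            # otherwise be written to the output.
            [void]$array_disabled_user.Add($entry)
        }
    }
}

echo "The following user is disabled :"$array_disabled_user
echo "The following user does not exist :"$array_error_user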
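# Step 1: put the reported "user@group" entries into user.error, one per line,
# then strip the "@group" suffix so that only the account name remains:
#
#   vi user.error
#     xx
#     xxx
#     xx
#   :%s/@.*//g
#
# Step 2: save the script below as deluser.sh (vi deluser.sh).

#!/bin/bash
# deluser.sh - blank out every account listed in user.error from nu.csv.
#
# Names are compared with whole CSV cells. Substituting the name into a sed
# pattern would treat it as a regular expression and match inside longer
# names, so removing "user1" would also turn "user10" into "0" and leave a
# different account name in the membership list.
# Assumes plain comma-separated cells without quoting, as in the sample nu.csv.
set -euo pipefail

readonly names_file=user.error
readonly csv_file=nu.csv

tmp_file=$(mktemp) || exit 1
trap 'rm -f -- "$tmp_file"' EXIT

awk -F, -v OFS=, '
  # First file: collect the names to remove (tolerates CRLF line endings).
  # FILENAME is tested instead of NR == FNR so that an empty user.error
  # cannot make the CSV rows look like part of the first file.
  FILENAME == ARGV[1] {
    sub(/\r$/, "")
    if ($0 != "") drop[$0] = 1
    next
  }
  # The header row holds group names, not accounts: leave it untouched.
  FNR > 1 {
    for (i = 1; i <= NF; i++) {
      cell = $i
      eol = sub(/\r$/, "", cell) ? "\r" : ""
      if (cell in drop) $i = eol
    }
  }
  { print }
' "$names_file" "$csv_file" > "$tmp_file"

# Write the result back into the existing file (keeps its permissions).
cat -- "$tmp_file" > "$csv_file"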
# Load the group definitions and the per-group member columns.
$ngroups = Import-Csv -Path C:\Data\ngs.csv
$nusers  = Import-Csv -Path C:\Data\nus.csv
# version1
foreach ($ngroup in $ngroups) {
    # Collect the New-ADGroup arguments in a hashtable and splat them.
    $createArgs = @{
        Name           = $ngroup.name
        SamAccountName = $ngroup.name
        GroupCategory  = $ngroup.GroupCategory
        GroupScope     = $ngroup.Groupscope
        Path           = $ngroup.path
        PassThru       = $true
    }
    New-ADGroup @createArgs

    # Copy the CSV 'info' column into the group's info attribute.
    Get-ADGroup -Identity $ngroup.name | Set-ADGroup -Replace @{ info = $ngroup.info }
}

# version2
# Adds a check for whether the group already exists.
$ngroups = Import-Csv D:\PS\NewGroup\201807\ng.csv -Encoding Unicode
foreach ($ngroup in $ngroups) {
    $drop = Get-ADGroup $ngroup.name
    # $? has to be read immediately after the lookup; it is false when the
    # lookup failed.
    $return = $?

    # Create the group only when the lookup did not succeed.
    if (-not $return) {
        $createArgs = @{
            Name           = $ngroup.name
            SamAccountName = $ngroup.name
            GroupCategory  = $ngroup.groupcategory
            GroupScope     = $ngroup.groupscope
            Path           = $ngroup.path
            Description    = $ngroup.description
        }
        New-ADGroup @createArgs
        Get-ADGroup $ngroup.name | Set-ADGroup -Replace @{ info = $ngroup.info }
    }
}
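# Add the accounts listed in each group's CSV column to that group.
foreach ($ngroup in $ngroups) {
    # Shorter columns are padded with empty cells, so drop those.
    $members = @($nusers.($ngroup.name) | Where-Object { $_ -ne '' })
    if ($members.Count -gt 0) {
        Add-ADGroupMember -Identity $ngroup.name -Members $members -PassThru
    }
    else {
        # -Members rejects an empty list; report the empty column instead of erroring.
        Write-Warning "No members listed for group $($ngroup.name); nothing added."
    }
}

<# Console transcript from the original page, showing the count of non-empty
   cells in one column:

PS C:\Users\Administrator> ($nusers.'ftp-dba-r' | Where-Object {$_ -ne ''}).count
3

---nu.csv
ftp-ops-w,ftp-ops-r,ftp-dba-w,ftp-dba-r
user1,user2,user3,user4,
user5,,user6,user7,
user8,,user9,,
---

PS C:\> ($nusers.'ftp-dba-r' | Where-Object {$_ -ne ''}).count
2
#>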
# List the members of every group as (group, name) pairs.
foreach ($ngroup in $ngroups) {
    # Calculated columns: the group being listed and the member's name.
    $groupColumn = @{ name = 'group'; expression = { $ngroup.name } }
    $nameColumn  = @{ name = 'name';  expression = { $_.name } }
    Get-ADGroupMember -Identity $ngroup.name | Select-Object $groupColumn, $nameColumn
}

<# Output shown on the original page:

group     name
-----     ----
ftp-ops-w USER1
ftp-ops-w USER5
ftp-ops-w USER8
ftp-ops-r USER2
ftp-dba-w USER3
ftp-dba-w USER6
ftp-dba-w USER9
ftp-dba-r USER4
ftp-dba-r USER7
#>
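# Remove every current member from each group listed in $ngroups.
foreach ($ngroup in $ngroups) {
    $current = @(Get-ADGroupMember -Identity $ngroup.name)

    # -Members rejects an empty list, so a group that is already empty is skipped.
    if ($current.Count -eq 0) { continue }

    # -Confirm:$false is deliberately not passed: this revokes access for the
    # whole group, so the cmdlet's confirmation prompt is kept.
    Remove-ADGroupMember -Identity $ngroup.name -Members $current
}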
在使用過程中發現腳本的功能實現方式生硬,書寫格式並不規範,不便閱讀,因此做了更新。
# Consolidated script. Every section except the last is wrapped in <# ... #>
# and is therefore disabled. The last section opens with "#<", which is an
# ordinary line comment, so its code is the part that runs.
# NOTE(review): presumably a section is enabled by changing "<#" to "#<" - confirm.

# $ngroups = Import-Csv D:\PS\NewGroup\201807\ng.csv -Encoding Unicode

# Create the groups
<#
foreach ($ngroup in $ngroups) {
    $test = Get-ADGroup $ngroup.name
    $return = $?
    if ($return -eq $false){
        New-ADGroup -Name $ngroup.name -SamAccountName $ngroup.name -GroupCategory $ngroup.groupcategory -GroupScope $ngroup.groupscope -Path $ngroup.path -Description $ngroup.description
        Get-ADGroup $ngroup.name | Set-ADGroup -Replace @{info=$ngroup.info}
    }
}
#>

# Remove all group members
<#
foreach ($ngroup in $ngroups) {
    Remove-ADGroupMember -Identity $ngroup.name -Members (Get-ADGroupMember -Identity $ngroup.name)
}
#>

# List group members
<#
foreach ($ngroup in $ngroups) {
    Get-ADGroupMember -Identity $ngroup.name | select @{name='group';expression={$ngroup.name}},@{name='name';expression={$_.name}}
}
#>

# $ngroups = Import-Csv D:\PS\NewGroup\201807\ngw.csv
# $nusers = Import-Csv D:\PS\NewGroup\201807\nus.csv

# Add members
<#
foreach ($ngroup in $ngroups) {
    Add-ADGroupMember -Identity $ngroup.name -Members ($nusers.($ngroup.name) | Where-Object {$_ -ne ''} ) -PassThru -Confirm:$false
}
#>

# Count the users in each group
#<
[int]$sum = 0
# $re collects one (group, num) row per group; $sum accumulates the total.
$re =foreach ($ngroup in $ngroups){
    $user_num = (Get-ADGroupMember ($ngroup.name) | Where-Object {$_ -ne ''}).count
    $user_num | select @{name='group';ex={$ngroup.name}},@{name='num';ex={$user_num}}
    $sum += $user_num
}
echo $re
echo $sum
#>