0 votes

Hi Guys,
You have probably already met with a similar problem in your organization. The Communications Department has dozens of distribution groups that need to be updated based on some mechanism. In my organization we use the attributes office and country. My current code looks like this:

For demonstration purposes let's say I have just 4 groups; in the "real world" we have more than 20.

    Import-Module Adaxes

    $EveryoneEastUS = "Everyone East US"
    $EveryoneWestUS = "Everyone West US"
    $EvetyoneEastUK = "Everyone West US"
    $EvetyoneWestUK = "Everyone West US"

At this point I just repeat the model below for all groups:

    # Get all current group members of the "Everyone East US"
    $group = Get-AdmGroup $EveryoneEastUS -AdaxesService $admService -Properties member
    $members = $group.member
    if ($members)
    {
        # Remove old users from the group
        Remove-AdmGroupMember $EveryoneEastUS -Members $members -Confirm:$false -AdaxesService $admService
    }

    # Add new group members to the "Everyone East US"
    Get-AdmUser -LDAPFilter '(&(objectClass=user)(&(physicalDeliveryOfficeName=East)(c=US)))' | Foreach-object {Add-AdmGroupMember $EveryoneEastUS -Confirm:$false -AdaxesService $admService -Member $_.DistinguishedName}

The main problem is that in each group there are several thousand users and my script needs a lot of time to do the job.
Maybe you can share a better solution to achieve the same goal.

by (510 points)
0

Hello,

We've asked our script guys to have a look at this. We'll update you as soon as they come up with some ideas.

1 Answer

0 votes
by (216k points)
selected by
Best answer

Hello,

The best way to optimize your script is to reduce the number of operations in AD. Each call to AD can be a resource-intensive operation that takes up some time to complete.

We've come up with the following script that uses a smarter method to add/remove the group members. It doesn't remove/add all members at once, as your script does. The script gets the current members of the group and the user accounts that match the LDAP filter. Then, the script compares the two lists and removes / adds only those users who need to be added / removed. The script skips all users who are already members of the group and match the LDAP filter, which reduces the number of unnecessary calls to your AD.

The focal point of the script is the UpdateGroupMembers function. It actually does the whole job. You need to pass 3 parameters when calling the function:

  • $groupIdentity - identity of the group that you want to update,
  • $office - office name to be inserted in the LDAP filter,
  • $country - country code for the LDAP filter.

    Import-Module Adaxes

    $EveryoneEastUS = "Everyone East US"
    $EveryoneWestUS = "Everyone West US"
    $EvetyoneEastUK = "Everyone West US"
    $EvetyoneWestUK = "Everyone West US"

    function UpdateGroupMembers($groupIdentity, $office, $country)
    {
        # Get current members
        $members = Get-AdmGroupMember -Identity $groupIdentity -AdaxesService localhost
        $currentMemberGuids = New-Object 'System.Collections.Generic.HashSet[Guid]'
        if ($members -ne $NULL)
        {
            $members | %{$currentMemberGuids.Add([Guid]$_.ObjectGUID) | Out-Null}
        }

        # Get users based on LDAP filter
        # (double quotes are required so that $office and $country are expanded)
        $users = Get-AdmUser -LDAPFilter "(&(sAMAccountType=805306368)(&(physicalDeliveryOfficeName=$office)(c=$country)))" -AdaxesService localhost
        $usersToAdd = New-Object 'System.Collections.Generic.HashSet[Guid]'
        foreach ($user in $users)
        {
            $userGuid = [Guid]$user.ObjectGUID
            # Already a member and still matching: drop from the removal set and skip
            if ($currentMemberGuids.Remove($userGuid))
            {
                continue
            }

            $usersToAdd.Add($userGuid) | Out-Null
        }

        # Remove users who do not meet the requirement
        # (whatever is left in $currentMemberGuids no longer matches the filter)
        if ($currentMemberGuids.Count -ne 0)
        {
            Remove-AdmGroupMember -Identity $groupIdentity -Members @($currentMemberGuids) -Confirm:$False -AdaxesService localhost
        }

        # Add new members
        if ($usersToAdd.Count -ne 0)
        {
            Add-AdmGroupMember -Identity $groupIdentity -Members @($usersToAdd) -Confirm:$False -AdaxesService localhost
        }
    }

    UpdateGroupMembers $EveryoneEastUS "East" "US"
    UpdateGroupMembers $EveryoneWestUS "West" "US"
    UpdateGroupMembers $EvetyoneEastUK "West" "US"
    UpdateGroupMembers $EvetyoneWestUK "West" "US"

0

Works like a charm :D
Guys you're awesome!

0

Hello,

Thank you for your good words. We really appreciate it! ;)
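
The compare-then-apply step from the answer above, as an added example that is not part of the original thread and not Adaxes's own code: it computes the add/remove sets from two GUID lists without touching AD, refuses to continue when most of the group would be removed (which is what happens if the filter matches nothing), and escapes values before they are placed in the LDAP filter. The function names, the 0.5 threshold and the sample values are assumptions.

```powershell
# Added example: plans a sync offline; it makes no Adaxes or AD calls.
function ConvertTo-LdapFilterValue([string]$Value)
{
    # RFC 4515: \ * ( ) and NUL must be written as \XX hex pairs
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Value.ToCharArray())
    {
        if (('\*()'.IndexOf($ch) -ge 0) -or ([int]$ch -eq 0))
        {
            [void]$sb.AppendFormat('\{0:x2}', [int]$ch)
        }
        else { [void]$sb.Append($ch) }
    }
    $sb.ToString()
}

function Get-MembershipPlan
{
    # MaxRemovalRatio is a hypothetical safety threshold, not an Adaxes setting
    param([Guid[]]$CurrentMembers, [Guid[]]$MatchingUsers, [double]$MaxRemovalRatio = 0.5)

    $current = New-Object 'System.Collections.Generic.HashSet[Guid]'
    foreach ($g in $CurrentMembers) { [void]$current.Add($g) }
    $desired = New-Object 'System.Collections.Generic.HashSet[Guid]'
    foreach ($g in $MatchingUsers) { [void]$desired.Add($g) }

    # Users in both sets need no AD call at all
    $toAdd = @($desired | Where-Object { -not $current.Contains($_) })
    $toRemove = @($current | Where-Object { -not $desired.Contains($_) })

    # Guard: an empty or broken filter result would otherwise empty the group
    if ($current.Count -gt 0 -and ($toRemove.Count / $current.Count) -gt $MaxRemovalRatio)
    {
        throw "Refusing to remove $($toRemove.Count) of $($current.Count) members"
    }
    [pscustomobject]@{ ToAdd = $toAdd; ToRemove = $toRemove }
}

# Constructed sample data: random GUIDs stand in for ObjectGUID values
$a, $b, $c, $d = 1..4 | ForEach-Object { [Guid]::NewGuid() }
$plan = Get-MembershipPlan -CurrentMembers $a, $b, $c -MatchingUsers $b, $c, $d
"add: $($plan.ToAdd.Count), remove: $($plan.ToRemove.Count)"

# Double-quoted filter, so the escaped values are actually expanded
$office = ConvertTo-LdapFilterValue 'East (HQ)'
$country = ConvertTo-LdapFilterValue 'US'
"(&(sAMAccountType=805306368)(physicalDeliveryOfficeName=$office)(c=$country))"
```

The `ToAdd` and `ToRemove` arrays can be passed to the `-Members` parameter of `Add-AdmGroupMember` and `Remove-AdmGroupMember` exactly as the answer's script does with its two hash sets.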
