0 votes

Hi Guys,
You probably already met with a similar problem in your organization. The Communications Department has dozens of distribution groups that need to be updated based on some mechanism. In my organization we use the attributes office and country. My current code looks like this:

For demonstration purposes let's say I have just 4 groups; in the "real world" we have more than 20.

    Import-Module Adaxes

    # Assumed value: host running the Adaxes service ($admService is used below but was not defined in the post)
    $admService = "localhost"

    $EveryoneEastUS = "Everyone East US"
    $EveryoneWestUS = "Everyone West US"
    # UK group names are assumed from the naming pattern above
    $EveryoneEastUK = "Everyone East UK"
    $EveryoneWestUK = "Everyone West UK"

In this place I just repeat the model below for all groups:

    # Get all current group members of the "Everyone East US"
    $group = Get-AdmGroup $EveryoneEastUS -AdaxesService $admService -Properties member
    $members = $group.member
    if ($members)
    {
        # Remove old users from the group
        Remove-AdmGroupMember $EveryoneEastUS -Members $members -Confirm:$false -AdaxesService $admService
    }

    # Add new group members to the "Everyone East US"
    Get-AdmUser -LDAPFilter '(&(objectClass=user)(&(physicalDeliveryOfficeName=East)(c=US)))' | Foreach-object {Add-AdmGroupMember $EveryoneEastUS -Confirm:$false -AdaxesService $admService -Member $_.DistinguishedName}

The main problem is that in each group there are several thousand users, and my script needs a lot of time to do the job.
Maybe you can share some better solution to achieve the same goal.

by (510 points)
0

Hello,

We've asked our script guys to have a look at this. We'll update you as soon as they come up with some ideas.

1 Answer

0 votes
by (215k points)
selected by
Best answer

Hello,

The best way to optimize your script is to reduce the number of operations in AD. Each call to AD can be a resource-intensive operation that takes up some time to complete.

We've come up with the following script that uses a smarter method to add/remove the group members. It doesn't remove/add all members at once, as your script does. The script gets the current members of the group and the user accounts that match the LDAP filter. Then, the script compares the two lists and removes / adds only those users who need to be added / removed. The script skips all users who are already members of the group and match the LDAP filter, which reduces the number of unnecessary calls to your AD.

The focal point of the script is the UpdateGroupMembers function. It actually does the whole job. You need to pass 3 parameters when calling the function:

  • $groupIdentity - identity of the group that you want to update,
  • $office - office name to be inserted in the LDAP filter,
  • $country - country code for the LDAP filter.

    Import-Module Adaxes

    $EveryoneEastUS = "Everyone East US"
    $EveryoneWestUS = "Everyone West US"
    # UK group names are assumed from the naming pattern above
    $EveryoneEastUK = "Everyone East UK"
    $EveryoneWestUK = "Everyone West UK"

    function UpdateGroupMembers($groupIdentity, $office, $country)
    {
        # Get current members, keyed by object GUID so lookups are hash-based
        $members = Get-AdmGroupMember -Identity $groupIdentity -AdaxesService localhost
        $currentMemberGuids = New-Object 'System.Collections.Generic.HashSet[Guid]'
        if ($members -ne $NULL)
        {
            $members | %{$currentMemberGuids.Add([Guid]$_.ObjectGUID) | Out-Null}
        }

        # Get users based on the LDAP filter (double quotes so $office and $country are expanded)
        $users = Get-AdmUser -LDAPFilter "(&(sAMAccountType=805306368)(&(physicalDeliveryOfficeName=$office)(c=$country)))" -AdaxesService localhost
        $usersToAdd = New-Object 'System.Collections.Generic.HashSet[Guid]'
        foreach ($user in $users)
        {
            $userGuid = [Guid]$user.ObjectGUID
            # Remove() returns $true if the user is already a member: nothing to do
            if ($currentMemberGuids.Remove($userGuid))
            {
                continue
            }

            $usersToAdd.Add($userGuid) | Out-Null
        }

        # Remove users who do not meet the requirement (whatever is still left in the set)
        if ($currentMemberGuids.Count -ne 0)
        {
            Remove-AdmGroupMember -Identity $groupIdentity -Members @($currentMemberGuids) -Confirm:$False -AdaxesService localhost
        }

        # Add new members
        if ($usersToAdd.Count -ne 0)
        {
            Add-AdmGroupMember -Identity $groupIdentity -Members @($usersToAdd) -Confirm:$False -AdaxesService localhost
        }
    }

    UpdateGroupMembers $EveryoneEastUS "East" "US"
    UpdateGroupMembers $EveryoneWestUS "West" "US"
    # The c attribute holds the ISO 3166 two-letter code, which is GB for the United Kingdom
    UpdateGroupMembers $EveryoneEastUK "East" "GB"
    UpdateGroupMembers $EveryoneWestUK "West" "GB"
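Added example (not code from the original answer or from the Adaxes project) that generalizes the delta approach above to a rule table for all groups and adds two safeguards a practitioner would want before running it against production AD: -WhatIf support so the computed delta can be reviewed without touching AD, and a refusal to proceed when the filter result would strip more than a configurable share of the group, which is what a mistyped filter or an LDAP query that returns nothing would otherwise do silently. The names Sync-GroupMembership, $groupRules and $MaxRemoveRatio, the localhost service name and the rule table values are assumptions; the Adm* cmdlets and their parameters are the ones used on this page.

```powershell
Import-Module Adaxes
# Constructed rule table: one row per group, so adding a group means adding a row, not code.
$groupRules = @(
    @{ Group = "Everyone East US"; Office = "East"; Country = "US" },
    @{ Group = "Everyone West US"; Office = "West"; Country = "US" },
    @{ Group = "Everyone East UK"; Office = "East"; Country = "GB" },   # c is the ISO 3166 code
    @{ Group = "Everyone West UK"; Office = "West"; Country = "GB" }
)

function Sync-GroupMembership {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string] $GroupIdentity,
        [Parameter(Mandatory)][string] $Office,
        [Parameter(Mandatory)][string] $Country,
        [string] $AdaxesService = "localhost",   # assumption: Adaxes service on this host
        [double] $MaxRemoveRatio = 0.5           # abort if more than this share would be removed
    )
    # Current members keyed by GUID, so membership tests are hash lookups.
    $current = New-Object 'System.Collections.Generic.HashSet[Guid]'
    foreach ($m in @(Get-AdmGroupMember -Identity $GroupIdentity -AdaxesService $AdaxesService)) {
        [void] $current.Add([Guid] $m.ObjectGUID)
    }
    $before = $current.Count
    # Double quotes so $Office and $Country are expanded into the filter.
    $filter = "(&(sAMAccountType=805306368)(physicalDeliveryOfficeName=$Office)(c=$Country))"
    $toAdd = New-Object 'System.Collections.Generic.HashSet[Guid]'
    foreach ($u in @(Get-AdmUser -LDAPFilter $filter -AdaxesService $AdaxesService)) {
        $g = [Guid] $u.ObjectGUID
        # Remove() is $true when the user is already a member; otherwise schedule an add.
        if (-not $current.Remove($g)) { [void] $toAdd.Add($g) }
    }
    # Everything still in $current no longer matches the filter. Safety check first:
    # an empty or mistyped filter result would otherwise empty a large group.
    if ($before -gt 0 -and ($current.Count / $before) -gt $MaxRemoveRatio) {
        Write-Warning "$GroupIdentity : refusing to remove $($current.Count) of $before members; check filter $filter"
        return
    }
    if ($current.Count -gt 0 -and $PSCmdlet.ShouldProcess($GroupIdentity, "remove $($current.Count) members")) {
        Remove-AdmGroupMember -Identity $GroupIdentity -Members @($current) -Confirm:$false -AdaxesService $AdaxesService
    }
    if ($toAdd.Count -gt 0 -and $PSCmdlet.ShouldProcess($GroupIdentity, "add $($toAdd.Count) members")) {
        Add-AdmGroupMember -Identity $GroupIdentity -Members @($toAdd) -Confirm:$false -AdaxesService $AdaxesService
    }
}

# Run with -WhatIf first to review the delta; drop it once the counts look right.
foreach ($r in $groupRules) {
    Sync-GroupMembership -GroupIdentity $r.Group -Office $r.Office -Country $r.Country -WhatIf
}
```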
0

Works like a charm :D
Guys you're awesome!

0

Hello,

Thank you for your good words. We really appreciate it! ;)
