[SOLVED]How to add a large bunch of users to several groups.

Question

Hi Guys,
You probably already met with a similar problem in your organization. Communications Department has dozens of distribution groups, that need to be updtaed base on some mechanism. In my organization we use attribute office and country. My current code looks like this

For demonstration purposes let's say I have just 4 groups, in "real world" we have more then 20 ones.

Import-Module Adaxes

$EveryoneEastUS = "Everyone East US"
$EveryoneWestUS = "Everyone West US"
$EvetyoneEastUK = "Everyone West US"
$EvetyoneWestUK = "Everyone West US"

In this place I just repet below model for all groups

    # Get all current group members of the "Everyone East US"
    $group = Get-AdmGroup $EveryoneEastUS -AdaxesService $admService -Properties member
    $members = $group.member
    if ($members)
    {
        # Remove old users from the group
        Remove-AdmGroupMember $EveryoneEastUS -Members $members -Confirm:$false -AdaxesService $admService
    }

    # Add new group members to the "Everyone East US"
    Get-AdmUser -LDAPFilter '(&(objectClass=user)(&(physicalDeliveryOfficeName=East)(c=US)))' | Foreach-object {Add-AdmGroupMember $EveryoneEastUS -Confirm:$false -AdaxesService $admService -Member $_.DistinguishedName}

Main problem that in each group, there are several thousand of users and my script need a lot of time to do the job.
Maybe you can share some better solution to achieve same goal.

Comments

Hello,

We've asked our script guys to have a look at this. We'll update you as soon as they come up with some ideas.

Answer 1

Hello,

The best way to optimize your script is to reduce the number of operations in AD. Each call to AD can be a resource-intensive operation that takes up some time to complete.

We've come up with the following script that uses a smarter method to add/remove the group members. It doesn't remove/add all members at once, as your script does. The script gets the current members of the group and the user accounts that match the LDAP filter. Than, the script compares the two lists and removes / adds only those users who need to be added / removed. The script skips all users who are already members of the group and match the LDAP filter, which reduces the number of unnecessary calls to your AD.

The focal point of the script is the UpdateGroupMembers function. It actually does the whole job. You need to pass 3 parameters when calling the function:

• $groupIdentity - identity of the group that you want to update,
• $office - office name to be inserted in the LDAP filter,
• $country - country code for the LDAP filter.

Import-module Adaxes

$EveryoneEastUS = "Everyone East US"
$EveryoneWestUS = "Everyone West US"
$EvetyoneEastUK = "Everyone West US"
$EvetyoneWestUK = "Everyone West US"

function UpdateGroupMembers($groupIdentity, $office, $country)
{
    # Get current members
    $members = Get-AdmGroupMember -Identity $groupIdentity -AdaxesService localhost
    $currentMemberGuids = New-Object 'System.Collections.Generic.HashSet[Guid]'
    if ($members -ne $NULL)
    {
        $members | %{$currentMemberGuids.Add([Guid]$_.ObjectGUID) | Out-Null}
    }

    # Get users baseв on LDAP filter
    $users = Get-AdmUser -LDAPFilter '(&(sAMAccountType=805306368)(&(physicalDeliveryOfficeName=$office)(c=$country)))' -AdaxesService localhost
    $usersToAdd = New-Object 'System.Collections.Generic.HashSet[Guid]'
    foreach ($user in $users)
    {
        $userGuid = [Guid]$user.ObjectGUID
        if ($currentMemberGuids.Remove($userGuid))
        {
            continue
        }

        $usersToAdd.Add($userGuid) | Out-Null
    }

    # Remove users who do not meet the requirement
    if ($currentMemberGuids.Count -ne 0)
    {
        Remove-AdmGroupMember -Identity $groupIdentity -Members @($currentMemberGuids) -Confirm:$False -AdaxesService localhost
    }

    # Add new members
    if ($usersToAdd.Count -ne 0)
    {
        Add-AdmGroupMember -Identity $groupIdentity -Members @($usersToAdd) -Confirm:$False -AdaxesService localhost
    }
}

UpdateGroupMembers $EveryoneEastUS "East" "US"
UpdateGroupMembers $EveryoneWestUS "West" "US"
UpdateGroupMembers $EvetyoneEastUK "West" "US"
UpdateGroupMembers $EvetyoneWestUK "West" "US"

Comments

Works like a charm :D
Guys you're awesome!

---

Hello,

Thank you for your good words. We really appreciate it! ;)