0 votes

Hi Guys,
You probably already met with a similar problem in your organization. Communications Department has dozens of distribution groups, that need to be updtaed base on some mechanism. In my organization we use attribute office and country. My current code looks like this

For demonstration purposes let's say I have just 4 groups, in "real world" we have more then 20 ones.

Import-Module Adaxes

$EveryoneEastUS = "Everyone East US"
$EveryoneWestUS = "Everyone West US"
$EvetyoneEastUK = "Everyone West US"
$EvetyoneWestUK = "Everyone West US"

In this place I just repet below model for all groups

    # Get all current group members of the "Everyone East US"
    $group = Get-AdmGroup $EveryoneEastUS -AdaxesService $admService -Properties member
    $members = $group.member
    if ($members)
    {
        # Remove old users from the group
        Remove-AdmGroupMember $EveryoneEastUS -Members $members -Confirm:$false -AdaxesService $admService
    }

    # Add new group members to the "Everyone East US"
    Get-AdmUser -LDAPFilter '(&(objectClass=user)(&(physicalDeliveryOfficeName=East)(c=US)))' | Foreach-object {Add-AdmGroupMember $EveryoneEastUS -Confirm:$false -AdaxesService $admService -Member $_.DistinguishedName}

Main problem that in each group, there are several thousand of users and my script need a lot of time to do the job.
Maybe you can share some better solution to achieve same goal.

by (510 points)
0

Hello,

We've asked our script guys to have a look at this. We'll update you as soon as they come up with some ideas.

1 Answer

0 votes
by (215k points)
selected by
Best answer

Hello,

The best way to optimize your script is to reduce the number of operations in AD. Each call to AD can be a resource-intensive operation that takes up some time to complete.

We've come up with the following script that uses a smarter method to add/remove the group members. It doesn't remove/add all members at once, as your script does. The script gets the current members of the group and the user accounts that match the LDAP filter. Than, the script compares the two lists and removes / adds only those users who need to be added / removed. The script skips all users who are already members of the group and match the LDAP filter, which reduces the number of unnecessary calls to your AD.

The focal point of the script is the UpdateGroupMembers function. It actually does the whole job. You need to pass 3 parameters when calling the function:

  • $groupIdentity - identity of the group that you want to update,
  • $office - office name to be inserted in the LDAP filter,
  • $country - country code for the LDAP filter.
Import-module Adaxes

$EveryoneEastUS = "Everyone East US"
$EveryoneWestUS = "Everyone West US"
$EvetyoneEastUK = "Everyone West US"
$EvetyoneWestUK = "Everyone West US"

function UpdateGroupMembers($groupIdentity, $office, $country)
{
    # Get current members
    $members = Get-AdmGroupMember -Identity $groupIdentity -AdaxesService localhost
    $currentMemberGuids = New-Object 'System.Collections.Generic.HashSet[Guid]'
    if ($members -ne $NULL)
    {
        $members | %{$currentMemberGuids.Add([Guid]$_.ObjectGUID) | Out-Null}
    }

    # Get users baseŠ² on LDAP filter
    $users = Get-AdmUser -LDAPFilter '(&(sAMAccountType=805306368)(&(physicalDeliveryOfficeName=$office)(c=$country)))' -AdaxesService localhost
    $usersToAdd = New-Object 'System.Collections.Generic.HashSet[Guid]'
    foreach ($user in $users)
    {
        $userGuid = [Guid]$user.ObjectGUID
        if ($currentMemberGuids.Remove($userGuid))
        {
            continue
        }

        $usersToAdd.Add($userGuid) | Out-Null
    }

    # Remove users who do not meet the requirement
    if ($currentMemberGuids.Count -ne 0)
    {
        Remove-AdmGroupMember -Identity $groupIdentity -Members @($currentMemberGuids) -Confirm:$False -AdaxesService localhost
    }

    # Add new members
    if ($usersToAdd.Count -ne 0)
    {
        Add-AdmGroupMember -Identity $groupIdentity -Members @($usersToAdd) -Confirm:$False -AdaxesService localhost
    }
}

UpdateGroupMembers $EveryoneEastUS "East" "US"
UpdateGroupMembers $EveryoneWestUS "West" "US"
UpdateGroupMembers $EvetyoneEastUK "West" "US"
UpdateGroupMembers $EvetyoneWestUK "West" "US"
0

Works like a charm :D
Guys you're awesome!

0

Hello,

Thank you for your good words. We really appreciate it! ;)

Related questions

0 votes
1 answer

When I create a user from adaxes I also want it to be added to MS Teams groups. At this moment i create the account in adaxes after that i need to add this user in all groups that we have in MS Teams so i what to automate this when i create a new usuer.

asked Mar 29 by abisaigomezm (40 points)
0 votes
1 answer

Have a csv file of users that I need to import into Adaxes. I had initially found an article for this, but upon going today, it gave me an error (looks like it was deleted). Thank you

asked Nov 19 by wangl (20 points)
0 votes
0 answers

Hello, I am using this script found in the repository to remove the permissions for Adaxes service administrators from a newly provisioned user home directory: https://www. ... namespace, so the folder path is similar to \ \domain.domain.com\ServerName\Users

asked Nov 14 by GronTron (70 points)
0 votes
1 answer

If the user name submitted is "jhon doe" all of the users properties will be lower case. We want it to force it to be "Jhon Doe" even if it was submitted in lower case.

asked Aug 31 by raul.ramirez (150 points)
0 votes
1 answer

Hello, We have users who never log to AD on a workstation but only use Outlook OWA. The Exchange value Last Logon is not an AD attribute. How can we disabled these users after a certain amount of time of inactivites ? Thank you :) TB

asked Jan 25 by tentaal (1.1k points)
2,887 questions
2,606 answers
6,774 comments
121,344 users