From 4b0244468f154e86375ab2c66831aafc9207ab69 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B6rn=20Benouarets?=
Date: Wed, 16 Jul 2025 13:51:36 +0200
Subject: [PATCH] feat: Add script to add user to a local ad group with license check
---
 powershell/add-usertosubgroupwithlicense.ps1 | 58 ++++++++++++++------
 1 file changed, 42 insertions(+), 16 deletions(-)
diff --git a/powershell/add-usertosubgroupwithlicense.ps1 b/powershell/add-usertosubgroupwithlicense.ps1
index 710f677..25fffa4 100644
--- a/powershell/add-usertosubgroupwithlicense.ps1
+++ b/powershell/add-usertosubgroupwithlicense.ps1
@@ -1,29 +1,55 @@
-$dn = "DC=secnex,DC=local"
-# Object with all license and sub groups
+$user_name = "User" # Is the name of the user to add to the license and application group
+$application_group_name = "Application Group" # Is the name of security group which assigned application to user
+$domain = "secnex.local" # Is required for Add-ADGroupMember to work
+
+# Get the global catalog server
+Write-Host "🚀 Getting global catalog server..."
+$global_catelog = Get-ADDomainController -Discover -Service GlobalCatalog
+
+# Get the license groups
 $license_groups = @{
 "E3" = "Subgroup E3"
 "F3" = "Subgroup F3"
 }
-$application_group = "Application Group"
-$user = "User"
-# Check if user is member of one of the license groups
+# Get the application group
+Write-Host "🔎 Getting application group $($application_group_name)..."
+$application_group = Get-ADGroup -Filter 'GroupCategory -eq "Security" -and GroupScope -eq "DomainLocal" -and Name -eq $application_group_name' -Server $global_catelog -Properties Member
+
+# Get the user
+Write-Host "🔎 Getting user $($user_name)..."
+$user = Get-ADUser -Identity $user_name -Server $global_catelog
+
+# Check if user is member of license group
+$match = $false
 foreach ($license_group in $license_groups.Keys) {
- $user_is_member = Get-ADGroupMember -Identity $license_group -SearchBase $dn -Filter {SamAccountName -eq $user}
-
- if ($user_is_member) {
- Write-Host "User is already a member of the license group! Adding user to sub group..."
- Add-ADGroupMember -Identity $license_groups[$license_group] -Members $user -Confirm:$false
+ Write-Host "🔎 Checking if user $($user.Name) is member of license group $($license_group)..."
+ # Get the license group
+ $license_group_name = $license_groups[$license_group]
+ # Get the license group with properties
+ $license_group = Get-ADGroup -Filter 'GroupCategory -eq "Security" -and GroupScope -eq "DomainLocal" -and Name -eq $license_group_name' -Server $global_catelog -Properties Member
+ # Check if user is member of license group
+ if ($license_group.Member -contains $user.DistinguishedName) {
+ Write-Host "✅ User $($user.Name) is a member of license group $($license_group.Name)!"
+ $match = $true
+ break
 } else {
- Write-Host "User is not a member of the license group!"
- }
+ Write-Host "❌ User $($user.Name) is not a member of license group $($license_group.Name)!"
+ }
 }
 # Check if user is member of application group
-$user_is_member = Get-ADGroupMember -Identity $application_group -SearchBase $dn -Filter {SamAccountName -eq $user}
+if ($match) {
+ Write-Host "✅ User $($user.Name) is already a member of the license group!"
-if ($user_is_member) {
- Write-Host "User is already a member of the application group!"
+ # Check if user is member of application group
+ if ($application_group.Member -contains $user.DistinguishedName) {
+ Write-Host "✅ User $($user.Name) is already a member of the application group $($application_group.Name)"
+ } else {
+ Write-Host "❌ User $($user.Name) is not a member of the application group $($application_group.Name)! Adding user to application group..."
+ Add-ADGroupMember -Identity $application_group -Members $user -Confirm:$false -Server $domain
+ Write-Host "✅ User $($user.Name) added to application group $($application_group.Name)"
+ }
 } else {
- Write-Host "User is not a member of the application group! Adding user to application group..."
+ Write-Host "❌ User $($user.Name) is not a member of any license group! Please assign license to user manually."
 }
\ No newline at end of file
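Review bot: The license gate never checks that the three lookups returned anything before it compares `Member` against `$user.DistinguishedName`. If `Get-ADGroup -Filter` finds no license group, the loop prints "not a member" for a group that does not exist, and if the user lookup failed as well the test becomes `$null -contains $null`, which PowerShell evaluates to `$true`, so `$match` is set without any license membership (the later `Add-ADGroupMember` would then presumably fail on a null `-Members`, assuming `$ErrorActionPreference` is left at its default). I would stop early with `if (-not $user) { throw "User $user_name not found" }` after `Get-ADUser`, and use `if (-not $license_group) { Write-Warning "License group $license_group_name not found"; continue }` inside the loop, with the same check for `$application_group`. The loop also overwrites its own iteration variable `$license_group` with the group object; a separate name such as `$license_group_object` would keep the hashtable key and the AD object apart. Note also that `Member` lists direct members only, so a user licensed through a nested group is reported as unlicensed.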