feat: Add script to add user to a local ad group with license check

2025-07-16 13:51:36 +02:00
parent be78b4327b
commit 4b0244468f
1 changed files with 42 additions and 16 deletions
--- a/powershell/add-usertosubgroupwithlicense.ps1
+++ b/powershell/add-usertosubgroupwithlicense.ps1
@@ -1,29 +1,55 @@
-$dn = "DC=secnex,DC=local"
+$user_name = "User" # Is the name of the user to add to the license and application group
-# Object with all license and sub groups
+$application_group_name = "Application Group" # Is the name of security group which assigned application to user
 $domain = "secnex.local" # Is required for Add-ADGroupMember to work
 # Get the global catalog server
 Write-Host "🚀 Getting global catalog server..."
 $global_catelog = Get-ADDomainController -Discover -Service GlobalCatalog
 # Get the license groups
 $license_groups = @{
    "E3" = "Subgroup E3"
    "F3" = "Subgroup F3"
 }
 $application_group = "Application Group"
 $user = "User"
-# Check if user is member of one of the license groups
+# Get the application group
 Write-Host "🔎 Getting application group $($application_group_name)..."
 $application_group = Get-ADGroup -Filter 'GroupCategory -eq "Security" -and GroupScope -eq "DomainLocal" -and Name -eq $application_group_name' -Server $global_catelog -Properties Member
 # Get the user
 Write-Host "🔎 Getting user $($user_name)..."
 $user = Get-ADUser -Identity $user_name -Server $global_catelog
 # Check if user is member of license group
 $match = $false
 foreach ($license_group in $license_groups.Keys) {
-    $user_is_member = Get-ADGroupMember -Identity $license_group -SearchBase $dn -Filter {SamAccountName -eq $user}
+    Write-Host "🔎 Checking if user $($user.Name) is member of license group $($license_group)..."
-
+    # Get the license group
-    if ($user_is_member) {
+    $license_group_name = $license_groups[$license_group]
-        Write-Host "User is already a member of the license group! Adding user to sub group..."    
+    # Get the license group with properties
-        Add-ADGroupMember -Identity $license_groups[$license_group] -Members $user -Confirm:$false
+    $license_group = Get-ADGroup -Filter 'GroupCategory -eq "Security" -and GroupScope -eq "DomainLocal" -and Name -eq $license_group_name' -Server $global_catelog -Properties Member
    # Check if user is member of license group
    if ($license_group.Member -contains $user.DistinguishedName) {
        Write-Host "✅ User $($user.Name) is a member of license group $($license_group.Name)!"
        $match = $true
        break
    } else {
-        Write-Host "User is not a member of the license group!"
+        Write-Host "❌ User $($user.Name) is not a member of license group $($license_group.Name)!"
    } 
 }
 # Check if user is member of application group
-$user_is_member = Get-ADGroupMember -Identity $application_group -SearchBase $dn -Filter {SamAccountName -eq $user}
+if ($match) {
    Write-Host "✅ User $($user.Name) is already a member of the license group!"
-if ($user_is_member) {
+    # Check if user is member of application group
-    Write-Host "User is already a member of the application group!"
+    if ($application_group.Member -contains $user.DistinguishedName) {
        Write-Host "✅ User $($user.Name) is already a member of the application group $($application_group.Name)"
    } else {
-    Write-Host "User is not a member of the application group! Adding user to application group..."
+        Write-Host "❌ User $($user.Name) is not a member of the application group $($application_group.Name)! Adding user to application group..."
        Add-ADGroupMember -Identity $application_group -Members $user -Confirm:$false -Server $domain
        Write-Host "✅ User $($user.Name) added to application group $($application_group.Name)"
    }
 } else {
    Write-Host "❌ User $($user.Name) is not a member of any license group! Please assign license to user manually."
 }