powershell - Check for user in a group in a different domain
I am stuck on a piece of code. I have 2 AD domains with users and groups in them. I am trying to run a script to check if a user is a member of a group to disable EV access, and if they are not a member of that group, add them to the EV enable group.
I have it working for 1 domain but can't get it to work across the 2 domains I have. I want the script to check domain1 and add to the group in domain1; if it doesn't find the user, check domain2 and add to the group in domain2.
Below is an extract of the code I have; it is struggling to recognise the domain controller so that it looks in the right domain for the user.
    foreach ($u in $users) {
        foreach ($domain in $domainlist) {
            # Resolve the domain and pick up its naming details
            $dom     = Get-ADDomain $domain.name
            $dm      = $dom.distinguishedname
            $dname   = $dom.name
            $domname = $dom.dnsroot

            # Locate a domain controller in that domain and query the user there
            $addc = Get-ADDomainController -Discover -Domain $domname
            $dc   = $addc.hostname
            $user = Get-ADUser $u.name -Server $dc

            # Group paths, built as in the posted extract
            $enablegroup  = "cn=evenable,ou=users and computers," + $dom
            $disablegroup = "cn=evdisable,ou=users and computers," + $dom

            if ((Get-ADUser $u.name -Server $dc -Properties memberof).memberof -eq $disablegroup) {
                $name = $u.name
                $dm   = $domain.name
                Write-Host "$name member of $dm ev disable group" -f yellow
            }
        }   # end foreach domain (the extract stops before this point)
    }       # end foreach user
This is not hard at all!
Basically, replace one line with the following, and use PowerShell's try/catch syntax. Try the first chunk of code; if you have an error, run the second part instead.
From:

    $user = Get-ADUser $u.name -Server $dc

To:

    try {
        $user = Get-ADUser $u.name -Server $dc -ErrorAction Stop
    }
    catch {
        # otherdc / otherdomain are placeholders for the second domain's values
        $user = Get-ADUser $u.name -Server otherdc -ErrorAction Stop
        $dom  = Get-ADDomain otherdomain
    }
The whole goal of this structure is to handle the branching logic of try this/if it fails, do this instead, and ensure the script will keep running after that point. So, because you're using $dom in a later part of the script to resolve the full path of the security group, you need to change the $dom value in the catch block, as I've done above.
Just tweak these values for the appropriate domain and it should just work. I used this approach for a similar task of my own, and try/catch/finally is the tool to get the job done.
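The same try-then-fall-back idea extended to any number of domains, as an added example that is not part of the original question or answer: each domain is tried in turn, and the group DNs are built from the DistinguishedName of the domain where the user was actually found. The function name, the `$GroupOu` default (an assumed reading of the OU in the question) and the domain names in the usage comment are assumptions.

```powershell
# Added example, not the poster's code. Requires the ActiveDirectory module.
# Set-EvGroupMembership, $GroupOu and the usage values are hypothetical.
function Set-EvGroupMembership {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]   $SamAccountName,
        [Parameter(Mandatory)] [string[]] $DomainList,
        [string] $GroupOu = 'OU=Users and Computers'   # assumed OU holding both groups
    )
    foreach ($domainName in $DomainList) {
        try {
            # Resolve the domain, find a DC inside it, and look the user up on that DC.
            $dom  = Get-ADDomain -Identity $domainName -ErrorAction Stop
            $addc = Get-ADDomainController -Discover -DomainName $dom.DNSRoot -ErrorAction Stop
            $dc   = @($addc.HostName)[0]   # HostName can come back as a collection
            $user = Get-ADUser -Identity $SamAccountName -Server $dc -Properties MemberOf -ErrorAction Stop
        }
        catch {
            # Lookup failed in this domain: report why, then try the next one.
            Write-Warning "$SamAccountName not resolved in ${domainName}: $($_.Exception.Message)"
            continue
        }

        # Group DNs always come from the domain the user was found in.
        $disableGroup = "CN=EVDisable,$GroupOu,$($dom.DistinguishedName)"
        $enableGroup  = "CN=EVEnable,$GroupOu,$($dom.DistinguishedName)"

        if ($user.MemberOf -contains $disableGroup) {
            Write-Host "$SamAccountName is a member of the $($dom.Name) EV disable group" -ForegroundColor Yellow
        }
        elseif ($user.MemberOf -notcontains $enableGroup) {
            # -WhatIf / -Confirm on the function gate the actual group change.
            if ($PSCmdlet.ShouldProcess($enableGroup, "Add $SamAccountName")) {
                Add-ADGroupMember -Identity $enableGroup -Members $user -Server $dc
            }
        }
        return $dom.DNSRoot   # domain in which the user was handled
    }
    Write-Warning "$SamAccountName was not found in any of: $($DomainList -join ', ')"
}

# Dry run with constructed values:
# Set-EvGroupMembership -SamAccountName jdoe -DomainList 'domain1.example','domain2.example' -WhatIf
```

The catch block logs the reason for each failed lookup, so a permissions or connectivity error is not silently treated as "user is in the other domain".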