I'm trying to create a script that compares our AD against all the users in a CSV. Our HR department holds the master database of all staff, but when they make changes they rarely tell us, so they now export all users from the HR database to a CSV.
I need to compare this against our AD and modify anyone who has been found to have changed, or any new staff.
I have the script below, but it just outputs all staff; I only want it to email the staff who have changed, or new staff who are not in AD.
write-host "Using default CSV file or C:\scripts\csv\StaffChanges.csv"
$StaffCSVUPath = "C:\scripts\csv\StaffChanges.csv"
$logfile = "C:\scripts\logs\ADvsCMIS.csv"
if(test-path $logfile) {
    remove-item $logfile -force
}
function Email {
    #Send an email, called with recipient email address and message body
    param(
        [string] $emailaddress="",
        [string] $bodymsg=""
    )
    $bodymsg += "<p>"
    $bodymsg += Get-Content($logfile)
    Send-MailMessage -To $emailaddress -From "email@domain.co.uk" -Subject "(AD-CMIS_errors) Errors found between Active Directory and CMIS" -Body $bodymsg -BodyAsHTML -SMTPServer "exchserver"
}
function CheckOutputFile {
    #Called with folder\filename and type of file
    param(
        [string]$outputfilename = "",
        [string]$type = ""
    )
    if(test-path($outputfilename)) {
    } else {
        write-host "Creating $outputfilename"
        $msg = "Forename,Surname,Username,ID"
        $msg | out-file($outputfilename)
    }
}
#Snap-ins needed to use the commands within the script
if((Get-pssnapin -Name Microsoft.Exchange.Management.Powershell.E2010 -ErrorAction SilentlyContinue) -eq $null){Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010}
if((Get-pssnapin -Name Quest.activeroles.admanagement -ErrorAction SilentlyContinue)-eq $null){Add-pssnapin Quest.activeroles.admanagement}
#import users from csv file
$users = (import-Csv $StaffCSVUpath)
$count=0
$countAD=0
#company is tested further down, so request it explicitly along with employeeid and displayname
Get-QADUser -searchroot "domain/Users/Staff" -SizeLimit 0 -includedproperties employeeid,displayname,company | ForEach-Object {
    $found = 0
    $countAD+=1
    ForEach ($user in $users) {
        $count+=1
        $inital = $user.forename.substring(0,1)
        $name = $user.forename+" "+$user.surname
        $dispname = $inital+" "+$user.surname
        if ($user.id -eq $_.employeeid) {
            if ($user.surname -eq $_.lastname) {
                if ($inital -eq $_.firstname) {
                    if ($name -eq $_.name) {
                        if ($dispname -eq $_.displayname) {
                            $found = 1
                        }
                    }
                }
            }
        }
        if ($found -eq 1){break}
    }
    if ($found -eq 0) {
        #-and (logical), not -band (bitwise), to combine the two comparisons
        if(($_.company -ne "testing") -and ($_.company -ne "service")) {
            CheckOutputFile $logfile "LOG"
            $msg = "<p>" + $_.firstname +" " + $_.lastname + " " + $_.samaccountname + " "+$_.employeeid +"<p>"
            $msg | Out-File $logfile -append
        }
    }
}
if (test-path $logfile) {
    #If there is anything to report
    write-host "Emailing Log file to ict"
    #Email file if $outputB exists
    $email = "email@domain.co.uk"
    $body = "Action Required: The users below do not exist within HR. Contact HR Data manager to resolve issue, delete users manually if required."
    #email ict
    Email $email $body
}
Answer 0 (score: 0)
I don't use the Quest AD cmdlets, so my answer will be based on the built-in ones. Also, I'm going to assume that the (unique) employee ID of any given employee doesn't change, and that there are no user accounts with an empty employeeId attribute.
First, prepare the data like this:
Import-Module ActiveDirectory
$hrUsers = @{}
Import-Csv 'C:\path\to\your.csv' |
    select id, forename, surname,
        @{n='inital';e={$_.forename.substring(0,1)}},
        @{n='name';e={$_.forename+" "+$_.surname}},
        @{n='dispname';e={$_.forename.substring(0,1)+" "+$_.surname}} |
    % { $hrUsers[$_.id] = $_ }
# company is filtered on here and displayname is compared later; Get-ADUser only
# returns those attributes when they are requested with -Property
$adUsers = Get-ADUser -Filter * -Property employeeid,company,displayname |
    ? { 'testing', 'service' -notcontains $_.company }
This creates a hashtable mapping each employee ID to an object with the corresponding user properties (including the derived properties inital, name and dispname), and a list of AD users (excluding service and testing accounts).
With the above you can determine new users like this:
$employeeIDs = @($adUsers | select -Expand employeeId)
$hrUsers.Values | ? { $employeeIDs -notcontains $_.id }
过时的帐户:
$adUsers | ? { $hrUsers.Keys -notcontains $_.employeeId }
And modified users like this:
# Get-ADUser objects expose the built-in names Surname, GivenName, Name and DisplayName
# (lastname/firstname are the Quest cmdlet's names and would be empty here)
$adUsers | ? {
    $hrUsers[$_.employeeid].surname -ne $_.Surname -or
    $hrUsers[$_.employeeid].inital -ne $_.GivenName -or
    $hrUsers[$_.employeeid].name -ne $_.Name -or
    $hrUsers[$_.employeeid].dispname -ne $_.DisplayName
}
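The three lists answer 0 derives, combined into one function as an added example (not code from the question or either answer). It assumes CSV columns id, forename and surname and the built-in Get-ADUser property names, runs on constructed data in place of Import-Csv and Get-ADUser, and additionally reports accounts with an empty employee ID, which the answer assumes do not exist.

```powershell
# Added example, not code from the question or either answer: answer 0's hashtable diff
# as one function, run offline on constructed data. Assumed CSV columns: id, forename,
# surname. Assumed AD property names are the built-in Get-ADUser ones (EmployeeId,
# GivenName, Surname, DisplayName, Company, SamAccountName).
function Compare-HrToAd {
    param([object[]] $HrRows, [object[]] $AdUsers, [string[]] $Excluded = @('testing', 'service'))
    $hr = @{}
    foreach ($row in $HrRows) { $hr[[string]$row.id] = $row }
    $ad = @($AdUsers | Where-Object { $Excluded -notcontains $_.Company })
    # Accounts without an employee ID can never match an HR row; report them on their
    # own rather than letting them land in the "obsolete" list.
    $noId  = @($ad | Where-Object { [string]::IsNullOrEmpty($_.EmployeeId) })
    $ad    = @($ad | Where-Object { -not [string]::IsNullOrEmpty($_.EmployeeId) })
    $adIds = @($ad | ForEach-Object { [string]$_.EmployeeId })
    $modified = foreach ($u in $ad) {
        $h = $hr[[string]$u.EmployeeId]
        if ($null -eq $h) { continue }
        $display = $h.forename.Substring(0, 1) + ' ' + $h.surname   # "A Smith", as in the question
        $diffs = @()
        if ($h.surname -ne $u.Surname)    { $diffs += "Surname AD='$($u.Surname)' HR='$($h.surname)'" }
        if ($h.forename -ne $u.GivenName) { $diffs += "GivenName AD='$($u.GivenName)' HR='$($h.forename)'" }
        if ($display -ne $u.DisplayName)  { $diffs += "DisplayName AD='$($u.DisplayName)' HR='$display'" }
        if ($diffs.Count) { [pscustomobject]@{ EmployeeId = $u.EmployeeId; Sam = $u.SamAccountName; Changes = $diffs -join '; ' } }
    }
    [pscustomobject]@{
        New          = @($hr.Values | Where-Object { $adIds -notcontains [string]$_.id })
        Obsolete     = @($ad | Where-Object { -not $hr.ContainsKey([string]$_.EmployeeId) })
        Modified     = @($modified)
        NoEmployeeId = $noId
    }
}

# Constructed sample data standing in for Import-Csv and Get-ADUser output.
$hrRows = @(
    [pscustomobject]@{ id = '1001'; forename = 'Alice'; surname = 'Smith' },
    [pscustomobject]@{ id = '1002'; forename = 'Bob';   surname = 'Jones-Lee' },  # surname changed in HR
    [pscustomobject]@{ id = '1004'; forename = 'Dana';  surname = 'White' }       # new starter, not in AD
)
$adUsers = @(
    [pscustomobject]@{ EmployeeId = '1001'; SamAccountName = 'asmith';  GivenName = 'Alice'; Surname = 'Smith'; DisplayName = 'A Smith'; Company = 'Acme' },
    [pscustomobject]@{ EmployeeId = '1002'; SamAccountName = 'bjones';  GivenName = 'Bob';   Surname = 'Jones'; DisplayName = 'B Jones'; Company = 'Acme' },
    [pscustomobject]@{ EmployeeId = '1003'; SamAccountName = 'cbrown';  GivenName = 'Carl';  Surname = 'Brown'; DisplayName = 'C Brown'; Company = 'Acme' },  # leaver
    [pscustomobject]@{ EmployeeId = '';     SamAccountName = 'scanner'; GivenName = 'Scan';  Surname = 'Ner';   DisplayName = 'Scanner'; Company = 'Acme' }   # no ID
)
$r = Compare-HrToAd -HrRows $hrRows -AdUsers $adUsers
"New: "            + (($r.New          | ForEach-Object { $_.forename + ' ' + $_.surname }) -join ', ')
"Obsolete: "       + (($r.Obsolete     | ForEach-Object { $_.SamAccountName }) -join ', ')
"Modified: "       + (($r.Modified     | ForEach-Object { "$($_.Sam): $($_.Changes)" }) -join ', ')
"No employee ID: " + (($r.NoEmployeeId | ForEach-Object { $_.SamAccountName }) -join ', ')
```

Because every account is keyed on its employee ID, rerunning the comparison after HR corrects a row is idempotent: an account drops out of the Modified list as soon as the two sources agree.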
Answer 1 (score: 0)
I managed to get it working by changing the search fields
if($user.firstname -eq $_.firstname)
if($user.surname -eq $_.sn)
if($user.ID -eq $_.employeeID)
It now checks AD against the CSV, emails any differences, and excludes anything named "test" or "careers"
write-host "Using default CSV file or C:\scripts\csv\StaffChanges.csv"
$StaffCSVUPath = "C:\scripts\csv\StaffChanges.csv"
$logfile = "C:\scripts\logs\ADvsHR.csv"
if(test-path $logfile) {
    remove-item $logfile -force
}
function Email {
    #Send an email, called with recipient email address and message body
    param(
        [string] $emailaddress="",
        [string] $bodymsg=""
    )
    $bodymsg += "<p>"
    $bodymsg += Get-Content($logfile)
    Send-MailMessage -To $emailaddress -From "email@domain.co.uk" -Subject "(AD-CMIS_errors) Errors found between Active Directory and CMIS" -Body $bodymsg -BodyAsHTML -SMTPServer "exchserver"
}
function CheckOutputFile {
    #Called with folder\filename and type of file
    param(
        [string]$outputfilename = "",
        [string]$type = ""
    )
    if(test-path($outputfilename)) {
    } else {
        write-host "Creating $outputfilename"
        $msg = "Forename,Surname,Username,ID"
        $msg | out-file($outputfilename)
    }
}
#Snap-ins needed to use the commands within the script
if((Get-pssnapin -Name Microsoft.Exchange.Management.Powershell.E2010 -ErrorAction SilentlyContinue) -eq $null){Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010}
if((Get-pssnapin -Name Quest.activeroles.admanagement -ErrorAction SilentlyContinue)-eq $null){Add-pssnapin Quest.activeroles.admanagement}
#import users from csv file
$users = (import-Csv $StaffCSVUpath)
$count=0
$countAD=0
Get-QADUser -searchroot "domain/Users/Staff" -SizeLimit 0 -includedproperties employeeid,displayname | ForEach-Object {
    $found = 0
    $countAD+=1
    ForEach ($user in $users) {
        $count+=1
        if ($user.firstname -eq $_.firstname) {
            if ($user.surname -eq $_.sn) {
                if ($user.ID -eq $_.employeeID) {
                    $found = 1
                }
            }
        }
        if ($found -eq 1){break}
    }
    if ($found -eq 0) {
        #-and (logical), not -band (bitwise), to combine the two comparisons
        if(($_.firstname -ne "careers") -and ($_.firstname -ne "test")) {
            CheckOutputFile $logfile "LOG"
            $msg = "<p>" + $_.firstname +" " + $_.lastname + " "+$_.employeeid +"<p>"
            $msg | Out-File $logfile -append
        }
    }
}
if (test-path $logfile) {
    #If there is anything to report
    write-host "Emailing Log file to ict"
    #Email file if $outputB exists
    $email = "email@domain.co.uk"
    $body = "Action Required: The users below do not exist within HR. Contact HR Data manager to resolve issue, delete users manually if required."
    #email ict
    Email $email $body
}