Catching errors in a PowerShell security group script

Time: 2018-06-03 04:28:31

Tags: powershell

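Getting a script to work, to save some time obtaining approval from security group owners when someone requests access to a group.

It works, but not very well. The idea is to create a draft in Outlook 2010 that auto-populates the SG manager's email address, with the group entered by the analyst. The body contains the requesting user's Office, Department, Manager and Job Title.

It does all of this, but there is no error catching, so, for example, if the analyst enters the group name wrong or, annoyingly, with a space at the end, it keeps the information held in {{1} from the last time you ran it (I thought $managerEmail would sort this out, but it doesn't).

Also, it only works for one user, one group, one email. In reality there may be several users requesting access, or one user requesting access to several groups. I am looking for a pointer in the right direction: do I need some kind of loop in there to accept multiple inputs and create multiple email drafts?

This is a somewhat messy script along with my own extremely novice "code", so I'm sure some parts of it add no value. Any clean-up suggestions would also be appreciated. I'm not sensitive about it, so please share any thoughts.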

-like

1 answer:

Answer 0: (score: 0)

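So I took a stab at it and added validation steps, but you don't really have much reason to get the "error handling" exactly right. Since this script relies on a lot of user input, I cleaned up that process. I also resolved the problem with the group search. The filter doesn't support -match, so I added the appropriate wildcards on each end of the group name (to catch those differing bits). Not sure what the Select-Object at the end of the pipeline was for, but that is there too, in the form of New-Object.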

Import-Module -Name ActiveDirectory


#region User details
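do {
    $sid = Read-Host -Prompt SID
    $adArgs = @{
        Identity    = $sid
        Server      = 'americas.cshare.net'
        Properties  = 'Office','Department','Name','Manager','Title'
        ErrorAction = 'Stop'
    }
    # Get-ADUser -Identity raises a terminating error when nothing matches,
    # which SilentlyContinue does not suppress; catch it and reset $user so
    # the typed string is never mistaken for a user object.
    try { $user = Get-ADUser @adArgs } catch { $user = $null }

    if (-not $user) {
        'SID not found in Active Directory. Try again.'
    }
} until ($user)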

$userName    = $user.Name
$userTitle   = $user.Title
$userDept    = $user.Department
$userOffice  = $user.Office
$userManager = Get-ADUser -Identity $user.Manager -Server americas.cshare.net -Properties Name |
    Select-Object -ExpandProperty Name
#endregion


#region Group details
do {
    $group = Read-Host -Prompt Group
    $adArgs = @{
        Filter      = "Name -like '*$group*'"
        Server      = 'americas.cshare.net'
        Properties  = 'ManagedBy'
        ErrorAction = 'SilentlyContinue'
    }
    $adGroup = Get-ADGroup @adArgs

    if (-not $adGroup) {
        'Group not found in Active Directory. Try again.'
    }

    if ($adGroup.Count -gt 1) {
        'Multiple groups found matching query. Try again.'
        $adGroup = $null
    }
} until ($adGroup)

try {
    $adArgs = @{
        Identity    = $adGroup.ManagedBy
        Server      = 'americas.cshare.net'
        Properties  = 'emailAddress'
        ErrorAction = 'Stop'
    }
    $groupManager = Get-ADUser @adArgs
} catch {
    "Failed to retrieve '$group' manager! $_" # prints the AD error
    Pause
    Exit
}

$groupManagerName  = $groupManager.Name
$groupManagerEmail = $groupManager.emailAddress
#endregion


$subject = Read-Host -Prompt Subject

New-Object -TypeName PSCustomObject -Property @{
    'Group Name'       = $group
    'Managed By Name'  = $groupManagerName
    'Managed By Email' = $groupManagerEmail
}


#region Draft an email
$ol = New-Object -ComObject Outlook.Application
$mail = $ol.CreateItem(0)
$null = $mail.Recipients.Add($groupManagerEmail)
$mail.Subject = $subject
$mail.Body = @"
Dear $groupManagerName,

$userName has requested to be added to the security group $group


Job Role:   $userTitle

Department: $userDept

Office:     $userOffice

Manager:    $userManager


As the owner of $group, can you review this request and approve/deny accordingly.

Please REPLY ALL when you respond.


Kind Regards,

Service Desk
"@

$mail.Save()
#endregion


Pause
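
An added example, not part of the original question or answer, that extends the answer's approach to the multiple-user, multiple-group case the question asks about: input is trimmed and allowlisted before it reaches the AD filter, an exact group name is preferred over a substring match, and the draft names the resolved group rather than the typed text. The helper names `Read-List` and `Resolve-SingleGroup`, the allowed-character pattern and the shortened email body are assumptions; the server name is the one used in the answer.

```powershell
Import-Module -Name ActiveDirectory
$server = 'americas.cshare.net'        # server name taken from the answer above

function Read-List([string]$Prompt) {
    # Split comma-separated input, trim stray spaces, drop empty entries.
    @((Read-Host -Prompt $Prompt) -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Resolve-SingleGroup([string]$Name) {
    # Assumed naming convention: letters, digits, underscore, space, dot, hyphen.
    # Anything else (quotes, *, parentheses) is rejected before it reaches the filter.
    if ($Name -notmatch '^[\w .-]+$') {
        Write-Warning "Group '$Name' has unexpected characters; skipped."
        return $null
    }
    # Exact name first; substring match only when the exact name finds nothing.
    $found = @(Get-ADGroup -Filter "Name -eq '$Name'" -Server $server -Properties ManagedBy)
    if ($found.Count -eq 0) {
        $found = @(Get-ADGroup -Filter "Name -like '*$Name*'" -Server $server -Properties ManagedBy)
    }
    if ($found.Count -eq 1) { return $found[0] }
    Write-Warning "Group '$Name' matched $($found.Count) groups; skipped."
    return $null
}

$sids   = Read-List 'SIDs (comma-separated)'
$groups = Read-List 'Groups (comma-separated)'
$ol     = New-Object -ComObject Outlook.Application

foreach ($sid in $sids) {
    # -Identity raises a terminating error on no match, so use try/catch.
    try   { $user = Get-ADUser -Identity $sid -Server $server -Properties Title, Department, Office -ErrorAction Stop }
    catch { Write-Warning "SID '$sid' not found; skipped."; continue }

    foreach ($name in $groups) {
        $adGroup = Resolve-SingleGroup -Name $name
        if (-not $adGroup) { continue }
        try   { $owner = Get-ADUser -Identity $adGroup.ManagedBy -Server $server -Properties EmailAddress -ErrorAction Stop }
        catch { $owner = $null }       # ManagedBy empty or owner lookup failed
        if (-not $owner.EmailAddress) {
            Write-Warning "No owner email for '$($adGroup.Name)'; skipped."
            continue
        }
        $mail = $ol.CreateItem(0)      # 0 = mail item, as in the answer
        $null = $mail.Recipients.Add($owner.EmailAddress)
        $mail.Subject = "Access request: $($user.Name) to $($adGroup.Name)"
        $mail.Body    = "Dear $($owner.Name),`r`n`r`n$($user.Name) ($($user.Title), $($user.Department), " +
                        "$($user.Office)) has requested to be added to the security group $($adGroup.Name)."
        $mail.Save()
    }
}
```

Every lookup result is assigned fresh inside the loop and each failure path skips the draft, so a mistyped name cannot reuse the owner address resolved for a previous request.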