0 votes

Hi Guys,
You have probably already met a similar problem in your organization. The Communications Department has dozens of distribution groups that need to be updated based on some mechanism. In my organization we use the attributes office and country. My current code looks like this.

For demonstration purposes let's say I have just 4 groups; in the "real world" we have more than 20.

    Import-Module Adaxes

    $EveryoneEastUS = "Everyone East US"
    $EveryoneWestUS = "Everyone West US"
    $EvetyoneEastUK = "Everyone West US"
    $EvetyoneWestUK = "Everyone West US"

In this place I just repeat the model below for all groups.

    # Get all current group members of the "Everyone East US"
    $group = Get-AdmGroup $EveryoneEastUS -AdaxesService $admService -Properties member
    $members = $group.member
    if ($members)
    {
        # Remove old users from the group
        Remove-AdmGroupMember $EveryoneEastUS -Members $members -Confirm:$false -AdaxesService $admService
    }

    # Add new group members to the "Everyone East US"
    Get-AdmUser -LDAPFilter '(&(objectClass=user)(&(physicalDeliveryOfficeName=East)(c=US)))' | Foreach-object {Add-AdmGroupMember $EveryoneEastUS -Confirm:$false -AdaxesService $admService -Member $_.DistinguishedName}

The main problem is that in each group there are several thousand users, and my script needs a lot of time to do the job.
Maybe you can share some better solution to achieve the same goal.

by (510 points)
0

Hello,

We've asked our script guys to have a look at this. We'll update you as soon as they come up with some ideas.

1 Answer

0 votes
by (216k points)
selected by
Best answer

Hello,

The best way to optimize your script is to reduce the number of operations in AD. Each call to AD can be a resource-intensive operation that takes up some time to complete.

We've come up with the following script that uses a smarter method to add/remove the group members. It doesn't remove/add all members at once, as your script does. The script gets the current members of the group and the user accounts that match the LDAP filter. Then, the script compares the two lists and removes / adds only those users who need to be added / removed. The script skips all users who are already members of the group and match the LDAP filter, which reduces the number of unnecessary calls to your AD.

The focal point of the script is the UpdateGroupMembers function. It actually does the whole job. You need to pass 3 parameters when calling the function:

  • $groupIdentity - identity of the group that you want to update,
  • $office - office name to be inserted in the LDAP filter,
  • $country - country code for the LDAP filter.

    Import-Module Adaxes

    # The two UK variables repeat the "Everyone West US" group name from the question;
    # replace them with your own group names.
    $EveryoneEastUS = "Everyone East US"
    $EveryoneWestUS = "Everyone West US"
    $EvetyoneEastUK = "Everyone West US"
    $EvetyoneWestUK = "Everyone West US"

    function UpdateGroupMembers($groupIdentity, $office, $country)
    {
        # Get current members
        $members = Get-AdmGroupMember -Identity $groupIdentity -AdaxesService localhost
        $currentMemberGuids = New-Object 'System.Collections.Generic.HashSet[Guid]'
        if ($null -ne $members)
        {
            $members | %{$currentMemberGuids.Add([Guid]$_.ObjectGUID) | Out-Null}
        }

        # Get users based on LDAP filter
        # The filter must be in double quotes so that $office and $country are expanded
        $users = Get-AdmUser -LDAPFilter "(&(sAMAccountType=805306368)(&(physicalDeliveryOfficeName=$office)(c=$country)))" -AdaxesService localhost
        $usersToAdd = New-Object 'System.Collections.Generic.HashSet[Guid]'
        foreach ($user in $users)
        {
            $userGuid = [Guid]$user.ObjectGUID
            # Users who are already members stay in the group: drop them from the removal set
            if ($currentMemberGuids.Remove($userGuid))
            {
                continue
            }

            $usersToAdd.Add($userGuid) | Out-Null
        }

        # Remove users who do not meet the requirement
        if ($currentMemberGuids.Count -ne 0)
        {
            Remove-AdmGroupMember -Identity $groupIdentity -Members @($currentMemberGuids) -Confirm:$False -AdaxesService localhost
        }

        # Add new members
        if ($usersToAdd.Count -ne 0)
        {
            Add-AdmGroupMember -Identity $groupIdentity -Members @($usersToAdd) -Confirm:$False -AdaxesService localhost
        }
    }

    # The UK calls repeat the "West" / "US" values; replace them with your own office and country values.
    UpdateGroupMembers $EveryoneEastUS "East" "US"
    UpdateGroupMembers $EveryoneWestUS "West" "US"
    UpdateGroupMembers $EvetyoneEastUK "West" "US"
    UpdateGroupMembers $EvetyoneWestUK "West" "US"
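
The compare-then-apply approach from the answer above, as an added example that is not part of the original answer or of Adaxes: it computes the same delta offline on constructed GUIDs and goes beyond the answer by escaping the attribute values placed in the LDAP filter and by flagging a run that would remove an unexpectedly large share of the group (for instance when the filter matches nobody). The names `ConvertTo-LdapFilterValue`, `New-OfficeCountryFilter`, `Get-MembershipDelta` and `MaxRemoveRatio` are hypothetical.

```powershell
# Added example: pure functions plus constructed sample data; no AD or Adaxes calls.
function ConvertTo-LdapFilterValue([string]$Value)
{
    # RFC 4515 escaping; the backslash must be replaced first
    $v = $Value.Replace('\', '\5c').Replace('*', '\2a')
    $v = $v.Replace('(', '\28').Replace(')', '\29')
    return $v.Replace([string][char]0, '\00')
}

function New-OfficeCountryFilter([string]$Office, [string]$Country)
{
    $o = ConvertTo-LdapFilterValue $Office
    $c = ConvertTo-LdapFilterValue $Country
    return "(&(sAMAccountType=805306368)(&(physicalDeliveryOfficeName=$o)(c=$c)))"
}

function Get-MembershipDelta([Guid[]]$CurrentMembers, [Guid[]]$MatchingUsers, [double]$MaxRemoveRatio = 0.25)
{
    # Start with every current member as a removal candidate
    $toRemove = New-Object 'System.Collections.Generic.HashSet[Guid]'
    foreach ($g in $CurrentMembers) { [void]$toRemove.Add($g) }

    # A matching user who is already a member is kept; otherwise the user is added
    $toAdd = New-Object 'System.Collections.Generic.HashSet[Guid]'
    foreach ($g in $MatchingUsers)
    {
        if (-not $toRemove.Remove($g)) { [void]$toAdd.Add($g) }
    }

    # Guard: an empty or broken query result would otherwise empty the group
    $safe = $true
    if ($CurrentMembers.Count -gt 0 -and ($toRemove.Count / $CurrentMembers.Count) -gt $MaxRemoveRatio)
    {
        $safe = $false
    }
    return [pscustomobject]@{ ToAdd = @($toAdd); ToRemove = @($toRemove); SafeToApply = $safe }
}

# Constructed sample data: b and c stay, a is removed, d is added
$a, $b, $c, $d = 1..4 | ForEach-Object { [Guid]::NewGuid() }
$normal = Get-MembershipDelta @($a, $b, $c) @($b, $c, $d) -MaxRemoveRatio 0.5
$empty  = Get-MembershipDelta @($a, $b, $c) @()

Write-Output (New-OfficeCountryFilter 'East (HQ)*' 'US')
Write-Output "normal: add=$($normal.ToAdd.Count) remove=$($normal.ToRemove.Count) safe=$($normal.SafeToApply)"
Write-Output "empty:  add=$($empty.ToAdd.Count) remove=$($empty.ToRemove.Count) safe=$($empty.SafeToApply)"
```

In a real run, `ToRemove` and `ToAdd` would be passed to `Remove-AdmGroupMember` and `Add-AdmGroupMember` only when `SafeToApply` is true; otherwise the delta is logged for review.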
0

Works like a charm :D
Guys you're awesome!

0

Hello,

Thank you for your good words. We really appreciate it! ;)
