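function AskJoinGroups {
    <#
    .SYNOPSIS
    Interactively joins the current user to, or removes them from, AD groups.

    .DESCRIPTION
    Prompts until the operator presses Enter on an empty line. Each answer is
    one of:
      * '?'            - list every AD group name.
      * a single letter - treated as a drive letter; enabled GPOs are searched
                          for a drive-map preference using that letter, and the
                          group(s) that gate it are offered.
      * anything else  - treated as a group name and handed to ProcessGroup.

    Relies on ProcessGroup (defined elsewhere in this script) to perform the
    actual membership change. Writes only to the host; emits nothing to the
    pipeline.
    #>

    # Load the GPO list once for the whole session. The original re-imported
    # the module and re-ran Get-GPO -All on every prompt because it recursed
    # into itself; a loop avoids both the repeated query and the growing call
    # stack.
    $CanUseGPO = $true
    $GPO = @()
    try {
        Import-Module GroupPolicy -ErrorAction Stop
        $GPO = Get-GPO -All
    }
    catch {
        Write-Host "Module GroupPolicy not Installed. Cannot match by drive letter." -ForegroundColor Yellow
        $CanUseGPO = $false
    }

    # NOTE(review): every accepted answer ends in a directory write that grants
    # or revokes access, and any group the operator's account may modify can be
    # named here. Consider logging who changed what if this runs with delegated
    # or admin rights.
    while ($true) {
        $GroupName = Read-Host "`nIf your user needs to be joined or removed from any additional groups, please name them one at a time.`nIf you know the drive letter the user needs access to, enter that instead (no colon).`nIf neither, press enter to proceed, or enter `'?`' for a list of all groups"

        if ($GroupName -eq "") {
            return
        }
        elseif ($GroupName -eq '?') {
            Get-ADGroup -Filter * | Select-Object -ExpandProperty Name | Out-Host
        }
        elseif (($GroupName.Length -eq 1) -and ($GroupName -match '^[A-Za-z]$') -and $CanUseGPO) {
            $GPOResults = @{}   # GPO display name -> groups named by item-level targeting
            $GPOPerm = @{}      # GPO display name -> trustees holding GpoApply on that GPO

            foreach ($Policy in $GPO) {
                if ($Policy.GpoStatus -ne "AllSettingsEnabled") {
                    continue
                }
                $GPODisp = $Policy.DisplayName
                $GPODom = $Policy.DomainName
                $DrivesPath = "\\$($GPODom)\SYSVOL\$($GPODom)\Policies\{$($Policy.Id)}\User\Preferences\Drives\Drives.xml"
                if (-not (Test-Path -LiteralPath $DrivesPath)) {
                    continue
                }

                # A file that fails to load must not leave the previous GPO's XML
                # in $DriveXML, or its drive maps would be credited to this GPO.
                try {
                    [xml]$DriveXML = Get-Content -LiteralPath $DrivesPath -ErrorAction Stop
                }
                catch {
                    Write-Host "`nCould not read drive preferences for GPO '$GPODisp'; skipping it." -ForegroundColor Yellow
                    continue
                }

                foreach ($drivemap in $DriveXML.Drives.Drive) {
                    if ($drivemap.Properties.Letter -ne $GroupName) {
                        continue
                    }
                    $FilterNames = @($drivemap.Filters.FilterGroup.Name | Where-Object { $_ })
                    if ($FilterNames.Count -eq 0) {
                        # No item-level targeting: whoever the GPO applies to gets the drive.
                        $PermArray = (Get-GPPermissions -Name $GPODisp -All | Where-Object { $_.Permission -eq "GpoApply" }).Trustee.Name
                        foreach ($Perm in $PermArray) {
                            $GPOPerm[$GPODisp] += @("$Perm")
                        }
                    }
                    else {
                        # One entry per targeted group, with the leading "DOMAIN\" dropped.
                        foreach ($FilterName in $FilterNames) {
                            $GPOResults[$GPODisp] += @(($FilterName -split '\\', 2)[-1])
                        }
                    }
                }
            }

            # Distinct group names across all GPOs. Without de-duplication a group
            # referenced by two GPOs would be processed twice, and the second pass
            # would offer to remove the membership the first pass just added.
            $TargetGroups = @($GPOResults.Values | ForEach-Object { $_ } | Sort-Object -Unique)

            if (($GPOResults.Count -eq 0) -and ($GPOPerm.Count -ne 0)) {
                Write-Host "`nItem level targetting is not applied for this drive.`nThe user must be a member of any of the following groups/OU's for this drive to be mapped:"
                $GPOPerm.Keys | Select-Object @{l='GPO Object';e={$_}},@{l='Scope OU/Group';e={$GPOPerm[$_]}} | Out-Host
            }
            elseif ($TargetGroups -contains "Domain Users") {
                # Checked against the targeted group names; the keys of $GPOResults
                # are GPO display names, so the original key test could not match a group.
                Write-Host "`nThis drive is mapped to Domain Users and does not require explicit mapping." -ForegroundColor Yellow
            }
            elseif (($GPOResults.Count -ne 0) -and ($GPOPerm.Count -ne 0)) {
                Write-Host "`nMultiple item-level targetting and scope-targetting mappings found for the specified drive letter. Add one of the following if you dare. God help you."
                $GPOPerm.Keys | Select-Object @{l='GPO Object';e={$_}},@{l='Scope OU/Group';e={$GPOPerm[$_]}} | Out-Host
                $GPOResults.Keys | Select-Object @{l='GPO Object';e={$_}},@{l='Group Name';e={$GPOResults[$_]}} | Out-Host
            }
            elseif ($TargetGroups.Count -eq 1) {
                $null = ProcessGroup ($TargetGroups[0])
            }
            elseif ($TargetGroups.Count -ge 2) {
                $GPOResults.Keys | Select-Object @{l='GPO Object';e={$_}},@{l='Group Name';e={$GPOResults[$_]}} | Out-Host
                $Match = $False
                $Choice = Read-Host -Prompt "`nMultiple Groups map to the specified drive letter. Please enter the appropriate group name"
                foreach ($Listing in $TargetGroups) {
                    if ($Choice -eq $Listing) {
                        $Match = ProcessGroup ($Listing)
                        break
                    }
                }
                if ($Match -eq $False) {
                    Write-Host "`nInvalid selection. Please try again." -ForegroundColor Yellow
                }
            }
            else {
                $DriveLabel = $GroupName.ToUpper() + ":"
                Write-Host "`nNo groups found mapped to drive letter $DriveLabel.`nPlease try again, or enter the specific group name." -ForegroundColor Yellow
            }
        }
        elseif ($null -eq (Get-ADGroup -Filter {Name -eq $GroupName})) {
            Write-Host "`nThat group does not exist. Please try again." -ForegroundColor Yellow
        }
        else {
            $null = ProcessGroup ($GroupName)
        }
    }
}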
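function ProcessGroup ($SingleGPO) {
    <#
    .SYNOPSIS
    Toggles the current user's membership in one AD group.

    .DESCRIPTION
    Looks the group up by Name. If the user is already a member, asks whether
    to remove them; otherwise adds them. Reads $FullName, $Firstname and $Sam
    and updates $script:Properties['Groups'], all of which are set elsewhere in
    this script.

    .PARAMETER SingleGPO
    Name of the AD group to act on.

    .OUTPUTS
    [bool] $True when the name resolved to exactly one group (whether or not
    the membership change then succeeded), $False when it did not.
    #>

    # Resolve the group once. The original queried twice and carried on when the
    # lookup returned nothing or more than one group.
    $Group = @(Get-ADGroup -Filter {Name -eq $SingleGPO})
    if ($Group.Count -ne 1) {
        # Group names are not guaranteed unique across the domain; guessing which
        # one was meant could grant access through the wrong group.
        Write-Host "`n'$SingleGPO' matched $($Group.Count) groups. No membership was changed." -ForegroundColor Yellow
        return $False
    }
    $GroupDN = $Group[0].DistinguishedName
    $RealGroupName = $Group[0].Name

    try {
        $Members = Get-ADGroupMember -Identity $GroupDN -ErrorAction Stop
    }
    catch {
        # Without a reliable member list the add/remove decision would be a guess.
        Write-Host "`nCould not read the members of ${RealGroupName}: $($_.Exception.Message)" -ForegroundColor Red
        return $True
    }

    # NOTE(review): membership is detected by display name ($FullName) but changed
    # by $Sam. Two accounts sharing a display name would be confused here; comparing
    # on the same identifier that is passed to -Members would be safer. Confirm what
    # $Sam holds before changing this.
    if ($Members.Name -contains $FullName) {
        $choose = Read-Host -Prompt "`n$Firstname already belongs to this group. Would you like to remove them from this group? y/n"
        if ($choose -eq 'y') {
            try {
                Remove-ADGroupMember -Identity $GroupDN -Members $Sam -Confirm:$false -ErrorAction Stop
            }
            catch {
                Write-Host "`nCould not remove $Sam from ${RealGroupName}: $($_.Exception.Message)" -ForegroundColor Red
                return $True
            }
            # Only drop the group from the local record after the directory accepted the change.
            $script:Properties['Groups'] = @($script:Properties['Groups'] | Where-Object { $_ -ne "$RealGroupName" })
            Write-Host "`n$Firstname has been removed from $RealGroupName"
        }
        else {
            Write-Host "`nMembership has not been changed."
        }
    }
    else {
        # NOTE(review): additions are made without a confirmation prompt, unlike
        # removals. Left as-is to keep the interactive flow unchanged.
        try {
            Add-ADGroupMember -Identity $GroupDN -Members $Sam -ErrorAction Stop
        }
        catch {
            # The original printed "Success!" and recorded the group even when the add failed.
            Write-Host "`nCould not add $Sam to ${RealGroupName}: $($_.Exception.Message)" -ForegroundColor Red
            return $True
        }
        Write-Host "`nSuccess! $Sam was joined to $RealGroupName."
        $script:Properties.Groups += @($RealGroupName)
    }
    return $True
}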