Running PS script issue with removing group memberships

Hi, currently using a script which is all fine and dandy until we come to specific groups. We were using some software that integrates the MIS software here to auto-import users into Active Directory, but it doesn't import users into the correct groups etc. or make all the changes required (must be doing it wrong... btw I'm using ActivMan to import SIMS users into AD...)

 

Anyway, the script I'm using is clashing with how the administration sets up the class groups in the school, e.g. 7-2/En. Of course, these groups have a display name as such, but the actual name is 7-2_En, which is clashing with the script I am using (because you can't use / in AD etc.):

(had to replace the domain info for reasons)....

Import-Module ActiveDirectory

# Every user in the 2016 intake OU
$ou = Get-ADUser -SearchBase 'OU=Intake 2016,OU=Students,OU=Users,OU=schoolou,DC=int,DC=schooldomain,DC=org' -Filter *

foreach ($user in $ou) {
    $UserDN = $user.DistinguishedName
    # Every group that lists this user as a direct member
    Get-ADGroup -LDAPFilter "(member=$UserDN)" | ForEach-Object {
        # Removes by group name; this is the line that fails for the 7-2/En style groups
        if ($_.Name -ne "Domain Users") { Remove-ADGroupMember -Identity $_.Name -Members $UserDN -Confirm:$False }
    }
}

This script works flawlessly on other groups except the teaching groups (the 7-2/EN example above).

 

I don't want to go ahead and manually change all the group attributes because there are a lot. Can I not just pull these groups and replace the '/' character with _ and the script should run successfully?

 

I'm going to put a link to my PC specs which actually aren't my PC specs and I cry myself to sleep everyday so I can have these PC specs but I can't afford these PC specs so PC specs PC specs PC specs PC specs PC specs PC specs.


What are you actually trying to do?

 

It looks like you are taking all the members of the Intake 2016 OU and then removing them from all groups except Domain Users? Is that correct?

 

If so you could use

$name = $_.name -replace "/","_"

inside the last loop before using the remove group statement. Even better would be to use the group DN instead of the name.

 

However, if it was my domain I would rename the groups, because you will find lots of issues with scripts that don't properly sanitise their values.

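Added example (not the original poster's or NZLaurence's code) of the DN-based approach the reply above recommends: groups are looked up and removed through their DistinguishedName rather than their Name, the user DN is escaped before it goes into the LDAP filter, and the whole thing runs as a -WhatIf dry run first. It assumes the RSAT ActiveDirectory module; the OU path is the one from the thread and the function and helper names are my own.

```powershell
# Added example, not the script from the post. Assumes the RSAT ActiveDirectory module;
# the OU path is the one from the thread, function and helper names are assumed.
Import-Module ActiveDirectory

# Escape a value for use inside an LDAP filter (RFC 4515) so a DN containing
# '\', '*', '(' or ')' cannot break, narrow or widen the filter. Backslash goes first.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
}

function Remove-StaleGroupMemberships {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SearchBase,
        # Domain Users is normally the primary group, which the member attribute does not list,
        # but keep it on the skip list in case an account was also added to it directly.
        [string[]]$KeepGroups = @('Domain Users')
    )
    $users = Get-ADUser -SearchBase $SearchBase -Filter *
    foreach ($user in $users) {
        $filter = '(member={0})' -f (ConvertTo-LdapFilterValue $user.DistinguishedName)
        # Identify the group by DistinguishedName, never by Name: a CN such as "7-2/En"
        # is then passed through unchanged instead of being interpreted as a path.
        Get-ADGroup -LDAPFilter $filter | ForEach-Object {
            if ($KeepGroups -contains $_.Name) { return }
            $target = '{0} <- {1}' -f $user.SamAccountName, $_.DistinguishedName
            if ($PSCmdlet.ShouldProcess($target, 'Remove group membership')) {
                Remove-ADGroupMember -Identity $_.DistinguishedName -Members $user.DistinguishedName -Confirm:$false
                Write-Verbose "Removed $target"
            }
        }
    }
}

# Dry run first: lists every membership that would be removed and changes nothing.
# Drop -WhatIf once the list looks right.
Remove-StaleGroupMemberships -SearchBase 'OU=Intake 2016,OU=Students,OU=Users,OU=schoolou,DC=int,DC=schooldomain,DC=org' -WhatIf
```

Run it with -Verbose as well as -WhatIf and keep the output: it is the record of which memberships an intake lost, which is what you want to hand over if a permission later turns out to be missing.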

6 hours ago, NZLaurence said:

What are you actually trying to do?

 

It looks like you are taking all the members of the Intake 2016 OU and then removing them from all groups except Domain Users? Is that correct?

 

If so you could use

$name = $_.name -replace "/","_"

inside the last loop before using the remove group statement. Even better would be to use the group DN instead of the name.

 

However, if it was my domain I would rename the groups, because you will find lots of issues with scripts that don't properly sanitise their values.

Thanks, I managed to do this same thing earlier, then I came on and saw you suggested it haha!

 

I would like to change the group names, but they were all created and pulled from the management software used in the school for the students. After diving deep into a few things, the groups have not even been used in the school since I started, and they are only really used to track timetables in another piece of software... I don't see the need to add them to specific groups because most permissions are done via intake groups or just the 'All students' group...

 

Although maybe it would be good to put something in place, since we use Google sync and teachers might want to send emails to specific classes (and it would make it so much easier if I did put them in the correct classes/groups so it automatically does it on the Gmail groups)

22 minutes ago, BSpendlove said:

Thanks, I managed to do this same thing earlier, then I came on and saw you suggested it haha!

 

I would like to change the group names, but they were all created and pulled from the management software used in the school for the students. After diving deep into a few things, the groups have not even been used in the school since I started, and they are only really used to track timetables in another piece of software... I don't see the need to add them to specific groups because most permissions are done via intake groups or just the 'All students' group...

 

Although maybe it would be good to put something in place, since we use Google sync and teachers might want to send emails to specific classes (and it would make it so much easier if I did put them in the correct classes/groups so it automatically does it on the Gmail groups)

What system creates the student accounts and keeps their details up to date in AD? Is that done directly using the student management software with its own AD integration?

 

I've got a PowerShell script that I can give you that grabs a nightly export (CSV) of all students, their classes etc. and creates/updates their accounts, adds/removes them from class groups and creates the class security group if it does not exist (new class or class name change).

 

Students that get marked as left in the school SMS system also get archived to a NAS using another script which clears out system data from their home drive, zips it then deletes the home drive and AD account.

 

Haven't touched a student account in years other than resetting passwords, although at the school where this was first set up, student passwords were generated in the SMS system and students couldn't change them.

 

Edit:

Fixed a number of stupid spelling/grammar errors.

 

Edit:

Never mind, wasn't sure what ActivMan was. I prefer my script way to using someone else's application, but I'm prepared to create and maintain my own scripts and not everyone wants to do that.
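Added example (not leadeater's script) of the nightly CSV reconciliation described above: for each class in the export it creates the security group if it is missing, then adds only the members that are missing and removes only the ones that are stale, all behind -WhatIf. It assumes the RSAT ActiveDirectory module; the CSV column names Username and Class, the "Class-" prefix and the groups OU path are assumptions.

```powershell
# Added example, not leadeater's script. Assumes the RSAT ActiveDirectory module; the
# CSV columns (Username, Class), the "Class-" prefix and the groups OU are assumptions.
Import-Module ActiveDirectory

function Sync-ClassGroupsFromCsv {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$CsvPath,
        [Parameter(Mandatory)][string]$GroupOu,
        [string]$Prefix = 'Class-'
    )
    # Desired state from the MIS export: sanitised group name -> set of usernames.
    # sAMAccountName cannot contain / \ [ ] : ; | = , + * ? < > " so "7-2/En" becomes
    # "Class-7-2_En"; the original MIS name is kept as the group description.
    $desired = @{}
    foreach ($row in Import-Csv -Path $CsvPath) {
        $name = $Prefix + ($row.Class -replace '[\\/\[\]:;|=,+*?<>"]', '_')
        if (-not $desired.ContainsKey($name)) {
            $desired[$name] = @{ Original = $row.Class; Members = @{} }
        }
        $desired[$name].Members[$row.Username.ToLower()] = $true
    }

    $changes = @()
    foreach ($name in $desired.Keys) {
        try { $group = Get-ADGroup -Identity $name } catch { $group = $null }
        if (-not $group) {
            if ($PSCmdlet.ShouldProcess($name, 'Create class security group')) {
                $group = New-ADGroup -Name $name -SamAccountName $name -GroupScope Global `
                    -GroupCategory Security -Path $GroupOu -Description $desired[$name].Original -PassThru
            }
            if (-not $group) { continue }   # under -WhatIf nothing was created to reconcile
        }
        # Current state vs desired: add only the missing, remove only the stale.
        $current = @{}
        Get-ADGroupMember -Identity $group | Where-Object SamAccountName |
            ForEach-Object { $current[$_.SamAccountName.ToLower()] = $true }
        $toAdd    = @($desired[$name].Members.Keys | Where-Object { -not $current.ContainsKey($_) })
        $toRemove = @($current.Keys | Where-Object { -not $desired[$name].Members.ContainsKey($_) })
        foreach ($u in $toAdd) {
            try { $acct = Get-ADUser -Identity $u } catch { Write-Warning "CSV user '$u' not in AD; skipped"; continue }
            if ($PSCmdlet.ShouldProcess("$u -> $name", 'Add member')) { Add-ADGroupMember -Identity $group -Members $acct }
            $changes += [pscustomobject]@{ Group = $name; User = $u; Action = 'add' }
        }
        foreach ($u in $toRemove) {
            if ($PSCmdlet.ShouldProcess("$u <- $name", 'Remove member')) {
                Remove-ADGroupMember -Identity $group -Members $u -Confirm:$false
            }
            $changes += [pscustomobject]@{ Group = $name; User = $u; Action = 'remove' }
        }
    }
    $changes   # every planned or applied add/remove, worth logging alongside the nightly run
}

# Constructed sample export (not real data), then a dry run.
@'
Username,Class
jsmith,7-2/En
akhan,7-2/En
jsmith,7-1/Ma
'@ | Set-Content -Path "$env:TEMP\classes.csv"
Sync-ClassGroupsFromCsv -CsvPath "$env:TEMP\classes.csv" `
    -GroupOu 'OU=Classes,OU=Groups,OU=schoolou,DC=int,DC=schooldomain,DC=org' -WhatIf
```

Only classes present in the export are reconciled, so a class that disappears from the MIS keeps its group and members until someone removes it; an extra pass over the groups OU would be needed to retire those.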

Just now, leadeater said:

-snip-

It should be 'ActivMan' that keeps it updated in AD, but it looks like the previous IT guys never set it up properly because it hasn't been used for 2 years and the school is still charged for a license key every year.. I think it pulls directly from SIMS (because SIMS has all the correct information regarding classes and year groups etc.)

 

It was a mess when I started 6 weeks ago: they have no home drive (all save locally to computers so they need to use the same computers... P.S. it's pretty much all Macs with Windows loaded for the classrooms), no group policies were working because a 2nd DC was just crying and didn't know what to do... urgh

 

I'm currently using another script to grab a CSV I export manually from sims.net, and it will clear all group memberships and re-add them, since I'm literally redoing the AD configuration (300+ computers still in AD that were logged in since 2012... I guess someone migrated it all over to this new server (that had 2 cores and 4GB RAM; the 2nd DC had 1 core and 8GB RAM in the settings in ESXi/Hyper-V LOL)

 

I could go on forever about how much stuff was wrong when I first started here, but it's a brilliant experience. Away from all that, this ActivMan has to be run manually and set up properly to export users from, e.g., intake2013 to manually add them to the correct groups (Year 11, Curriculum year 11, then it should add them to the class groups, e.g. 11-1/EN, but obviously doesn't)

Plus they have like 4TB of space on a server that is barely used, so I think this will be good to set up folder redirection for the common folders and a home drive... The infrastructure is good, has 10Gb fibre between 3 buildings, core switch infrastructure pretty much made of 4x 3750X stacked which all the fibre goes to...

 

Although it might be worth changing something, since this server is located in another building (backup server which is only used around 9pm), although not sure if it's a good idea to have all students redirected/home folders on the backup server? Also I think there's just a 1Gb link from this server to the switch (then the 10Gb fibre to the server room)

@BSpendlove

Damn, glad that's not my mess to clean up. If it were me, at year end I'd just clean slate everything and build a totally new AD and re-image every computer. If ActivMan needs to be manually run then yeah, screw that, I'd take the script way any day.

Going a bit off topic, maybe I'll rant in another topic soon haha

 

But I'm not sure about this ActivMan since I can't find much documentation, but it's a work in progress and I guess with the new year 7 starting in September, I only care about getting them up and running for now

2 minutes ago, leadeater said:

@BSpendlove

Damn, glad that's not my mess to clean up. If it were me, at year end I'd just clean slate everything and build a totally new AD and re-image every computer. If ActivMan needs to be manually run then yeah, screw that, I'd take the script way any day.

We have no solution for installing these Macs since I can't deploy from the WDS server, although it looks like the previous IT guys had a Mac mini server in the back to deploy captured DMGs, but I don't have the slightest clue when it comes to Apple stuff (slowly learning) so I am dreading it haha

Before going down Folder Redirection I'd make sure the server that is going to host the data is resilient enough, under warranty and has a proper backup solution in place.

 

iSCSI disk to a NAS/backup server and Windows Backup works very well. I use iSCSI since Windows Backup doesn't support multiple copies of backups when using a UNC/network share unless that has changed.


3 minutes ago, BSpendlove said:

We have no solution for installing these Macs since I can't deploy from the WDS server, although it looks like the previous IT guys had a Mac mini server in the back to deploy captured DMGs, but I don't have the slightest clue when it comes to Apple stuff (slowly learning) so I am dreading it haha

Most likely the Mac Mini is running DeployStudio, really good software for imaging Macs. If that isn't being used then I'd highly suggest using that.

 

I do think recently Apple did some stuff to seriously limit the ability to run Windows on newer Mac hardware; better check that out in case forward planning is needed due to that.

Just now, leadeater said:

Before going down Folder Redirection I'd make sure the server that is going to host the data is resilient enough, under warranty and has a proper backup solution in place.

 

iSCSI disk to a NAS/backup server and Windows Backup works very well. I use iSCSI since Windows Backup doesn't support multiple copies of backups when using a UNC/network share unless that has changed.

Yeah, I think it would be nice to just make all teachers tell the students to save everything on the home drive and not do folder redirection... None of the servers have a warranty xD Will need to test the average profile size to put on home folders, although they liked it when I mentioned having a different amount for each year (or year 10-11s having a bit more since coursework etc.)

Just now, leadeater said:

-snip

Yes! That rings a bell. I've just looked at the server and it has DeployStudio and I will need to watch a few videos on it... I tried booting to it on a few Macs a week ago but they weren't working, and I noticed online that some old Macs have issues when booting from the network, so you need to load the base Mac OS via internet recovery then go into the startup disk to change to network? What a pain!!

5 minutes ago, BSpendlove said:

Yeah, I think it would be nice to just make all teachers tell the students to save everything on the home drive and not do folder redirection... None of the servers have a warranty xD Will need to test the average profile size to put on home folders, although they liked it when I mentioned having a different amount for each year (or year 10-11s having a bit more since coursework etc.)

Folder Redirection and Home Drive go to the same place, so the same advice applies. You'd be putting all the data into a single place, and a fault with that server means that everything is down and all data could go with it. Even with a backup, on the resiliency side of things, if the server currently goes down at least you can save the work locally, which is not something I actually allow on networks I build. I use GPO to restrict access to the C drive and even hide it from My Computer completely.

1 minute ago, BSpendlove said:

Yes! That rings a bell. I've just looked at the server and it has DeployStudio and I will need to watch a few videos on it... I tried booting to it on a few Macs a week ago but they weren't working, and I noticed online that some old Macs have issues when booting from the network, so you need to load the base Mac OS via internet recovery then go into the startup disk to change to network? What a pain!!

You just need to create the NetBoot image on the problem hardware, load that onto the Mac server and add it to the NetBoot images; then when booting a Mac, hold down Option/Alt and you'll get multiple NetBoot options to pick from.

Just now, leadeater said:

You just need to create the NetBoot image on the problem hardware, load that onto the Mac server and add it to the NetBoot images; then when booting a Mac, hold down Option/Alt and you'll get multiple NetBoot options to pick from.

Ah I see, I'll look into that and see what I can do (do I create this NetBoot image directly from the Mac when it's loaded?). Would you know if it is a pain to capture a Mac image with dual boot preconfigured?

@BSpendlove

Just realized I normally charge for this kind of service lol. Anyway, if you want any advice on anything at any time or guidance, even a step by step guide, let me know and I'll be happy to supply it.

@leadeater haha I feel the same when I'm sitting at home, literally on a remote session into work, documenting everything and trying new things and thinking "Why do I do this?"... because I have nothing better to do and love my job! Many thanks for your responses and help :)

6 minutes ago, BSpendlove said:

Ah I see, I'll look into that and see what I can do (do I create this NetBoot image directly from the Mac when it's loaded?). Would you know if it is a pain to capture a Mac image with dual boot preconfigured?

Yeah, you create it on the Mac once booted; there are some really good guides online already on how to do it and load it onto a Mac server. Dual boot can be done; we used to dual boot every Mac but stopped doing that after management issues and greatly increased support time. What happens is the computer will only get used in one of the OSes for ages, and software installs won't get done or the computer account in AD will tombstone.

I find most places that buy Macs to run Windows on them do it because they think they have better hardware or something and compared them to some junk PC that was 1/3 the price. My rule is if you bought a Mac you did it for Mac OS and you'll damn well use it; you paid extra for it. If not, spend roughly the same and you'll have just as good a computer if not better.

2 minutes ago, leadeater said:

Yeah, you create it on the Mac once booted; there are some really good guides online already on how to do it and load it onto a Mac server. Dual boot can be done; we used to dual boot every Mac but stopped doing that after management issues and greatly increased support time. What happens is the computer will only get used in one of the OSes for ages, and software installs won't get done or the computer account in AD will tombstone.

One last question! (I feel bad ;) ) They literally only use Windows, so is it possible to just image Windows on the Macs? (They are all 8.1 and we have like 300+ licenses for Win10, so it might be a good time to get an updated image for both Macs and desktops)

1 minute ago, BSpendlove said:

One last question! (I feel bad ;) ) They literally only use Windows, so is it possible to just image Windows on the Macs? (They are all 8.1 and we have like 300+ licenses for Win10, so it might be a good time to get an updated image for both Macs and desktops)

Yep you can run Windows only just fine.


1 minute ago, leadeater said:

I find most places that buy Macs to run Windows on them do it because they think they have better hardware or something and compared them to some junk PC that was 1/3 the price. My rule is if you bought a Mac you did it for Mac OS and you'll damn well use it; you paid extra for it. If not, spend roughly the same and you'll have just as good a computer if not better.

That is exactly what happened: they bought loads of Macs to use Adobe Master Collection, then found out that they had loads of Windows software they needed to use, so they bought Windows licenses and, as I mentioned above, they only use Windows now LOL (it's hilarious)

1 minute ago, BSpendlove said:

That is exactly what happened: they bought loads of Macs to use Adobe Master Collection, then found out that they had loads of Windows software they needed to use, so they bought Windows licenses and, as I mentioned above, they only use Windows now LOL (it's hilarious)

Hurpa durp but Macs are for design work in stuff, durrrrr. ;)


4 minutes ago, BSpendlove said:

That is exactly what happened: they bought loads of Macs to use Adobe Master Collection, then found out that they had loads of Windows software they needed to use, so they bought Windows licenses and, as I mentioned above, they only use Windows now LOL (it's hilarious)

I can't remember if I got it working, but I tried creating a WDS boot image and loading that into DeployStudio so I could image Macs using WDS. Was a long time ago and now I refuse to put Windows on Macs so I don't care anymore.

 

Set up auto image settings in DeployStudio which puts down a WinPE/WDS boot image then reboots the Mac, which boots to WinPE, then WDS auto images the Mac, joins it to AD, installs drivers then software etc. etc. Really only looked into doing it that way since it's a ton easier to create/update Windows images for WDS than it is for DeployStudio.