I have a logic problem: how can I make the script safer for the NON Block users from the IT groups, who are being blocked by some operations users who need to block employees in AD? I am so close to automating this process by sharing with them a CSV file with username, DateDisable, DateEnable.
# today's date as M/d/yyyy (the quoted slashes force a literal '/' instead of the culture's date separator)
$b = (Get-Date).ToString('M"/"d"/"yyyy')
Write-Host $b

Import-Csv "I:\Clients\Block Accounts\Accounts Deactivation.csv" | ForEach-Object {
    $SamAccountName = $_."SamAccountName"
    $dateDisable    = $_."dateDisable"
    $dateEnable     = $_."dateEnable"

    # How can I search users in a group like PLKAT-NON-BLOCK-USERS and not block users from this group with an IF?
    # Can you tell me more about this solution? I will be grateful for some clues.
    if ( Get-ADPrincipalGroupMembership -And $dateDisable -eq $b) {
        Get-ADUser -Identity $SamAccountName | Disable-ADAccount
        Write-Host "-User $SamAccountName Disabled"
    }

    if ( $dateEnable -eq $b) {
        Get-ADUser -Identity $SamAccountName | Enable-ADAccount
        Write-Host "-User $SamAccountName Enabled"
    }
}
CodePudding user response:
$b = (Get-Date).ToString('M"/"d"/"yyyy')
$groups = 'PLKAT-G-ORG-NON Block Users'   # one or more group names whose members must never be disabled

Import-Csv "C:\it\blokady\Accounts Deactivation Test.csv" | ForEach-Object {
    $SamAccountName = $_."SamAccountName"
    $dateDisable    = $_."dateDisable"
    $dateEnable     = $_."dateEnable"

    foreach ($group in $groups) {
        # -Recursive flattens nested groups so indirect members are protected too
        $members = Get-ADGroupMember -Identity $group -Recursive | Select-Object -ExpandProperty SamAccountName
        If ($members -contains $SamAccountName) {
            Write-Host "$SamAccountName is a member of NON Block User Group"
        }
        Else {
            # only disable when the CSV's disable date is today
            if ($dateDisable -eq $b) {
                Get-ADUser -Identity $SamAccountName | Disable-ADAccount
                Write-Host "-User $SamAccountName Disabled"
            }
        }
    }

    if ( $dateEnable -eq $b) {
        Get-ADUser -Identity $SamAccountName | Enable-ADAccount
        Write-Host "-User $SamAccountName Enabled"
    }
}
CodePudding user response:
At the top of your script, you can get a list of all users in the PLKAT-NON-BLOCK-USERS group first.
Then in the code check if the user you are iterating is a member of this group and if so, do not disable that user.
Something like:
# get an array of SamAccountNames for users you do not wish to disable
$noDisable = (Get-ADGroupMember -Identity 'PLKAT-NON-BLOCK-USERS' -Recursive | Where-Object { $_.objectClass -eq 'user' }).SamAccountName
$refDate   = (Get-Date).ToString('M"/"d"/"yyyy')

Import-Csv -Path 'I:\Clients\Block Accounts\Accounts Deactivation.csv' | ForEach-Object {
    if ($noDisable -contains $_.SamAccountName) {
        Write-Host "User '$($_.SamAccountName)' is member of group 'PLKAT-NON-BLOCK-USERS'. Skipped."
        # inside a ForEach-Object script block 'continue' would stop the whole pipeline;
        # 'return' skips this one and proceeds with the next user
        return
    }
    # try and get the AD user object
    $user = Get-ADUser -Filter "SamAccountName -eq '$($_.SamAccountName)'" -ErrorAction SilentlyContinue
    if ($user) {
        if ($_.dateEnable -eq $refDate) {
            $user | Enable-ADAccount
            Write-Host "User '$($_.SamAccountName)' Enabled"
        }
        elseif ($_.dateDisable -eq $refDate) {
            $user | Disable-ADAccount
            Write-Host "User '$($_.SamAccountName)' Disabled"
        }
    }
    else {
        Write-Warning "User '$($_.SamAccountName)' does not exist.."
    }
}
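Both answers above compare the CSV dates to today's date as strings and call the AD cmdlets directly inside the loop. The following is an added example (not code from the question or either answer) that keeps the same exemption-group idea but separates the "what should happen to this row today" decision from the AD calls, so the decision logic can be exercised offline with constructed rows, parses dates with an explicit format instead of string equality, looks the user up by identity rather than interpolating CSV text into an AD filter, and supports -WhatIf for a dry run. The group name, CSV path and sample rows are assumptions; the exemption group only blocks the Disable action, so an exempt account whose enable date is today is still enabled.

```powershell
# Added example; not from the original question or answers.

function ConvertTo-DateOrNull {
    # Parse a CSV date with a fixed format; returns $null for blank or unparseable input
    param([string] $Text, [string] $Format = 'M/d/yyyy')
    if ([string]::IsNullOrWhiteSpace($Text)) { return $null }
    $parsed = [datetime]::MinValue
    $ok = [datetime]::TryParseExact($Text.Trim(), $Format,
            [cultureinfo]::InvariantCulture,
            [System.Globalization.DateTimeStyles]::None, [ref]$parsed)
    if ($ok) { return $parsed.Date }
    Write-Warning "Cannot parse date '$Text' with format '$Format'"
    return $null
}

function Get-AccountAction {
    # Decide 'Enable', 'Disable' or 'Skip' for one CSV row. Pure function: no AD access.
    param(
        [Parameter(Mandatory)] [pscustomobject] $Row,
        [string[]] $Exempt = @(),              # SamAccountNames that must never be disabled
        [datetime] $Today = (Get-Date).Date,
        [string]   $DateFormat = 'M/d/yyyy'
    )
    $enableOn  = ConvertTo-DateOrNull $Row.dateEnable  $DateFormat
    $disableOn = ConvertTo-DateOrNull $Row.dateDisable $DateFormat

    if ($enableOn -eq $Today) { return 'Enable' }   # enable wins if both dates are today
    if ($disableOn -eq $Today) {
        if ($Exempt -contains $Row.SamAccountName) {
            Write-Warning "'$($Row.SamAccountName)' is in the exemption group; not disabling"
            return 'Skip'
        }
        return 'Disable'
    }
    return 'Skip'
}

function Invoke-AccountAction {
    # Apply the decisions to AD. Run with -WhatIf first to see what would change.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Path,         # CSV with SamAccountName,dateDisable,dateEnable
        [Parameter(Mandatory)] [string] $ExemptGroup   # e.g. 'PLKAT-NON-BLOCK-USERS' (assumed name)
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    # Resolve the exemption group once; -Recursive flattens nested groups, users only
    $exempt = @(Get-ADGroupMember -Identity $ExemptGroup -Recursive |
        Where-Object objectClass -eq 'user' | Select-Object -ExpandProperty SamAccountName)

    foreach ($row in Import-Csv -Path $Path) {
        $action = Get-AccountAction -Row $row -Exempt $exempt
        if ($action -eq 'Skip') { continue }   # plain foreach: 'continue' is safe here

        # Exact identity lookup; a missing account is a terminating error, so catch it
        try   { $user = Get-ADUser -Identity $row.SamAccountName -ErrorAction Stop }
        catch { Write-Warning "User '$($row.SamAccountName)' not found"; continue }

        if ($PSCmdlet.ShouldProcess($user.SamAccountName, $action)) {
            switch ($action) {
                'Enable'  { Enable-ADAccount  -Identity $user }
                'Disable' { Disable-ADAccount -Identity $user }
            }
            Write-Host "$action`: $($user.SamAccountName)"
        }
    }
}

# Offline check of the decision logic with constructed rows (no AD needed).
# Note the two spellings of the same day, which a string comparison would treat as different.
$sample = @'
SamAccountName,dateDisable,dateEnable
jdoe,1/5/2023,
asmith,01/05/2023,1/5/2023
svc-backup,1/5/2023,
'@ | ConvertFrom-Csv
$today = [datetime]'2023-01-05'
$sample | ForEach-Object {
    '{0,-12} {1}' -f $_.SamAccountName, (Get-AccountAction -Row $_ -Exempt @('svc-backup') -Today $today)
}

# Real run (assumed path and group name), dry run first:
# Invoke-AccountAction -Path 'C:\path\Accounts Deactivation.csv' -ExemptGroup 'PLKAT-NON-BLOCK-USERS' -WhatIf
```

Keeping the exemption list as the single source of truth for "never disable" means the CSV supplied by the operations team cannot override it, and because `Get-AccountAction` never touches AD, the date and exemption rules can be checked against sample rows before the script is ever pointed at the real domain.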