I'd like to do an access review of AD groups, but I'm not sure what approach I should take. Each user has their manager and some users have the same manager.
What I would like to do is send the list of groups for each user to their respective manager.
### Access Review ###
$Users = @"
SamAccountName;
User1
User2
User3
User4
"@ | Convertfrom-csv -Delimiter ";"
$Members =
Foreach ($User in $Users) {
Get-aduser $user.samaccountname -Properties Name, samaccountname, userprincipalname, manager
}
#Get their group membership ### NOT SURE WHAT TO DO HERE
$Groupmembership = (Get-ADUser $User.SamAccountName -Properties MemberOf).MemberOf | Get-ADGroup | Select-Object name
#Group all managers for each users
$Managers = $Members | group manager
foreach($Manager in ($Managers.name) | select -Unique){
#MailManager
$MailManager = (Get-ADUser $Manager -properties mail).mail
### Send-mail message to their Manager with attachment file for each user ###
$NewMessage = "Please find attached an export of groups from the users that require approval, we ask that you verify if these groups are to remain or if any need to be removed with their change of position"
$Message = New-Object System.Net.Mail.MailMessage
$Message.From = New-Object System.Net.Mail.MailAddress '[email protected]'
$To = $MailManager
$Subject = "[Manager - Action Required] - Access Review"
$body = $NewMessage
$SMTPServer = 'mail.contoso.com'
Send-MailMessage -From $Message.From -To $To -Subject 'Access Review' -Body $body -Encoding UTF8 -SmtpServer $SMTPServer
}
CodePudding user response:
Instead of sending attachments, why not send a nice HTML email with the results in a table?
Something like this:
$Users = @'
SamAccountName;
User1
User2
User3
User4
'@ | ConvertFrom-Csv -Delimiter ';'
$Members = foreach ($User in $Users) {
$adUser = Get-ADUser -Filter "SamAccountName -eq '$($user.SamAccountName)'" -Properties Manager, MemberOf
if ($adUser) {
# get the manager object; skip the lookup when the Manager attribute is empty,
# because -Identity does not accept $null and -ErrorAction does not suppress that binding error
$manager = if ($adUser.Manager) {
Get-ADUser -Identity $adUser.Manager -Properties EmailAddress -ErrorAction SilentlyContinue
}
# get the group names
$adUser.MemberOf | ForEach-Object {
[PsCustomObject]@{
Group = (Get-ADGroup $_).Name
User = $adUser.Name
ManagerEmail = if ($manager) { $manager.EmailAddress } else { $null }
}
}
}
else {
Write-Warning "Could not find user $($user.SamAccountName)"
}
}
# define a stylesheet for the email body and table
$style = @'
<style>
body {font-family: Arial; font-size: 10pt;}
table {border: 1px solid red; border-collapse: collapse;}
th {border: 1px solid; background-color: #4CAF50; color: white; padding: 5px;}
td {border: 1px solid; padding: 5px;}
</style>
'@
# this text will be put before the table of group names and users
$preContent = @'
<p>Please find below an export of groups from the users that require approval,
we ask that you verify if these groups are to remain or if any need to be removed with their change of position.</p>
'@
# create a Hashtable with parameters used for splatting to Send-MailMessage
$mailParams = @{
From = '[email protected]'
To = $null
Subject = "[Manager - Action Required] - Access Review"
SmtpServer = 'mail.contoso.com'
Body = $null
BodyAsHtml = $true
Encoding = 'UTF8'  # must be quoted: a bare UTF8 here would be parsed as a command name
}
# if you want to avoid the risk of trying to send an email to a manager WITHOUT emailaddress, use:
# $Members | Where-Object { ![string]::IsNullOrWhiteSpace($_.ManagerEmail) } | Group-Object ManagerEmail | ForEach-Object {
$Members | Group-Object ManagerEmail | ForEach-Object {
# fill in the To and Body items
$mailParams.To = $_.Name # the name of the group is the manager's EmailAddress
$mailParams.Body = $_.Group |
Sort-Object Group, User |
Select-Object Group, User |
ConvertTo-Html -Head $style -PreContent $preContent | Out-String
Write-Host "Sending email to $($_.Name)"
Send-MailMessage @mailParams
}
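As an added worked example (mine, not code from the question or the answer above), here is the same review flow taken one step further the way an auditor usually wants it: every user with an empty or unusable Manager attribute is routed to a fallback reviewer instead of being silently dropped, each manager gets a CSV attachment (which is what the question asked for), groups that every account holds are filtered out as noise, and a CSV audit log records who was asked to review what and when. The fallback reviewer address, the output folder, the ignored-group list and the 14-day reply window are assumptions chosen for this example; the user names, sender and SMTP server are the ones from the question.

```powershell
# Added example, not from the question or the answer: one access-review batch per
# reviewer, with a fallback reviewer, a CSV attachment per batch and an audit log.
#Requires -Modules ActiveDirectory

$SamAccountNames  = 'User1', 'User2', 'User3', 'User4'       # from the question
$From             = '[email protected]'                   # from the question
$SmtpServer       = 'mail.contoso.com'                       # from the question
$FallbackReviewer = '[email protected]'      # assumption: reviewer for users with no usable manager
$IgnoreGroups     = @('Domain Users')                        # assumption: groups every account holds, not worth reviewing
$ReplyByDays      = 14                                       # assumption: review window
$OutDir           = Join-Path $env:TEMP ('AccessReview-' + (Get-Date -Format 'yyyyMMdd-HHmm'))
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# One row per (user, group); the reviewer is resolved once per user.
$Rows = foreach ($Sam in $SamAccountNames) {
    $adUser = Get-ADUser -Filter "SamAccountName -eq '$Sam'" -Properties Manager, MemberOf, UserPrincipalName
    if (-not $adUser) { Write-Warning "User '$Sam' not found in AD"; continue }

    $ReviewerEmail = $null
    if ($adUser.Manager) {
        $Mgr = Get-ADUser -Identity $adUser.Manager -Properties EmailAddress, Enabled
        # a disabled manager or one without a mailbox cannot complete a review
        if ($Mgr.Enabled -and $Mgr.EmailAddress) { $ReviewerEmail = $Mgr.EmailAddress }
    }
    if (-not $ReviewerEmail) {
        Write-Warning "No usable manager for '$Sam'; routing to $FallbackReviewer"
        $ReviewerEmail = $FallbackReviewer
    }

    foreach ($GroupDn in $adUser.MemberOf) {
        $Group = Get-ADGroup -Identity $GroupDn -Properties Description
        if ($IgnoreGroups -contains $Group.Name) { continue }
        [pscustomobject]@{
            User          = $adUser.SamAccountName
            UPN           = $adUser.UserPrincipalName
            Group         = $Group.Name
            GroupScope    = $Group.GroupScope
            Description   = $Group.Description
            ReviewerEmail = $ReviewerEmail
        }
    }
}

# One email and one CSV attachment per reviewer; collect an audit record for each send.
$ReplyBy = (Get-Date).AddDays($ReplyByDays).ToString('yyyy-MM-dd')
$Sent = foreach ($Batch in ($Rows | Group-Object ReviewerEmail)) {
    $Reviewer = $Batch.Name
    $Csv = Join-Path $OutDir (($Reviewer -replace '[^\w.@-]', '_') + '.csv')
    $Batch.Group | Sort-Object User, Group | Export-Csv -Path $Csv -NoTypeInformation -Encoding UTF8

    $UserList = ($Batch.Group.User | Sort-Object -Unique) -join ', '
    $Body = @"
Please find attached the current group memberships for: $UserList
Please confirm which memberships should remain and reply with any that must be removed
following their change of position. Memberships not flagged by $ReplyBy will be treated as confirmed.
"@

    Send-MailMessage -From $From -To $Reviewer -Subject '[Manager - Action Required] - Access Review' `
        -Body $Body -Attachments $Csv -Encoding UTF8 -SmtpServer $SmtpServer

    [pscustomobject]@{
        Reviewer   = $Reviewer
        Users      = $UserList
        Rows       = $Batch.Count
        Attachment = $Csv
        ReplyBy    = $ReplyBy
        SentAt     = (Get-Date).ToString('s')
    }
}

# The audit log is the evidence that the review was issued, to whom, and with which scope.
$Sent | Export-Csv -Path (Join-Path $OutDir 'audit-log.csv') -NoTypeInformation -Encoding UTF8
$Sent | Format-Table Reviewer, Rows, ReplyBy, SentAt -AutoSize
```

Run it from a workstation with the RSAT ActiveDirectory module under an account that can read the Manager and MemberOf attributes; the per-reviewer CSVs and audit-log.csv land in the timestamped folder under $env:TEMP. Keeping the reviewer decision in one place (manager present, enabled, has a mailbox, otherwise fallback) is what stops a user from falling out of the review because their manager left or has no mailbox, which is the usual gap in home-grown review scripts.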