Add users to an AD group based on office location with PowerShell

Recently I did some work for an organisation based in an 8-storey building. They advised me that one of the things they needed my help with was automating which distribution list users get added to, based on their office location.

The office location attribute they were referring to is the “Office” attribute that each user has in Active Directory.

The way they wanted this to work is as follows.

  • When a new user joins the company, the user account is created and populated with the relevant information.
  • If the user is based on “level 7”, then the “Office” attribute contains “Level 7”.
  • The script gets all users who have an “Office” of “Level 7” and removes them from the distribution groups for the other levels. (Think of users changing seating location in the office.)
  • The script then adds the user to the Level 7 distribution group.
  • The script can be run from a scheduled task daily, weekly, or whenever they desire.

With a clear understanding of the requirements, I set out to figure out this small task.

The script I came up with can be seen below. Here is how it works:

  1. Get the AD users whose “Office” attribute is set to Level 6 and whose account is not disabled. Pass these users to the variable $lvl6.
  2. Do the same for levels 7 and 8, passing them to their respective variables.
  3. Run a foreach loop against each variable, which does the following:
    1. Get the AD groups whose name is like “Level 7” or “Level 8”.
    2. Remove the members of $lvl6 from these groups, then
    3. Get the AD group whose name is like “Level 6” and add the members of $lvl6 to it.
  4. Do the same for Level 7 and Level 8.

Below is a screenshot of the script I created, with the source code right below.

#requires the RSAT Active Directory module (ships with the Get-ADUser / Get-ADGroup cmdlets used below).
Import-Module ActiveDirectory

#"not disabled" is tested with the LDAP bitwise AND rule on userAccountControl: any account with the ACCOUNTDISABLE bit (2) set is excluded.
#(a plain "useraccountcontrol=512" would miss enabled accounts that also carry other flags, such as "password never expires".)
$enabled = "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"

#get aduser where officename is level 6, and user account is not disabled, select the logon name and pass it to $lvl6.
#SamAccountName is returned by default, so -Properties * is not needed.
$Lvl6 = Get-ADUser -LDAPFilter "(&(physicalDeliveryOfficeName=Level 6)$enabled)" | Select-Object -ExpandProperty SamAccountName
#get aduser where officename is level 7, and user account is not disabled, select the logon name and pass it to $lvl7.
$Lvl7 = Get-ADUser -LDAPFilter "(&(physicalDeliveryOfficeName=Level 7)$enabled)" | Select-Object -ExpandProperty SamAccountName
#get aduser where officename is level 8, and user account is not disabled, select the logon name and pass it to $lvl8.
$Lvl8 = Get-ADUser -LDAPFilter "(&(physicalDeliveryOfficeName=Level 8)$enabled)" | Select-Object -ExpandProperty SamAccountName

#foreach user in the level6 list, if they are in the DL groups for lvl7 or lvl8 it will remove them from the group. It will then add them to the Lvl6 DL group if they are not already a member.
#-like without a wildcard is an exact name match, so "Level 7 Managers" would not be touched.
#-EA SilentlyContinue keeps the loop going when Add-ADGroupMember reports that the user is already a member.
#This continues for the following 2 foreach loops for the respective levels.
foreach ($userobject6 in $Lvl6){
    Get-ADGroup -Filter {name -like "Level 7" -or name -like "Level 8"} | Remove-ADGroupMember -Members $userobject6 -Confirm:$false -EA SilentlyContinue
    Get-ADGroup -Filter {name -like "Level 6"} | Add-ADGroupMember -Members $userobject6 -Confirm:$false -EA SilentlyContinue
}

foreach ($userobject7 in $Lvl7){
    Get-ADGroup -Filter {name -like "Level 6" -or name -like "Level 8"} | Remove-ADGroupMember -Members $userobject7 -Confirm:$false -EA SilentlyContinue
    Get-ADGroup -Filter {name -like "Level 7"} | Add-ADGroupMember -Members $userobject7 -Confirm:$false -EA SilentlyContinue
}

foreach ($userobject8 in $Lvl8){
    Get-ADGroup -Filter {name -like "Level 6" -or name -like "Level 7"} | Remove-ADGroupMember -Members $userobject8 -Confirm:$false -EA SilentlyContinue
    Get-ADGroup -Filter {name -like "Level 8"} | Add-ADGroupMember -Members $userobject8 -Confirm:$false -EA SilentlyContinue
}
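The same idea written as a data-driven reconciliation, added here as an example and not part of the original script: a hashtable maps each Office value to its group, every group is compared against the set of enabled users who should be in it, and only the differences are applied. It goes further than the per-level loops above in that a user who is disabled, or whose Office changes to a value outside the table, is removed as well, and -WhatIf lets the scheduled task be dry-run before any membership is changed. The group names and the hashtable are assumptions; adjust them to your environment.

```powershell
# Office attribute value -> distribution group name (assumed names, change to match your AD).
$OfficeToGroup = @{
    'Level 6' = 'Level 6'
    'Level 7' = 'Level 7'
    'Level 8' = 'Level 8'
}

function Sync-OfficeGroupMembership {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][hashtable]$OfficeToGroup)

    # One LDAP query for every enabled user whose Office is one of the mapped values.
    $enabled = '(!(userAccountControl:1.2.840.113556.1.4.803:=2))'
    $offices = ($OfficeToGroup.Keys | ForEach-Object { "(physicalDeliveryOfficeName=$_)" }) -join ''
    $users   = Get-ADUser -LDAPFilter "(&(|$offices)$enabled)" -Properties Office

    foreach ($office in $OfficeToGroup.Keys) {
        $groupName = $OfficeToGroup[$office]
        $group     = Get-ADGroup -Identity $groupName

        # Desired members: enabled users whose Office equals this level.
        $desired = @($users | Where-Object Office -eq $office | Select-Object -ExpandProperty SamAccountName)
        # Current user members only; nested groups, contacts and computers are left untouched.
        $current = @(Get-ADGroupMember -Identity $group |
                     Where-Object objectClass -eq 'user' |
                     Select-Object -ExpandProperty SamAccountName)

        $toAdd    = @($desired | Where-Object { $_ -notin $current })
        $toRemove = @($current | Where-Object { $_ -notin $desired })

        # ShouldProcess honours -WhatIf / -Confirm, so the change list can be reviewed before it is applied.
        if ($toAdd -and $PSCmdlet.ShouldProcess($groupName, "Add: $($toAdd -join ', ')")) {
            Add-ADGroupMember -Identity $group -Members $toAdd -Confirm:$false
        }
        if ($toRemove -and $PSCmdlet.ShouldProcess($groupName, "Remove: $($toRemove -join ', ')")) {
            Remove-ADGroupMember -Identity $group -Members $toRemove -Confirm:$false
        }

        # Per-group summary, handy to log from the scheduled task.
        [pscustomobject]@{ Group = $groupName; Added = $toAdd.Count; Removed = $toRemove.Count }
    }
}

# Preview the changes first; drop -WhatIf in the scheduled task once the output looks right.
Sync-OfficeGroupMembership -OfficeToGroup $OfficeToGroup -WhatIf
```

Because every user not in the desired set is removed, check that the mapped groups contain nothing but users assigned by Office before running it without -WhatIf.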

Hopefully this script can prove useful to you!

If you have any questions, please feel free to comment and I'll do what I can to help.

Thank you for reading.
