Fill AD groups with content from txt files (users can manage AD groups without AD console)


Some time ago a customer asked me to create a small PowerShell script that reads users from text files and adds them to specific Active Directory groups once a day via a scheduled task. The goal is to let some "admin" users change AD group membership by adding SamAccountNames to these text files; the script also does a cleanup so no old content is left in these AD groups. We also had to set NTFS permissions for these users so each of them can only see their own text file and cannot manipulate the others'. These users don't have any special access to Active Directory. I think this is a pretty secure way to manage AD groups and also delegate the rights to do so.

Link to the script: https://github.com/blog-it-koehler-com/manageadgroupwithtxt

Before the script can do its job, some preparations are needed on the server that executes it:
1. the Active Directory PowerShell module (part of RSAT)
2. a user with the right to log on as a batch job on that server
3. a user with permissions in AD to add and remove members of the target groups
4. a share on any server where each department has its own folder
5. a logging path
6. the script itself

Before using the complete PowerShell script, here is an explanation of its core.

$files = Get-ChildItem \\dc01\adgroup\*.txt -Recurse
$adgroupprefix = "g-demo-"
## get content of every file and its name
foreach ($file in $files) {
    # the file name without ".txt" selects the target group, e.g. group1.txt -> g-demo-group1
    $noextension = [System.IO.Path]::GetFileNameWithoutExtension($file.Name)
    $path = $file.FullName
    $adgroup = $adgroupprefix + $noextension
    # one SamAccountName per line; blank lines and surrounding whitespace are ignored
    $samaccounts = Get-Content -Path $path | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    Write-Host "### $adgroup ###"
    ### get all members of the ad group and remove them (cleanup of old content)
    $tempmembers = Get-ADGroupMember -Identity $adgroup
    foreach ($tempmember in $tempmembers) {
        Write-Host "Removing user: $($tempmember.Name)" -ForegroundColor Green
        Remove-ADGroupMember -Identity $adgroup -Members $tempmember -Confirm:$false
    }
    ### adding all users from the txt file
    foreach ($newmember in $samaccounts) {
        Write-Host "Adding $newmember to $adgroup" -ForegroundColor Green
        Add-ADGroupMember -Identity $adgroup -Members $newmember
    }
}
 

So how does it work? Let's look at the environment settings for this script.

You have to create a share with specific permissions for the users who should be able to edit AD groups via text files.
In my case the files are separated into folders so every department can only edit its own text files. Keep in mind what these permissions mean: the file content is the group membership and the file name selects the group, so whoever can write a file controls that group, and whoever can create new .txt files in a folder can target any group that carries the prefix. Grant write access only to the existing files, not to the folder, and review the share ACLs from time to time.

The corresponding groups also have to exist in Active Directory.
NOTE: the names of your TXT files control which group is filled. My script assumes there is a common prefix for all groups and turns the file name, for example "group1", into "g-demo-group1". Groups in AD should follow this scheme; that is what the variable "adgroupprefix" is for. The prefix also limits what the script can touch: a file can only ever map to a group whose name starts with the prefix, never to Domain Admins or another built-in group.

The text files contain the SamAccountNames of users, one per line. (You can also use other identifiers; the -Members parameter of Add-ADGroupMember accepts a distinguished name, GUID, SID or SamAccountName, but SamAccountName is the simplest method for this task.) See the parameter documentation:

https://docs.microsoft.com/en-us/powershell/module/addsadministration/add-adgroupmember?view=win10-ps&viewFallbackFrom=winserver2012-ps

If you want to run this via a scheduled task, you have to create one that executes the PowerShell script. After the task has run, the groups should be filled with the users specified in the text files. The complete version of the script also writes a small log file so you can see whether it was executed and what it did to the AD groups.

The script also checks whether the user exists in Active Directory and whether the group exists. If a user is not found, you can see this in the log file. It also checks whether the AD PowerShell module is installed.
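The following is an added example, not the script from the linked repository: it implements the same file-to-group mapping as the core loop above, but with the existence checks and logging this paragraph describes, and it applies a diff (Compare current members against the file) instead of emptying the group and refilling it, so a failure halfway through never leaves a group without members. The share path, group prefix and log path are placeholders taken from the demo; the AD cmdlets are the standard ActiveDirectory module ones.

```powershell
# Added example (not the original script): idempotent group sync with validation and logging.
# Assumptions: share path, group prefix and log file are the demo values / placeholders.
Import-Module ActiveDirectory -ErrorAction Stop

$sharePath     = '\\dc01\adgroup'
$adGroupPrefix = 'g-demo-'
$logFile       = 'C:\temp\adgroup-sync.log'   # assumed logging path

function Write-Log {
    param([string]$Message)
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message
    Add-Content -Path $logFile -Value $line
    Write-Host $line
}

function Sync-GroupFromFile {
    param([System.IO.FileInfo]$File)

    # The file name selects the group; prepending the prefix means only g-demo-* groups are reachable.
    $groupName = $adGroupPrefix + [System.IO.Path]::GetFileNameWithoutExtension($File.Name)

    try   { $group = Get-ADGroup -Identity $groupName -ErrorAction Stop }
    catch { Write-Log "SKIP  group '$groupName' not found in AD (file $($File.FullName))"; return }

    # Desired state: one SamAccountName per line; blanks trimmed, duplicates collapsed,
    # and only names that resolve to an existing AD user are kept.
    $desired = @()
    $lines = Get-Content -Path $File.FullName | ForEach-Object { $_.Trim() } | Where-Object { $_ } | Sort-Object -Unique
    foreach ($sam in $lines) {
        try   { $desired += (Get-ADUser -Identity $sam -ErrorAction Stop).SamAccountName }
        catch { Write-Log "WARN  '$sam' in $($File.Name) is not a user in AD, ignored" }
    }

    # Current state: direct members only. Anything not listed in the file (including nested groups
    # or computers someone added by hand) is removed, which is the cleanup the post asks for.
    $current = @(Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty SamAccountName)

    $toAdd    = @($desired | Where-Object { $current -notcontains $_ })
    $toRemove = @($current | Where-Object { $desired -notcontains $_ })

    foreach ($sam in $toRemove) {
        Remove-ADGroupMember -Identity $group -Members $sam -Confirm:$false
        Write-Log "DEL   $sam from $groupName"
    }
    foreach ($sam in $toAdd) {
        Add-ADGroupMember -Identity $group -Members $sam
        Write-Log "ADD   $sam to $groupName"
    }
    Write-Log "OK    $groupName has $($desired.Count) members (+$($toAdd.Count) / -$($toRemove.Count))"
}

Write-Log "START sync from $sharePath"
Get-ChildItem -Path $sharePath -Filter *.txt -Recurse | ForEach-Object { Sync-GroupFromFile -File $_ }
Write-Log 'END'
```

Because only the differences are written, a run with unchanged files makes no changes to AD and the log shows exactly which accounts were added or removed and which lines in which file were rejected. Get-ADUser and Get-ADGroup with -Identity throw when the object does not exist, hence the try/catch rather than a null check.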

How can we create a scheduled task which executes this script? First consider which user context you want to execute this script in!
In my demo I created a new user and added it to Domain Admins (this is quick and dirty, I know). If you don't want to do this, you have to delegate the rights for this user in Active Directory: the "Write Members" permission on the target groups (or on the OU that holds them) is all the script needs, and a delegated account keeps the damage small if the share or the script is ever tampered with. The user also needs a logon right on the server where the script runs. On that server, execute "secpol.msc".

Assign the right "Log on as a batch job" (Local Policies > User Rights Assignment) to this user, in my case "adgroupimporter".

Now you should create the new task with the user “adgroupimporter”.

In my case the task starts every day at 5 PM.

The important step is calling the PowerShell script. It's not as intuitive as you may guess.
Program/script: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Arguments: -ExecutionPolicy Bypass -File "C:\temp\adgroup.ps1"
For an unattended task it is a good idea to put -NoProfile -NonInteractive in front of these arguments, so no profile script is loaded and nothing ever waits for input.

After this step you need to type in the password of the service user, and here we go: the scheduled task is ready to fill your AD groups.
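The same task can be registered from PowerShell instead of clicking through the Task Scheduler. This is an added example, not part of the original post: the domain name "DEMO", the task name and the one-hour time limit are assumptions; the account, script path, schedule and powershell.exe call are the values from the steps above.

```powershell
# Added example: register the daily 5 PM task without taskschd.msc (requires the ScheduledTasks module, Windows 8 / Server 2012 or later).
$account    = 'DEMO\adgroupimporter'            # assumed domain prefix; the account from the post
$scriptPath = 'C:\temp\adgroup.ps1'
$taskName   = 'Fill AD groups from txt files'   # assumed task name
$password   = Read-Host -Prompt "Password for $account" -AsSecureString

# Same call as in the GUI, plus -NoProfile -NonInteractive so the unattended run loads no profile and never prompts.
$action = New-ScheduledTaskAction `
    -Execute 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$scriptPath`""

$trigger  = New-ScheduledTaskTrigger -Daily -At '17:00'
# Stop a hung run after an hour and catch up if the server was off at 5 PM.
$settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 1) -StartWhenAvailable

# A task that runs whether the user is logged on or not needs the password at registration time;
# it is only converted to plain text for this one call.
$plain = [System.Net.NetworkCredential]::new('', $password).Password
Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger -Settings $settings `
    -User $account -Password $plain -RunLevel Limited

Get-ScheduledTask -TaskName $taskName | Select-Object TaskName, State
```

-RunLevel Limited is deliberate: the script only needs its AD delegation, not local administrator rights on the server, so there is no reason to request elevation. Registering the task stores the credential in the Task Scheduler as usual, so the "Log on as a batch job" right from the step above still has to be in place.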

If you liked this post, please click on “helpful”. If you have questions or feature requests let me know in the comments section.
Have fun with txt files.
