Saturday, April 25, 2020

Distribution group update based on AD attributes – PowerShell

On-premises dynamic distribution groups have limitations, and as an admin you need to create contacts to make them work in hybrid environments, as mentioned in the article below.
There are other issues as well: you cannot use them for SharePoint permissions or for things like inviting the members to Microsoft Teams.
We can create Azure AD dynamic groups, but not all Active Directory attributes of an organization are synchronized to Azure AD.
PowerShell is magical and flexible enough to update a group on any criteria and can fill all these gaps.
The distribution group will still be static, but it can be updated daily on a schedule, adding and removing members based on the criteria you define inside the script.
I am sharing a sample script to achieve this, which you can modify as per your requirements.
The method used in this script is super fast; I am running this same method in organizations of 100000 users and it takes 5-10 minutes.
Here is the sample script that I have uploaded to GitHub.


Download the script from the link above:
Prerequisites: CSVDE and the Active Directory module
Go to the variables and log section that starts at line number 102.
See $csvdefilter: it selects all user mailboxes, on-premises or online, that are not hidden from the GAL and whose account is not disabled.
Define the SMTP server for sending errors and logs.
$count is the threshold for the number of updates (adds or removes); just to be safe, if the number of changes exceeds it the script stops and sends an alert.
For the first run you need to make this number large, and then you can decrease it to the threshold appropriate for your environment (500, 100, 1000 etc.).
$dl1 is the distribution group that you have created and want to update daily with certain criteria (add one user to it for the first run only, as I am using the compare function).
$div, for this sample script, is the division, which is stored in a particular AD attribute for this organization.
$loc, for this sample script, is the location, which is stored in the City (l) attribute in AD.
#############Variables/Logs####################################
$log = Write-Log -Name "DLautomationADattributes" -folder "logs" -Ext "log"   # Write-Log is a helper defined in the full script
$Csvde = (Get-Location).path + "\temp\csvdeexport.csv"                          # CSVDE export file
$csvdefilter = "(&(objectClass=user)(objectCategory=person)(|(msExchHomeServerName=*)(msExchRecipientTypeDetails=2147483648))(!msExchHideFromAddressLists=TRUE)(!useraccountcontrol:1.2.840.113556.1.4.803:=2))"   # mailbox users, not hidden, not disabled
$smtpserver = "smtpserver"
$erroremail = "Reports@labtest.com"
$from = "DoNotReply@labtest.com"
$count = 3000            # integer, so the threshold comparison is numeric rather than string-wise
$dl1 = "DynamicStaticDL" # distribution group to keep in sync
$div = "Tech"            # division value held in extensionAttribute3
$loc = "Galway"          # city value held in the l attribute
########################Start main script##########################
Now go to line number 34 and update the attributes from AD that you want to use as distribution group update criteria (sAMAccountName should always be there, as it is used for adding and removing members).
try { CSVDE -f $Csvde -r $csvdefilter -l "mail,sAMAccountName,employeeType,extensionattribute3,l"; if ($LASTEXITCODE -ne 0) { throw "CSVDE exited with code $LASTEXITCODE" } }   # csvde.exe is a native command, so check its exit code
catch { Write-Log -Message "CSVDE export failed: $_" -path $log; exit 1 }
The last line to update is line number 154, which is the criteria:
if((($_.EmployeeType -eq "Employee") -or ($_.EmployeeType -eq "Non-Employee")) -and (($_.extensionattribute3.trim() -eq $div) -or ($_.l.trim() -eq $loc))) # condition for building the dynamic DL
Here it says: if employeeType is Employee or Non-Employee, and either extensionAttribute3 equals the division or the city is Galway, then take the add or remove action.
Now we are ready to execute the script. Please update the group with one member just for the first run, maybe just yourself (do not worry, this member will be removed if it does not meet the criteria).
The script uses two important methods to make it super fast for large AD environments and even for large distribution groups:
  1. CSVDE, which first exports the filtered AD attributes to a CSV file in a temp location; the script then imports this CSV file and processes the updates.
  2. The compare method, which applies only the incremental changes to the distribution group.
The script ends by deleting the CSV file created by CSVDE, recycling logs created more than 60 days ago, and sending the execution log to the email address you defined at the beginning.
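The export-filter-compare flow described above, as an added example that is not the author's script: it applies the same criteria to a constructed CSVDE-style export, diffs the result against a constructed current membership with Compare-Object, and enforces the $count threshold before any change would be applied. It assumes the Active Directory module for the (commented-out) live Add/Remove-ADGroupMember calls.

```powershell
# Added example (not the original script). Sample rows and current members are constructed.
Import-Module ActiveDirectory -ErrorAction SilentlyContinue   # only needed for the live calls at the end

$div = "Tech"; $loc = "Galway"; $dl1 = "DynamicStaticDL"; $count = 3000

# Constructed stand-in for Import-Csv $Csvde; columns match the -l list passed to CSVDE.
$export = @'
DN,mail,sAMAccountName,employeeType,extensionattribute3,l
"CN=Ann,OU=Users,DC=labtest,DC=com",ann@labtest.com,ann,Employee,Tech ,Dublin
"CN=Bob,OU=Users,DC=labtest,DC=com",bob@labtest.com,bob,Non-Employee,Sales,Galway
"CN=Cat,OU=Users,DC=labtest,DC=com",cat@labtest.com,cat,Contractor,Tech,Galway
"CN=Dan,OU=Users,DC=labtest,DC=com",dan@labtest.com,dan,Employee,Sales,Cork
'@ | ConvertFrom-Csv

# Same criteria as the script: employee type is Employee/Non-Employee AND
# (division in extensionattribute3 OR city in l). Trim() guards padded values such as "Tech ".
$wanted = @($export | Where-Object {
    (($_.employeeType -eq "Employee") -or ($_.employeeType -eq "Non-Employee")) -and
    (($_.extensionattribute3.Trim() -eq $div) -or ($_.l.Trim() -eq $loc))
} | Select-Object -ExpandProperty sAMAccountName)

# Current membership: Get-ADGroupMember $dl1 in the real script; constructed here.
$current = @("bob", "cat", "zed")

# Compare-Object returns only the differences, so the group is touched only for real changes.
$diff     = Compare-Object -ReferenceObject $current -DifferenceObject $wanted
$toAdd    = @($diff | Where-Object SideIndicator -eq "=>" | Select-Object -ExpandProperty InputObject)
$toRemove = @($diff | Where-Object SideIndicator -eq "<=" | Select-Object -ExpandProperty InputObject)

# Safety threshold from the script: abort (and alert) rather than mass-change the group.
if (($toAdd.Count + $toRemove.Count) -gt $count) {
    throw "Change count $($toAdd.Count + $toRemove.Count) exceeds threshold $count; aborting"
}

Write-Host "Add:    $($toAdd -join ', ')"
Write-Host "Remove: $($toRemove -join ', ')"

# Live run (commented out): apply only the incremental changes.
# if ($toAdd)    { Add-ADGroupMember    -Identity $dl1 -Members $toAdd }
# if ($toRemove) { Remove-ADGroupMember -Identity $dl1 -Members $toRemove -Confirm:$false }
```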
#################################Completed Distribution group code###########
Remove-Item -Path $Csvde
########################Recycle reports & logs##############################
$path2 = (Get-Location).path + "\Logs\"
$limit = (Get-Date).AddDays(-60) #for report recycling
Get-ChildItem -Path $path2 |
Where-Object {$_.CreationTime -lt $limit} |
Remove-Item -recurse -Force
Get-Date
Write-Log -Message "Script — Finished" -path $log
Send-MailMessage -SmtpServer $smtpserver -From $from -To $erroremail -Subject "Transcript Log – DlautomationADattributes" -Body "Transcript Log – DlautomationADattributes" -Attachments $log
###########################################################################
This is the end of this magical spell; I hope you can modify it according to your needs.

Thanks for reading …
Tech Wizard
