I'm trying to check our users in AD to see if they are part of a group, and if they're not, add them to it.

The script I have doesn't seem to be working.

```powershell
Import-Module ActiveDirectory

$Grpex26Month = "EX-Retention 26 Months"
$Grpex13Month = "EX-Retention 13 Months"

Function Check-IsGroupMember{

    Param($user,$grp)

    $strFilter = "(&(objectClass=Group)(name=" + $grp +"))"

    $objDomain = New-Object System.DirectoryServices.DirectoryEntry
    $objSearcher = New-Object System.DirectoryServices.DirectorySearcher
    $objSearcher.SearchRoot = $objDomain
    $objSearcher.PageSize = 1000
    $objSearcher.Filter = $strFilter
    $objSearcher.SearchScope = "Subtree"

    $colResults = $objSearcher.FindOne()

    $objItem = $colResults.Properties

    ([string]$objItem.member).contains($user)
}

$userList = get-aduser -f {surname -like 'm*'}

Foreach ($user in $userList) {
    $Check = Check-IsGroupMember $user $grpex13month

    If ($Check -eq 'False') {
        Add-adgroupmember $grpex13month $user
        write-host $user.Name
    }
}
```

Now this is a script I modified that previously removed users from one group and added them to another, but I thought the changes above would still be OK. I'm also only searching for just 'M' at present, as I know there is a user in this section that requires this.

This user isn't even being found... This is an example of the response I'm getting for all the users apart from the new ones that were set up after this script was first written.

```
MLastName, FirstName
Add-adgroupmember : The specified account name is already a member of the group
At \\ServerName\DataUsers$\DKendall\Scripts\Exchange groupremoval.ps1:31 char:1
+ Add-adgroupmember $grpex13month $user
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : NotSpecified: (EX-Retention 13 Months:ADGroup)[Add-ADGroupMember], ADException
+ FullyQualifiedErrorId : ActiveDirectoryServer:1378,Microsoft.ActiveDirectory.Management.Commands.AddADGroupMember
```
ekad
DKendall
  • 1
    Possible duplicate of [Why does '$true -eq "string"' returns $true?](http://stackoverflow.com/questions/26545686/why-does-true-eq-string-returns-true). Look at that and its duplicate. The answer is `If ($Check -eq $False)`. Should also have a look at left hand operands which is covered in the dups dupe. – Matt Nov 19 '15 at 12:58
  • 2
    `$Check` is a boolean so 'False' gets converted to a boolean. All non zero length strings return true. – Matt Nov 19 '15 at 13:08
  • I'm a little confused by the question: are you trying to add all your users in AD to one group? – Nate Nov 19 '15 at 14:20

1 Answer

To explain what Matt is getting at a little more, the issue is with this check:

```powershell
If ($Check -eq 'False') {
```

When PowerShell is asked to evaluate a statement it looks at the type of the first object, and attempts to convert the second object to the same type. In this case $Check is [boolean] meaning its value is either $true or $false. When you echo it to the host the PowerShell formatter will convert it to a string to make it user friendly, but that's not what the object actually is.

```powershell
$Check = $false

$Check.GetType()

IsPublic IsSerial Name                                     BaseType
-------- -------- ----                                     --------
True     True     Boolean                                  System.ValueType
```

Now, as Matt stated, any string with a length longer than 0 will evaluate as $true when converted to [boolean]. So PowerShell looks at your statement, sees that $Check is [boolean] and tries to convert 'False' to [boolean] to match it. Since 'False' is a string with a length over 0 it converts to $true. Now we know that $Check = $false, and since it converted your string to a [boolean] value of $true the statement reads:

```powershell
If ($false -eq $true) {
```

So in effect, your script is doing the exact opposite of what you want it to. Solutions to this include:

```powershell
If ($Check -eq $false) {
```

or

```powershell
If (-Not $Check) {
```

or the shortened version (what I would use)

```powershell
If(!$Check){
```
TheMadTechnician
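The comparison pitfall explained in the answer above, as an added example that is not part of the original question or answer: it runs the question's condition and the corrected one over the same users and shows which accounts each would pass to `Add-ADGroupMember`. The distinguished names are constructed sample data, and `Test-IsGroupMember` and `Get-UsersToAdd` are hypothetical helpers, so the block runs without a domain controller.

```powershell
# Constructed sample data. On a live domain the member list could be read with
#   (Get-ADGroup 'EX-Retention 13 Months' -Properties member).member
$groupMembers = @(
    'CN=Mason\, Ann,OU=Staff,DC=example,DC=com'
    'CN=Moore\, Raj,OU=Staff,DC=example,DC=com'
)
$users = @(
    'CN=Mason\, Ann,OU=Staff,DC=example,DC=com'   # already a member
    'cn=moore\, raj,ou=staff,dc=example,dc=com'   # member, DN in different case
    'CN=Mills\, Eve,OU=Staff,DC=example,DC=com'   # not a member
)

function Test-IsGroupMember {
    # Hypothetical helper: returns [bool].
    # -contains matches whole array elements and ignores case, unlike
    # String.Contains(), which is a case-sensitive substring search.
    param([string]$UserDn, [string[]]$MemberDns)
    return ($MemberDns -contains $UserDn)
}

function Get-UsersToAdd {
    # Hypothetical helper: returns the DNs for which $Condition is true.
    # $Condition receives the [bool] membership result, like $Check in the question.
    param([string[]]$UserDns, [string[]]$MemberDns, [scriptblock]$Condition)
    foreach ($dn in $UserDns) {
        $check = Test-IsGroupMember -UserDn $dn -MemberDns $MemberDns
        if (& $Condition $check) { $dn }
    }
}

# Condition from the question: the left operand is [bool], so the string
# 'False' is converted to [bool]. A non-empty string converts to $true, which
# makes the test pass only for users who are already members.
$fromQuestion = Get-UsersToAdd $users $groupMembers { param($c) $c -eq 'False' }

# Condition from the answer: passes only for users who are not members.
$fromAnswer = Get-UsersToAdd $users $groupMembers { param($c) -not $c }

"Selected by (`$Check -eq 'False'):"
$fromQuestion
"Selected by (-not `$Check):"
$fromAnswer
```

The first list contains only existing members, which is why every `Add-ADGroupMember` call in the question failed with "already a member of the group" while the user who needed adding was skipped.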