LDAP Query Group Membership and Create User Accounts in Other Domain - Need Help Reversing the Lookup
Hi,
I was determined to figure this out myself, but the deadline has been brought forward, so any help is appreciated.
I have a script that connects via LDAP, queries a group and its member users, looks up each user's attributes, converts them into new user accounts in a new domain, and adds them to a security group.
What I need is to query the same group members and remove user accounts in the new domain that are no longer members of it.
I'm hoping it's really simple, or someone can comment on my work so far; I'm new, so feedback is good.
Here's what I have so far:
Import-Module ActiveDirectory
$cred = Get-Credential
$pwd = [Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($cred.Password))
# ADSI provider names are case-sensitive: the path must start with "LDAP://".
$domain = New-Object DirectoryServices.DirectoryEntry("LDAP://olddomain.net:389/dc=olddomain,dc=net", $cred.UserName, $pwd)
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = $domain
$searcher.PageSize = 20000
$searcher.SearchScope = "Subtree"
$searcher.Filter = "(&(memberof=cn=global_group,ou=security groups,dc=olddomain,dc=net))"
$results = $searcher.FindAll()
Set-StrictMode -Off
$oubind = (cd AD:'\ou=new_users,dc=newdomain,dc=net')
$users = @($results | Select-Object -Property "Path")
foreach ($user in $users) {
    # TrimStart() strips a set of characters, not a prefix; strip the "LDAP://server:port/" prefix explicitly.
    $userdn = $user.Path -replace '^LDAP://[^/]+/', ''
    $searcher.Filter = "(distinguishedname=$userdn)"
    $newusers = $searcher.FindOne()
    foreach ($newuser in $newusers) {
        $displayname = $newuser.Properties.Item("displayname")
        $samaccountname = $newuser.Properties.Item("samaccountname")
        $givenname = $newuser.Properties.Item("givenname")
        $sn = $newuser.Properties.Item("sn")
        $mail = $newuser.Properties.Item("mail")
        $name = $newuser.Properties.Item("name")
        $employeeid = $newuser.Properties.Item("employeeid")
        # Single quotes for the password: in a double-quoted string "$$" expands to the current process ID.
        # A shared, hard-coded initial password should be replaced by a per-user random one with -ChangePasswordAtLogon $true.
        New-ADUser $samaccountname -DisplayName "$displayname" -GivenName "$givenname" -Surname "$sn" -UserPrincipalName "$samaccountname@newdomain.net" -EmailAddress "$mail" -EmployeeID "$employeeid" -Path "ou=new_users,dc=newdomain,dc=net" -AccountPassword (ConvertTo-SecureString -AsPlainText 'pa$$w0rd5' -Force) -Enabled $true -PassThru
        Add-ADGroupMember -Members "$samaccountname" g_newgroup
    }
}
I cannot test, as I have 1 domain, but the PowerShell script should be close:
Import-Module ActiveDirectory
$cred = Get-Credential
$pwd = [Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($cred.Password))
# ADSI provider names are case-sensitive: the path must start with "LDAP://".
$domain = New-Object DirectoryServices.DirectoryEntry("LDAP://olddomain.net:389/dc=olddomain,dc=net", $cred.UserName, $pwd)
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = $domain
$searcher.PageSize = 200
$searcher.SearchScope = "Subtree"
# Filter on user members of the specified group.
$searcher.Filter = "(&(objectCategory=person)(objectClass=user)(memberOf=cn=global_group,ou=security groups,dc=olddomain,dc=net))"
# Specify the attributes to retrieve.
$searcher.PropertiesToLoad.Add("displayname") > $null
$searcher.PropertiesToLoad.Add("samaccountname") > $null
$searcher.PropertiesToLoad.Add("givenname") > $null
$searcher.PropertiesToLoad.Add("sn") > $null
$searcher.PropertiesToLoad.Add("mail") > $null
$searcher.PropertiesToLoad.Add("name") > $null
$searcher.PropertiesToLoad.Add("employeeid") > $null
$results = $searcher.FindAll()
# Hash table of members of the group in the old domain, keyed by their DN in the new domain.
$list = @{}
Set-StrictMode -Off
$oubind = (cd AD:'\ou=new_users,dc=newdomain,dc=net')
# Use the NameTranslate object.
$objTrans = New-Object -ComObject "NameTranslate"
$objNT = $objTrans.GetType()
# Initialize NameTranslate by locating a Global Catalog (ADS_NAME_INITTYPE_GC = 3).
# Assume we use a GC in the new domain (the current domain).
$objNT.InvokeMember("Init", "InvokeMethod", $null, $objTrans, (3, $null))
foreach ($newuser in $results)
{
    $samaccountname = $newuser.Properties.Item("samaccountname")
    # Check if the user exists in the domain, specifying the NT format of the name (ADS_NAME_TYPE_NT4 = 3).
    # Trap the error if the user is not found.
    try
    {
        $objNT.InvokeMember("Set", "InvokeMethod", $null, $objTrans, (3, "newdomain\$samaccountname"))
        # User exists in the new domain. Retrieve the distinguished name (ADS_NAME_TYPE_1779 = 1).
        $dn = $objNT.InvokeMember("Get", "InvokeMethod", $null, $objTrans, 1)
        # Add the user DN to the hash table.
        $list[$dn] = $true
    }
    catch
    {
        # User does not yet exist in the new domain.
        $displayname = $newuser.Properties.Item("displayname")
        $givenname = $newuser.Properties.Item("givenname")
        $sn = $newuser.Properties.Item("sn")
        $mail = $newuser.Properties.Item("mail")
        $name = $newuser.Properties.Item("name")
        $employeeid = $newuser.Properties.Item("employeeid")
        # Create the new user object.
        # Single quotes for the password: in a double-quoted string "$$" expands to the current process ID.
        # A shared, hard-coded initial password should be replaced by a per-user random one with -ChangePasswordAtLogon $true.
        New-ADUser $samaccountname -DisplayName $displayname -GivenName $givenname -Surname $sn -UserPrincipalName "$samaccountname@newdomain.net" -EmailAddress $mail -EmployeeID $employeeid -Path "ou=new_users,dc=newdomain,dc=net" -AccountPassword (ConvertTo-SecureString -AsPlainText 'pa$$w0rd5' -Force) -Enabled $true -PassThru
        # Add the new user to the group.
        Add-ADGroupMember -Members $samaccountname -Identity g_newgroup
        # The new user object is created in the "ou=new_users" OU (see -Path above).
        # Assume the cn and sAMAccountName attributes are the same.
        # Add the user DN to the hash table.
        $dn = "cn=$samaccountname,ou=new_users,dc=newdomain,dc=net"
        $list[$dn] = $true
    }
}
# Enumerate the members of the group in the new domain (the group's "member" attribute, not "memberOf").
$group = [ADSI]"LDAP://cn=g_newgroup,ou=new_users,dc=newdomain,dc=net"
$members = $group.member
foreach ($member in $members)
{
    # Check if the existing member is in the hash table.
    if ($list.ContainsKey($member) -eq $false)
    {
        # Remove the member from the group (-Identity is the group, -Members is the user DN).
        Remove-ADGroupMember -Identity g_newgroup -Members $member -Confirm:$false
        # Delete the user object in the new domain.
        # Consider Disable-ADAccount plus a retention period instead of immediate deletion, so a wrong match can be undone.
        Remove-ADUser -Identity $member
    }
}
-----
Richard Mueller - MVP Directory Services
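An added example (not the poster's or Richard's code) that does the same reverse lookup with the ActiveDirectory module alone: it keys users on employeeID instead of assuming cn = sAMAccountName, disables stale accounts rather than deleting them, and runs as a -WhatIf preview unless the assumed -Commit switch is passed. It assumes the domain and group names from the thread and that employeeID is populated the same way in both directories.

```powershell
Import-Module ActiveDirectory

$OldServer  = 'olddomain.net'
$NewServer  = 'newdomain.net'
$OldGroupDN = 'CN=global_group,OU=Security Groups,DC=olddomain,DC=net'
$NewGroup   = 'g_newgroup'
$OldCred    = Get-Credential -Message 'Account with read access to olddomain.net'

function Get-SourceMembers {
    # Same LDAP filter as the thread's script; result keyed by employeeID (assumed populated).
    $byId = @{}
    Get-ADUser -Server $OldServer -Credential $OldCred `
        -LDAPFilter "(&(objectCategory=person)(objectClass=user)(memberOf=$OldGroupDN))" `
        -Properties employeeID |
        Where-Object { $_.employeeID } |
        ForEach-Object { $byId[$_.employeeID] = $_ }
    return $byId
}

function Get-StaleTargetMembers {
    param([hashtable]$Source)
    # Users in the new-domain group whose employeeID is no longer in the source group.
    # Members with no employeeID cannot be matched safely and are left for manual review.
    Get-ADGroupMember -Server $NewServer -Identity $NewGroup |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { Get-ADUser -Server $NewServer -Identity $_.distinguishedName -Properties employeeID } |
        ForEach-Object {
            if (-not $_.employeeID) { Write-Warning "No employeeID, skipped: $($_.DistinguishedName)" }
            elseif (-not $Source.ContainsKey($_.employeeID)) { $_ }
        }
}

function Remove-StaleMembers {
    # Dry run by default (-WhatIf); pass the hypothetical -Commit switch to change the directory.
    param([switch]$Commit)
    $stale = @(Get-StaleTargetMembers -Source (Get-SourceMembers))
    foreach ($u in $stale) {
        Write-Host "Stale member: $($u.DistinguishedName)"
        # Remove from the group and disable rather than delete: disabling keeps the SID and is
        # reversible, so a wrong match can be undone; delete only after a retention period.
        Remove-ADGroupMember -Server $NewServer -Identity $NewGroup -Members $u -Confirm:$false -WhatIf:(-not $Commit)
        Disable-ADAccount -Server $NewServer -Identity $u -WhatIf:(-not $Commit)
    }
    return $stale.Count
}

Remove-StaleMembers           # preview only
# Remove-StaleMembers -Commit # apply the changes
```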