How to Compare AD Group with Azure AD Group and remove members if different
I want to compare 2 groups and, if they differ, remove the members from the Azure AD group, but I am getting an error. Can anyone tell me what I'm doing wrong?
$membersofAzureADGroup = Get-AzureADGroup -Searchstring Test_Group | Get-AzureADGroupmember | Select Userprincipalname
$membersofADGroup = Get-ADGroupmember "Groupe_A" | Get-ADUser -properties Userprincipalname | Select UserPrincipalName
$RemoveUsers = Compare-Object -ReferenceObject $membersofAzureADGroup -DifferenceObject $membersofADGroup -PassThru | Where SideIndicator -eq "<="
Remove-AzureADGroupMember $RemoveUsers -Members $membersofAzureADGroup
Remove-AzureADGroupMember:找不到接受参数“@{UserPrincipalName=user@domain.com;SideIndicator=<=}”的位置参数
I also tried the following, but it still doesn't work...
Remove-AzureADGroupMember $RemoveUsers -MemberID (Get-AzureADUser | where {$_.Userprincipalname -eq $MembersOfGroup1}).ObjectID
I don't have AD or Azure AD, but I followed the principle of your question and tested the following locally on my machine. See below.
The reason you are failing is that your $RemoveUsers variable is wrong. I would be surprised if you haven't looked at what it contains.
Why it doesn't work
$RemoveUsers = Compare-Object -ReferenceObject $membersofAzureADGroup -DifferenceObject $membersofADGroup -PassThru | Where SideIndicator -eq "<="
Comparing groups in a local machine test
## Step 1 - Place both groups into variables
$Group1 = get-localgroup -Name Administrators | Get-LocalGroupMember | Select Name
$Group2 = get-localgroup -Name Test | Get-LocalGroupMember | Select Name
## Step 2 - See All Output
$compare = Compare-Object -ReferenceObject $Group1 -DifferenceObject $Group2 -property name -passthru -IncludeEqual
## Step 3 See Only Difference in reference (source) object and select InputObject
$DifferenceInSource = (Compare-Object -ReferenceObject $Group1 -DifferenceObject $Group2 | Where SideIndicator -eq "<=" | Select -ExpandProperty InputObject)
## Step 4 Pull Out Names
$DifferenceInSourceName = $DifferenceInSource.Name
## Split WorkGroup and Account
$SplitName = $DifferenceInSourceName.Split('\')
## Step 5 Test To See If Account Resolves
Get-LocalUser -name $SplitName[1]
Obviously you would then structure this around a ForEach statement to update multiple entries.
Removing users that belong to the Azure AD group but not to the Active Directory group requires filtering, so you definitely don't need Compare-Object. Since you are looking for elements of one array that don't exist in the other array, Where-Object or the .Where(..) method should be more than enough.
$ErrorActionPreference = 'Stop'
$azGName = 'Test_Group'
$adGName = 'Test_Group'
$azGroup = Get-AzureADGroup -SearchString $azGName
# -All $true: without it the cmdlet returns only the first 100 members, so any
# member beyond that would never be compared (and never be removed).
$azMembers = Get-AzureADGroupMember -ObjectId $azGroup.ObjectId -All $true
# NOTE: Piping Get-ADGroupMember straight into Get-ADUser will get you in trouble whenever
# there is a member that is not of the objectclass 'user', so filter on ObjectClass first.
# Get-ADGroupMember itself does not return UserPrincipalName; Get-ADUser does.
$adMembers = (Get-ADGroupMember $adGName).Where({
    $_.ObjectClass -eq 'user'
}) | Get-ADUser -Properties UserPrincipalName | ForEach-Object UserPrincipalName
# Guard: an empty AD list (wrong group name, failed lookup) would otherwise mark
# every Azure AD member for removal.
if (-not $adMembers) { throw "No user members found in AD group '$adGName'; aborting." }
# Members of AZ Group that are not members of AD Group (compare UPN to UPN, not object to string)
$azMembers.Where({ $_.UserPrincipalName -notin $adMembers }).ForEach({
    "Removing $($_.UserPrincipalName) from $azGName"
    try
    {
        Remove-AzureADGroupMember -ObjectId $azGroup.ObjectId -MemberId $_.ObjectId
    }
    catch
    {
        Write-Warning $_.Exception
    }
})
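Building on the filtering approach in the answer above, here is an added example (not the answerer's code) that separates the set computation from the removal, so the difference logic can be tested against constructed UPN lists and the removal can be previewed with -WhatIf before anything is deleted. The cmdlets are the AzureAD module ones used in the answers; the sample UPNs are constructed.

```powershell
# Added example. Returns the UPNs present in Azure AD but absent from AD.
function Get-ExtraAzureMembers {
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [string[]] $AzureUpns,
        [Parameter(Mandatory)] [AllowEmptyCollection()] [string[]] $AdUpns
    )
    # Refuse to run on an empty AD list: a failed lookup would otherwise look like
    # "nobody belongs" and the caller would strip the whole Azure AD group.
    if ($AdUpns.Count -eq 0) {
        throw 'AD member list is empty; refusing to compute removals.'
    }
    # Case-insensitive set so casing differences between the directories do not
    # produce false removals.
    $adSet = [System.Collections.Generic.HashSet[string]]::new(
        [string[]] $AdUpns, [System.StringComparer]::OrdinalIgnoreCase)
    return @($AzureUpns.Where({ -not $adSet.Contains($_) }))
}

# Added example. Supports -WhatIf / -Confirm so the operator can preview the removals.
function Remove-ExtraAzureMembers {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]   $GroupName,
        [Parameter(Mandatory)] [string[]] $AdUpns
    )
    $azGroup   = Get-AzureADGroup -SearchString $GroupName
    # -All $true avoids the default 100-member page, which would silently skip members.
    $azMembers = Get-AzureADGroupMember -ObjectId $azGroup.ObjectId -All $true
    $extra = Get-ExtraAzureMembers -AzureUpns $azMembers.UserPrincipalName -AdUpns $AdUpns
    foreach ($m in $azMembers.Where({ $_.UserPrincipalName -in $extra })) {
        if ($PSCmdlet.ShouldProcess($m.UserPrincipalName, "Remove from $GroupName")) {
            Remove-AzureADGroupMember -ObjectId $azGroup.ObjectId -MemberId $m.ObjectId
        }
    }
}

# Constructed sample data (no real tenant involved): only carol should be reported,
# and Bob must NOT be reported despite the casing difference.
$azureUpns = 'alice@contoso.com', 'Bob@contoso.com', 'carol@contoso.com'
$adUpns    = 'alice@contoso.com', 'bob@contoso.com'
Get-ExtraAzureMembers -AzureUpns $azureUpns -AdUpns $adUpns

# Preview against the real groups before doing anything:
# Remove-ExtraAzureMembers -GroupName 'Test_Group' -AdUpns $adMembers -WhatIf
```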