Functions/Get-SyncActiveDirectoryGroupsScriptBlocks.ps1

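<#
.SYNOPSIS
    Returns the script blocks used to sync Active Directory groups.

.DESCRIPTION
    The returned blocks are not bound to this function's scope: when invoked they
    resolve a variable named $entity (desired state in $entity.Expected, observed
    state in $entity.Current) as well as Get-ActiveDirectoryGroupPropertyList and
    Compare-ActiveDirectoryGroups from the caller's scope. Group members are
    identified by UserPrincipalName and resolved to an ObjectGUID before any
    membership change is made.

    CreateEntity, UpdateEntity and DeleteEntity return the string "success" and
    throw on any failure; CompareEntities returns whatever
    Compare-ActiveDirectoryGroups returns (the existing comments treat it as a
    true/false result).

.OUTPUTS
    PSCustomObject with the properties CreateEntity, CompareEntities,
    UpdateEntity and DeleteEntity, each a [scriptblock].
#>

function Get-SyncActiveDirectoryGroupsScriptBlocks {
    [CmdletBinding(PositionalBinding=$false)]
    [OutputType([PSCustomObject])]
    param ()

    return [PSCustomObject]@{
        # Create the expected group, then populate its membership.
        CreateEntity = {
            # Only property names returned by Get-ActiveDirectoryGroupPropertyList are
            # splatted, so the expected object cannot smuggle in arbitrary New-ADGroup
            # parameters; blank values are left at the directory default.
            $newADGroupParams = @{}
            foreach ($property in Get-ActiveDirectoryGroupPropertyList) {
                $expectedValue = $entity.Expected.$property
                if (![String]::IsNullOrWhiteSpace($expectedValue)) {
                    $newADGroupParams.Add($property, $expectedValue)
                }
            }

            # AD cmdlet errors are non-terminating by default; with -PassThru an empty
            # result is the failure signal and the captured error is surfaced.
            $newGroup = New-ADGroup @newADGroupParams -PassThru -ErrorVariable errorVariable
            if (!$newGroup) {
                throw "Failed to create Active Directory group.`r`n$($errorVariable)"
            }

            # The full user list is fetched lazily so that a group with no expected
            # members does not enumerate the whole directory.
            $allADUsers = $null
            foreach ($member in $entity.Expected.Members) {
                Write-Information "Adding '$($member)' to '$($newGroup.Name)'."
                if ($null -eq $allADUsers) {
                    $allADUsers = @(Get-ADUser -Filter *)
                }

                # Require exactly one match: an unresolved UPN must not reach
                # Add-ADGroupMember as $null, and a multi-match must not silently
                # add several principals. -eq is case-insensitive here.
                $resolvedUsers = @($allADUsers | Where-Object { $_.UserPrincipalName -eq $member })
                if ($resolvedUsers.Count -ne 1) {
                    throw "Expected exactly one Active Directory user with UserPrincipalName '$($member)' for group '$($newGroup.Name)' but found $($resolvedUsers.Count)."
                }

                $newGroupMember = Add-ADGroupMember -Identity $newGroup.ObjectGUID -Members $resolvedUsers[0].ObjectGUID -PassThru -ErrorVariable errorVariable
                if (!$newGroupMember) {
                    throw "Failed to add '$($member)' to '$($newGroup.Name)'.`r`n$($errorVariable)"
                }
            }

            "success"
        }

        # Compare the expected and current group for equality.
        CompareEntities = {
            # The 'None' output stream suppresses the per-difference messages; only
            # the overall result of the comparison is wanted here.
            return Compare-ActiveDirectoryGroups -ReferenceGroup $entity.Expected -ComparisonGroup $entity.Current -OutputStream "None"
        }

        # Bring the current group's properties and membership in line with the expected group.
        UpdateEntity = {
            # Identity is the ObjectGUID recorded in Current, so the write cannot be
            # redirected by a name collision.
            $setADGroupParams = @{
                Identity = $entity.Current.ObjectGUID
            }

            # Same whitelist as CreateEntity; only differing, non-blank values are sent.
            foreach ($property in Get-ActiveDirectoryGroupPropertyList) {
                $expectedValue = $entity.Expected.$property
                if (![String]::IsNullOrWhiteSpace($expectedValue) -and $expectedValue -ne $entity.Current.$property) {
                    $setADGroupParams.Add($property, $expectedValue)
                }
            }

            # Identity alone means nothing differs; skip the directory write entirely.
            if ($setADGroupParams.Count -gt 1) {
                $updatedGroup = Set-ADGroup @setADGroupParams -PassThru -ErrorVariable errorVariable
                if (!$updatedGroup) {
                    throw "Failed to update Active Directory group.`r`n$($errorVariable)"
                }
            }

            # Membership delta by UserPrincipalName. An absent ($null) Members value is
            # treated as an empty set rather than as a single null member.
            $currentGroupMembers = $entity.Current.Members
            $expectedGroupMembers = $entity.Expected.Members
            $groupMembersToAdd = @($expectedGroupMembers | Where-Object { $null -ne $_ -and $_ -notIn $currentGroupMembers })
            $groupMembersToRemove = @($currentGroupMembers | Where-Object { $null -ne $_ -and $_ -notIn $expectedGroupMembers })

            # Enumerate the directory only when there is something to resolve.
            $allADUsers = @()
            if ($groupMembersToAdd.Count -gt 0 -or $groupMembersToRemove.Count -gt 0) {
                $allADUsers = @(Get-ADUser -Filter *)
            }

            foreach ($groupMemberToAdd in $groupMembersToAdd) {
                Write-Information "Adding '$($groupMemberToAdd)' to '$($entity.Current.Name)'."
                $resolvedUsers = @($allADUsers | Where-Object { $_.UserPrincipalName -eq $groupMemberToAdd })
                if ($resolvedUsers.Count -ne 1) {
                    throw "Expected exactly one Active Directory user with UserPrincipalName '$($groupMemberToAdd)' for group '$($entity.Current.Name)' but found $($resolvedUsers.Count)."
                }

                $newGroupMember = Add-ADGroupMember -Identity $entity.Current.ObjectGUID -Members $resolvedUsers[0].ObjectGUID -PassThru -ErrorVariable errorVariable
                if (!$newGroupMember) {
                    throw "Failed to add '$($groupMemberToAdd)' to '$($entity.Current.Name)'.`r`n$($errorVariable)"
                }
            }

            foreach ($groupMemberToRemove in $groupMembersToRemove) {
                Write-Information "Removing '$($groupMemberToRemove)' from '$($entity.Current.Name)'."
                $resolvedUsers = @($allADUsers | Where-Object { $_.UserPrincipalName -eq $groupMemberToRemove })
                if ($resolvedUsers.Count -ne 1) {
                    throw "Expected exactly one Active Directory user with UserPrincipalName '$($groupMemberToRemove)' for group '$($entity.Current.Name)' but found $($resolvedUsers.Count)."
                }

                # -Confirm:$false: this runs unattended; the target is pinned by ObjectGUID.
                $updatedGroup = Remove-ADGroupMember -Identity $entity.Current.ObjectGUID -Members $resolvedUsers[0].ObjectGUID -Confirm:$false -PassThru -ErrorVariable errorVariable
                if (!$updatedGroup) {
                    throw "Failed to remove '$($groupMemberToRemove)' from '$($entity.Current.Name)'.`r`n$($errorVariable)"
                }
            }

            "success"
        }

        # Delete the current group.
        DeleteEntity = {
            # Remove-ADGroup has no -PassThru to inspect and its errors are
            # non-terminating by default; without -ErrorAction Stop a failed delete
            # would still fall through to "success". Identity is the ObjectGUID so a
            # same-named group elsewhere cannot be hit, and -Confirm:$false is needed
            # for unattended execution.
            Remove-ADGroup -Identity $entity.Current.ObjectGUID -Confirm:$false -ErrorAction Stop

            "success"
        }
    }
}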