BitTitan.Runbooks.Sync

0.1.7

Functions/Get-SyncActiveDirectoryGroupsScriptBlocks.ps1

                                <#

.SYNOPSIS

    This function returns the script blocks used to sync Active Directory groups.

#>

function Get-SyncActiveDirectoryGroupsScriptBlocks {

    [CmdletBinding(PositionalBinding=$false)]

    [OutputType([PSCustomObject])]

    param ()

    # Return the script blocks

    return [PSCustomObject]@{

        # The script block used to create an Active Directory group

        CreateEntity = {

            # Create a hash table for the cmdlet parameters

            $newADGroupParams = @{}

            # Add the properties which are defined in the expected group

            $activeDirectoryGroupProperties = Get-ActiveDirectoryGroupPropertyList

            foreach ($property in $activeDirectoryGroupProperties) {

                if (![String]::IsNullOrWhiteSpace($entity.Expected.$property)) {

                    $newADGroupParams.Add($property, $entity.Expected.$property)

                }

            }

            # Create the group

            $newGroup = New-ADGroup @newADGroupParams -PassThru -ErrorVariable errorVariable

            if (!$newGroup) {

                throw "Failed to create Active Directory group.`r`n$($errorVariable)"

            }

            # Retrieve all Active Directory users

            $allADUsers = Get-ADUser -Filter *

            # Add the members to the group

            foreach ($member in $entity.Expected.Members) {

                Write-Information "Adding '$($member)' to '$($newGroup.Name)'."

                $memberIdentity = ($allADUsers | Where-Object { $_.UserPrincipalName -eq $member }).ObjectGUID

                $newGroupMember = Add-ADGroupMember -Identity $newGroup.ObjectGUID -Members $memberIdentity -PassThru -ErrorVariable errorVariable

                if (!$newGroupMember) {

                    throw "Failed to add '$($member)' to '$($newGroup.Name)'.`r`n$($errorVariable)"

                }

            }

            # Created the group

            "success"

        }

        # The script block used to compare two Active Directory groups for equality

        CompareEntities = {

            # The 'None' output stream is selected to suppress the difference messages

            # Only the the true/false result of the compare is required here

            return Compare-ActiveDirectoryGroups -ReferenceGroup $entity.Expected -ComparisonGroup $entity.Current -OutputStream "None"

        }

        # The script block used to update a current group's properties to match the expected group

        UpdateEntity = {

            # Create a hash table for the cmdlet parameters

            $setADGroupParams = @{

                Identity = $entity.Current.ObjectGUID

            }

            # Add the properties which are defined in the expected group and are different from the current group

            $activeDirectoryGroupProperties = Get-ActiveDirectoryGroupPropertyList

            foreach ($property in $activeDirectoryGroupProperties) {

                if (![String]::IsNullOrWhiteSpace($entity.Expected.$property) -and $entity.Expected.$property -ne $entity.Current.$property) {

                    $setADGroupParams.Add($property, $entity.Expected.$property)

                }

            }

            # Update the group

            $updatedGroup = Set-ADGroup @setADGroupParams -PassThru -ErrorVariable errorVariable

            if (!$updatedGroup) {

                throw "Failed to update Active Directory group.`r`n$($errorVariable)"

            }

            # Retrieve all Active Directory users

            $allADUsers = Get-ADUser -Filter *

            # Retrieve all current group members

            $currentGroupMembers = $entity.Current.Members

            $expectedGroupMembers = $entity.Expected.Members

            # Add members to the group

            $groupMembersToAdd = $expectedGroupMembers | Where-Object { $_ -notIn $currentGroupMembers }

            foreach ($groupMemberToAdd in $groupMembersToAdd) {

                Write-Information "Adding '$($groupMemberToAdd)' to '$($entity.Current.Name)'."

                $memberIdentity = ($allADUsers | Where-Object { $_.UserPrincipalName -eq $groupMemberToAdd }).ObjectGUID

                $newGroupMember = Add-ADGroupMember -Identity $entity.Current.ObjectGUID -Members $memberIdentity -PassThru -ErrorVariable errorVariable

                if (!$newGroupMember) {

                    throw "Failed to add '$($groupMemberToAdd)' to '$($entity.Current.Name)'.`r`n$($errorVariable)"

                }

            }

            # Remove members from the group

            $groupMembersToRemove = $currentGroupMembers | Where-Object { $_ -notIn $expectedGroupMembers }

            foreach ($groupMemberToRemove in $groupMembersToRemove) {

                Write-Information "Removing '$($groupMemberToRemove)' from '$($entity.Current.Name)'."

                $memberIdentity = ($allADUsers | Where-Object { $_.UserPrincipalName -eq $groupMemberToRemove }).ObjectGUID

                $updatedGroup = Remove-ADGroupMember -Identity $entity.Current.ObjectGUID -Members $memberIdentity -Confirm:$false -PassThru -ErrorVariable errorVariable

                if (!$updatedGroup) {

                    throw "Failed to remove '$($groupMemberToRemove)' to '$($entity.Current.Name)'.`r`n$($errorVariable)"

                }

            }

            # Updated the group

            "success"

        }

        # The script block used to delete a current group

        DeleteEntity = {

            Remove-ADGroup -Identity $entity.Current.ObjectGUID -Confirm:$false

            # Deleted the group

            "success"

        }

    }

}