I am attempting to add a group of users to a failover cluster in Windows 2012 R2. I need to add the nodes as administrator to each other. I have put them into their own OU. However, I was hoping to script this with PowerShell and a CSV import. Ideas?

My Google-fu has not gotten me anywhere.

Example.

```powershell
Import-Csv "C:\Users\me\Desktop\users.csv" | Where-Object { $_.Name } |
    ForEach-Object {
        # Create the account; -Enabled $true already enables it, so no Enable-ADAccount step is needed
        New-ADUser `
            -Name $_."Name" `
            -GivenName $_."GivenName" `
            -Surname $_."Surname" `
            -Description $_."Department" `
            -SamAccountName $_."Logon_Username" `
            -UserPrincipalName $_."UPN" `
            -DisplayName $_."Display_Name" `
            -AccountPassword (ConvertTo-SecureString -AsPlainText "P@ssw0rd1!" -Force) `
            -Path "OU=Users,OU=Head Office,OU=International,DC=company,DC=com" `
            -ChangePasswordAtLogon $true `
            -Enabled $true
        # New-ADUser emits nothing without -PassThru, so add the group member as a separate statement
        Add-ADGroupMember -Identity "QA_Users" -Members $_."Logon_Username"
    }
```

This is what I use currently.

WHereIwantToChange

Jeter-work
mikedopp
  • Got farther with this. Still not able to get it. https://blogs.technet.microsoft.com/heyscriptingguy/2012/03/12/use-powershell-to-explore-active-directory-security/ – mikedopp Aug 19 '16 at 19:53
  • I'm still not sure about your question, or what you're trying to achieve. Can you post your CSV header lines, so that I can try out the same & update you? – Alan Jebakumar Aug 21 '16 at 16:38
  • If your goal is to add/remove members, you do not need to modify ACLs in AD to do that. Do you realize the code you're running is CREATING new users? If you're trying to modify members of the LOCAL administrators group on a cluster node, `Add-ADGroupMember` cannot help there; it only does domain groups. – Clayton Aug 22 '16 at 15:54
  • For posterity's sake, please copy out the code portion of your question, and use markdown for the code (indent each line by 4) and paste it back in? – Jeter-work Aug 24 '16 at 15:53
  • Two things... you're using the pipeline to create a very complicated one-liner. Consider using actual variables and building this as a script. Also, I see several instances of `$.variable`. I think you mean `$_.variable`. – Jeter-work Aug 24 '16 at 15:57
  • Also, please clarify your goal, and your question. If you want each machine to be admin for the other, just log into each machine and add the other machine (AD computer object) as a member of the Computer Group Witness Access. You're creating user objects and adding them to a domain group, which is fine if you're trying to assign a bunch of users as administrators, and you've put that domain group in the local admin group of the server. – Jeter-work Aug 24 '16 at 15:59
  • So what I am attempting to do is create an OU then add Users (objects) as well as Computer Account(objects). Then in the same OU change the security setting to full access to each Object. Example: computer1 should have full access (security) to User1. User1 should have full access to computer1. This is being used in a failover cluster setup. Please tell me I am over complicating this. – mikedopp Aug 24 '16 at 17:40
  • Found answer: http://stackoverflow.com/questions/31375506/set-acl-on-ad-computer-object – mikedopp Sep 22 '16 at 20:52

1 Answer

There is no error handling in this. It is provided as a starting point. Craft your CSV to simplify the work by making the csv headings exactly match the AD user object property names. Then the object imported is basically a user object.

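```powershell
# CSV headings are expected to match New-ADUser parameter names (Name, SamAccountName, UserPrincipalName, ...)
$AccountList = Import-Csv "C:\Users\me\Desktop\users.csv"
$UserOU = "OU=Users,OU=Head Office,OU=International,DC=company,DC=com"
$AccountPassword = (ConvertTo-SecureString -AsPlainText "P@ssw0rd1!" -Force)

Foreach ($Account in $AccountList) {
    # Matching CSV columns bind to New-ADUser parameters by property name
    $Account | New-ADUser -ChangePasswordAtLogon $True -AccountPassword $AccountPassword -Enabled $True -Path $UserOU
    # Read the account back by UPN to confirm it was created (-Identity does not accept a UPN)
    (Get-ADUser -Filter "UserPrincipalName -eq '$($Account.UserPrincipalName)'").UserPrincipalName + " Created"
}
```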
Jeter-work
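The answer above notes that it has no error handling. As an added example (not the answer author's code), here is one way to wrap the same CSV import with column validation, per-row error handling, `-WhatIf` support and an initial password supplied at run time instead of a literal in the script. The function name `Import-AdUsersFromCsv`, its parameters and the required column list are assumptions made for this illustration.

```powershell
# Added example; assumes the ActiveDirectory module and CSV headings that match
# New-ADUser parameter names (at least Name, SamAccountName, UserPrincipalName).
Import-Module ActiveDirectory

function Import-AdUsersFromCsv {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$CsvPath,
        [Parameter(Mandatory = $true)][string]$UserOU,
        [Parameter(Mandatory = $true)][string]$Group,
        # Passed in as a SecureString so no password literal lives in the script
        [Parameter(Mandatory = $true)][System.Security.SecureString]$InitialPassword
    )
    $required = 'Name', 'SamAccountName', 'UserPrincipalName'
    $rows = @(Import-Csv -Path $CsvPath)
    if ($rows.Count -eq 0) { throw "No rows found in $CsvPath" }
    $missing = @($required | Where-Object { $rows[0].PSObject.Properties.Name -notcontains $_ })
    if ($missing.Count -gt 0) { throw "CSV is missing column(s): $($missing -join ', ')" }

    foreach ($row in $rows) {
        $sam = $row.SamAccountName
        $status = 'Created'
        try {
            # Allow-list the logon name before it is placed inside an AD filter string
            if ($sam -notmatch '^[\w.\-]{1,20}$') { throw "Invalid SamAccountName '$sam'" }
            if (Get-ADUser -Filter "SamAccountName -eq '$sam'") {
                $status = 'Skipped (already exists)'
            }
            elseif ($PSCmdlet.ShouldProcess($sam, "Create user and add to $Group")) {
                # -ErrorAction Stop turns AD errors into exceptions the catch block can record
                $row | New-ADUser -Path $UserOU -AccountPassword $InitialPassword `
                    -ChangePasswordAtLogon $true -Enabled $true -ErrorAction Stop
                Add-ADGroupMember -Identity $Group -Members $sam -ErrorAction Stop
            }
            else { $status = 'Not run (WhatIf or declined)' }
        }
        catch { $status = "Failed: $($_.Exception.Message)" }
        # One result object per CSV row, suitable for Export-Csv or Format-Table
        [pscustomobject]@{ SamAccountName = $sam; Status = $status }
    }
}

# Usage (dry run first):
# $pw = Read-Host -AsSecureString -Prompt "Initial password"
# Import-AdUsersFromCsv -CsvPath .\users.csv -UserOU "OU=Users,OU=Head Office,OU=International,DC=company,DC=com" `
#     -Group "QA_Users" -InitialPassword $pw -WhatIf
```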