Don't block user from specific group in Powershell script

Question

I have logical problem how can I make script more secure to NON Block users From IT Groups By some operations users which need to block them employees from AD. I am so close to automate this process, by share to them CSV file with username,DateDisable,DateEnable.

Get-Date

Write-Host $b

$b = (Get-Date).ToString('M"/"d"/"yyyy')



Import-Csv "I:\Clients\Block Accounts\Accounts Deactivation.csv" | ForEach-Object {
    
    $SamAccountName = $_."SamAccountName"     
    
    $dateDisable = $_."dateDisable"

    $dateEnable = $_."dateEnable"


    
    #How can I search users in group like PLKAT-NON-BLOCK-USERS and don't block users from this group by IF function. Can you tell me more about this solution. I will be grateful for some clues.

if ( Get-ADPrincipalGroupMembership -And $dateDisable -eq $b) {
        
        Get-ADUser -Identity $SamAccountName | Disable-ADAccount
        
        Write-Host "-User "$SamAccountName" Disabled"
    }

    $dateEnable = $_."dateEnable"
     
     if ( $dateEnable -eq $b) {
        
        Get-ADUser -Identity $SamAccountName | Enable-ADAccount
            
            Write-Host "-User "$SamAccountName" Enable"
        }
    
    
       }

Answer 1

At the top of your script, you can get a list of all users in the PLKAT-NON-BLOCK-USERS group first.
Then in the code check if the user you are iterating is a member of this group and if so, do not disable that user.

Something like:

# get an array of SamAccountNames for users you do not wish to disable
$noDisable = (Get-ADGroupMember -Identity 'PLKAT-NON-BLOCK-USERS' -Recursive | Where-Object { $_.objectClass -eq 'user' }).SamAccountName

$refDate = (Get-Date).ToString('M"/"d"/"yyyy')
Import-Csv -Path 'I:\Clients\Block Accounts\Accounts Deactivation.csv' | ForEach-Object {
    if ($noDisable -contains $_.SamAccountName) {
        Write-Host "User '$($_.SamAccountName)' is member of group 'PLKAT-NON-BLOCK-USERS'. Skipped."
        continue  # skip this one and proceed with the next user
    }

    # try and get the AD user object
    $user = Get-ADUser -Filter "SamAccountName -eq '$($_.SamAccountName)'" -ErrorAction SilentlyContinue
    if ($user) {
        if ($_.dateEnable -eq $refDate) {
            $user | Enable-ADAccount
            Write-Host "User '$($_.SamAccountName)' Enabled"            }
        elseif ($_.dateDisable -eq $refDate) {
            $user | Disable-ADAccount
            Write-Host "User '$($_.SamAccountName)' Disabled"
        }
    }
    else {
        Write-Warning "User '$($_.SamAccountName)' does not exist.."
    }
}

Answer 2

Thank you for help, but I did this for 4 groups in AD and And I had to make three csv files for three different projects for security reasons. I import 3 csv files now to script. I had to make one loop which check PLKAT-NON-BLOCK-USERS and second loop which check members of right group from CSV file. So I created PLKAT-G-ORG-Client1-Block Users Only, PLKAT-G-ORG-Client2-Block Users Only , PLKAT-G-ORG-Client3-Block Users Only and use second loop which check every user from one of these group. This is a safeguard against blocking users from other projects.

1.Import-Csv -Path 'I:\Clients1\Block Accounts\Accounts Deactivation.csv' | ForEach-Object { 2.Import-Csv -Path 'I:\Clients2\Block Accounts\Accounts Deactivation.csv' | ForEach-Object { 3.Import-Csv -Path 'I:\Clients3\Block Accounts\Accounts Deactivation.csv' | ForEach-Object {

First loop to check PLKAT-NON-BLOCK-USERS (IT, Backoffice etc.).

You can tell me if that good or what can I improve Here there code:

$b = (Get-Date).ToString('M"/"d"/"yyyy')

$groups = 'PLKAT-G-ORG-NON Block Users'

$groupCLIENT1 = 'PLKAT-G-ORG-Client1 Block Users Only'

$groupCLIENT2 = 'PLKAT-G-ORG-Client2 Block Users Only'

$groupCLIENT3 = 'PLKAT-G-ORG-Client3 Block Users Only'





#################### Client1 ############################

Import-Csv "I:\Clients1\Block Accounts\Accounts Deactivation Test.csv" | ForEach-Object {
    
    $SamAccountName = $_."SamAccountName"     
    
    $dateDisable = $_."dateDisable"

    $dateEnable = $_."dateEnable"

    
    foreach ($group in $groups) {
        
        $members = Get-ADGroupMember -Identity $group -Recursive | Select -ExpandProperty SamAccountName

        If ($members -contains $SamAccountName ) {
        
            Write-Host $SamAccountName" is a member of NON Block User Group" 
            
            }

       foreach ($group in $groupCLIENT1) { 
       
       $members = Get-ADGroupMember -Identity $group1 -Recursive | Select -ExpandProperty SamAccountName       
       
        if ($members -contains $SamAccountName){

            $dateDisable -eq $b

             Get-ADUser -Identity $SamAccountName | Disable-ADAccount

        
            }
       
        }
        
     }
 

    $dateEnable = $_."dateEnable"
     
     if ( $dateEnable -eq $b) {
        
        Get-ADUser -Identity $SamAccountName | Enable-ADAccount
        
        Write-Host "-User "$SamAccountName" Enable"
    }

   }

   

###################### Client2  ###########################################

   Import-Csv "I:\Clients2\Block Accounts\Accounts Deactivation Test.csv" | ForEach-Object {
    
    $SamAccountName = $_."SamAccountName"     
    
    $dateDisable = $_."dateDisable"

    $dateEnable = $_."dateEnable"

    
     foreach ($group in $groups) {
        
        $members = Get-ADGroupMember -Identity $group -Recursive | Select -ExpandProperty SamAccountName

        If ($members -contains $SamAccountName ) {
        
            Write-Host $SamAccountName" is a member of NON Block User Group" 
            
            }

       foreach ($group in $groupCLIENT2) { 
       
       $members = Get-ADGroupMember -Identity $group -Recursive | Select -ExpandProperty SamAccountName       
       
        if ($members -contains $SamAccountName){

            $dateDisable -eq $b

             Get-ADUser -Identity $SamAccountName | Disable-ADAccount

              Write-Host "-User "$SamAccountName" Disabled"
        
            }
       
        }
        
     }

    $dateEnable = $_."dateEnable"
     
     if ( $dateEnable -eq $b) {
        
        Get-ADUser -Identity $SamAccountName | Enable-ADAccount
        
        Write-Host "-User "$SamAccountName" Enable"
    }
    
    }

   ##################### Client3 #################

Import-Csv "I:\Clients3\Block Accounts\Accounts Deactivation Test.csv" | ForEach-Object {
    
    $SamAccountName = $_."SamAccountName"     
    
    $dateDisable = $_."dateDisable"

    $dateEnable = $_."dateEnable"

    
     foreach ($group in $groups) {
        
        $members = Get-ADGroupMember -Identity $group -Recursive | Select -ExpandProperty SamAccountName

        If ($members -contains $SamAccountName ) {
        
            Write-Host $SamAccountName" is a member of NON Block User Group" 
            
            }

       foreach ($group in $groupCLIENT3) { 
       
       $members = Get-ADGroupMember -Identity $group -Recursive | Select -ExpandProperty SamAccountName       
       
        if ($members -contains $SamAccountName){

            $dateDisable -eq $b

             Get-ADUser -Identity $SamAccountName | Disable-ADAccount

              Write-Host "-User "$SamAccountName" Disabled"
        
            }
       
        }
        
     }
        

    $dateEnable = $_."dateEnable"
     
     if ( $dateEnable -eq $b) {
        
        Get-ADUser -Identity $SamAccountName | Enable-ADAccount
        
        Write-Host "-User "$SamAccountName" Enable"
    }
    

}