# !~~~~~~~~~~~~~~~~~~~~~~~~~!
# ~~! Start of Initialization !
# !~~~~~~~~~~~~~~~~~~~~~~~~~!
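# Initialization: banner, Quest AD snap-in, flag constants, file locations,
# domain binding, profile settings and the group names used by the rest of the script.
write-host -f 'yellow' "####################################################"
write-host -f 'yellow' "# WHS Student Account and Folder Management Script #"
write-host -f 'yellow' "# @author: Sean Anderson #"
write-host -f 'yellow' "# @date: November 2010 #"
write-host -f 'yellow' "####################################################"
# Quest Active Roles Active Directory Management SnapIn.
# NOTE(review): SilentlyContinue hides a failed load; every *-QAD* call below would then fail instead.
Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue

# CONSTANTS
# Each value is a distinct power of two so several can be combined in one integer
# and tested individually with -band (see userAccountControlHasValue).
set-variable -name TYPE_INTERNATIONAL -value 1 -option constant
set-variable -name TYPE_ALT_ED -value 2 -option constant
set-variable -name STATUS_NEW -value 4 -option constant
set-variable -name STATUS_LEFT -value 8 -option constant
set-variable -name INTERNET_LICENCE -value 16 -option constant
set-variable -name WEB_BANNED -value 32 -option constant
set-variable -name WEB_MAIL -value 64 -option constant
set-variable -name WEB_SPECIAL -value 128 -option constant
set-variable -name WEB_RESTRICTED -value 256 -option constant
set-variable -name COMPUTER_BANNED -value 512 -option constant

# Files & Folders
# 24-hour 'HH' instead of 12-hour 'hh': with 'hh' a morning run and an afternoon run
# at the same minute produced the same log file name.
$logDate = get-date -f HHmmddMMyyyy
$logFolder = "Logs"
$logFile = "$logfolder\Students$logdate.txt"
$csvPath1 = "newstudents.csv"                       # original CSV
$csvPath = "newStudentsUTF8.csv"                    # Path for the re-encoded copy of the CSV
$studentFoldersRoot = "Logs\student folders\"       # Root directory for all student folders
$ou = 'Students'                                    # OU where all users and groups exist
write-host -f 'yellow' "# File Settings:"
write-host -f 'yellow' "# @Log File: $logFile"
write-host -f 'yellow' "# @CSV File: $csvPath1"
write-host -f 'yellow' "# @Student Folder: $studentFoldersRoot"
write-host ""
$OutputEncoding = New-Object -typename System.Text.UTF8Encoding    # intended to keep non-ASCII characters intact
# Re-encoded copy of the export so non-ASCII names survive 'import-csv'.
# NOTE(review): '>' uses Out-File's default encoding (UTF-16LE in Windows PowerShell), so the copy
# may not actually be UTF-8 despite its name - confirm on the target PowerShell version.
# NOTE(review): the copy duplicates the whole export, including the
# "Internet - Password - Student" column the script reads later; nothing in this file deletes it,
# so it needs the same access restrictions and retention handling as the original export.
cat $csvPath1 > $csvPath

# Domain
$domainConnection = [ADSI] ""
$domain = $domainConnection.distinguishedName       # Returns the name of the domain eg "dc=wanganui-high,dc=school,dc=nz"

# Profile
$profilePath = '%logonserver%\Netlogon\Profiles\Mandatory_LIVE'
$scriptPath = 'logon.bat'
$homeDrive = "z:"
write-host -f 'yellow' "# User Profile Settings:"
write-host -f 'yellow' "# @Profile Path: $profilePath"
write-host -f 'yellow' "# @Logon Script: $scriptPath"
write-host -f 'yellow' "# @Home Drive: $homeDrive"
write-host ""

# Active Directory Groups
$groupStudents = "Students"
$groupInternationalStudents = "International Students"
$groupNoInternetLicence = "No Internet Licence"
$groupWebMail = "Web Mail Students"
$groupWebBanned = "Web Banned Students"
$groupWebSpecial = "Web Special Students"
$groupWebNormal = "Web Normal Students"
$groupWebRestricted = "Web Restricted Students"

# Access Control Entry Groups (prefix 'WHS\')
$groupDomainAdmins = "WHS\Domain Admins"
$groupTeacherFull = "WHS\Teacher-Full"
$groupTeacherRead = "WHS\Teacher-Read"

# Strings - Active Directory Export
# Each starts as a single space and has member names appended to it later in the script.
# NOTE(review): names are appended without a separator and queried with .contains(), so a
# name that is a substring of the concatenation counts as a member - see checkNew / correctGroups.
$stringAllStudents = " "
$stringAllWebMail = " "
$stringAllWebBanned = " "
$stringAllWebSpecial = " "
$stringAllWebNormal = " "
$stringAllWebRestricted = " "

# Strings - Kamar Export (matched against the "Checklist (Enrolment)" column)
$stringComputerBanned = "Banned Computer User"
$stringWebMail = "Email After School"
$stringWebBanned = "Banned Internet User"
$stringWebSpecial = "Special Internet Access"
$stringWebRestricted = "Restricted Internet Access"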
# !~~~~~~~~~~~~~~~~~~~~~~~!
# ! End of Initialization !~~
# !~~~~~~~~~~~~~~~~~~~~~~~!
# !~~~~~~~~~~~~~~~~~~~~!
# ~~! Start of Functions !
# !~~~~~~~~~~~~~~~~~~~~!
# userAccountControlHasValue
# @Params: $userAccountControl, $value
# @Usage: userAccountControlHasValue $userAccountControl $value
# @Returns: $true if $value exists in $userAccountControl, $false otherwise
#---------------------------------------------------------------#
function userAccountControlHasValue( $userAccountControl, $value ){
    # Bit test: emits $true only when every bit set in $value is also set in
    # $userAccountControl, $false otherwise.
    $maskedBits = $userAccountControl -band $value
    return ( $maskedBits -eq $value )
}
#---------------------------------------------------------------#
# createUser
# @Params: $firstName, $surname, [String]$enrol, $username, $password, $groups
# @Usage: createUser $firstName $surname $enrol $username $password $groups
# @Purpose: Main function to deal with creation of a new user
# -Active Directory user account
# -Folders
#---------------------------------------------------------------#
function createUser( [String]$firstName, [String]$surname, [String]$enrol, [String]$username, [String]$password, [Array]$groups ){
    # Creates the Active Directory account for one student, adds it to every group
    # in $groups, then creates the student's home folder and applies its ACL.
    # Reads the script-level settings $studentFoldersRoot, $ou, $domain, $homeDrive,
    # $scriptPath and $profilePath.
    #
    # NOTE(review): $password arrives as a plain string, the account is then set to
    # "password never expires" and the owner is denied User-Change-Password, so the value
    # from the export remains the account's credential for as long as the account exists.
    # Anyone who can read the export (or its copy) holds it - confirm this is intended.
    write-host -f 'yellow' "creating new user: $username"
    $homeFolder = $studentFoldersRoot + $username
    write-host -f 'yellow' "Student Folder Path: $homeFolder"
    write-host -f 'yellow' "Creating new account: $username"

    $container = "ou=$ou,$domain"
    $fullName = "$firstName $surname"
    $principalName = "$username@wanganui-high.school.nz"
    $account = new-QADUser -parentContainer $container `
        -name "$username" `
        -Description "Enrolment Number: $enrol" `
        -FirstName "$firstName" `
        -LastName "$surname" `
        -DisplayName $fullName `
        -sAMAccountName "$username" `
        -UserPrincipalName $principalName `
        -HomeDrive "$HomeDrive" `
        -HomeDirectory "$homeFolder" `
        -UserPassword "$password" `
        -LogonScript "$scriptPath" `
        -ProfilePath "$profilePath"

    # Password never expires
    $account | Set-QADUser -PasswordNeverExpires $true
    # "User cannot change password": deny the extended right on this object only
    $account | Add-QADPermission -Account SELF,Everyone -ExtendedRight "User-Change-Password" -Deny -ApplyTo ThisObjectOnly

    write-host -f 'green' "Adding user to groups..."
    foreach( $groupName in $groups ){
        addToGroup $username $groupName
    }

    write-host -f 'green' "Creating student folder..."
    createFolder $homeFolder

    write-host -f 'green' "Applying permissions to student folder..."
    setFolderPermissions $homeFolder $account
}
#---------------------------------------------------------------#
# createFolder
# @Params: $path
# @Usage: createFolder $path
# @Purpose: Creates a folder at $path
#---------------------------------------------------------------#
function createFolder( [String]$path ){
    # Creates the directory $path unless something already exists there.
    # When a directory is created, New-Item's result is emitted to the pipeline.
    if( test-path $path ){
        write-host -f 'yellow' "Folder: $path already exists"
        return
    }
    write-host -f 'yellow' "Attempting to create folder: $path"
    New-Item $path -type directory
}
#---------------------------------------------------------------#
# checkLeft
# @Params: $leavingDate
# @Usage: checkLeft $leavingDate
# @Returns: $true if a $leavingDate is before current date, $false otherwise
#---------------------------------------------------------------#
function checkLeft( $leavingDate ){
    # Emits $true when $leavingDate is earlier than the current date and time,
    # $false otherwise.
    $now = get-date
    return [bool]( $leavingDate -lt $now )
}
#---------------------------------------------------------------#
# checkNew
# @Params: $username
# @Usage: checkNew $username
# @Returns: $true if $username -NOT- in Active Directory, $false otherwise
#---------------------------------------------------------------#
function checkNew( $username ){
    # Emits $true when $username does not occur in the script-level string
    # $stringAllStudents, $false when it does.
    # NOTE(review): this is a substring test on a string of names joined without a
    # separator, so a logon that is contained in (or spans) other accounts' names is
    # reported as existing even though no account has exactly that name.
    $alreadyListed = $stringAllStudents.contains( "$username" )
    return ( !$alreadyListed )
}
#---------------------------------------------------------------#
# getCorrectGroup
# @Params: $userAccountControl
# @Usage: getCorrectGroup $userAccountControl
# @Returns: Name of group user should be in based on $userAccountControl
#---------------------------------------------------------------#
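function getCorrectGroup( $userAccountControl ){
    # Emits the name of the one web-access group a student belongs in, derived from
    # the flag bits in $userAccountControl. Precedence, most restrictive first:
    #   banned (or no internet licence) > restricted > special > web mail / international > normal
    #
    # Uses 'return' rather than 'break': 'break' has no enclosing loop inside this
    # function, so PowerShell unwinds it into the caller's loop. The script calls this
    # from inside its per-student foreach, which would end the whole run at the first
    # student who is not in the normal group.
    $isBanned = userAccountControlHasValue $userAccountControl $WEB_BANNED
    $hasLicence = userAccountControlHasValue $userAccountControl $INTERNET_LICENCE
    if( $isBanned -or !$hasLicence ){ return $groupWebBanned }        # Web Banned or No Internet Licence

    if( userAccountControlHasValue $userAccountControl $WEB_RESTRICTED ){ return $groupWebRestricted }
    if( userAccountControlHasValue $userAccountControl $WEB_SPECIAL ){ return $groupWebSpecial }

    $isWebMail = userAccountControlHasValue $userAccountControl $WEB_MAIL
    $isInternational = userAccountControlHasValue $userAccountControl $TYPE_INTERNATIONAL
    if( $isWebMail -or $isInternational ){ return $groupWebMail }     # Web Mail or International

    return $groupWebNormal                                            # Web Normal
}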
#---------------------------------------------------------------#
# addToGroup
# @Params: $username, $group
# @Usage: addToGroup $username $group
# @Purpose: adds $username to $group
#---------------------------------------------------------------#
function addToGroup( $username, $group ){
    # Adds the account named $username to the group named $group. Both are addressed
    # by a distinguished name built from the script-level $ou and $domain.
    # NOTE(review): the names are interpolated into the DN as-is; a value containing
    # DN-special characters such as ',' would address a different object than intended.
    write-host -f 'yellow' "Adding $username to $group"
    $groupDn = "cn=$group,ou=$ou,$domain"
    $memberDn = "cn=$username,ou=$ou,$domain"
    add-QADGroupMember -identity $groupDn -member $memberDn
}
#---------------------------------------------------------------#
# removeFromGroup
# @Params: $username, $group
# @Usage: removeFromGroup $username $group
# @Purpose: removes $username from $group
#---------------------------------------------------------------#
function removeFromGroup( $username, $group ){
    # Removes the account named $username from the group named $group. Both are
    # addressed by a distinguished name built from the script-level $ou and $domain.
    # NOTE(review): the names are interpolated into the DN as-is; a value containing
    # DN-special characters such as ',' would address a different object than intended.
    write-host -f 'yellow' "Removing $username from $group"
    $groupDn = "cn=$group,ou=$ou,$domain"
    $memberDn = "cn=$username,ou=$ou,$domain"
    remove-QADGroupMember -identity $groupDn -member $memberDn
}
#---------------------------------------------------------------#
# correctGroups
# @Params: $username, $correctGroup
# @Usage: correctGroups $username $group
# @Purpose: adds $username to $correctGroup, remove from other groups
#---------------------------------------------------------------#
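function correctGroups( $username, $correctGroup ){
    # Makes $username a member of $correctGroup and of none of the other four
    # web-access groups. Membership is read from the script-level $stringAllWeb* strings;
    # changes are made through addToGroup / removeFromGroup.
    # Does nothing when $correctGroup is not one of the five web-access groups.
    #
    # Uses 'return' rather than 'break': 'break' has no enclosing loop of its own at
    # function level, so PowerShell unwinds it into the caller's loop - here the
    # script's per-student foreach, which would stop after the first corrected student.
    #
    # NOTE(review): membership is a substring test on names joined without a separator.
    # A false "already a member" skips the add (e.g. a student is never placed in the
    # banned group); a false "member elsewhere" triggers a remove for a non-member.

    # Fixed processing order, identical for every target group.
    $webGroups = @(
        @( $groupWebNormal,     $stringAllWebNormal ),
        @( $groupWebMail,       $stringAllWebMail ),
        @( $groupWebSpecial,    $stringAllWebSpecial ),
        @( $groupWebBanned,     $stringAllWebBanned ),
        @( $groupWebRestricted, $stringAllWebRestricted )
    )

    $isWebGroup = $false
    foreach( $entry in $webGroups ){
        if( $correctGroup -ieq $entry[0] ){ $isWebGroup = $true }
    }
    if( !$isWebGroup ){ return }                                    # unknown target: change nothing

    foreach( $entry in $webGroups ){
        $groupName = $entry[0]
        $isMember = $entry[1].contains( "$username" )
        if( $groupName -ieq $correctGroup ){
            if( !$isMember ){ addToGroup $username $groupName }     # not yet in the correct group, add
        }
        elseif( $isMember ){ removeFromGroup $username $groupName } # in one of the other groups, remove
    }
}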
#---------------------------------------------------------------#
# disableUser
# @Params: $username
# @Usage: disableUser $username
# @Purpose: disable $username account
#---------------------------------------------------------------#
function disableUser( $username ){
    # Announces the action, then disables the account identified by $username.
    $notice = "Disabling account: $username"
    write-host $notice -ForegroundColor 'yellow'
    disable-QADuser -identity $username
}
#---------------------------------------------------------------#
# enableUser
# @Params: $username
# @Usage: enableUser $username
# @Purpose: enable $username account
#---------------------------------------------------------------#
function enableUser( $username ){
    # Announces the action, then enables the account identified by $username.
    $notice = "Enabling account: $username"
    write-host $notice -ForegroundColor 'yellow'
    enable-QADuser -identity $username
}
#---------------------------------------------------------------#
# seperateNonKAMAR
# @Params: $students, $csvKAMAR
# @Usage: seperateNonKamar $students $csvKamar
# @Purpose: returns an array containing:
# [0] students in $students AND in $csvKAMAR
# [1] students in $students AND NOT $csvKAMAR
#---------------------------------------------------------------#
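function seperateNonKAMAR( $students, $csvKAMAR ){
    # Splits the Active Directory accounts in $students by whether the KAMAR export
    # knows them. Emits two ArrayLists:
    #   [0] accounts whose name equals a KAMAR logon, or the derived form
    #       <surname, first 6 chars>.<first initial>.<ID Number> (covers existing malformed usernames)
    #   [1] all other accounts
    # Comparison is case-insensitive. Each account is listed exactly once and in the
    # order it appears in $students.
    #
    # Changes from the previous nested-loop version:
    #  - an account matching several CSV rows was added to [0] once per row; it is now added once
    #  - names are compared for equality instead of with -like, so wildcard characters
    #    (*, ?, [) in a CSV value can no longer match unrelated accounts
    #  - an empty first name no longer makes Substring throw
    #  - the CSV is read once instead of once per account
    $foundArray = New-Object System.Collections.ArrayList
    $notFoundArray = New-Object System.Collections.ArrayList

    # Every name KAMAR could know an account by. @{} keys are case-insensitive.
    $kamarNames = @{}
    $rowCount = 0
    foreach( $row in $csvKAMAR ){
        if( $row -eq $null ){ continue }
        $rowCount += 1
        $firstName = [String]$row."First Name (Preferred)"
        $surname = [String]$row."Surname (Preferred)"
        $enrol = [String]$row."ID Number"
        $logon = [String]$row."Internet - Unique Logon"
        if( $logon.length -gt 0 ){ $kamarNames[ $logon ] = $true }
        if( $firstName.length -gt 0 ){
            if( $surname.length -ge 6 ){ $stem = $surname.Substring(0,6) }
            else{ $stem = $surname }
            $kamarNames[ $stem + "." + $firstName.substring(0,1) + "." + $enrol ] = $true
        }
    }

    # With no KAMAR rows nothing is classified (as before), so an empty or failed
    # import cannot put every account into the "not in KAMAR" list.
    if( $rowCount -gt 0 ){
        foreach( $adUser in $students ){
            if( $adUser -eq $null ){ continue }
            $name = [String]$adUser.name
            if( $kamarNames.ContainsKey( $name ) ){ [void]$foundArray.add( $adUser ) }   # in KAMAR and AD
            else{ [void]$notFoundArray.add( $adUser ) }                                   # in AD only
        }
    }

    $result = @($foundArray,$notFoundArray)     # Add the 2 lists to another array to return
    $result
}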
#---------------------------------------------------------------#
# setFolderPermissions
# @Params: $folderpath, $user
# @Usage: setFolderPermissions $folderPath $user
# @Purpose: Set ACL for student folder
#---------------------------------------------------------------#
function setFolderPermissions( $folderPath, $user ){
    # Replaces the ACL of $folderPath with a fresh, inheritance-protected descriptor:
    #   $groupDomainAdmins  Allow FullControl     this folder, subfolders and files
    #   $groupTeacherFull   Allow FullControl     this folder, subfolders and files
    #   $groupTeacherRead   Allow ReadAndExecute  this folder, subfolders and files
    #   $user.sid           Deny  Delete          this folder only
    #   $user.sid           Allow Modify          this folder, subfolders and files
    # Starting from an empty DirectorySecurity means no existing ACE is carried over.
    # NOTE(review): assumes $user exposes a .sid usable as the rule identity - verify
    # for the case where account creation upstream did not succeed.
    $inheritToChildren = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
    $thisFolderOnly = [System.Security.AccessControl.InheritanceFlags]::None
    $noPropagation = [System.Security.AccessControl.PropagationFlags]::None
    $allow = [System.Security.AccessControl.AccessControlType]::Allow
    $deny = [System.Security.AccessControl.AccessControlType]::Deny
    $fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
    $readAndExecute = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    $deleteRight = [System.Security.AccessControl.FileSystemRights]::Delete
    $modify = [System.Security.AccessControl.FileSystemRights]::Modify

    $descriptor = New-Object System.Security.AccessControl.DirectorySecurity

    # identity, rights, inheritance, allow/deny - added in this order
    $entries = @(
        @( $groupDomainAdmins, $fullControl,    $inheritToChildren, $allow ),
        @( $groupTeacherFull,  $fullControl,    $inheritToChildren, $allow ),
        @( $groupTeacherRead,  $readAndExecute, $inheritToChildren, $allow ),
        @( $user.sid,          $deleteRight,    $thisFolderOnly,    $deny ),    # student cannot delete the folder itself
        @( $user.sid,          $modify,         $inheritToChildren, $allow )
    )
    foreach( $entry in $entries ){
        $rule = new-object System.Security.AccessControl.FileSystemAccessRule( $entry[0],$entry[1],$entry[2],$noPropagation,$entry[3] )
        $descriptor.AddAccessRule( $rule )
    }

    # Protected = yes, keep inherited entries = no: the parent's ACL does not flow in
    $descriptor.SetAccessRuleProtection( $true,$false )
    write-host -f 'yellow' "Attempting to set ACL on $folderPath"
    Set-ACL $folderPath $descriptor
}
#---------------------------------------------------------------#
# !~~~~~~~~~~~~~~~~~~!
# ! End of Functions !~~
# !~~~~~~~~~~~~~~~~~~!
# !~~~~~~~~~~~~~~~~~!
# ~~! Start of Script !
# !~~~~~~~~~~~~~~~~~!
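# Main run: import the KAMAR export, read current group membership from Active
# Directory, then create, disable, enable and re-group accounts to match the export.
$startTime = get-date                                                       # Start time
write-host -f 'yellow' "# @Start Time: $startTime"
out-file $logFile                                                           # Create empty file for logging
# NOTE(review): nothing below writes to $logFile, so account creation, disabling and group
# changes are only visible on the console - consider recording them for later audit.
write-host -f 'green' "Importing the CSV..."
$importedStudents = import-csv $csvpath                                     # Read CSV file
write-host -f 'green' "Sorting the CSV by Internet - Unique Logon..."
$importedStudents = $importedStudents|sort "Internet - Unique Logon"        # Sort based on logon
$measure = ( Get-Content $csvPath | Measure-Object )                        # Count the lines in CSV file
$count = $measure.Count - 1                                                 # Subtract header
write-host -f 'yellow' "Number of Students in Kamar Export: $count"

write-host -f 'green' "Reading Group Members from Active Directory..."
$webMail = get-QADGroupMember $groupWebMail -sizeLimit 3000 -Type 'user'                # Get Web Mail Group
$webBanned = get-QADGroupMember $groupWebBanned -sizeLimit 3000 -Type 'user'            # Get Web Banned Group
$webSpecial = get-QADGroupMember $groupWebSpecial -sizeLimit 3000 -Type 'user'          # Get Web Special Group
$webNormal = get-QADGroupMember $groupWebNormal -sizeLimit 3000 -Type 'user'            # Get Web Normal Group
$webRestricted = get-QADGroupMember $groupWebRestricted -sizeLimit 3000 -Type 'user'    # Get Web Restricted Group
$students = get-QADGroupMember $groupStudents -sizeLimit 3000 -Type 'user'              # Get Student Group

write-host -f 'green' "Adding group members to group strings..."
# These strings are what checkNew and correctGroups query with .contains().
foreach($student in $students){ $stringAllStudents += $student.name.toLower() }                 # All Students
foreach($student in $webMail){ $stringAllWebMail += $student.name.toLower() }                   # Web Mail Students
foreach($student in $webBanned){ $stringAllWebBanned += $student.name.toLower() }               # Web Banned Students
foreach($student in $webSpecial){ $stringAllWebSpecial += $student.name.toLower() }             # Web Special Students
foreach($student in $webRestricted){ $stringAllWebRestricted += $student.name.toLower() }       # Web Restricted Students
foreach($student in $webNormal){ $stringAllWebNormal += $student.name.toLower() }               # Web Normal Students

write-host -f 'green' "Seperating students found in Students group but -not- in KAMAR..."
$result = seperateNonKamar $students $importedStudents      # Seperate Students found in Kamar AND Active Directory
$students = $result[0]                                      # exists in Active Directory AND Kamar
$noKamarStudents = $result[1]                               # exists in Active Directory ONLY

# Look existing accounts up by name. The previous version walked $students with a
# running index and relied on both lists being sorted identically; any mismatch made
# the enable/disable decision read another account's disabled state.
write-host -f 'green' "Indexing Students found in KAMAR -and- Active Directory by name"
$studentsByName = @{}                                       # @{} keys are case-insensitive
foreach( $adStudent in $students ){
    if( $adStudent.name ){ $studentsByName[ $adStudent.name ] = $adStudent }
}

write-host -f 'green' "Modifying Users..."
foreach($student in $importedStudents){
    $userAccountControl = 0                                                 # No flags set
    [String]$enrol = $student."ID Number"                                   # [String] to prevent loss of leading '0's
    if($enrol.length -lt 5){ $enrol = "0$enrol" }                           # fix for pre 2010 enrol numbers
    $firstName = $student."First Name (Preferred)"
    $surname = $student."Surname (Preferred)"
    $username = $student."Internet - Unique Logon".toLower()               # Lower case Active Directory account
    $password = $student."Internet - Password - Student"
    $conditions = $student."Checklist (Enrolment)"
    write-host -f 'yellow' "Current user: $username"

    # Set $userAccountControl flags
    if( $student.Type -ieq "FF" ){ $userAccountControl += $TYPE_INTERNATIONAL }                         # International Student
    if( $student.Type -ieq "AE" ){ $userAccountControl += $TYPE_ALT_ED }                                # Alt Ed Student
    if( $student."Internet - User Allowed Access" -ieq "YES" ){ $userAccountControl += $INTERNET_LICENCE }  # Internet Licence
    if( $student."Leaving Date" -gt "" ){
        if( checkLeft ( get-date $student."Leaving Date" ) ){ $userAccountControl += $STATUS_LEFT }     # Student has Left
    }
    if( checkNew $username ){ $userAccountControl += $STATUS_NEW }                                      # Student is New
    if( $conditions -like "*$stringComputerBanned*" ){ $userAccountControl += $COMPUTER_BANNED }        # Computer Banned
    if( $conditions -like "*$stringWebBanned*" ){ $userAccountControl += $WEB_BANNED }                  # Web Banned
    if( $conditions -like "*$stringWebRestricted*" ){ $userAccountControl += $WEB_RESTRICTED }          # Web Restricted
    if( $conditions -like "*$stringWebMail*" ){ $userAccountControl += $WEB_MAIL }                      # Web Mail
    if( $conditions -like "*$stringWebSpecial*" ){ $userAccountControl += $WEB_SPECIAL }                # Web Special
    write-host -f 'yellow' "User Account Control Value: $userAccountControl"

    # Resolve the web-access group once per student. Previously $correctGroup was never
    # assigned in this scope, so correctGroups received $null for existing accounts and
    # changed nothing - a newly banned or restricted student kept the old group.
    # The one-pass loops around the two helper calls confine a 'break' issued at function
    # level inside them; without a loop of their own it would unwind into this foreach
    # and end the run. The value is captured through the pipeline so it is kept even then.
    $correctGroup = $null
    foreach( $pass in 1 ){ getCorrectGroup $userAccountControl | foreach-object { $correctGroup = $_ } }

    if( userAccountControlHasValue $userAccountControl $STATUS_NEW ){       # Student is new
        write-host -f 'yellow' "$username is a new account"
        $groups = @("$groupStudents")                                       # Default groups array
        if( userAccountControlHasValue $userAccountControl $TYPE_INTERNATIONAL ){ $groups += "$groupInternationalStudents" }    # Add International Group
        if( !( userAccountControlHasValue $userAccountControl $INTERNET_LICENCE ) ){ $groups += "$groupNoInternetLicence" }     # Add No Internet Licence Group
        $groups += $correctGroup                                            # Add correct Web Group
        write-host -f 'yellow' "Groups: $groups"
        write-host -f 'yellow' "creating new user"
        [void] (createUser $firstName $surname $enrol $username $password $groups)  # Create the user
    }
    else{                                                                   # student already exists
        write-host -f 'yellow' "$username is an existing account"

        # checkNew is a substring test, so it can report "existing" for a logon that no
        # account has exactly. Skip such rows instead of acting on another account's state.
        $adAccount = $null
        if( $username -and $studentsByName.ContainsKey( $username ) ){ $adAccount = $studentsByName[ $username ] }
        if( $adAccount -eq $null ){
            write-host -f 'red' "No exact Active Directory match for $username - skipping"
            continue
        }

        # Each call is evaluated on its own line. Written as
        #   ( userAccountControlHasValue $x $STATUS_LEFT -or userAccountControlHasValue $x $COMPUTER_BANNED )
        # everything after the first command name is passed to the first call as arguments,
        # so the COMPUTER_BANNED test never ran and banned students were not disabled.
        $hasLeft = userAccountControlHasValue $userAccountControl $STATUS_LEFT
        $isComputerBanned = userAccountControlHasValue $userAccountControl $COMPUTER_BANNED

        if( $hasLeft -or $isComputerBanned ){
            if( !( $adAccount.accountisdisabled ) ){                        # must be disabled but is not yet
                write-host -f 'yellow' "$username has left -or- is computer banned -and- is -not- disabled"
                disableUser $username                                       # disable the account
            }
            # Keep the tag on accounts that are already disabled too; previously the next
            # run reset their description to the untagged form.
            if( $hasLeft ){ set-QADUser -identity $username -description "[LEFT] Enrolment number: $enrol" }
            else{ set-QADUser -identity $username -description "[BANNED] Enrolment number: $enrol" }
            continue                                                        # Process next student. No need to modify disabled account.
        }

        if( $adAccount.accountisdisabled ){                                 # not left, not banned, but disabled
            write-host -f 'yellow' "$username is -not- left -or- computer banned -and- account is disabled"
            enableUser $username                                            # Enable the account
        }
        else{                                                               # regular, enabled student
            write-host -f 'yellow' "$username is -not- disabled -or- computer banned -or- left"
        }
        set-QADUser -identity $username -description "Enrolment number: $enrol"    # Set the description

        write-host -f 'green' "Correcting group membership..."
        foreach( $pass in 1 ){ correctGroups $username $correctGroup }      # Correct group membership
    } # Current user complete
} # All students found in KAMAR complete

write-host -f 'green' "change users in Students group but not kamar"
foreach($noStudent in $noKamarStudents){ set-QADuser -identity $nostudent -description "Not in Kamar" }    # users found in $students but not in KAMAR
# NOTE(review): these accounts are only relabelled; they stay enabled and keep their groups.

$endTime = get-date                                                         # End time
write-host ""
write-host -f 'yellow' "####################################################"
write-host -f 'yellow' "# @Finish Time: $endTime"
$timeDif = $endTime - $startTime                                            # Time taken
$timeDifSec = $timeDif.seconds                                              # Seconds
$timeDifMin = $timeDif.minutes                                              # Minutes
$timeDifHour = $timeDif.hours                                               # Hours
# "$timeDif.hours" inside a string expands $timeDif and then appends ".hours" literally,
# so the pre-computed parts are used instead.
write-host -f 'yellow' "# @Time Taken: $timeDifHour Hours, $timeDifMin Minutes, $timeDifSec Seconds"
write-host -f 'yellow' "####################################################"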
# !~~~~~~~~~~~~~~~!
# ! End of Script !~~
# !~~~~~~~~~~~~~~~!