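## p4remove-groupmember ## aaron bockelie
<#
.SYNOPSIS
Removes one or more users (or subgroups) from a Perforce group and updates the corresponding Active Directory group.
.DESCRIPTION
This function simplifies removing users from a depot group. It keeps the group in sync with the
corresponding Active Directory group: each requested item is removed from the AD group (when it
resolves to an AD object) and from the Perforce group spec (when it is currently a user or
subgroup member of that group). The regenerated spec is then fed to 'p4 group -i'.

Active Directory is modified BEFORE Perforce. An item that resolves in AD but is not a member of
the Perforce group is still removed from the AD group (with a warning about Perforce only), and a
failure of 'p4 group -i' leaves the two directories out of sync; an error is written in that case
and p4sync-group can be used to reconcile.
.EXAMPLE
[PS] p4remove-groupmember -users troy.mcclurg -group p4infosys
Name Type DN
---- ---- --
p4infosys group CN=p4infosys,OU=p4infosys,OU=Depots,OU=Perforce,OU=Crowd,OU=Security ...
Group p4infosys updated.

The command lists the corresponding Active Directory user object that is being removed from the
group, and removes the user from the synchronized depot group.
.PARAMETER users
One or more user (or subgroup) names to remove from the group.
.PARAMETER group
sAMAccountName of the group the users are being removed from. It must exist in Active Directory;
if it exists only in Perforce, run p4sync-group first (or pass -cleaninvalidgroup).
.PARAMETER cleaninvalidgroup
DESTRUCTIVE. If the group exists in Perforce but not in Active Directory, delete the Perforce
group (p4remove-group -force) instead of failing. No members are removed in that mode.
.PARAMETER silent
Suppress the output of 'p4 group -i'.
.FUNCTIONALITY
Use this function to remove a validated user object from a relevant perforce group.
.NOTES
Removing the last user from a group will delete the Perforce group, but retain the empty Active
Directory group. Groups returned by p4get-authgroups are protected: the Perforce update is skipped
(with a warning) when it would leave the group with no users and no subgroups.
Matching of -users against the existing Perforce spec is an exact, case-sensitive string
comparison (ArrayList.Contains); a name that differs only by case is reported as "not a member".
#>
Function p4remove-groupmember
{
    param(
        [Parameter(Mandatory = $true)][array]$users,
        [Parameter(Mandatory = $true)]$group,
        [switch]$cleaninvalidgroup,
        [switch]$silent
    )
    #begin function p4remove-groupmember

    # Function-scoped: keep going after non-terminating errors so every requested item is attempted.
    $ErrorActionPreference = "Continue"

    $servercheck = p4get-server
    if (-not ($servercheck.pingsuccess -eq $true))
    {
        # Previously a silent no-op; say why nothing happened.
        write-warning "Perforce server check failed (ping unsuccessful). No action taken."
        return
    }

    # Validate the group we are going to modify against AD; AD is the source of truth for membership.
    $fqgroup = $null
    $fqgroup = get-qadgroup -samaccountname $group
    if ($fqgroup -eq $null)
    {
        # Not in AD: determine the state of the group on the Perforce side.
        $p4groupobject = p4get-group $group
        if ($p4groupobject)
        {
            # In Perforce but not in AD: require a group sync first, unless the caller explicitly
            # asked for the (destructive) cleanup of the orphaned Perforce group.
            if ($cleaninvalidgroup -eq $true)
            {
                write-warning "Function switch -cleaninvalidgroup invoked."
                p4remove-group -group $group -force
            }
            else
            {
                write-error ("Group object `'" + $group + "`' exists in Perforce, but not in Active Directory. Please use p4sync-group before attempting to remove a member.")
            }
        }
        else
        {
            # Not in Perforce either: this group probably does not exist.
            write-error ("Group object `'" + $group + "`' not found for server `'" + $servercheck.server + "`'.")
        }
        return
    }

    # Expand the current Perforce member lists into ArrayLists so entries can be removed by value.
    $p4groupobject = p4get-group $group
    $p4users = New-Object System.Collections.ArrayList
    $p4subgroups = New-Object System.Collections.ArrayList
    foreach ($member in $p4groupobject.users)
    {
        if ($member) { [void]$p4users.add($member) }
    }
    foreach ($subgroup in $p4groupobject.subgroups)
    {
        # Fix: the original tested $user (leftover from the loop above) here, which could silently
        # drop every subgroup from the regenerated spec or add empty subgroup entries.
        if ($subgroup) { [void]$p4subgroups.add($subgroup) }
    }

    # Remove each requested item from AD (if it resolves there) and from the new Perforce lists.
    foreach ($item in $users)
    {
        $fqitem = $null
        $fqitem = get-qadobject $item
        if ($fqitem)
        {
            remove-qadgroupmember -identity $group -member $item >$null
        }
        else
        {
            write-warning ("Object named `'" + $item + "`' was not returned as an Active Directory object. No action will be taken in Active Directory.")
        }

        if ($p4users.contains($item) -eq $true)
        {
            [void]$p4users.remove($item)
        }
        elseif ($p4subgroups.contains($item) -eq $true)
        {
            [void]$p4subgroups.remove($item)
        }
        else
        {
            write-warning ("Object named `'" + $item + "`' was not returned as a member of the Perforce group `'" + $group + "`'. No action will be taken in Perforce depot.")
        }
    }

    # Regenerate the group spec; the AD sAMAccountName is used as the canonical group name.
    $file = p4add-groupspec -group $fqgroup.samaccountname -users $p4users -owners $p4groupobject.owners -subgroups $p4subgroups -maxlocktime $p4groupobject.maxlocktime -timeout $p4groupobject.timeout -maxresults $p4groupobject.maxresults -maxscanrows $p4groupobject.maxscanrows

    # Authentication groups must not be emptied: an empty spec fed to 'p4 group -i' deletes the group.
    $applyspec = $true
    if (p4get-authgroups | ?{$_.name -eq $group})
    {
        if (($p4subgroups.count -lt 1) -and ($p4users.count -lt 1))
        {
            $applyspec = $false
            write-warning ("Removal of requested users would result in deletion of authentication group `'" + $group + "`' from Perforce. The Perforce group has not been modified; Active Directory membership has already been updated.")
        }
    }

    if ($applyspec)
    {
        $result = $file | p4 group -i
        # $LASTEXITCODE reflects the native p4 client's status (assumes p4 is the native executable,
        # not a wrapper function). AD was already changed above, so surface the desync loudly.
        if ($LASTEXITCODE -ne 0)
        {
            write-error ("p4 group -i failed for group `'" + $group + "`' (exit code " + $LASTEXITCODE + "). Active Directory has already been updated; use p4sync-group to reconcile.")
        }
    }

    if ($silent -eq $false)
    {
        $result
    }
}#end function p4remove-groupmember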