Backup User GroupMembership

‘Sup PSHomies,

When implementing or updating a Role Based Access Control (RBAC) model, being able to do a roll back has to be part of your process.

I’ve seen junior admins break out in a sweat when asked to roll back a user’s membership. “Eh… which groups was the user a member of again?”

It’s a rookie mistake… Hehe…

Here’s how to make a JIT backup before you start changing user membership.

	<#
	Author: I.C.A. Strachan
	Version:
	Version History:
	Purpose: Backup User group membership to file on a per user base
	#>
	[CmdletBinding()]
	param(
	[string]
	$csvFile='users.csv',
	[string]
	$exportFolder = '.\export\dsa\UserMemberOf\backup\',
	[Microsoft.PowerShell.Commands.FileSystemCmdletProviderEncoding]
	$Encoding = 'UTF8',
	$Delimiter = "`t"
	)
	#region Verify folder exists
	$LogDate = get-date –uformat '%d-%m-%Y'
	if(!(test-path "$exportFolder\$logDate")) {
	$null = New-Item "$exportFolder\$logDate" –ItemType Directory –Force
	}
	#endregion
	#region Define Hashtables for splatting
	$csvParam = @{
	Path = ".\source\csv\$csvFile"
	Delimiter = $Delimiter
	Encoding = $Encoding
	}
	$exportParam = @{
	Delimiter = $Delimiter
	Encoding = $Encoding
	NoTypeInformation = $true
	}
	#endregion
	#region Main
	Import-Csv @csvParam |
	ForEach-Object{
	Get-ADUser –Identity $_.SamAccountName –Properties MemberOf |
	Select-Object –ExpandProperty Memberof |
	Get-ADGroup |
	Select-Object SamAccountName, DistinguishedName |
	Export-Csv @exportParam –Path "$exportFolder\$logDate\$($_.SamAccountName).csv"
	}
	#endregion

view raw

Backup-ADUserMembership.ps1

hosted with ❤ by GitHub

The csv should have a SamAccountName column.

$csvContent = @'
SamAccountName
user1
user2
user3
'@

This will get you all the direct group memberships and save them to a file named SamAccountName.csv, per user.

Next blog I’ll show you how to restore! 😉

Hope it’s worth something to you.

Ttyl,

Urv

Advertisement