Add users to an Active Directory group based on user attributes
A while back I visited a company to help install Specops Password Reset. They wanted a Group Policy configured for password resets using SMS applied to users with a corporate mobile phone, and a Group Policy configured for password resets using security questions applied to everyone else.
The simplest way to make this work is to filter the SMS Group Policy to a security group and make sure that GPO sits at the top of the link order. So far so good, right?
No, not really: this customer has thousands of users, so maintaining that security group by hand wasn't an option.
To solve the problem I wrote the short PowerShell script below and put it in Task Scheduler to run once a night. The script checks the Mobile attribute on all users in the search base: any user with a value in that attribute (hopefully a mobile number) becomes a member of the security group. It also goes through the group's current members, finds those whose mobile number has since been erased from the attribute, and removes them from the group. Two things are worth checking before scheduling it: the account running the task only needs the right to modify that one group's membership, not domain administrator rights, and because group membership (and therefore the password-reset method) now follows an attribute, make sure only trusted processes such as the HR feed or the helpdesk can write Mobile on user objects. By default Active Directory lets users edit some of their own personal-information attributes, so verify the ACL on that attribute before relying on it.
Here is the script:
Import-Module ActiveDirectory

$group      = 'SPR SMS Users'
$searchBase = 'OU=Users,OU=CORP,DC=domain,DC=local'

# Current direct members, restricted to user objects so nested groups or computers do not break Get-ADUser
$members = Get-ADGroupMember -Identity $group | Where-Object { $_.objectClass -eq 'user' }

# Remove members whose Mobile attribute has since been cleared
$members | Get-ADUser -Properties Mobile |
    Where-Object { -not $_.Mobile } |
    ForEach-Object { Remove-ADGroupMember -Identity $group -Members $_ -Confirm:$false }

# Add users that have a Mobile value ('mobile -like "*"' becomes the LDAP filter (mobile=*));
# skip users already in the group so the nightly run does not raise "already a member" errors
Get-ADUser -SearchBase $searchBase -Filter 'mobile -like "*"' |
    Where-Object { $members.DistinguishedName -notcontains $_.DistinguishedName } |
    ForEach-Object { Add-ADGroupMember -Identity $group -Members $_ }
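The same idea, generalised into a reusable function, as an added example that is not part of the original post or of Specops' own code. It works for any attribute, not just Mobile, computes the add/remove delta once instead of touching every user each night, and supports -WhatIf so the sync can be rehearsed before it goes into Task Scheduler. The group name, OU and attribute in the usage lines at the bottom are placeholders.

```powershell
# Added example, not code from the original post: keep an AD group in sync with
# "users under $SearchBase whose $Attribute has a value". Group/OU/attribute names
# passed in are placeholders chosen by the caller.
function Sync-ADGroupFromAttribute {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        [Parameter(Mandatory)] [string] $SearchBase,
        [Parameter(Mandatory)] [string] $Attribute,        # e.g. 'mobile'
        [string] $Filter = "$Attribute -like '*'"          # LDAP (attribute=*): attribute has any value
    )

    Import-Module ActiveDirectory -ErrorAction Stop

    # Desired membership: every user under the OU whose attribute is populated, keyed by SID.
    # The extra IsNullOrWhiteSpace check drops values that are only blanks.
    $desired = @{}
    Get-ADUser -SearchBase $SearchBase -Filter $Filter -Properties $Attribute |
        Where-Object { -not [string]::IsNullOrWhiteSpace($_.$Attribute) } |
        ForEach-Object { $desired[$_.SID.Value] = $_ }

    # Current direct members, restricted to user objects; nested groups and computers are left alone.
    $current = @{}
    Get-ADGroupMember -Identity $GroupName |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { $current[$_.SID.Value] = $_ }

    # Set difference in both directions: only the delta is written back to AD.
    $toAdd    = @($desired.Keys | Where-Object { -not $current.ContainsKey($_) })
    $toRemove = @($current.Keys | Where-Object { -not $desired.ContainsKey($_) })

    foreach ($sid in $toAdd) {
        $user = $desired[$sid]
        if ($PSCmdlet.ShouldProcess($user.SamAccountName, "Add to $GroupName")) {
            Add-ADGroupMember -Identity $GroupName -Members $user
        }
    }
    foreach ($sid in $toRemove) {
        $member = $current[$sid]
        if ($PSCmdlet.ShouldProcess($member.SamAccountName, "Remove from $GroupName")) {
            Remove-ADGroupMember -Identity $GroupName -Members $member -Confirm:$false
        }
    }

    # Summary object for the task's log or transcript
    [pscustomobject]@{
        Group   = $GroupName
        Added   = $toAdd.Count
        Removed = $toRemove.Count
        Desired = $desired.Count
    }
}

# Rehearse first (nothing is written), then run for real; the scheduled task runs the second line.
Sync-ADGroupFromAttribute -GroupName 'SPR SMS Users' -SearchBase 'OU=Users,OU=CORP,DC=domain,DC=local' -Attribute 'mobile' -WhatIf
Sync-ADGroupFromAttribute -GroupName 'SPR SMS Users' -SearchBase 'OU=Users,OU=CORP,DC=domain,DC=local' -Attribute 'mobile'
```

Keying both sets on the SID rather than on SamAccountName or DN means a renamed or moved account is still recognised as the same member, and because only the delta is written, the task account can be granted just "Write Members" on that one group and every change it makes will show up as a distinct group-membership event in the domain controller's security log.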
Now you too can add users to an Active Directory group based on user attributes. For more tips on using PowerShell with Specops Password Reset, check out the blog post Customer Attribute Mobile.
(Last updated on September 26, 2024)