RobinBeismann/Correct-ADPrimaryGroup.ps1

## Correct-ADPrimaryGroup.ps1
#region Variable Definition
$dryRun = $true
$searchBase = (Get-ADDomain).DistinguishedName
#endregion

#region Code below
#Gather the DomainSID
$domainSID = (Get-ADDomain).DomainSid.Value

#Fix on one DC so we don't run into replication problems after adding a user to a group
[string]$DCName = (Get-ADDomainController -NextClosestSite -Writable -Discover | Select-Object -First 1).Hostname

Get-ADUser -Filter * -Server $DCName -SearchBase $searchBase -Properties objectSid,sAMAccountName,primaryGroupID |
Where-Object {
    #Sort out all users whose primaryGroup is not Domain-Users and not Domain-Guests
    ($_.PrimaryGroupID -ne "513" -and $_.PrimaryGroupID -ne "514") -or
    #Handle the default Domain Guest Account
    (
        !($_.objectSid.Value -eq ($domainSID + "-501")) -xor
        !($_.PrimaryGroupID -eq "514")
    )
} |
ForEach-Object {
    #Set a variable to the user object, since we won't be able to access it within the catch logic
    $user = $_
    $sAMAccountName = $user.sAMAccountName

    try{
        #Get current primaryGroup
        $oldPrimaryGroupID = $_.primaryGroupID
        $expectedPrimaryGroupSID = ($domainSID + "-" + $oldPrimaryGroupID)
        $expectedPrimaryGroup = Get-ADGroup -Filter { objectSid -eq $expectedPrimaryGroupSID } -Properties Member,sAMAccountName,distinguishedName -Server $DCName

        #Determinate proper primary group
        if($_.ObjectSid.Value -eq ($domainSID + "-501")){
            $expectedPrimaryGroupID = 514
            Write-Warning("Care: Default Domain Guest '$sAMAccountName' User was modified, please take a deeper look at this user.")
        }else{
            $expectedPrimaryGroupID = 513
        }

        #Set the primaryGroupID
        Write-Host($sAMAccountName + ": Changing primaryGroupID")
        if(!$dryRun){
            $user | Set-ADUser -Replace @{ primaryGroupID = $expectedPrimaryGroupID } -Server $DCName
        }

        #Check if the user is already member of this group, otherwise add him
        #We can't use Get-ADGroupMember as the cmdlet also returns users which only got this group set as primaryGroupSID
        if(!($expectedPrimaryGroup.Member -contains $user.distinguishedName)){
            #Add the user to his prior primaryGroup
            Write-Host($sAMAccountName + ": Added user to $($expectedPrimaryGroup.sAMAccountName)")
            if(!$dryRun){
                Add-ADGroupMember -Identity $expectedPrimaryGroup -Members $user -Server $DCName
            }
        }

        Write-Host($sAMAccountName + ": Successfully corrected primaryGroup.")
    }catch{
        #Looks like it didn't work -> Set the primarySID to the old Value so we don't mess up anything
        if(!$dryRun){
            $user | Set-ADUser -Replace @{ primaryGroupID = $oldPrimaryGroupID } -Server $DCName
        }
        Write-Host($sAMAccountName + ": Failed to corrected primaryGroup, Error: " + $_.Exception.Message)
    }
}
#endregion
	#region Variable Definition
	$dryRun = $true
	$searchBase = (Get-ADDomain).DistinguishedName
	#endregion

	#region Code below
	#Gather the DomainSID
	$domainSID = (Get-ADDomain).DomainSid.Value

	#Fix on one DC so we don't run into replication problems after adding a user to a group
	[string]$DCName = (Get-ADDomainController -NextClosestSite -Writable -Discover \| Select-Object -First 1).Hostname

	Get-ADUser -Filter * -Server $DCName -SearchBase $searchBase -Properties objectSid,sAMAccountName,primaryGroupID \|
	Where-Object {
	#Sort out all users whose primaryGroup is not Domain-Users and not Domain-Guests
	($_.PrimaryGroupID -ne "513" -and $_.PrimaryGroupID -ne "514") -or
	#Handle the default Domain Guest Account
	(
	!($_.objectSid.Value -eq ($domainSID + "-501")) -xor
	!($_.PrimaryGroupID -eq "514")
	)
	} \|
	ForEach-Object {
	#Set a variable to the user object, since we won't be able to access it within the catch logic
	$user = $_
	$sAMAccountName = $user.sAMAccountName

	try{
	#Get current primaryGroup
	$oldPrimaryGroupID = $_.primaryGroupID
	$expectedPrimaryGroupSID = ($domainSID + "-" + $oldPrimaryGroupID)
	$expectedPrimaryGroup = Get-ADGroup -Filter { objectSid -eq $expectedPrimaryGroupSID } -Properties Member,sAMAccountName,distinguishedName -Server $DCName

	#Determinate proper primary group
	if($_.ObjectSid.Value -eq ($domainSID + "-501")){
	$expectedPrimaryGroupID = 514
	Write-Warning("Care: Default Domain Guest '$sAMAccountName' User was modified, please take a deeper look at this user.")
	}else{
	$expectedPrimaryGroupID = 513
	}

	#Set the primaryGroupID
	Write-Host($sAMAccountName + ": Changing primaryGroupID")
	if(!$dryRun){
	$user \| Set-ADUser -Replace @{ primaryGroupID = $expectedPrimaryGroupID } -Server $DCName
	}

	#Check if the user is already member of this group, otherwise add him
	#We can't use Get-ADGroupMember as the cmdlet also returns users which only got this group set as primaryGroupSID
	if(!($expectedPrimaryGroup.Member -contains $user.distinguishedName)){
	#Add the user to his prior primaryGroup
	Write-Host($sAMAccountName + ": Added user to $($expectedPrimaryGroup.sAMAccountName)")
	if(!$dryRun){
	Add-ADGroupMember -Identity $expectedPrimaryGroup -Members $user -Server $DCName
	}
	}

	Write-Host($sAMAccountName + ": Successfully corrected primaryGroup.")
	}catch{
	#Looks like it didn't work -> Set the primarySID to the old Value so we don't mess up anything
	if(!$dryRun){
	$user \| Set-ADUser -Replace @{ primaryGroupID = $oldPrimaryGroupID } -Server $DCName
	}
	Write-Host($sAMAccountName + ": Failed to corrected primaryGroup, Error: " + $_.Exception.Message)
	}
	}
	#endregion