@jschlackman
Last active October 30, 2017 18:19
```powershell
# Sync-GSuite2SV-Users.ps1
# -----------------------
# Syncs the list of users currently enrolled in 2-step verification in G Suite with an AD group.
# Reading the user list from G Suite requires a working install of the GAM tool (https://github.com/jay0lee/GAM)
# User account used to run script must have write access to the folder containing g
#
# Author: James Schlackman
#
# V1.1 - 2017-10-30 - Write last sync time to group for diagnostics
# V1.0 - 2017-10-11 - First version

Import-Module ActiveDirectory

$AdGroupPath = "OU=Groups,DC=cesjds,DC=org"
$AdGroupName = "Google 2SV Users"
$Ad2SvGroup  = "CN=$AdGroupName,$AdGroupPath"
$GamExe      = "$env:ProgramFiles\gam-64\gam.exe"

# Create AD group if it does not exist
If (![boolean](Get-ADGroup -Filter {distinguishedName -eq $Ad2SvGroup})) {
    New-ADGroup -Name $AdGroupName -Path $AdGroupPath -GroupScope Global -GroupCategory Security
}

# Call gam, parse the CSV output, and store the list of users with 2SV enabled
Write-Host "Getting 2SV status from G Suite... " -NoNewline
$Using2Sv = (&$GamExe print users is2svenrolled 2>$null | ConvertFrom-Csv | Where-Object {$_.isEnrolledIn2Sv -eq $true} | Select-Object -ExpandProperty primaryEmail)
Write-Host "done."

# Only proceed if we got at least 1 user from the GAM call (an empty GAM result would otherwise empty the group)
If ([boolean]$Using2Sv) {
    # Get list of users currently marked in AD as using 2SV
    $CurrentAdMembers = Get-ADUser -LDAPFilter "(memberOf=$Ad2SvGroup)" -Properties mail

    # Check if current members are still using 2SV in G Suite
    $CurrentAdMembers | ForEach-Object {
        # If this user is no longer using 2SV in G Suite, remove them from the AD group
        If ($Using2Sv -notcontains $_.mail) {
            Write-Host "Removing user " -NoNewline
            Write-Host $_.mail -ForegroundColor Yellow
            Remove-ADGroupMember -Identity $Ad2SvGroup -Members $_ -Confirm:$false
        }
    }

    # Reduce current membership list to just email addresses
    $CurrentAdMembers = $CurrentAdMembers | Select-Object -ExpandProperty mail

    # Check all G Suite 2SV users are in the AD group
    $Using2Sv | ForEach-Object {
        # If this user is not already in the AD group, find them in AD and add them
        If ($CurrentAdMembers -notcontains $_) {
            $AdUser = Get-ADUser -LDAPFilter "(mail=$_)"
            If ($AdUser) {
                Write-Host "Adding user " -NoNewline
                Write-Host $_ -ForegroundColor Yellow
                Add-ADPrincipalGroupMembership -Identity $AdUser -MemberOf $Ad2SvGroup
            } Else {
                # No AD account carries this mail address; report it instead of failing the whole run
                Write-Warning "No AD user found with mail address $_"
            }
        }
    }

    # Write confirmation of the update to an attribute of the group for diagnostics
    Set-ADGroup -Identity $Ad2SvGroup -Replace @{adminDescription="Last sync: $(Get-Date)"}
}
```
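The comparison step of the script, factored into a function as an added example (this is not code from the gist): it reads GAM's CSV as the strings GAM emits, matches addresses case-insensitively, and flags a run in which an unexpectedly short GAM result would strip a large share of the group. The sample CSV, the addresses and the 25% threshold are constructed for the example.

```powershell
# Added example, not part of the gist. Computes the add/remove delta between
# GAM's "print users is2svenrolled" CSV output and the current AD group members,
# and marks the result unsafe when the removals exceed a threshold, since a
# partial or truncated GAM result would otherwise empty most of the group.
function Get-2SvGroupDelta {
    param(
        [Parameter(Mandatory)][string]$GamCsv,   # raw CSV text as printed by GAM
        [string[]]$CurrentMembers = @(),           # mail attribute of current AD members
        [double]$MaxRemovalFraction = 0.25         # constructed threshold for this example
    )
    # GAM writes booleans as the strings "True"/"False"; compare as strings.
    # Normalise addresses so "Bob@example.org" and "bob@example.org" match.
    $enrolled = @($GamCsv | ConvertFrom-Csv |
        Where-Object { $_.isEnrolledIn2Sv -eq 'True' } |
        ForEach-Object { $_.primaryEmail.Trim().ToLowerInvariant() } |
        Sort-Object -Unique)
    $current = @($CurrentMembers | Where-Object { $_ } |
        ForEach-Object { $_.Trim().ToLowerInvariant() })

    $toAdd    = @($enrolled | Where-Object { $current -notcontains $_ })
    $toRemove = @($current  | Where-Object { $enrolled -notcontains $_ })

    # Refuse to act on removals if too many current members would go at once
    $safe = $true
    if ($current.Count -gt 0 -and ($toRemove.Count / $current.Count) -gt $MaxRemovalFraction) {
        $safe = $false
    }
    [pscustomobject]@{ Add = $toAdd; Remove = $toRemove; Safe = $safe }
}

# Constructed sample GAM output: header plus three users, one not enrolled
$sampleCsv = @"
primaryEmail,isEnrolledIn2Sv
alice@example.org,True
Bob@example.org,True
carol@example.org,False
"@

# Constructed current AD membership; dave is no longer enrolled, alice is missing
$delta = Get-2SvGroupDelta -GamCsv $sampleCsv -CurrentMembers @('bob@example.org', 'dave@example.org')
if ($delta.Safe) {
    $delta
} else {
    Write-Warning "Removal share too high; check the GAM output before applying: $($delta.Remove -join ', ')"
}
```

In a scheduled run the `Safe` flag is the point: apply `Add` unconditionally, but apply `Remove` only when it is true and otherwise alert, so a broken GAM call cannot silently clear the group.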
@jschlackman (Author):
This script parses output from GAM - it does not interface directly with G Suite. It must be run with an account that has access to a working GAM install, and that has permission to create and modify groups in the configured AD path.