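# Sync-GSuite2SV-Users.ps1
# -----------------------
# Syncs the list of users currently enrolled in 2-step verification in G Suite with an AD group.
# Reading the user list from G Suite requires a working install of the GAM tool (https://github.com/jay0lee/GAM)
# User account used to run script must have write access to the folder containing the GAM executable
# (the original comment is truncated at this point) and must be able to create and modify groups in $AdGroupPath.
#
# Author: James Schlackman
#
# V1.1 - 2017-10-30 - Write last sync time to group for diagnostics
# V1.0 - 2017-10-11 - First version

Import-Module ActiveDirectory

$AdGroupPath = "OU=Groups,DC=cesjds,DC=org"
$AdGroupName = "Google 2SV Users"
$Ad2SvGroup  = "CN=$AdGroupName,$AdGroupPath"
$GamExe      = "$env:ProgramFiles\gam-64\gam.exe"

# Escape a value for interpolation into an LDAP search filter (RFC 4515).
# '\', '*', '(', ')' and NUL change the meaning of a filter; a '*' in a mail
# address, for example, would turn an exact match into a wildcard match.
# Mail addresses arrive from GAM output, i.e. from outside AD, so they are
# escaped before being placed in a filter instead of being trusted as-is.
# Backslash is replaced first so the escape sequences themselves are not re-escaped.
function ConvertTo-LdapFilterValue {
    param(
        [Parameter(Mandatory)]
        [AllowEmptyString()]
        [string]$Value
    )
    return $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace '\x00', '\00'
}

# Create AD group if it does not exist
if (-not (Get-ADGroup -Filter { distinguishedName -eq $Ad2SvGroup })) {
    New-ADGroup -Name $AdGroupName -Path $AdGroupPath -GroupScope Global -GroupCategory Security
}

# Fail early with a clear message rather than letting the call below error out
if (-not (Test-Path -LiteralPath $GamExe)) {
    throw "GAM executable not found at '$GamExe'."
}

# Call gam, parse the CSV output, and store the list of users with 2SV enabled.
# gam's stderr is discarded (2>$null) so its progress output stays off the console;
# the consequence is that a failed gam run looks like an empty user list (handled below).
Write-Host "Getting 2SV status from G Suite... " -NoNewline
$Using2Sv = @(& $GamExe print users is2svenrolled 2>$null |
    ConvertFrom-Csv |
    Where-Object { $_.isEnrolledIn2Sv -eq $true } |
    Select-Object -ExpandProperty primaryEmail)
Write-Host "done."

# Only proceed if we got at least 1 user from the GAM call. Treating an empty
# result as "nobody is enrolled" would strip every member from the AD group, so
# say why nothing happened instead of skipping silently.
if ($Using2Sv.Count -eq 0) {
    Write-Warning "No 2SV users returned by GAM; AD group '$AdGroupName' left unchanged."
    return
}

# Get list of users currently marked in AD as using 2SV
$memberFilter = "(memberOf=$(ConvertTo-LdapFilterValue $Ad2SvGroup))"
$CurrentAdMembers = @(Get-ADUser -LDAPFilter $memberFilter -Properties mail)

# If a current member is NOT using 2SV in G Suite any more, remove them from the AD group.
# A member with no mail attribute never matches the G Suite list and is removed as well.
foreach ($member in $CurrentAdMembers) {
    if ($Using2Sv -notcontains $member.mail) {
        Write-Host "Removing user " -NoNewline
        Write-Host $member.mail -ForegroundColor Yellow
        Remove-ADGroupMember -Identity $Ad2SvGroup -Members $member -Confirm:$false
    }
}

# Reduce current membership list to just email addresses
$CurrentAdEmails = @($CurrentAdMembers | Select-Object -ExpandProperty mail)

# Check all G Suite 2SV users are in the AD group
foreach ($email in $Using2Sv) {
    # Already a member: nothing to do
    if ($CurrentAdEmails -contains $email) {
        continue
    }

    # Find the user in AD by mail address (escaped, see ConvertTo-LdapFilterValue)
    $mailFilter = "(mail=$(ConvertTo-LdapFilterValue $email))"
    $adUser = @(Get-ADUser -LDAPFilter $mailFilter)

    # -Identity needs exactly one account: a missing or ambiguous match would
    # make Add-ADPrincipalGroupMembership fail, so skip it and report why.
    if ($adUser.Count -ne 1) {
        Write-Warning "Skipping $($email): found $($adUser.Count) AD accounts with that mail address."
        continue
    }

    Write-Host "Adding user " -NoNewline
    Write-Host $email -ForegroundColor Yellow
    Add-ADPrincipalGroupMembership -Identity $adUser[0] -MemberOf $Ad2SvGroup
}

# Write confirmation of the update to an attribute of the group for diagnostics
Set-ADGroup -Identity $Ad2SvGroup -Replace @{ adminDescription = "Last sync: $(Get-Date)" }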
This script parses output from GAM - it does not interface directly with G Suite. It must be run with an account that has access to a working GAM install, and that has permission to create and modify groups in the configured AD path.