Consider a situation where you’re tasked with maintaining dynamic Active Directory group membership based on the Office attribute of the user account:
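# Keep an AD group's membership in sync with the users whose Office attribute
# matches a given value: matching users are added, user members that no longer
# match are removed. Meant to run unattended under an account that can modify
# the group's membership and read users' Office attribute (the script only
# reads user objects, so it needs no write access to them).
#
# NOTE(review): Office is frequently an attribute users can edit on their own
# account (it belongs to the Personal Information property set, to which SELF is
# often granted write access). Confirm who may write it in this domain before
# using it to drive membership in a group that carries any access.
$GroupName = 'GroupName'
$Office    = 'New York'

# Users that should be in the group. Stop on failure: an empty "wanted" set
# caused by a failed query must not feed the removal pass below.
$users = Get-ADUser -Filter {Office -like $Office} -ErrorAction Stop

# Current membership. Get-ADGroupMember also returns nested groups and computers;
# restrict the removal pass to user objects so they are left alone (a failed
# Get-ADUser on a group member would otherwise yield $null, which is
# "-notlike" anything and would get the nested group removed).
$members      = Get-ADGroupMember -Identity $GroupName -ErrorAction Stop
$currentUsers = @($members | Where-Object { $_.objectClass -eq 'user' })
$currentNames = @($currentUsers | ForEach-Object { $_.SamAccountName })

# Add pass. Skipping existing members avoids the "already a member" error, so
# genuine failures (permissions, connectivity) can be surfaced instead of
# being silenced with -ErrorAction SilentlyContinue.
foreach ($user in $users) {
    if ($currentNames -contains $user.SamAccountName) { continue }
    try {
        Add-ADGroupMember -Identity $GroupName -Members $user.SamAccountName -ErrorAction Stop
    }
    catch {
        Write-Warning "Failed to add $($user.SamAccountName) to $GroupName : $_"
    }
}

# Removal pass. Fail closed: if the Office attribute cannot be read (transient
# DC error, deleted object, missing permission) the member is kept rather than
# treated as "no longer in $Office".
foreach ($member in $currentUsers) {
    try {
        $memberOffice = (Get-ADUser -Identity $member.SamAccountName -Properties Office -ErrorAction Stop).Office
    }
    catch {
        Write-Warning "Could not read Office for $($member.SamAccountName); skipping: $_"
        continue
    }
    if ($memberOffice -notlike $Office) {
        Remove-ADGroupMember -Identity $GroupName -Members $member.SamAccountName -Confirm:$false
    }
}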
Now set this to run once per day via Task Scheduler and you’re set. Make sure to check that the service account used to run the scheduled task has permission to modify the group and user objects involved.