Import User Roles (powershell)


PowerShell script to import User Roles.  Copy the code and save it to a file with a .ps1 extension, then execute the script from within the SCOM Command Shell or PowerShell.  The user input prompts will not work if you copy and paste the code directly into the shell.

This script works in conjunction with the ExportUserRoles script.  Otherwise, the input file must be in the following format:

Profile: <monitoringProfile>
Name: <userRoleName>
DisplayName: <userRoleDisplayName>
Description: <userRoleDescription>
Users: <account1 account2 account3>

This script does not validate accounts.  If an account cannot be queried in AD, the script will throw errors but continue to process.  Use the NetBIOS name for accounts and groups (domain\account).
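A pre-flight check for the input file, as an added example that is not part of the original script: it parses the format above and reports each account that is malformed or does not resolve to a SID, so the file can be corrected before any role membership is written. The function names, the -Delimiter parameter and the CONTOSO sample are assumptions made for illustration.

```powershell
# Added example, not part of ImportUserRoles.ps1. Requires PowerShell 3.0 or later.
function Read-UserRoleFile {
    param([Parameter(Mandatory)] [string] $Path, [string] $Delimiter = ' ')
    $role = [ordered]@{}
    foreach ($line in Get-Content -LiteralPath $Path) {
        if ($line -match '^(Profile|Name|DisplayName|Description|Users):\s?(.*)$') {
            $key, $value = $Matches[1], $Matches[2].Trim()
            $role[$key] = $value
            if ($key -eq 'Users') {
                # The Users line closes a role block, as in the import script.
                $role['Users'] = @($value -split [regex]::Escape($Delimiter) |
                    ForEach-Object { $_.Trim() } | Where-Object { $_ })
                [pscustomobject]$role
                $role = [ordered]@{}
            }
        }
    }
}
function Test-UserRoleAccount {
    param([Parameter(Mandatory)] [string] $Account)
    if ($Account -notmatch '^[^\\]+\\[^\\]+$') { return 'not in domain\account form' }
    try {   # Translate() throws when the name cannot be mapped to a SID.
        $null = ([System.Security.Principal.NTAccount]$Account).Translate(
            [System.Security.Principal.SecurityIdentifier])
    }
    catch { return "does not resolve to a SID: $($_.Exception.Message)" }
}
function Get-UserRoleImportFinding {
    param([Parameter(Mandatory)] [string] $Path, [string] $Delimiter = ' ')
    foreach ($role in (Read-UserRoleFile -Path $Path -Delimiter $Delimiter)) {
        foreach ($field in 'Profile', 'Name', 'DisplayName') {
            if (-not $role.$field) { [pscustomobject]@{ Role = $role.Name; Item = $field; Problem = 'missing or empty' } }
        }
        foreach ($account in $role.Users) {
            $problem = Test-UserRoleAccount -Account $account
            if ($problem) { [pscustomobject]@{ Role = $role.Name; Item = $account; Problem = $problem } }
        }
    }
}
# Constructed sample: CONTOSO and its group are placeholders; the group name contains spaces.
$sample = Join-Path $env:TEMP 'user_roles_sample.txt'
@'
Profile: Operator
Name: Contoso.Operators
DisplayName: Contoso Operators
Description: Constructed sample role
Users: BUILTIN\Administrators CONTOSO\SCOM Read Only
'@ | Set-Content -LiteralPath $sample
Get-UserRoleImportFinding -Path $sample | Format-Table -AutoSize
```

With the default space delimiter, the sample group name is split into fragments that are each reported, which is the failure described in comment 3 below. Proceed with the import only when the check returns nothing.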

 

##————————————————–##
#   Use this script to import User Roles.
#   This script requires the User Roles to have
#   already been exported using the ExportUserRoles
#   script, or a text file in the same format as the
#   output of the ExportUserRoles script.
#   Author: Jonathan Almquist
#   Name: ImportUserRoles.ps1
#   Ver: 6.0.6278.0-1
#   Date: 03/23/2008
#   Revisions:
##————————————————–##
##  Get user input
$rms = read-Host "Enter the RMS server name"
$filename = read-Host "Enter path and filename for input file (ex: c:\user_roles.txt)"
##  Check for Operations Manager Snap-in
$snapin = Get-PSSnapin | select-Object name
$added = 0
##  Loop through each instance of Snap-in
foreach ($pssnapin in $snapin)
    {
    if ($pssnapin -like "*Microsoft.EnterpriseManagement.OperationsManager.Client*")
        {
        $added = 1
        }
    }
if ($added -eq 0)
    {
    add-pssnapin "Microsoft.EnterpriseManagement.OperationsManager.Client"
    write-Host "Operations Manager Snap-in added."
    }
else
    {
    write-Host "Operations Manager Snap-in already added."
    }

set-location "OperationsManagerMonitoring::"
##  Check for Monitoring Drive
$drive = Get-PSDrive | select-Object name
$added = 0
##  Loop through each instance of Drive
foreach ($psdrive in $drive)
    {
        if ($psdrive -like "*Monitoring*")
        {
        $added = 1
        }
    }
if ($added -eq 0)
    {
    New-PSDrive -Name: Monitoring -PSProvider: OperationsManagerMonitoring -Root: \
    write-Host "Monitoring Drive added."
    }
else
    {
    write-Host "Monitoring Drive already added."
    }
##  Connect to Management Group
New-ManagementGroupConnection -ConnectionString: $rms
cd Monitoring:\$rms
$mg = (get-item .).ManagementGroup
$lines = get-content $filename
foreach ($line in $lines)
    {
    if ($line.StartsWith("Profile:"))
        {
        $profile = $line -replace "Profile: ", ""
        }
    elseif ($line.startswith("Name: "))
        {
        $name = $line -replace "Name: ", ""
        }
    elseif ($line.startswith("DisplayName: "))
        {
        $displayName = $line -replace "DisplayName: ", ""
        }
    elseif ($line.startswith("Description: "))
        {
        $description = $line -replace "Description: ", ""
        }
    elseif ($line.startswith("Users: "))
        {
        $users = $line -replace "Users: ", ""
        if ($users -like "* *")
        {
        $users = $users.Split(" ")
        }
        ##  When the script reaches the Users line, this Role block is complete.
        ##  Begin Role check and creation
        $rolelist = get-userrole | select-object name
        $added = 0
        foreach ($role in $rolelist)
            {
                ##  Exact match, so a role whose name merely contains $name is not mistaken for it.
                if ($role.Name -eq $name)
                {
                $added = 1
                }
            }
        if ($added -eq 0)
            {
            $getProfile = $mg.GetMonitoringProfiles() | where {$_.Name -eq $profile}
            $obj = new-object Microsoft.EnterpriseManagement.Monitoring.Security.MonitoringUserRole
            $obj.Name = $name
            $obj.DisplayName = $displayName
            $obj.Description = $description
            $obj.MonitoringProfile = $getProfile
            $mg.InsertMonitoringUserRole($obj)
            write-Host "$name User Role added."
            }
        else
            {
            write-Host "$name Role already added."
            }
        ##  Compare user list and add users
        if ($users -notlike "")
            {
            foreach ($user in $users)
                {
                write-host "Adding $user to $displayName"
                $addUser = get-userrole | where {$_.name -eq $name}
                $addUser.users.add($user)
                $addUser.update()
                }
            }
        else
            {write-Host "No users in $displayName"}
        ##  Move on to the next Role block.
        write-Host "`r`n"
        }
    }
write-Host "Process complete."
##
##


Comments (4)

  1. Anonymous says:

    I have a customer who has many management groups and wants to synchronize the user roles between them.

  2. Thanks, Jon.  I appreciate your feedback.  I haven't updated or used this script in a long time, and there are probably many ways to make this one a lot better 🙂  In fact, one of my peers did just that.

    blogs.msdn.com/…/exporting-and-importing-user-roles.aspx

    His version is a huge improvement with many enhancements.

  3. Jon Sykes says:

    Excellent post; this saved me some time when moving between Management Groups, and I want to thank you for that and the effort involved in writing these scripts.  Might I recommend a small change to accommodate different environments?

    AD Groups I added to the custom profiles had blanks in between them (ex. Domain\This is a Group).  The current import script doesn't handle this because you perform a split on blank space.  So there is a section of code that needs to be adjusted to account for this possibility within each script (i.e. Import and Export scripts).

    The export script should ultimately be changed to add a different delimiter between the "user" names.  I didn't have time to look at exactly what needed to be changed.  But I did manually remove blank space between the groups from the export and added a comma to separate the values.  Then I needed to modify the import script to handle this change.

    The import script should then have this line change from:

           $users = $users.Split(" ")

    to

           $users = $users.Split(",")