***This article has been superseded by a more recent one on the same topic.***
It is sometimes useful to be able to populate a group's membership from the OU in which the prospective members live. A good example of where this helps is Fine-Grained Password Policy (FGPP) in Windows Server 2008 AD (and later). FGPP cannot be scoped to an OU: a Password Settings Object (PSO) can only be applied to user objects or to global security groups, so a group that mirrors an OU is the usual workaround.
The script below shadows a specified OU and populates a group's membership from the user objects found in it (and in its sub-OUs), adding users that are missing from the group and removing members that are no longer in the OU. It is intended to be invoked by the Windows Task Scheduler (taskschd.msc). Because it removes members as well as adding them, run it under a dedicated account that has been delegated write access to the group's member attribute, rather than under a Domain Admin account, and make sure a failed directory query aborts the run instead of being treated as an empty OU.
Note that it requires PowerShell 2.0 and uses the Active Directory module (shipped with Windows Server 2008 R2 and the RSAT tools).
#########################################################
#
# Name: OUShadow.ps1
# Author: Tony Murray
# Version: 1.0
# Date: 26/03/2010
# Comment: PowerShell 2.0 script to set the members of
# a group based on the OU they live in
#
#########################################################

# Import the Active Directory PowerShell module. Stop here if it is
# missing; otherwise every later cmdlet fails and the group could be
# emptied on the strength of an empty result set.
Import-Module ActiveDirectory -ErrorAction Stop

# Set variables
$Group = "OU Shadow"
$SearchBase = "OU=User Accounts,DC=Contoso,DC=Com"

# Current direct members of the group (no -Recursive, so a nested group
# is listed as a member itself rather than being expanded). @() makes
# sure a single member, or none, is still handled as an array.
$MbrArr = @(Get-ADGroupMember -Identity $Group -ErrorAction Stop)

# User objects in the OU and its sub-OUs (samAccountType 805306368 = user)
$OUArr = @(Get-ADUser -LDAPFilter "(samAccountType=805306368)" -SearchBase $SearchBase -ErrorAction Stop)

# Index both sets by distinguished name so that membership checks are
# exact (case-insensitive) string comparisons. Using -match on the DN
# would treat it as a regular expression, which misfires on DNs that
# contain characters such as parentheses.
$MbrDNs = @{}
foreach ($Mbr in $MbrArr) { $MbrDNs[$Mbr.distinguishedName] = $true }
$OUDNs = @{}
foreach ($User in $OUArr) { $OUDNs[$User.distinguishedName] = $true }

# Loop through the users found in the OU and add any
# that are not already members of the group
foreach ($User in $OUArr) {
    if (-not $MbrDNs.ContainsKey($User.distinguishedName)) {
        Add-ADGroupMember -Identity $Group -Members $User
    }
}

# Loop through the group membership and remove
# any members that are not in the OU
foreach ($Mbr in $MbrArr) {
    if (-not $OUDNs.ContainsKey($Mbr.distinguishedName)) {
        Remove-ADGroupMember -Identity $Group -Members $Mbr -Confirm:$false
    }
}
# End
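The pieces around the script, as an added example that is not part of the original post: creating the shadow group with the scope a PSO requires, attaching a Fine-Grained Password Policy to it, registering the scheduled task under a dedicated account, and a check that the group really mirrors the OU after a run. The group container OU=Groups,DC=Contoso,DC=Com, the PSO name Contractors-PSO, the service account CONTOSO\svc-oushadow and the script path C:\Scripts\OUShadow.ps1 are assumptions.

```powershell
# Added example: set up and verify the shadow group. Not part of the
# original OUShadow.ps1. Group container, PSO name, service account and
# script path below are assumptions for illustration.
Import-Module ActiveDirectory -ErrorAction Stop

$Group      = "OU Shadow"
$SearchBase = "OU=User Accounts,DC=Contoso,DC=Com"

# 1. Create the shadow group. A PSO can only be applied to users or to
#    global security groups, so the scope and category matter here.
if (-not (Get-ADGroup -Filter "Name -eq '$Group'")) {
    New-ADGroup -Name $Group -GroupScope Global -GroupCategory Security `
        -Path "OU=Groups,DC=Contoso,DC=Com" -Description "Mirrors $SearchBase"
}

# 2. Apply the fine-grained password policy to the group. The PSO
#    "Contractors-PSO" is assumed to exist already.
Add-ADFineGrainedPasswordPolicySubject -Identity "Contractors-PSO" -Subjects $Group

# 3. Register the scheduled task. -NonInteractive stops PowerShell from
#    waiting on a prompt (a task that never exits shows as "Running"), and
#    the task runs as a dedicated account that has been delegated write
#    access to the group's member attribute, not as a Domain Admin.
#    /RP "*" makes schtasks prompt for that account's password.
schtasks.exe /Create /TN "OUShadow" /SC HOURLY /ST 00:00 `
    /RU "CONTOSO\svc-oushadow" /RP "*" `
    /TR "powershell.exe -NoProfile -NonInteractive -ExecutionPolicy RemoteSigned -File C:\Scripts\OUShadow.ps1"

# 4. Verify: after a run, the set of member DNs should equal the set of
#    user DNs in the OU. Compare-Object returns nothing when they match;
#    "<=" marks a user only in the OU, "=>" a member only in the group.
$MemberDNs = @(Get-ADGroupMember -Identity $Group | ForEach-Object { $_.distinguishedName })
$OUUserDNs = @(Get-ADUser -LDAPFilter "(samAccountType=805306368)" -SearchBase $SearchBase |
               ForEach-Object { $_.distinguishedName })
$Diff = Compare-Object -ReferenceObject $OUUserDNs -DifferenceObject $MemberDNs
if ($Diff) {
    $Diff | Format-Table InputObject, SideIndicator -AutoSize
} else {
    Write-Output "Group '$Group' matches $SearchBase ($($OUUserDNs.Count) users)"
}
```

Step 4 is worth keeping as a separate check that runs after the task has fired: it is the quickest way to tell whether a reported "already a member" error or a silent removal actually left the group out of step with the OU.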
Hi,
When using this script to update a shadow group (eg. when adding new users to the OU and then running the script) the following happens
1. The error below is displayed.
Windows PowerShell
Copyright (C) 2009 Microsoft Corporation. All rights reserved.
PS C:\Users\adminlv.PRIMARY> cd\
PS C:\> cd .\Scripts
PS C:\Scripts> .\OUShadow.ps1
Add-ADGroupMember : The specified account name is already a member of the group
At C:\Scripts\OUShadow.ps1:34 char:22
Add-ADGroupMember <<<< -Identity $Group -Members $User
CategoryInfo : NotSpecified: (Shadow Group09:ADGroup) [Add-ADGroupMember], ADException
FullyQualifiedErrorId : The specified account name is already a member of the group,Microsoft.ActiveDirectory.Management.Commands.AddADGroupMember
It then proceeds to delete all users from the security group except for the NEW users?
Am I missing something?
Hi Lance
Looks like it’s failing to match correctly against your array. It’s been a while since I wrote it. I’ll test it again and will report back.
Tony
Hi again Lance
Works fine for me (tried a couple of different environments).
If you post me a copy of your script I’d be happy to take a look.
tony [***AT***] activedir.org
I’m having some difficulty with this. For some reason, when I run it on a domain controller, in an administrative powershell prompt, with a domain admin (and enterprise admin) user, the Add-ADGroupMember throws an error saying: Insufficient access rights to perform the operation. Any ideas?
Thanks for the script. I ran it in Task Scheduler and the history shows it completed, but the status still says running. Any thoughts…
This can be automated, so that group membership would be updated instantly after any specified changes occur in AD, using something like this: http://www.adaxes.com/tutorials_AutomatingDailyTasks_AutomaticallyChangeGroupMembershipUsingScripts.htm