
***This article has been superseded by a more recent one on the same topic.***

It is sometimes useful to have the ability to populate group membership based on the OU in which the prospective members are located.  A good example of where this might be useful is with Fine-Grained Password Policy (FGPP) in Windows Server 2008 AD (and later).  FGPP does not have the ability to use an OU as its scope of management – you are limited to assigning the policy to user or group objects.

The script below shadows a specified OU and populates a group’s membership based on the contents of the OU.  It is intended to be invoked by the Windows Task Scheduler (taskschd.msc).

Note that it requires PowerShell 2.0 and uses the Active Directory module.

#########################################################
#
# Name: OUShadow.ps1
# Author: Tony Murray
# Version: 1.0
# Date: 26/03/2010
# Comment: PowerShell 2.0 script to set the members of
# a group based on the OU they live in
#
#########################################################

# Import the Active Directory PowerShell module
Import-Module ActiveDirectory -ErrorAction SilentlyContinue

# Set variables
$Group = "OU Shadow"
$SearchBase = "OU=User Accounts,DC=Contoso,DC=Com"

# Current group members and the user accounts currently in the OU.
# @() keeps both as arrays even when there are zero or one results.
$MbrArr = @(Get-ADGroupMember -Identity $Group)
$OUArr  = @(Get-ADUser -LDAPFilter "(samaccounttype=805306368)" -SearchBase $SearchBase)

# Compare distinguished names with -contains (exact, case-insensitive)
# rather than -Match, which treats the DN as a regular expression and
# fails to match names containing characters such as ( ) or +.
$MbrDNs = @($MbrArr | ForEach-Object { $_.DistinguishedName })
$OUDNs  = @($OUArr  | ForEach-Object { $_.DistinguishedName })

# Loop through the users found in the OU
# and check to see if the user is already
# a member of the group.
Foreach ($User in $OUArr)
{
    if ($MbrDNs -contains $User.DistinguishedName)
    {
        # The user is already a member - do nothing
    }
    else
    {
        # We need to add the user as a member
        Add-ADGroupMember -Identity $Group -Members $User
    }
}

# Loop through the group membership and remove
# any users that are not in the OU
Foreach ($Mbr in $MbrArr)
{
    if ($OUDNs -contains $Mbr.DistinguishedName)
    {
        # Found user in OU - do nothing
    }
    else
    {
        # We need to remove the user as a member
        Remove-ADGroupMember -Identity $Group -Members $Mbr -Confirm:$false
    }
}
# End
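The same OU-to-group synchronisation, written as an added example (not Tony Murray's script and not part of the original post) with the rails a practitioner would want before handing it to Task Scheduler: explicit parameters, -WhatIf support so the first run can be a dry run, exact DN comparison via a case-insensitive HashSet, an optional -Server pin so reads and writes go to the same domain controller, and a guard that refuses to empty the group when the OU query returns nothing, because a mistyped search base or a failed query would otherwise strip every member and with it the password policy the group carries. Two points worth noting from a defender's view: the group's membership is now controlled by whoever can create or move user objects into the OU, so the OU's ACL deserves the same review as the group's; and the summary object the function returns is what you would log from the scheduled task. Function, parameter and sample names here are constructed for the example; the cmdlets are the standard Active Directory module ones.

```powershell
function Sync-ShadowGroup {
    # Added example: keep group membership equal to the user accounts in an OU.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string] $Group,
        [Parameter(Mandatory = $true)] [string] $SearchBase,
        # OneLevel mirrors the original script; Subtree also takes child OUs.
        [ValidateSet('OneLevel', 'Subtree')] [string] $SearchScope = 'OneLevel',
        # Pin every call to one DC so the comparison and the changes see the same replica.
        [string] $Server,
        # Explicit opt-in before the script will remove every member of the group.
        [switch] $AllowEmptyOU
    )

    Import-Module ActiveDirectory -ErrorAction Stop

    # Common parameters for all AD calls: fail loudly, optionally on a fixed DC.
    $ad = @{ ErrorAction = 'Stop' }
    if ($Server) { $ad['Server'] = $Server }

    # Desired membership: normal user accounts in the OU (sAMAccountType 805306368),
    # the same filter the original script uses.
    $wanted  = @(Get-ADUser -LDAPFilter '(sAMAccountType=805306368)' `
                    -SearchBase $SearchBase -SearchScope $SearchScope @ad)
    # Current membership. Non-user principals (nested groups, computers) that were
    # added by hand are treated as unwanted, as in the original script.
    $current = @(Get-ADGroupMember -Identity $Group @ad)

    if ($wanted.Count -eq 0 -and -not $AllowEmptyOU) {
        throw "No user accounts found under '$SearchBase'; refusing to empty '$Group'. Pass -AllowEmptyOU if that is intended."
    }

    # Exact, case-insensitive DN sets; no regular-expression matching on DNs.
    $wantedDNs  = New-Object 'System.Collections.Generic.HashSet[string]' -ArgumentList ([StringComparer]::OrdinalIgnoreCase)
    foreach ($u in $wanted)  { [void] $wantedDNs.Add($u.DistinguishedName) }
    $currentDNs = New-Object 'System.Collections.Generic.HashSet[string]' -ArgumentList ([StringComparer]::OrdinalIgnoreCase)
    foreach ($m in $current) { [void] $currentDNs.Add($m.DistinguishedName) }

    $toAdd    = @($wanted  | Where-Object { -not $currentDNs.Contains($_.DistinguishedName) })
    $toRemove = @($current | Where-Object { -not $wantedDNs.Contains($_.DistinguishedName) })

    # One bulk call per direction; both honour -WhatIf through ShouldProcess.
    if ($toAdd.Count -gt 0 -and $PSCmdlet.ShouldProcess($Group, "add $($toAdd.Count) member(s)")) {
        Add-ADGroupMember -Identity $Group -Members $toAdd @ad
    }
    if ($toRemove.Count -gt 0 -and $PSCmdlet.ShouldProcess($Group, "remove $($toRemove.Count) member(s)")) {
        Remove-ADGroupMember -Identity $Group -Members $toRemove -Confirm:$false @ad
    }

    # Summary for the task's log; sAMAccountNames are easier to read than DNs.
    New-Object PSObject -Property @{
        Group   = $Group
        Added   = @($toAdd    | ForEach-Object { $_.SamAccountName })
        Removed = @($toRemove | ForEach-Object { $_.SamAccountName })
    }
}

# Dry run first (constructed names), then the real run from the scheduled task:
# Sync-ShadowGroup -Group 'OU Shadow' -SearchBase 'OU=User Accounts,DC=Contoso,DC=Com' -WhatIf
# Sync-ShadowGroup -Group 'OU Shadow' -SearchBase 'OU=User Accounts,DC=Contoso,DC=Com'
```

Once the group tracks the OU, the fine-grained policy is attached to the group rather than to individual users, for example with Add-ADFineGrainedPasswordPolicySubject -Identity <PSO name> -Subjects 'OU Shadow' (the PSO name is a placeholder); from then on the scheduled sync is what keeps the policy's scope aligned with the OU.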

6 Comments

  1. Active Directory Doings 4/2/2010 - The Experts Community says:

    [...] course I can’t do a roundup without including some PowerShell goodness.  Tony Murray posted a PowerShell Shadow OU script that uses the new Active Directory module. The script takes members of an OU and puts them in a [...]

  2. Lance says:

    Hi,

    When using this script to update a shadow group (e.g. when adding new users to the OU and then running the script) the following happens:

    1. The error below is displayed.

    Windows PowerShell
    Copyright (C) 2009 Microsoft Corporation. All rights reserved.

    PS C:\Users\adminlv.PRIMARY> cd\
    PS C:\> cd .\Scripts
    PS C:\Scripts> .\OUShadow.ps1
    Add-ADGroupMember : The specified account name is already a member of the group
    At C:\Scripts\OUShadow.ps1:34 char:22
    Add-ADGroupMember <<<< -Identity $Group -Members $User
    CategoryInfo : NotSpecified: (Shadow Group09:ADGroup) [Add-ADGroupMember], ADException
    FullyQualifiedErrorId : The specified account name is already a member of the group,Microsoft.ActiveDirectory.Ma
    nagement.Commands.AddADGroupMember

    It then proceeds to delete all users from the security group except for the NEW users?

    Am I missing something?

  3. admin says:

    Hi Lance

    Looks like it’s failing to match correctly against your array. It’s been a while since I wrote it. I’ll test it again and will report back.

    Tony

  4. admin says:

    Hi again Lance

    Works fine for me (tried a couple of different environments).

    If you post me a copy of your script I’d be happy to take a look.

    tony [***AT***] activedir.org

  5. Ryan says:

    I’m having some difficulty with this. For some reason, when I run it on a domain controller, in an administrative powershell prompt, with a domain admin (and enterprise admin) user, the Add-ADGroupMember throws an error saying: Insufficient access rights to perform the operation. Any ideas?

  6. Mark Shoemaker says:

    Thanks for the script. I ran it in Task Scheduler and the history shows it completed, but the status still says running. Any thoughts…
