Powershell script to add group members based on sIDHistory

By | July 12, 2010

In a migration scenario it is sometimes useful to have a security and/or distribution Active Directory group in the target domain whose membership is made up of migrated user objects. Here’s a PowerShell 2.0 script that I put together that populates the membership of a group based on a specific sIDHistory value (the SID of the source domain that the users were migrated from). It can be run as a one-off after the migration or can be invoked via a scheduled task to keep the group up to date during a migration.

The script also creates a new event log source and then writes its logging information to the Application event log on the machine from which it is run. This is not essential to the script, so scrub it out if you want to.

You can download a copy of the script here: sidhistorybasedgroupmembership.txt

#########################################################
#
# Name: SIDHistoryBasedGroupMembership.ps1
# Author: Tony Murray
# Version: 1.0
# Date: 11/07/2010
# Comment: PowerShell 2.0 script to
# populate group membership based on sIDHistory values
#
#########################################################

# Import the Active Directory PowerShell module
Import-Module ActiveDirectory -ErrorAction SilentlyContinue

# Create a new event log source for the script (only needs to be run once;
# registering a source requires local administrator rights)
New-EventLog -LogName Application -Source "Legacy Users Group Management" `
    -ErrorAction SilentlyContinue

# All normal user accounts (sAMAccountType 805306368) beneath the OU tree
$SearchBase = "OU=User Objects,DC=fabrikam,DC=local"
$OUArr = Get-ADUser -LDAPFilter "(samaccounttype=805306368)" `
    -SearchBase $SearchBase -SearchScope Subtree

# Now we need the domain security identifier of the source (migrated-from) domain;
# a sIDHistory entry matches when its domain part equals this SID
$DomSID = "S-1-5-21-1584567894-2535104369-4141123456"

$Group = "Legacy Users"
# Distinguished names of the current members, so membership can be compared exactly
$MbrArr = Get-ADGroupMember -Identity $Group | ForEach-Object { $_.distinguishedName }

# Loop through the users found beneath the OU tree
# and check to see if the user is already
# a member of the group. If so, do nothing.
# If not, then add the user as a member.
Foreach ($User in $OUArr)
{
    $object = [ADSI]"LDAP://$($User.distinguishedName)"
    $objectsidh = $object.sIDHistory.value
    If (!$objectsidh)
    {
        # write-host "sIDHistory is blank"
    }
    Else
    {
        # GetEx always returns an array of values, even when there is only one
        $objectsidh = $object.GetEx("sIDHistory")
        trap
        {
            #write-host "Error: $_"
            continue
        }
        foreach ($sid in $objectsidh)
        {
            # Each sIDHistory value is a binary SID; build a SecurityIdentifier from it
            $sidh = New-Object System.Security.Principal.SecurityIdentifier $sid, 0
            if ($sidh.AccountDomainSid -and $sidh.AccountDomainSid.Value -eq $DomSID)
            {
                if ($MbrArr -contains $User.distinguishedName)
                {
                    # The user is already a member - do nothing
                }
                else
                {
                    # We need to add the user as a member; log once the add has succeeded
                    Add-ADGroupMember -Identity $Group -Members $User
                    Write-EventLog -LogName Application `
                        -Source "Legacy Users Group Management" `
                        -EventId 3001 -EntryType Information -Message "$User added to $Group"
                }
            }
            else
            {
                # No match with sIDHistory - do nothing
            }
        }
    }
}
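Because the post mentions running the script from a scheduled task during a migration, a reconciliation form is also useful: compute the set of users that should be members, compare it with the current membership, and apply only the differences, with a dry run available before anything changes. The following is an added example written for this page, not the post's script and not part of the Active Directory module; the function name, its parameters, the `-RemoveStale` switch and the sample values are assumptions. It relies only on the ActiveDirectory module (which returns sIDHistory as SecurityIdentifier objects, so the source domain can be compared exactly via AccountDomainSid) and assumes the event log source has already been registered as in the post.

```powershell
# Added example (not the original post's script): reconcile a target-domain group
# against the users whose sIDHistory carries a SID from the source domain.
# Assumed, not from the post: the function and parameter names and the sample values.
function Sync-SidHistoryGroup {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string] $Group,
        [Parameter(Mandatory = $true)] [string] $SourceDomainSid,   # domain SID of the old domain
        [Parameter(Mandatory = $true)] [string] $SearchBase,
        [switch] $RemoveStale,                                      # also drop members that no longer qualify
        [string] $EventSource = "Legacy Users Group Management"     # must already be registered
    )

    Import-Module ActiveDirectory -ErrorAction Stop

    # Desired membership: every user under the OU with at least one sIDHistory
    # entry whose domain part equals the source domain SID. Comparing
    # AccountDomainSid is exact, unlike a substring or regex match on the string form.
    $desired = New-Object 'System.Collections.Generic.HashSet[string]' ([System.StringComparer]::OrdinalIgnoreCase)
    $candidates = Get-ADUser -LDAPFilter "(sIDHistory=*)" -SearchBase $SearchBase `
        -SearchScope Subtree -Properties sIDHistory
    foreach ($user in $candidates) {
        foreach ($sid in $user.sIDHistory) {
            if ($sid.AccountDomainSid -and $sid.AccountDomainSid.Value -eq $SourceDomainSid) {
                [void] $desired.Add($user.DistinguishedName)
                break
            }
        }
    }

    # Current membership (user objects only; nested groups are left alone)
    $current = New-Object 'System.Collections.Generic.HashSet[string]' ([System.StringComparer]::OrdinalIgnoreCase)
    Get-ADGroupMember -Identity $Group |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { [void] $current.Add($_.DistinguishedName) }

    $toAdd    = @($desired | Where-Object { -not $current.Contains($_) })
    $toRemove = @()
    if ($RemoveStale) {
        $toRemove = @($current | Where-Object { -not $desired.Contains($_) })
    }

    # Apply the differences; ShouldProcess gives -WhatIf / -Confirm for free
    foreach ($dn in $toAdd) {
        if ($PSCmdlet.ShouldProcess($dn, "Add to $Group")) {
            Add-ADGroupMember -Identity $Group -Members $dn
            Write-EventLog -LogName Application -Source $EventSource -EventId 3001 `
                -EntryType Information -Message "$dn added to $Group"
        }
    }
    foreach ($dn in $toRemove) {
        if ($PSCmdlet.ShouldProcess($dn, "Remove from $Group")) {
            Remove-ADGroupMember -Identity $Group -Members $dn -Confirm:$false
            Write-EventLog -LogName Application -Source $EventSource -EventId 3002 `
                -EntryType Information -Message "$dn removed from $Group"
        }
    }

    # Summary object so a scheduled task can log or inspect the outcome
    New-Object PSObject -Property @{
        Desired = $desired.Count; Current = $current.Count
        Added = $toAdd.Count; Removed = $toRemove.Count
    }
}

# Dry run first: -WhatIf lists the adds and removes without touching the group.
# Sync-SidHistoryGroup -Group "Legacy Users" `
#     -SourceDomainSid "S-1-5-21-1584567894-2535104369-4141123456" `
#     -SearchBase "OU=User Objects,DC=fabrikam,DC=local" -RemoveStale -WhatIf
```

Running with `-WhatIf` first shows exactly which distinguished names would be added or removed, which is worth checking before the function is scheduled, since a wrong `-SourceDomainSid` produces an empty desired set and, with `-RemoveStale`, would empty the group. Get-ADGroupMember is limited by the server-side result size (5000 by default), so very large groups need that limit raised or another enumeration method.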
