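#########################################################
#
# Name:    SIDHistoryBasedGroupMembership.ps1
# Author:  Tony Murray
# Version: 1.0
# Date:    11/07/2010
# Comment: PowerShell 2.0 script to populate group membership
#          based on sIDHistory values.
#
#          Users beneath $SearchBase whose sIDHistory holds a SID issued
#          by the legacy domain $DomSID are added to $Group. Every
#          addition is recorded in the Application event log under the
#          source "Legacy Users Group Management" with event ID 3001.
#
#          sIDHistory is the attribute this script trusts when granting
#          membership, so the legacy-domain check is an anchored prefix
#          comparison of the SID string rather than an unanchored regex.
#
#########################################################

# Import the Active Directory PowerShell module. Continuing silently after a
# failed import only moves the failure to the first Get-AD* call with a less
# helpful error, so stop here instead.
Import-Module ActiveDirectory -ErrorAction Stop

# Create a new event log source for the script (only needs to be run once;
# when the source already exists New-EventLog fails, which is expected).
$EventSource = "Legacy Users Group Management"
New-EventLog -LogName Application -Source $EventSource -ErrorAction SilentlyContinue

# Root of the user search.
$SearchBase = "OU=User Objects,DC=fabrikam,DC=local"

# Security identifier of the legacy (source) domain, or at least its leading
# portion. Only sIDHistory entries that start with "$DomSID-" qualify a user.
$DomSID = "S-1-5-21-1584567894-2535104369-4141123456"

# Group to populate.
$Group = "Legacy Users"

# Users (sAMAccountType 805306368 = normal user account) under the OU tree.
# Filtering on (sIDHistory=*) server-side skips users without history, which
# the script leaves untouched anyway, and requesting sIDHistory directly
# avoids a separate [ADSI] bind per user.
$OUArr = Get-ADUser -LDAPFilter "(&(samaccounttype=805306368)(sidhistory=*))" `
    -SearchBase $SearchBase -SearchScope Subtree -Properties sIDHistory

# Current membership keyed by distinguished name for exact lookups. A regex
# -Match against the member list would mis-match or throw on DNs containing
# metacharacters such as "(" or ".".
# NOTE(review): Get-ADGroupMember is subject to the AD web service's member
# enumeration limit on very large groups - confirm for this environment.
$MbrArr = @(Get-ADGroupMember -Identity $Group)
$MemberDNs = @{}
foreach ($Mbr in $MbrArr) {
    $MemberDNs[$Mbr.DistinguishedName] = $true
}

# Loop through the users found beneath the OU tree and check whether each
# is already a member of the group. If so, do nothing; if not, add the user.
foreach ($User in $OUArr) {
    $UserDN = $User.DistinguishedName

    if ($MemberDNs.ContainsKey($UserDN)) {
        # The user is already a member - do nothing.
        continue
    }

    foreach ($sid in @($User.sIDHistory)) {
        try {
            # The AD module normally returns SecurityIdentifier objects; accept
            # binary or SDDL string forms as well rather than skipping silently.
            if ($sid -is [byte[]]) {
                $sidh = New-Object System.Security.Principal.SecurityIdentifier $sid, 0
            } else {
                $sidh = [System.Security.Principal.SecurityIdentifier]$sid
            }
        } catch {
            Write-Warning "Could not parse a sIDHistory value on $UserDN : $_"
            continue
        }

        # Anchored prefix check: the SID must belong to the legacy domain.
        if ($sidh.Value -like "$DomSID-*") {
            try {
                # Add first, then log, so the event log never records an
                # addition that did not actually happen.
                Add-ADGroupMember -Identity $Group -Members $User -ErrorAction Stop
                Write-EventLog -LogName Application -Source $EventSource `
                    -EventId 3001 -EntryType Information -Message "$UserDN added to $Group"
                $MemberDNs[$UserDN] = $true
            } catch {
                Write-Warning "Failed to add $UserDN to ${Group}: $_"
            }
            # One qualifying SID is enough; stop scanning this user's history.
            break
        }
        # No match with the legacy domain - do nothing.
    }
}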