@grenade
Last active August 29, 2015 14:00
<#
.Synopsis
- Create an AD group to manage adding and removing computers to or from a domain under a specific AD scope.
- Add user accounts to the new group.
.Link
http://serverfault.com/a/146436/9144
.Link
http://technet.microsoft.com/en-us/library/ee617210.aspx
.Link
http://damianflynn.com/2011/08/23/ad-delegating-control-in-powershell/
#>
param (
    [string] $ldapRoot = "dc=example,dc=com",
    [string] $hostScope = ("ou=Application Servers,ou=development,ou=servers,ou=london,ou=accounts computer,{0}" -f $ldapRoot),
    [string] $groupScope = ("cn=Users,{0}" -f $ldapRoot),
    [string] $groupName = "VMM Administrators",
    [string] $groupDescription = "Members of this group are Hyper-V VMM Administrators",
    [string[]] $groupMembers = @("svc_tcbuild_int", "admin_rt")
)
# Constants and prerequisites
# Empty GUID: the ACE is not limited to one attribute, property set or extended right
$guidNull = [Guid]::Empty
# schemaIDGUID of the "computer" object class
$guidComp = [Guid] "bf967a86-0de6-11d0-a285-00aa003049e2"
Import-Module ActiveDirectory
# Create VMM Administrators group:
New-ADGroup -Name $groupName -SamAccountName $groupName.Replace(" ", "_") -GroupCategory Security -GroupScope Global -DisplayName $groupName -Path $groupScope -Description $groupDescription
$group = Get-ADGroup $groupName.Replace(" ", "_")
# Get-ADGroup already returns the SID as a SecurityIdentifier, which is the IdentityReference the access rules need
$groupSID = $group.SID
$hostsOU = [ADSI]("LDAP://{0}" -f $hostScope)
# Grant create, delete computer accounts under scope to new group.
# Creating an object is checked against the parent's DACL, so CreateChild/DeleteChild for the
# computer class must be granted on the OU itself (inheritance "All" also covers sub-OUs).
$createDeleteRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $groupSID,"CreateChild,DeleteChild","Allow",$guidComp,"All"
$hostsOU.ObjectSecurity.AddAccessRule($createDeleteRule)
# Grant full control over computer accounts under scope to new group.
# Inherit-only ACE that applies to descendant objects of class "computer" only (not to the OU or other
# object classes); this covers the password reset and attribute writes a domain join needs.
$accessRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $groupSID,"GenericAll","Allow",$guidNull,"Descendents",$guidComp
$hostsOU.ObjectSecurity.AddAccessRule($accessRule)
$hostsOU.CommitChanges()
# Add users to new group
Add-ADGroupMember -Identity $groupSID -Members $groupMembers
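Once a delegation like this has been committed, the check worth keeping next to it reads the OU's DACL back and lists exactly which ACEs name the delegated group, decoding the object-class GUIDs so that an ACE scoped to "computer" can be told apart from one that applies to every object under the OU. The script below is an added example, not part of the gist; it assumes the gist's default OU and the SamAccountName VMM_Administrators that the gist derives from the group name.

```powershell
# Added audit script (not from the gist): list the ACEs on the delegated OU that name the delegated group.
Import-Module ActiveDirectory

# schemaIDGUID of the "computer" class (same constant the delegation script uses)
$guidComp = [Guid] "bf967a86-0de6-11d0-a285-00aa003049e2"

function Get-GuidLabel([Guid] $g) {
    # Translate the two GUIDs the delegation uses into readable labels; anything else is shown raw
    if ($g -eq [Guid]::Empty) { return "(any)" }
    if ($g -eq $guidComp)     { return "computer" }
    return $g.ToString()
}

function Get-DelegationAces([string] $ouDn, [string] $groupSam) {
    $groupSid = (Get-ADGroup $groupSam).SID
    $ou = [ADSI] ("LDAP://{0}" -f $ouDn)
    # Explicit and inherited ACEs, keyed by SID so a renamed or unresolved principal cannot hide a match
    $rules = $ou.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $rules | Where-Object { $_.IdentityReference -eq $groupSid } | ForEach-Object {
        [pscustomobject] @{
            Type                = $_.AccessControlType
            Rights              = $_.ActiveDirectoryRights
            ObjectType          = Get-GuidLabel $_.ObjectType
            InheritedObjectType = Get-GuidLabel $_.InheritedObjectType
            Inheritance         = $_.InheritanceType
            IsInherited         = $_.IsInherited
        }
    }
}

# Assumed scope and group: the gist's defaults (the group name with spaces replaced by underscores)
$aces = Get-DelegationAces -ouDn "ou=Application Servers,ou=development,ou=servers,ou=london,ou=accounts computer,dc=example,dc=com" -groupSam "VMM_Administrators"
$aces | Format-Table -AutoSize

# The delegation is meant to grant GenericAll only to descendant computer objects. A GenericAll ACE whose
# inherited object type is not "computer" applies to every object under the OU (users, groups, sub-OUs), so flag it.
$genericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$aces | Where-Object { (($_.Rights -band $genericAll) -eq $genericAll) -and ($_.InheritedObjectType -ne "computer") } |
    ForEach-Object { Write-Warning ("Broad ACE: {0} {1} ({2})" -f $_.Type, $_.Rights, $_.Inheritance) }
```

Running it before and after the delegation script gives a diff of the group's effective entries on the OU, including any it already inherits from a parent OU.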