<# | |
.SYNOPSIS | |
Manages Shadow Groups in Active Directory | |
.DESCRIPTION | |
This script automatically manages the member users and computers of the groups placed in
"OU=Shadow Groups,OU=Security Groups,DC=contoso,DC=com" (the SearchBase used below). For a
group named "Shadow - <Name>", every user and computer located in an OU named "<Name>"
(matched by OU name domain-wide, child OUs included) is added to the group, and users and
computers that are no longer located in such an OU are removed from the group. Nested
groups are left untouched, but their members are mirrored as direct members.
Due to http://community.office365.com/en-us/forums/148/p/225396/696200.aspx#696200,
this script also flattens nested-group membership for the groups in
"OU=Distribution Groups,DC=contoso,DC=com".
.COMPONENT | |
ActiveDirectory | |
.LINK | |
Author: Kenaniah Cerny <https://github.com/kenaniah> | |
#> | |
Import-Module ActiveDirectory | |
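# Reconciles a group's DIRECT membership against the set of principals that should be in it.
#
# Parameters:
#   $GROUP         - the ADGroup (or any identity Get-ADGroupMember accepts) to reconcile.
#   $VALID_MEMBERS - the users / computers that should be direct members. Any direct member
#                    that is not in this set and is not itself a group is removed; duplicates
#                    in the set are tolerated.
#
# Nested groups are never added or removed, so sub-groups hung under a shadow group survive
# reconciliation (the caller supplies their flattened members in $VALID_MEMBERS).
#
# Members are compared by ObjectGUID, not by name, so a renamed or moved object is still
# recognised. The current membership is read with -ErrorAction Stop: if it cannot be read the
# function throws instead of treating the group as empty, which would otherwise cause every
# valid member to be re-added (and, in the caller's failure case, every member to be removed).
#
# Supports -WhatIf / -Confirm (e.g. `UpdateMembership $g $members -WhatIf`) so a dry run can
# be taken before the script is allowed to rewrite production group membership.
Function UpdateMembership {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param($GROUP, $VALID_MEMBERS)

    # Direct members only: Get-ADGroupMember is non-recursive by default.
    # NOTE: the ADWS default query limit (MaxGroupOrMemberEntries, 5000) makes this call fail
    # on very large groups; raise the limit on the DC rather than let it truncate silently.
    $GROUP_MEMBERS = @(Get-ADGroupMember -Identity $GROUP -ErrorAction Stop)
    $VALID_MEMBERS = @($VALID_MEMBERS | Where-Object { $_ })

    # Index both sides by ObjectGUID so the comparison is a hash lookup instead of the
    # O(n*m) `-NotContains` scan, and so duplicate valid entries collapse to one.
    $wanted = @{}
    foreach ($m in $VALID_MEMBERS) { $wanted["$($m.ObjectGUID)"] = $m }
    $current = @{}
    foreach ($m in $GROUP_MEMBERS) { $current["$($m.ObjectGUID)"] = $m }

    # Remove users / computers that don't belong (sub-groups are left untouched).
    foreach ($member in $GROUP_MEMBERS) {
        if ($member.ObjectClass -eq "group") { continue }
        if ($wanted.ContainsKey("$($member.ObjectGUID)")) { continue }
        if ($PSCmdlet.ShouldProcess($member.name, "Remove from group $($GROUP.name)")) {
            Remove-ADPrincipalGroupMembership -Identity $member -MemberOf $GROUP -Confirm:$false
            Write-Host "Removed:" $member.name
        }
    }

    # Add new users / computers to the group.
    foreach ($member in $wanted.Values) {
        if ($member.ObjectClass -eq "group") { continue }
        if ($current.ContainsKey("$($member.ObjectGUID)")) { continue }
        if ($PSCmdlet.ShouldProcess($member.name, "Add to group $($GROUP.name)")) {
            Add-ADPrincipalGroupMembership -Identity $member -MemberOf $GROUP
            Write-Host "Added:" $member.name
        }
    }
}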
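# ---- Configuration ---------------------------------------------------------------------
# The domain DN is hoisted so a forest other than contoso.com needs one edit, not three.
$DOMAIN_DN       = "DC=contoso,DC=com"
$SHADOW_GROUP_OU = "OU=Shadow Groups,OU=Security Groups,$DOMAIN_DN"
$DISTRO_GROUP_OU = "OU=Distribution Groups,$DOMAIN_DN"
# Group-name prefix that is stripped to obtain the name of the OU the group shadows.
$SHADOW_PREFIX   = "Shadow - "

# Returns the recursive membership of every group nested directly under $GROUP, so nested
# members can be mirrored as direct members (see the Office 365 note in the header).
# Get-ADGroupMember -Recursive returns the leaf principals only; nested groups themselves are
# not part of the result. Throws on any lookup failure so the caller can skip the group.
Function FlattenNestedGroups($GROUP) {
    $members = @()
    $nested = @(Get-ADGroupMember -Identity $GROUP -ErrorAction Stop |
                Where-Object { $_.objectClass -eq "group" })
    foreach ($sub in $nested) {
        $members += @(Get-ADGroupMember -Identity $sub -Recursive -ErrorAction Stop)
    }
    return $members
}

# Pull in the latest changes from the other DCs before reading, so an object that was just
# moved is not reconciled against stale data. repadmin is an external executable and does not
# raise a PowerShell error; surface its exit status instead of continuing silently.
repadmin /syncall
if ($LASTEXITCODE -ne 0) {
    Write-Warning "repadmin /syncall exited with $LASTEXITCODE; membership may be computed from stale replicas"
}

# ---- Shadow groups ----------------------------------------------------------------------
$SHADOW_GROUPS = Get-ADGroup -Filter * -SearchBase $SHADOW_GROUP_OU
foreach ($GROUP in $SHADOW_GROUPS) {
    Write-Host "=== Group:", $GROUP.name, "==="

    # The OU name is the group name with the prefix removed. -replace is a regex operator, so
    # escape the prefix and anchor it: only a leading prefix is stripped.
    $NAME = $GROUP.name -replace ("^" + [regex]::Escape($SHADOW_PREFIX)), ""

    try {
        # SECURITY NOTE: this matches on OU *name* across the whole domain, so any OU with
        # this name — including one created elsewhere in the tree by a delegated admin —
        # feeds its users and computers into this group. Add -SearchBase here if OU creation
        # is delegated below the top level.
        $OUS = @(Get-ADOrganizationalUnit -Filter { Name -eq $NAME } -ErrorAction Stop)
        if ($OUS.Count -eq 0) {
            # Fail safe: a missing OU is far more likely a rename/typo than a decision to
            # empty the group, so leave the membership alone instead of stripping everyone.
            Write-Warning "No OU named '$NAME' found for $($GROUP.name); membership left unchanged"
            continue
        }

        # Users and computers that should belong. -SearchBase defaults to Subtree scope,
        # so child OUs are included. -ErrorAction Stop: a partial listing must never be
        # reconciled, or the members that failed to enumerate would be removed.
        $VALID_MEMBERS = @()
        foreach ($OU in $OUS) {
            $VALID_MEMBERS += @(Get-ADUser     -Filter * -SearchBase $OU -ErrorAction Stop)
            $VALID_MEMBERS += @(Get-ADComputer -Filter * -SearchBase $OU -ErrorAction Stop)
        }
        # Members of nested groups are kept as direct members as well.
        $VALID_MEMBERS += @(FlattenNestedGroups $GROUP)
    } catch {
        Write-Warning "Skipping $($GROUP.name): $($_.Exception.Message)"
        continue
    }

    UpdateMembership $GROUP $VALID_MEMBERS
}
Write-Host

# ---- Distribution groups ----------------------------------------------------------------
# Only nested-group members are considered valid here: a user added directly to a
# distribution group without being in one of its nested groups is removed on the next run.
$DISTRO_GROUPS = Get-ADGroup -Filter * -SearchBase $DISTRO_GROUP_OU
foreach ($GROUP in $DISTRO_GROUPS) {
    Write-Host "=== Distro:", $GROUP.name, "==="
    try {
        $VALID_MEMBERS = @(FlattenNestedGroups $GROUP)
    } catch {
        Write-Warning "Skipping $($GROUP.name): $($_.Exception.Message)"
        continue
    }
    UpdateMembership $GROUP $VALID_MEMBERS
}
Write-Host

# Push the membership changes out to the other DCs.
repadmin /syncall
if ($LASTEXITCODE -ne 0) {
    Write-Warning "repadmin /syncall exited with $LASTEXITCODE; changes may take a replication cycle to converge"
}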