Powershell OU Shadow Script

By | March 28, 2010

***This article has been superseded by a more recent one on the same topic.***

It is sometimes useful to have the ability to populate group membership based on the OU in which the prospective members are located.  A good example of where this might be useful is with Fine-Grained Password Policy (FGPP) in Windows Server 2008 AD (and later).  FGPP does not have the ability to use an OU as its scope of management – you are limited to assigning the policy to user or group objects.

The script below shadows a specified OU and populates a group’s membership based on the contents of the OU.  It is intended to be invoked by the Windows Task Scheduler (taskschd.msc).

Note that it requires PowerShell 2.0 and uses the Active Directory module.

######################################################### 
# 
# Name: OUShadow.ps1 
# Author: Tony Murray 
# Version: 1.0 
# Date: 26/03/2010 
# Comment: PowerShell 2.0 script to set the members of 
# a group based on the OU they live in 
# 
#########################################################  

#Import the Active Directory Powershell Module

Import-Module ActiveDirectory -ErrorAction SilentlyContinue

#Set Variables
$Group = "OU Shadow"
$SearchBase = "OU=User Accounts,DC=Contoso,DC=Com"

# Current group members and the user objects in the OU.
# samAccountType 805306368 (0x30000000) is SAM_NORMAL_USER_ACCOUNT,
# so the filter returns user accounts only, not computers or groups.
# @() keeps the result an array even when zero or one object comes back.
$MbrArr = @(Get-ADGroupMember -Identity $Group)
$OUArr = @(Get-ADUser -LDAPFilter "(samAccountType=805306368)" -SearchBase $SearchBase)

# Compare distinguishedName strings with -contains rather than -Match:
# -Match treats the DN as a regular expression, so a name containing
# "(", ".", "+" or similar can mis-match or abort the comparison.
$MbrDNs = @($MbrArr | ForEach-Object { $_.DistinguishedName })
$OUDNs = @($OUArr | ForEach-Object { $_.DistinguishedName })

# Loop through the Users found in the OU
# and check to see if the user is already
# a member of the group.
Foreach ($User in $OUArr)
{
    if ($MbrDNs -contains $User.DistinguishedName)
    {
        # The user is already a member - do nothing
    }
    else
    {
        # We need to add the user as a member
        Add-ADGroupMember -Identity $Group -Members $User
    }
}

# Loop through the group membership and remove
# any users that are not in the OU
Foreach ($Mbr in $MbrArr)
{
    if ($OUDNs -contains $Mbr.DistinguishedName)
    {
        # Found user in OU - do nothing
    }
    else
    {
        # We need to remove the user as a member
        Remove-ADGroupMember -Identity $Group -Members $Mbr -Confirm:$false
    }
}
# End
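The same synchronisation written as a function with a dry-run mode, followed by the FGPP step the article gives as the motivation. This is an added example, not the post's script; the group, OU, PSO and user names are placeholders, and the Sync-OUShadowGroup function name is my own.

```powershell
# Added example, not the post's own script. Group, OU, PSO and user names
# are placeholders for your environment.
Import-Module ActiveDirectory -ErrorAction Stop

function Sync-OUShadowGroup {
    # -WhatIf reports the adds/removes without writing to AD; run that
    # first before handing the job to Task Scheduler.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string] $Group,
        [Parameter(Mandatory = $true)] [string] $SearchBase,
        [ValidateSet('OneLevel', 'Subtree')] [string] $SearchScope = 'Subtree'
    )
    # 805306368 = SAM_NORMAL_USER_ACCOUNT: user accounts only, no groups
    # or computers. @() keeps zero or one result as an array. Plain DN
    # strings are compared with -notcontains, not -Match, so regex
    # metacharacters in a name ("(", ".", "+") cannot break the match.
    $wanted  = @(Get-ADUser -LDAPFilter '(samAccountType=805306368)' `
                   -SearchBase $SearchBase -SearchScope $SearchScope |
                 ForEach-Object { $_.DistinguishedName })
    $current = @(Get-ADGroupMember -Identity $Group |
                 ForEach-Object { $_.DistinguishedName })
    $toAdd    = @($wanted  | Where-Object { $current -notcontains $_ })
    $toRemove = @($current | Where-Object { $wanted  -notcontains $_ })

    # One write per direction instead of one per user. The task account
    # needs only "Write Members" on this group object, not domain admin.
    if ($toAdd.Count -gt 0 -and $PSCmdlet.ShouldProcess($Group, "add $($toAdd.Count) member(s)")) {
        Add-ADGroupMember -Identity $Group -Members $toAdd
    }
    if ($toRemove.Count -gt 0 -and $PSCmdlet.ShouldProcess($Group, "remove $($toRemove.Count) member(s)")) {
        Remove-ADGroupMember -Identity $Group -Members $toRemove -Confirm:$false
    }
    New-Object PSObject -Property @{ Added = $toAdd; Removed = $toRemove }
}

# Dry run first, then the real sync; OneLevel ignores child OUs.
$ou = 'OU=User Accounts,DC=Contoso,DC=Com'
Sync-OUShadowGroup -Group 'OU Shadow' -SearchBase $ou -WhatIf
$result = Sync-OUShadowGroup -Group 'OU Shadow' -SearchBase $ou -SearchScope OneLevel
"Added {0}, removed {1}" -f $result.Added.Count, $result.Removed.Count

# FGPP, the use case in the article: a PSO cannot target an OU, so link
# it to the shadow group, then confirm what a member actually receives.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-UserAccounts' -Subjects 'OU Shadow'
Get-ADUserResultantPasswordPolicy -Identity 'jdoe' |
    Select-Object Name, MinPasswordLength, LockoutThreshold, Precedence
```

The resultant-policy check is the part worth keeping in the scheduled job's output: if a user in the OU still shows the domain default, the shadow group or the PSO link is out of sync.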

8 thoughts on “Powershell OU Shadow Script”

  1. Pingback: Active Directory Doings 4/2/2010 - The Experts Community

  3. Lance

    Hi,

    When using this script to update a shadow group (eg. when adding new users to the OU and then running the script) the following happens

    1. The error below is displayed.

    Windows PowerShell
    Copyright (C) 2009 Microsoft Corporation. All rights reserved.

    PS C:\Users\adminlv.PRIMARY> cd\
    PS C:\> cd .\Scripts
    PS C:\Scripts> .\OUShadow.ps1
    Add-ADGroupMember : The specified account name is already a member of the group
    At C:\Scripts\OUShadow.ps1:34 char:22
    Add-ADGroupMember <<<< -Identity $Group -Members $User
    CategoryInfo : NotSpecified: (Shadow Group09:ADGroup) [Add-ADGroupMember], ADException
    FullyQualifiedErrorId : The specified account name is already a member of the group,Microsoft.ActiveDirectory.Ma
    nagement.Commands.AddADGroupMember

    It then proceeds to delete all users from the security group except for the NEW users?

    Am I missing something?

  4. admin (Post author)

    Hi Lance

    Looks like it’s failing to match correctly against your array. It’s been a while since I wrote it. I’ll test it again and will report back.

    Tony

  5. admin (Post author)

    Hi again Lance

    Works fine for me (tried a couple of different environments).

    If you post me a copy of your script I’d be happy to take a look.

    tony [***AT***] activedir.org

  6. Ryan

    I’m having some difficulty with this. For some reason, when I run it on a domain controller, in an administrative powershell prompt, with a domain admin (and enterprise admin) user, the Add-ADGroupMember throws an error saying: Insufficient access rights to perform the operation. Any ideas?

  7. Mark Shoemaker

    Thanks for the script. I ran it in Task Scheduler and the history shows it completed, but the status still says running. Any thoughts…
