
March 4, 2015 at 9:47 am

Below is the script that I am trying to use to create and maintain shadow groups for RODC management. I'd like to turn it into a loop.
The issue I can see is that I have to pass 3 new variables every time the loop runs. What's the easiest way to go about this?
For instance, it would be a new user OU, computer OU, and group for each of the locations that exist:
Location1, Location2, Location3... etc.
Also, I don't take credit for the code below; I found the basis of it here (http://ahultgren.blogspot.com/2011/07/shadow-groups-in-active-directory.html). I just added the computer portion.

Thank you for any help in advance,
-Rob

## Add Active Directory PowerShell module to PowerShell ##
Import-Module ActiveDirectory

$UserOU = "OU=Location 1,OU=Users,DC=Company,DC=LOCAL"
$CompOU = "OU=Location 1,OU=Workstations,DC=Company,DC=LOCAL"
$Group  = "CN=ShadowLocation1,OU=Shadow Groups,OU=Groups,DC=Company,DC=LOCAL"

## Check current OU membership & remove wrong members ##
# A member is wrong only if its DN sits under neither OU, so the two tests must be joined
# with -and (with -or every member fails one of the tests and is removed on every run).
# "*,$UserOU" anchors the match to the parent OU instead of any substring of the DN.
Get-ADGroupMember -Identity $Group |
    Where-Object { $_.distinguishedName -notlike "*,$UserOU" -and $_.distinguishedName -notlike "*,$CompOU" } |
    ForEach-Object { Remove-ADPrincipalGroupMembership -Identity $_ -MemberOf $Group -Confirm:$false }

## Add users ##
# The LDAP filter needs double quotes so that $Group is expanded to the group's DN.
Get-ADUser -SearchBase $UserOU -SearchScope OneLevel -LDAPFilter "(!memberOf=$Group)" |
    ForEach-Object { Add-ADPrincipalGroupMembership -Identity $_ -MemberOf $Group }

## Add computers ##
Get-ADComputer -SearchBase $CompOU -SearchScope OneLevel -LDAPFilter "(!memberOf=$Group)" |
    ForEach-Object { Add-ADPrincipalGroupMembership -Identity $_ -MemberOf $Group }

March 4, 2015 at 10:08 am

Hi,

You can try with a PSCustomObject to store your variables.

# One object per location holds the three DNs the loop body needs.
$prop = @{
    "UserOU" = "OU=Location 1,OU=Users,DC=Company,DC=LOCAL"
    "CompOU" = "OU=Location 1,OU=Workstations,DC=Company,DC=LOCAL"
    "Group"  = "CN=ShadowLocation1,OU=Shadow Groups,OU=Groups,DC=Company,DC=LOCAL"
}
$a = New-Object PSObject -Property $prop

It'll help you 🙂

March 4, 2015 at 10:17 am

Save the User/Comp/Group sets in a CSV like:

"UserOU","CompOU","Group"
"OU=Location 1,OU=Users,DC=Company,DC=LOCAL","OU=Location 1,OU=Workstations,DC=Company,DC=LOCAL","CN=ShadowLocation1,OU=Shadow Groups,OU=Groups,DC=Company,DC=LOCAL"
"OU=Location 2,OU=Users,DC=Company,DC=LOCAL","OU=Location 2,OU=Workstations,DC=Company,DC=LOCAL","CN=ShadowLocation2,OU=Shadow Groups,OU=Groups,DC=Company,DC=LOCAL"

and use:

Import-Csv .\myad1.csv | ForEach-Object {
    $Group  = $_.Group
    $UserOU = $_.UserOU
    $CompOU = $_.CompOU

    ## Check current OU membership & remove wrong members ##
    # Joined with -and: a member is only wrong if it is under neither OU.
    Get-ADGroupMember -Identity $Group |
        Where-Object { $_.distinguishedName -notlike "*,$UserOU" -and $_.distinguishedName -notlike "*,$CompOU" } |
        ForEach-Object { Remove-ADPrincipalGroupMembership -Identity $_ -MemberOf $Group -Confirm:$false }

    ## Add users ##
    Get-ADUser -SearchBase $UserOU -SearchScope OneLevel -LDAPFilter "(!memberOf=$Group)" |
        ForEach-Object { Add-ADPrincipalGroupMembership -Identity $_ -MemberOf $Group }

    ## Add computers ##
    Get-ADComputer -SearchBase $CompOU -SearchScope OneLevel -LDAPFilter "(!memberOf=$Group)" |
        ForEach-Object { Add-ADPrincipalGroupMembership -Identity $_ -MemberOf $Group }
}
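
The per-location object from the PSCustomObject reply and the CSV loop above both feed three DNs into the same sync body. As an added example that is not from any poster in this thread, the version below wraps that body in a function that computes the membership delta by DN before touching AD, supports -WhatIf for a dry run, and returns a per-group summary. Because a shadow group typically drives an RODC Password Replication Policy, a wrong member means credentials get cached on a branch-office DC, so the removal step runs first and every change goes through ShouldProcess. The location list, the function name Sync-ShadowGroup and all DNs are constructed assumptions for illustration.

```powershell
# Added example (not from the original thread). Assumes the ActiveDirectory module and
# a domain where the constructed OU/group DNs below exist.
Import-Module ActiveDirectory

function Sync-ShadowGroup {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string]$Group,
        [Parameter(Mandatory)] [string]$UserOU,
        [Parameter(Mandatory)] [string]$CompOU
    )

    # Desired membership: every user and computer directly under the two OUs, keyed by DN.
    $desired = @{}
    Get-ADUser     -SearchBase $UserOU -SearchScope OneLevel -Filter * |
        ForEach-Object { $desired[$_.DistinguishedName] = $_ }
    Get-ADComputer -SearchBase $CompOU -SearchScope OneLevel -Filter * |
        ForEach-Object { $desired[$_.DistinguishedName] = $_ }

    # Current membership, keyed the same way so the comparison is an exact DN match,
    # not a regex or wildcard test against part of the DN.
    $current = @{}
    Get-ADGroupMember -Identity $Group |
        ForEach-Object { $current[$_.DistinguishedName] = $_ }

    $toAdd    = @($desired.Keys | Where-Object { -not $current.ContainsKey($_) })
    $toRemove = @($current.Keys | Where-Object { -not $desired.ContainsKey($_) })

    # Remove stale members first: an extra member of an RODC-cached group is the
    # security-relevant mistake, a missing one is only a logon inconvenience.
    foreach ($dn in $toRemove) {
        if ($PSCmdlet.ShouldProcess($dn, "Remove from $Group")) {
            Remove-ADGroupMember -Identity $Group -Members $dn -Confirm:$false
        }
    }
    foreach ($dn in $toAdd) {
        if ($PSCmdlet.ShouldProcess($dn, "Add to $Group")) {
            Add-ADGroupMember -Identity $Group -Members $dn
        }
    }

    # Summary object for logging; the Add/Remove cmdlets themselves emit nothing.
    [pscustomobject]@{
        Group   = $Group
        Added   = $toAdd.Count
        Removed = $toRemove.Count
    }
}

# Constructed sample definitions (assumed DNs). Import-Csv rows with the same three
# columns, as in the CSV reply above, can be piped in exactly the same way.
$locations = 1..3 | ForEach-Object {
    [pscustomobject]@{
        UserOU = "OU=Location $_,OU=Users,DC=Company,DC=LOCAL"
        CompOU = "OU=Location $_,OU=Workstations,DC=Company,DC=LOCAL"
        Group  = "CN=ShadowLocation$_,OU=Shadow Groups,OU=Groups,DC=Company,DC=LOCAL"
    }
}

# Dry run: prints "What if: ..." for every add/remove without changing AD.
$locations | ForEach-Object { Sync-ShadowGroup -Group $_.Group -UserOU $_.UserOU -CompOU $_.CompOU -WhatIf }

# Real run, with the per-group summary appended to an audit log.
$locations |
    ForEach-Object { Sync-ShadowGroup -Group $_.Group -UserOU $_.UserOU -CompOU $_.CompOU } |
    Tee-Object -FilePath .\shadow-sync.log -Append
```

Two caveats when scheduling this: Get-ADGroupMember enumerates through Active Directory Web Services, whose default MaxGroupOrMemberEntries limit is 5000 members per group, so very large shadow groups need that limit raised or a different enumeration path; and the -WhatIf pass is worth keeping as the first step of the scheduled job so that an OU rename or a mistyped DN shows up as a flood of proposed removals in the log instead of an emptied group.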

March 4, 2015 at 12:38 pm

Sam,
I just wanted to report back and say that worked like a charm. Thank you.