Security Groups for OU


This topic contains 10 replies, has 4 voices, and was last updated 3 months ago.

  • #111346

    Participant
    Points: 0
    Rank: Member

    I am attempting to write a script that will create OUs for each new customer my company gets, and thus each customer OU needs to be a part of specific Security Groups. Is there any way to script this? I have been trying for a few days with no success.

  • #111502

    Participant
    Points: 261
    Helping Hand
    Rank: Contributor

    Is there any way to script this?

    There's almost always a way. 😉 😀
    You might show what you have so far and we'll try to improve it. We don't like to deliver productive code on request for free. 😉 😉

  • #111530

    Participant
    Points: 0
    Rank: Member

    Of course. I am, however, new to scripting, so it's not the cleanest code. What I am trying to do is add the last two groups I have made to the OU made at the start of the script.

  • #111535

    Participant
    Points: 261
    Helping Hand
    Rank: Contributor

    Please edit your post again and format the code as code. This way it is hard to read and hard to copy because there are unwanted line breaks.
    Thanks
    (You use the "pre" buttons in the edit bar to format code as code here in the forum)

  • #111536

    Participant
    Points: 0
    Rank: Member

    Sorry, it's my first time using a forum for code.

    # Prompt for the customer identifiers; the customer OU is named "<MPID> (<Company>)"
    $MPID = Read-Host -Prompt "Input the company's MPID"
    $Company = Read-Host -Prompt "Input the company's full name"
    $OUName = "$MPID ($Company)"
    # Two CSV files that record every customer created so far
    $CSVLocation = "C:\Users\ben.wilson.admin\Documents\Scripts\Resources\New-ADHostingUser"
    $OUCSVLocation = "$CSVLocation\OU.csv"
    $MPIDCSVLocation = "$CSVLocation\MPIDs.csv"
    # Build the distinguished names below OU=Customers,OU=Hosting in the current domain
    $DomainName = (Get-ADDomain).DistinguishedName
    $Location = "OU=Customers,OU=Hosting,$DomainName"
    $GroupLocation = "OU=Groups,OU=$OUName,$Location"
    $AddGroup = "CN=$OUName,$Location"   # not used anywhere below
    Add-Content "$OUCSVLocation" "$OUName"
    Add-Content "$MPIDCSVLocation" "$MPID"
    
    ##OU
    # Parent customer OU, then one child OU per object type
    New-ADOrganizationalUnit -Name "$OUName" -Path "$Location" -ProtectedFromAccidentalDeletion $false
    New-ADOrganizationalUnit -Name "Computers" -Path "OU=$OUName,$Location" -ProtectedFromAccidentalDeletion $false
    New-ADOrganizationalUnit -Name "FTP Users" -Path "OU=$OUName,$Location" -ProtectedFromAccidentalDeletion $false
    New-ADOrganizationalUnit -Name "Groups" -Path "OU=$OUName,$Location" -ProtectedFromAccidentalDeletion $false
    New-ADOrganizationalUnit -Name "Service" -Path "OU=$OUName,$Location" -ProtectedFromAccidentalDeletion $false
    New-ADOrganizationalUnit -Name "Users" -Path "OU=$OUName,$Location" -ProtectedFromAccidentalDeletion $false
    
    ##Group
    # Security groups go into the customer's Groups OU; DomainLocal groups are the ones that will sit on
    # resource ACLs, Global groups are the ones that hold the customer's accounts
    $GroupName = "$MPID Shared Access (Read-Write)"
    New-ADGroup -Name "$GroupName" -GroupCategory Security -GroupScope DomainLocal -DisplayName "$GroupName" -Path "$GroupLocation"
    $GroupName = "$MPID Shared Access (Read-Only)"
    New-ADGroup -Name "$GroupName" -GroupCategory Security -GroupScope DomainLocal -DisplayName "$GroupName" -Path "$GroupLocation"
    $GroupName = "$MPID FTP Users"
    New-ADGroup -Name "$GroupName" -GroupCategory Security -GroupScope Global -DisplayName "$GroupName" -Path "$GroupLocation"
    $GroupName = "$MPID FTP Folder Access (Read-Write)"
    New-ADGroup -Name "$GroupName" -GroupCategory Security -GroupScope DomainLocal -DisplayName "$GroupName" -Path "$GroupLocation"
    $GroupName = "$MPID Data Share Access (Read-Write)"
    New-ADGroup -Name "$GroupName" -GroupCategory Security -GroupScope DomainLocal -DisplayName "$GroupName" -Path "$GroupLocation"
    $GroupName = "$MPID Data Share Access (Read-Only)"
    New-ADGroup -Name "$GroupName" -GroupCategory Security -GroupScope DomainLocal -DisplayName "$GroupName" -Path "$GroupLocation"
    $GroupName = "$MPID Customer Users"
    New-ADGroup -Name "$GroupName" -GroupCategory Security -GroupScope Global -DisplayName "$GroupName" -Path "$GroupLocation"
    $GroupName = "$MPID Billing Share Access"
    New-ADGroup -Name "$GroupName" -GroupCategory Security -GroupScope DomainLocal -DisplayName "$GroupName" -Path "$GroupLocation"
    $GroupName = "$MPID All Users"
    New-ADGroup -Name "$GroupName" -GroupCategory Security -GroupScope DomainLocal -DisplayName "$GroupName" -Path "$GroupLocation"
    $GroupName = "$MPID All Computers"
    New-ADGroup -Name "$GroupName" -GroupCategory Security -GroupScope Global -DisplayName "$GroupName" -Path "$GroupLocation"
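
Editor's added example, not part of any post in this thread: the same OU-and-group build as the script above, rewritten so that it validates the prompted values, refuses to run twice against the same customer, supports -WhatIf, leaves the OUs protected from accidental deletion, and writes an audit row instead of bare names. The MPID pattern, the audit log path and the Description text are assumptions; the page does not define them.

```powershell
Import-Module ActiveDirectory

function New-CustomerOUTree {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$MPID,
        [Parameter(Mandatory)][string]$Company,
        # Default parent taken from the posted script
        [string]$ParentPath = "OU=Customers,OU=Hosting,$((Get-ADDomain).DistinguishedName)",
        # Assumed audit log location (the posted script appends to CSVs under a user profile)
        [string]$AuditLog = 'C:\ProgramData\NewCustomerOU\audit.csv'
    )
    $ErrorActionPreference = 'Stop'   # fail on the first AD error instead of half-building the tree

    # Assumed MPID format: 3-8 upper-case letters or digits. Validating it keeps a typed
    # value from carrying DN separators into the OU name.
    if ($MPID -notmatch '^[A-Z0-9]{3,8}$') {
        throw "MPID '$MPID' does not match the expected pattern"
    }
    # The company name becomes part of an RDN; reject RDN-special characters rather than escaping them
    if ($Company -match '[,+"\\<>;=#]' -or $Company -ne $Company.Trim()) {
        throw "Company name contains characters that are not allowed in an OU name"
    }

    $ouName = "$MPID ($Company)"
    $ouDn   = "OU=$ouName,$ParentPath"

    # Idempotency check by DN rather than by LDAP filter: the parentheses in the
    # OU name would otherwise need filter escaping.
    $existing = $null
    try { $existing = Get-ADOrganizationalUnit -Identity $ouDn }
    catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] { }
    if ($existing) { throw "Customer OU '$ouDn' already exists; refusing to re-run against it" }

    # Child OUs and groups exactly as in the posted script, scope per group as posted
    $childOUs = 'Computers', 'FTP Users', 'Groups', 'Service', 'Users'
    $groups = @(
        @{ Suffix = 'Shared Access (Read-Write)';     Scope = 'DomainLocal' }
        @{ Suffix = 'Shared Access (Read-Only)';      Scope = 'DomainLocal' }
        @{ Suffix = 'FTP Users';                      Scope = 'Global'      }
        @{ Suffix = 'FTP Folder Access (Read-Write)'; Scope = 'DomainLocal' }
        @{ Suffix = 'Data Share Access (Read-Write)'; Scope = 'DomainLocal' }
        @{ Suffix = 'Data Share Access (Read-Only)';  Scope = 'DomainLocal' }
        @{ Suffix = 'Customer Users';                 Scope = 'Global'      }
        @{ Suffix = 'Billing Share Access';           Scope = 'DomainLocal' }
        @{ Suffix = 'All Users';                      Scope = 'DomainLocal' }
        @{ Suffix = 'All Computers';                  Scope = 'Global'      }
    )

    if (-not $PSCmdlet.ShouldProcess($ouDn, 'Create customer OU tree and security groups')) { return }

    # ProtectedFromAccidentalDeletion is left at its default ($true): a customer's
    # whole OU should not be removable by a mis-click or a stray Remove-ADOrganizationalUnit.
    New-ADOrganizationalUnit -Name $ouName -Path $ParentPath -Description "Customer $MPID"
    foreach ($child in $childOUs) {
        New-ADOrganizationalUnit -Name $child -Path $ouDn
    }

    $groupPath = "OU=Groups,$ouDn"
    foreach ($g in $groups) {
        $name = "$MPID $($g.Suffix)"
        New-ADGroup -Name $name -GroupCategory Security -GroupScope $g.Scope `
            -Path $groupPath -Description "Customer $MPID ($Company)"
    }

    # One audit row per customer: who created what, and when
    $null = New-Item -ItemType Directory -Path (Split-Path $AuditLog) -Force
    [pscustomobject]@{
        Timestamp = (Get-Date).ToString('o')
        Operator  = "$env:USERDOMAIN\$env:USERNAME"
        MPID      = $MPID
        Company   = $Company
        OU        = $ouDn
    } | Export-Csv -Path $AuditLog -Append -NoTypeInformation

    Get-ADOrganizationalUnit -Identity $ouDn
}

# Usage (sample values): -WhatIf lists what would be created without touching the directory
New-CustomerOUTree -MPID 'ACME1' -Company 'Acme Widgets' -WhatIf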
    
    • #111542

      Participant
      Points: 92
      Rank: Member

      So from the code you have posted, it looks like you are creating a parent OU, and then creating child OUs for Computers, FTP Users, Groups, Service, Users. Then you create new security groups of various scope.

      From what I can see, the piece that is missing is adding members to the group. Your original post states:

      each customer OU needs to be a part of specific Security Groups

      The code you have posted above does not deal with any group membership assignments.

      Add-ADGroupMember

      is probably what you are looking for. But with the given example / description, it isn't clear where you are stuck?

  • #111544

    Participant
    Points: 0
    Rank: Member

    Sorry, I meant to mention: I actually left out that line of code as it wasn't working. I am trying to add the last 2 groups I have made to the parent OU. Should have been more clear.

  • #111560

    Participant
    Points: 27
    Rank: Member

    So you need to add the "MPID All Users" and "MPID All Computers" groups to that parent OU's ACL?
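
Editor's added example, not part of any post in this thread: what "adding a group to the OU's ACL" looks like in PowerShell, using the AD: drive that the ActiveDirectory module mounts. The thread never says which rights the customer groups should hold, so the two rights shown (read the customer subtree; reset passwords on user objects under the customer's Users OU) are assumptions chosen to illustrate a plain ACE and an object-specific ACE. The sample values for $MPID, $Company and $Location follow the posted script's naming.

```powershell
Import-Module ActiveDirectory   # also mounts the AD: drive used by Get-Acl / Set-Acl below

function Grant-OUAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$OUDistinguishedName,
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryRights]$Rights,
        # Extended right or attribute the ACE is limited to; empty GUID = the whole object
        [guid]$ObjectType = [guid]::Empty,
        # Object class the ACE is inherited onto; empty GUID = every class
        [guid]$InheritedObjectType = [guid]::Empty,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance = 'All'
    )
    $ErrorActionPreference = 'Stop'

    # Put the group's SID in the ACE, not its name: groups can be renamed, SIDs cannot
    $sid  = [System.Security.Principal.SecurityIdentifier](Get-ADGroup -Identity $GroupName).SID
    $path = "AD:\$OUDistinguishedName"
    $acl  = Get-Acl -Path $path

    $rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
        $sid, $Rights, ([System.Security.AccessControl.AccessControlType]::Allow),
        $ObjectType, $Inheritance, $InheritedObjectType

    # Idempotency: do nothing if an identical explicit ACE is already on the OU
    $present = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.IdentityReference -eq $sid -and $_.ActiveDirectoryRights -eq $Rights -and
            $_.AccessControlType -eq 'Allow' -and $_.ObjectType -eq $ObjectType -and
            $_.InheritedObjectType -eq $InheritedObjectType -and $_.InheritanceType -eq $Inheritance
        }
    if ($present) { Write-Verbose "ACE already present for $GroupName on $OUDistinguishedName"; return }

    if ($PSCmdlet.ShouldProcess($OUDistinguishedName, "Grant $Rights to $GroupName")) {
        $acl.AddAccessRule($rule)
        Set-Acl -Path $path -AclObject $acl
    }
}

# Resolve the GUIDs from this forest's schema and configuration partitions instead of hard-coding them
$rootDse       = Get-ADRootDSE
$userClass     = [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
                    -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID).schemaIDGUID
$resetPassword = [guid](Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
                    -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid).rightsGuid

# Sample values (assumed), named as in the posted script
$MPID       = 'ACME1'
$Company    = 'Acme Widgets'
$Location   = "OU=Customers,OU=Hosting,$((Get-ADDomain).DistinguishedName)"
$customerOu = "OU=$MPID ($Company),$Location"

# 1. The customer's "All Users" group may read the whole customer subtree (plain ACE, inherited by all)
Grant-OUAccess -OUDistinguishedName $customerOu -GroupName "$MPID All Users" -Rights GenericRead

# 2. Reset Password on user objects below the customer's Users OU only (object-specific ACE;
#    the choice of group and right is an assumption, not something the thread specifies)
Grant-OUAccess -OUDistinguishedName "OU=Users,$customerOu" -GroupName "$MPID Customer Users" `
    -Rights ExtendedRight -ObjectType $resetPassword -InheritedObjectType $userClass -Inheritance Descendents

# Verify: list the explicit (non-inherited) ACEs now on the customer OU
(Get-Acl -Path "AD:\$customerOu").Access |
    Where-Object { -not $_.IsInherited } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType -AutoSize
```

Two things to check before running this for real: the account running Set-Acl needs WriteDacl on the target OU, and GenericRead is only an illustration, since Authenticated Users can already read most directory attributes by default. The real question for each customer group is the narrowest right it needs on the OU (a specific extended right or attribute set on a specific object class, as in the second call), never GenericAll or WriteDacl, because whoever holds those on the OU controls every account inside it.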

  • #111566

    Participant
    Points: 92
    Rank: Member

    I think the part that I am confused by in your original post is that you need "each customer OU needs to be part of specific security groups": you can't add OUs to security groups. Are you talking about shadow groups? Or are you talking about OU permissions with ACL as @matt-howard mentioned?
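
Editor's added example, not part of any post in this thread: the other reading of the question, a shadow group. Since an OU cannot be a member of a group, the usual approach is to keep "$MPID All Users" and "$MPID All Computers" populated from the objects that live under the customer OU, so that the groups (which can sit on share and directory ACLs) always mirror the OU. The function below computes the difference between the OU's contents and the group's current members and applies only that difference. Dropping disabled accounts from the group is an assumed policy, and the sample values follow the posted script's naming.

```powershell
Import-Module ActiveDirectory

function Sync-ShadowGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$GroupName,
        # OU whose contents define the membership (searched recursively)
        [Parameter(Mandatory)][string]$SearchBase,
        [ValidateSet('user', 'computer')][string]$ObjectClass = 'user',
        # Assumed policy: disabled accounts fall out of the group, so they lose share access at once
        [switch]$IncludeDisabled
    )
    $ErrorActionPreference = 'Stop'

    # objectCategory=person + objectClass=user selects user accounts but not contacts;
    # objectCategory=computer selects computer accounts
    $classFilter = @{
        user     = '(objectCategory=person)(objectClass=user)'
        computer = '(objectCategory=computer)'
    }[$ObjectClass]
    # userAccountControl bit 2 (ACCOUNTDISABLE) via the LDAP bitwise-AND matching rule
    $disabledFilter = if ($IncludeDisabled) { '' } else { '(!(userAccountControl:1.2.840.113556.1.4.803:=2))' }
    $ldapFilter = "(&$classFilter$disabledFilter)"

    # Desired membership: every matching object under the OU
    $desired = @(Get-ADObject -LDAPFilter $ldapFilter -SearchBase $SearchBase -SearchScope Subtree |
                 Select-Object -ExpandProperty DistinguishedName)

    # Current membership read from the member attribute: Get-ADGroupMember fails on
    # foreign security principals and on large groups, so it is avoided here
    $current = @((Get-ADGroup -Identity $GroupName -Properties member).member)

    $toAdd    = @($desired | Where-Object { $_ -notin $current })
    $toRemove = @($current | Where-Object { $_ -notin $desired })

    if ($toAdd.Count -gt 0 -and $PSCmdlet.ShouldProcess($GroupName, "Add $($toAdd.Count) member(s)")) {
        Add-ADGroupMember -Identity $GroupName -Members $toAdd
    }
    if ($toRemove.Count -gt 0 -and $PSCmdlet.ShouldProcess($GroupName, "Remove $($toRemove.Count) member(s)")) {
        Remove-ADGroupMember -Identity $GroupName -Members $toRemove -Confirm:$false
    }

    # Summary for the run log
    [pscustomobject]@{
        Group   = $GroupName
        Added   = $toAdd.Count
        Removed = $toRemove.Count
        Members = $desired.Count
    }
}

# Sample values (assumed), named as in the posted script; -WhatIf shows the diff without applying it
$MPID       = 'ACME1'
$Company    = 'Acme Widgets'
$customerOu = "OU=$MPID ($Company),OU=Customers,OU=Hosting,$((Get-ADDomain).DistinguishedName)"

Sync-ShadowGroup -GroupName "$MPID All Users"     -SearchBase "OU=Users,$customerOu"     -ObjectClass user     -WhatIf
Sync-ShadowGroup -GroupName "$MPID All Computers" -SearchBase "OU=Computers,$customerOu" -ObjectClass computer -WhatIf
```

Run on a schedule, this keeps the group honest in both directions: an account moved out of the customer OU is removed from the group on the next pass, which is the part hand-maintained groups usually get wrong. The `-notin` operator needs PowerShell 3.0 or later.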

  • #111569

    Participant
    Points: 0
    Rank: Member

    I would assume ACL, I am new to scripting so these terms are all new too.

  • #111571

    Participant
    Points: 92
    Rank: Member

    Well, if you weren't scripting this, how would you accomplish this task? Adding users to a group? Modifying the permissions of the OU?

The topic ‘Security Groups for OU’ is closed to new replies.