ADCycleGroups - Multi-Level GPO Phase-In Tool

Published on
3,510 Points
3 Endorsements
Last Modified:
Shaun Vermaak
My name is Shaun Vermaak and I have always been fascinated with technology and how we use it to enhance our lives and business.
ADCycleGroups is a multilevel GPO phase-in tool I developed to automate the moving of computers and users from one GPO version to the next, until it finally gets to the latest GPO policy. This allows me to gradually move computers and users from one version of a policy to the next.


My clients usually adopt a security framework such as Center for Internet Security (CIS).

Part of the paid subscription to CIS is what they call "CIS Remediation Kits" which are ultimately Active Directory security hardening policies. These policies are regularly updated to include new and updated hardening policies or to address identified issues.

I never apply any policy to all devices at once, in fact I find this a very bad practice. Instead, I automatically phase a policy out to computers and users by utilizing my ADRandomAddToGroup tool (See Phasing in a Group Policy

The reason I apply a policy as a phased in approach is that, no matter how many device you include in your testing environment, it is unrealistic to think that a such a sample group would be a proper representation of all production systems, especially in a larger environment.

I have, on more than one occasion, found mission critical, legacy systems that no-one supports or knows about, that do not support a particular security setting. You might even be surprised how some security suites are not capable of running on a security-hardened computer.

Using this process, you will identify issues not identified via testing earlier, without impacting the larger user community.

Essentially, out-of-the-box, you can limit a GPO to a specific group by altering the security of the GPO.

My ADRandomAddToGroup tool leverages this capability and allows me to randomly add computers or users to a group, whilst giving me the options to control how many objects are added to a group at a time, as well as setting an included/excluded Distinguished Names value.

This has worked well for me over the years for phasing in a single version GPO, but have found it challenging to maintain more than two versions of a policy. The issue is that, before I manage to get all computers/users onto a newer version of the remediation kit, a new one is released.

In large environments, it becomes a real pain to test and roll these policies out.


I decided to develop a new tool to automate the moving of computers from one version to the next, until it finally gets to the latest GPO policy. If, at any point, a new hardening policy is released, it can simply be added to the phased group list and member will move to the new group as soon as its minimum group member time is reached.

For example: The following config will move groups members, maximum of 4 per execution after they have been a member for at least 1 days, from RG-CIS_COMP_L1_v1.4.0 to CN=RG-CIS_COMP_L1_v1.4.2 and will move groups members, maximum of 2 per execution after they been a member for at least 10 days, from RG-CIS_COMP_L1_v1.4.2 to CN=RG-CIS_COMP_L1_v1.5.0

CIS COMP L1|1|CN=RG-CIS_COMP_L1_v1.4.0,OU=CIS,OU=Role Groups,OU=Groups,OU=HQ,DC=ITtelligence,DC=com|01:00:00:00|4
CIS COMP L1|2|CN=RG-CIS_COMP_L1_v1.4.2,OU=CIS,OU=Role Groups,OU=Groups,OU=HQ,DC=ITtelligence,DC=com|10:00:00:00|2
CIS COMP L1|3|CN=RG-CIS_COMP_L1_v1.5.0,OU=CIS,OU=Role Groups,OU=Groups,OU=HQ,DC=ITtelligence,DC=com|10:00:00:00|5


1) Download and extract ADCycleGroups.zip (here is VirusTotal scan) to a folder of your choice, saved on the computer on which it will be scheduled to run.

2) Run Configurator.exe (Configurator Editor).

a) On the Encrypt tab, enter the password for the account that will be performing the cleanup task. Encrypt it with key AAuPAoB1ektD4EkKBVXtdajuxsTIo9Xj and record encrypted password

b) On the Settings tab, enter the domain information, the service account user name and the encrypted password recorded in step 2a

c) Set History File to a writable location. This file will store the state of the groups during the execution of the tool

d) On the PhaseInSets tab, add the various PhaseInSets using the following notation

CIS COMP L1|1|CN=RG-CIS_COMP_L1_v1.4.2,OU=CIS,OU=Role Groups,OU=Groups,OU=HQ,DC=ITtelligence,DC=com|00:00:00:30|1

Friendly name for the phase set

Order in which groups move from one group to the next

Distinguished Name of the group to add members to

The minimum time-span that a member should remain in group (dd:hh:mm:ss or hh:mm:ss)

The maximum number of members that can move per execution

3) After that, you can schedule or manually run ADCycleGroups.exe



I hope you found this tutorial useful. You are encouraged to ask questions, report any bugs or make any other comments about it below. 


Note: If you need further "Support" about this topic, please consider using the Ask a Question feature of Experts Exchange. I monitor questions asked and would be pleased to provide any additional support required in questions asked in this manner, along with other EE experts...  


Please do not forget to press the "Thumbs Up" button if you think this article was helpful and valuable for EE members.


It also provides me with positive feedback. Thank you!

Ask questions about what you read
If you have a question about something within an article, you can receive help directly from the article author. Experts Exchange article authors are available to answer questions and further the discussion.
Get 7 days free