Solved

Script to Create AD Security Groups based on OU Membership

Posted on 2016-08-04
2
21 Views
Last Modified: 2016-08-23
Hey Guys -

Quick question - we have a domain with numerous OUs nested within each other.  Most are in the format below:

- AD Root
   - Site
      - Location
         - Workstations
         - Users
         - Groups

The "Location" parent is the name of physical location and we have many across the country.  What I am trying to do is create / locate a script or tool which will do the following:
- Obtain a list of members (device) in a specific "Location" OU (including children)
- Create an AD security group named after the "Location" which contains the same members

I can see where this may be doable fairly easily if I wanted to make a group named after an OU which the devices were immediately in, but am actually needing it to be the name of the OU one level up.  I've got about 200 - 300 of these I want to create.

Any suggestions?  Thanks!
0
Comment
Question by:BzowK
  • 2
2 Comments
 
LVL 12

Accepted Solution

by:
Dustin Saunders earned 500 total points (awarded by participants)
ID: 41742954
Something like this.  Will look at adroot, get all the sites, then locations in each site.  Then create 3 groups, one for users, one for computers, one for both.  Then adds the users to the user group, computers to the computer group, and then those groups to the all objects group.

Be sure to test on a dummy OU.

$adRoot = "OU=Sites,DC=yourdomain,DC=local"

$sites = Get-ADOrganizationalUnit -Filter * -SearchBase $adRoot -SearchScope OneLevel

foreach ($site in $sites)
{
    $locations = Get-ADOrganizationalUnit -Filter * -SearchBase $site.DistinguishedName -SearchScope OneLevel
    
    foreach ($location in $locations)
    {

        $computerGroup = $location.Name + " - Computers"
        $userGroup = $location.Name + " - Users"
        $allGroup = $location.Name + " - All Objects"
        $groupOU = "OU=Groups," + $location.DistinguishedName

        
        New-ADGroup -Name $computerGroup -SamAccountName $computerGroup -Path $groupOU -GroupScope Global
        New-ADGroup -Name $userGroup -SamAccountName $userGroup -Path $groupOU -GroupScope Global
        New-ADGroup -Name $allGroup -SamAccountName $allGroup -Path $groupOU -GroupScope Global
        

        Add-ADGroupMember -Identity $allGroup -Members $userGroup
        Add-ADGroupMember -Identity $allGroup -Members $computerGroup
                
        Get-ADUser -searchbase $location.distinguishedName -filter * | %{Add-ADGroupMember -Identity $userGroup -Members $_}
        Get-ADComputer -searchbase $location.distinguishedName  -filter * | %{Add-ADGroupMember -Identity $computerGroup -Members $_}

    }

}

Open in new window

0
 
LVL 12

Expert Comment

by:Dustin Saunders
ID: 41766624
The code provided works as intended (I've tested and verified on a test DC).
0

Featured Post

Why won’t your email signature format correctly?

Struggling to get your corporate email signatures to format correctly? Does the logo keep resizing? Is the text appearing too big? What can you do to prevent this? Find out how you can save your signatures today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
create SRP/Applocker rules in GPO on DC 5 8
Windows 10 and WSUS 3.2 5 46
Password change 3 23
Powershell Modification Requests 17 21
Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
A safe way to clean winsxs folder from your windows server 2008 R2 editions
This tutorial will walk an individual through locating and launching the BEUtility application and how to execute it on the appropriate database. Log onto the server running the Backup Exec database. In a larger environment, this would generally be …
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

24 Experts available now in Live!

Get 1:1 Help Now