Script to Create AD Security Groups based on OU Membership

Hey Guys -

Quick question - we have a domain with numerous OUs nested within each other.  Most are in the format below:

- AD Root
   - Site
      - Location
         - Workstations
         - Users
         - Groups

The "Location" parent is the name of physical location and we have many across the country.  What I am trying to do is create / locate a script or tool which will do the following:
- Obtain a list of members (device) in a specific "Location" OU (including children)
- Create an AD security group named after the "Location" which contains the same members

I can see where this may be doable fairly easily if I wanted to make a group named after an OU which the devices were immediately in, but am actually needing it to be the name of the OU one level up.  I've got about 200 - 300 of these I want to create.

Any suggestions?  Thanks!
BzowKAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Dustin SaundersDirector of OperationsCommented:
Something like this.  Will look at adroot, get all the sites, then locations in each site.  Then create 3 groups, one for users, one for computers, one for both.  Then adds the users to the user group, computers to the computer group, and then those groups to the all objects group.

Be sure to test on a dummy OU.

$adRoot = "OU=Sites,DC=yourdomain,DC=local"

$sites = Get-ADOrganizationalUnit -Filter * -SearchBase $adRoot -SearchScope OneLevel

foreach ($site in $sites)
{
    $locations = Get-ADOrganizationalUnit -Filter * -SearchBase $site.DistinguishedName -SearchScope OneLevel
    
    foreach ($location in $locations)
    {

        $computerGroup = $location.Name + " - Computers"
        $userGroup = $location.Name + " - Users"
        $allGroup = $location.Name + " - All Objects"
        $groupOU = "OU=Groups," + $location.DistinguishedName

        
        New-ADGroup -Name $computerGroup -SamAccountName $computerGroup -Path $groupOU -GroupScope Global
        New-ADGroup -Name $userGroup -SamAccountName $userGroup -Path $groupOU -GroupScope Global
        New-ADGroup -Name $allGroup -SamAccountName $allGroup -Path $groupOU -GroupScope Global
        

        Add-ADGroupMember -Identity $allGroup -Members $userGroup
        Add-ADGroupMember -Identity $allGroup -Members $computerGroup
                
        Get-ADUser -searchbase $location.distinguishedName -filter * | %{Add-ADGroupMember -Identity $userGroup -Members $_}
        Get-ADComputer -searchbase $location.distinguishedName  -filter * | %{Add-ADGroupMember -Identity $computerGroup -Members $_}

    }

}

Open in new window

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Dustin SaundersDirector of OperationsCommented:
The code provided works as intended (I've tested and verified on a test DC).
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Powershell

From novice to tech pro — start learning today.