
Script to Create AD Security Groups based on OU Membership

Hey Guys -

Quick question - we have a domain with numerous OUs nested within each other.  Most are in the format below:

- AD Root
   - Site
      - Location
         - Workstations
         - Users
         - Groups

The "Location" parent is the name of a physical location, and we have many across the country.  What I am trying to do is create / locate a script or tool which will do the following:
- Obtain a list of members (devices) in a specific "Location" OU (including children)
- Create an AD security group named after the "Location" which contains the same members

I can see where this may be doable fairly easily if I wanted to make a group named after an OU which the devices were immediately in, but am actually needing it to be the name of the OU one level up.  I've got about 200 - 300 of these I want to create.

Any suggestions?  Thanks!
Asked by BzowK
1 Solution
 
Dustin Saunders (Director of Operations) commented:
Something like this.  It will look at the AD root, get all the sites, then the locations in each site.  Then it creates 3 groups: one for users, one for computers, and one for both.  Then it adds the users to the user group, the computers to the computer group, and those two groups to the all-objects group.

Be sure to test on a dummy OU.

# Requires the ActiveDirectory module (RSAT). Container that holds the Site OUs.
$adRoot = "OU=Sites,DC=yourdomain,DC=local"

# Site OUs are the direct children of the root container.
$sites = Get-ADOrganizationalUnit -Filter * -SearchBase $adRoot -SearchScope OneLevel

foreach ($site in $sites)
{
    # Location OUs are the direct children of each Site OU.
    $locations = Get-ADOrganizationalUnit -Filter * -SearchBase $site.DistinguishedName -SearchScope OneLevel

    foreach ($location in $locations)
    {
        # Group names are derived from the Location OU, i.e. the OU one level above Workstations/Users.
        $computerGroup = $location.Name + " - Computers"
        $userGroup     = $location.Name + " - Users"
        $allGroup      = $location.Name + " - All Objects"
        # Groups are created in the existing "Groups" child OU of the Location.
        $groupOU       = "OU=Groups," + $location.DistinguishedName

        # New-ADGroup defaults to a Security group; it throws if the name already exists.
        New-ADGroup -Name $computerGroup -SamAccountName $computerGroup -Path $groupOU -GroupScope Global
        New-ADGroup -Name $userGroup     -SamAccountName $userGroup     -Path $groupOU -GroupScope Global
        New-ADGroup -Name $allGroup      -SamAccountName $allGroup      -Path $groupOU -GroupScope Global

        # Nest the user and computer groups inside the all-objects group.
        Add-ADGroupMember -Identity $allGroup -Members $userGroup
        Add-ADGroupMember -Identity $allGroup -Members $computerGroup

        # Default search scope is Subtree, so objects in child OUs of the Location are included.
        Get-ADUser     -SearchBase $location.DistinguishedName -Filter * |
            ForEach-Object { Add-ADGroupMember -Identity $userGroup -Members $_ }
        Get-ADComputer -SearchBase $location.DistinguishedName -Filter * |
            ForEach-Object { Add-ADGroupMember -Identity $computerGroup -Members $_ }
    }
}

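An added example, not the accepted answer's code: the same Sites -> Location walk, but rewritten as a re-runnable reconciliation for the computer group. The group is created only if it is missing, computers that moved into the Location (or any child OU) are added, computers that left it are removed from the group, and every change honours -WhatIf so it can be rehearsed against a test OU first. The search base DN and the " - Computers" suffix are assumed placeholders; the "Groups" child OU is assumed to exist under each Location, as in the question.

```powershell
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Assumed placeholder: container holding the Site OUs.
    [string]$SitesBase   = "OU=Sites,DC=yourdomain,DC=local",
    [string]$GroupSuffix = " - Computers"
)

function Sync-LocationComputerGroup {
    <# Reconcile "<Location> - Computers" with the computers at or below a Location OU.
       Returns a summary object so a run can be reviewed afterwards. #>
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] $LocationOu,   # object from Get-ADOrganizationalUnit
        [string]$Suffix = " - Computers"
    )

    $groupName = $LocationOu.Name + $Suffix
    $groupPath = "OU=Groups," + $LocationOu.DistinguishedName

    # 1. Get-or-create: a script-block filter avoids quoting problems in OU names.
    $group = Get-ADGroup -Filter { Name -eq $groupName } -SearchBase $groupPath -SearchScope OneLevel
    if (-not $group) {
        if ($PSCmdlet.ShouldProcess($groupName, "Create security group in $groupPath")) {
            $group = New-ADGroup -Name $groupName -SamAccountName $groupName -Path $groupPath `
                                 -GroupScope Global -GroupCategory Security -PassThru
        } else {
            return   # -WhatIf: nothing to reconcile yet
        }
    }

    # 2. Desired membership: every computer in the Location OU and its children.
    $desired = @(Get-ADComputer -Filter * -SearchBase $LocationOu.DistinguishedName -SearchScope Subtree)

    # 3. Current direct members that are computers (nested groups are left untouched).
    $current = @(Get-ADGroupMember -Identity $group | Where-Object objectClass -eq 'computer')

    $toAdd    = @($desired | Where-Object { $_.DistinguishedName -notin $current.DistinguishedName })
    $toRemove = @($current | Where-Object { $_.DistinguishedName -notin $desired.DistinguishedName })

    if ($toAdd.Count -gt 0 -and $PSCmdlet.ShouldProcess($groupName, "Add $($toAdd.Count) computer(s)")) {
        Add-ADGroupMember -Identity $group -Members $toAdd
    }
    if ($toRemove.Count -gt 0 -and $PSCmdlet.ShouldProcess($groupName, "Remove $($toRemove.Count) computer(s)")) {
        Remove-ADGroupMember -Identity $group -Members $toRemove -Confirm:$false
    }

    [pscustomobject]@{ Group = $groupName; Added = $toAdd.Count; Removed = $toRemove.Count }
}

# Walk Sites -> Locations exactly as in the accepted answer, then reconcile each one.
Get-ADOrganizationalUnit -Filter * -SearchBase $SitesBase -SearchScope OneLevel |
    ForEach-Object { Get-ADOrganizationalUnit -Filter * -SearchBase $_.DistinguishedName -SearchScope OneLevel } |
    ForEach-Object { Sync-LocationComputerGroup -LocationOu $_ -Suffix $GroupSuffix } |
    Format-Table -AutoSize
```

Run it once with `-WhatIf` to see the creates, adds and removes it would make before letting it touch the directory. Because membership is reconciled rather than appended, the groups stay an accurate mirror of the OU tree on every scheduled run, which matters when they are used as the basis for GPO filtering or access grants: a computer moved out of a location loses that access instead of keeping it indefinitely. Get-ADGroupMember has a default result limit on very large groups, so for groups beyond a few thousand members read the `member` attribute with Get-ADGroup -Properties member instead.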
Dustin Saunders (Director of Operations) commented:
The code provided works as intended (I've tested and verified on a test DC).
Question has a verified solution.
