Forked from davegreen/shadowGroupSync to prevent unwanted edits...
A PowerShell script that provides an easy way to manage Active Directory shadow groups. This script requires the PowerShell Active Directory module from Microsoft.
- Sync user or computer objects from one or more OUs to a single group.
- Ability to filter objects included in the shadow group using the PowerShell Active Directory Filter.
- Ability to choose shadow group type (Security/Distribution).
If you plan to run this script on a Server 2008R2 or Server 2012 Domain Controller, the Active Directory PowerShell module should already be installed.
Alternatively, if you wish to run this script from a Server 2008R2 or Server 2012 member server, you will need to install the AD-PowerShell module first. To do this, run PowerShell as an Administrator, then run the following commands:
Import-Module ServerManager
Add-WindowsFeature RSAT-AD-PowerShell
If you are running Windows 7, the module can be installed with the Microsoft Remote Server Administration Tools For Windows 7. You will then need to enable it from:
Control Panel -> Programs -> Turn Windows Features On or Off
You can also use the Add-WindowsFeature cmdlet as shown above.
With Windows 8, installing the Microsoft Remote Server Administration Tools For Windows 8 is enough, as all of the features are automatically enabled when the update is installed.
By default, PowerShell will not let you run scripts and will only work in interactive mode. In order to run the shadowGroupSync script from a local drive, you will need to alter this behaviour. To do this, run PowerShell as an Administrator, then run the following command:
Set-ExecutionPolicy RemoteSigned
This will allow scripts that are stored locally and not signed by a trusted publisher to be run.
Once you have downloaded the script, you will need to create the CSV file where you specify the shadow groups you want to create. Here is a sample CSV file:
Domain,ObjType,SourceOU,DestOU,GroupName,GroupType,Recurse
"contoso.com","computer","OU=A1,OU=A_Block,OU=Computers,DC=contoso,DC=com","OU=ShadowGroups,DC=contoso,DC=com","Block-A1","Security","SubTree"
"contoso.com","computer","OU=A2,OU=A_Block,OU=Computers,DC=contoso,DC=com","OU=ShadowGroups,DC=contoso,DC=com","Block-A2","Security","SubTree"
"contoso.com","computer","OU=A1,OU=A_Block,OU=Computers,DC=contoso,DC=com;OU=A2,OU=A_Block,OU=Computers,DC=contoso,DC=com","OU=ShadowGroups,DC=contoso,DC=com","Block-A1-A2","Security","OneLevel"
"contoso.com","user","OU=A1Users,OU=Users,DC=contoso,DC=com","OU=ShadowGroups,DC=contoso,DC=com","Users-A1","Distribution","SubTree"
"child.contoso.com","user-mail-enabled","OU=A2Users,DC=child,DC=contoso,DC=com","OU=ShadowGroups,DC=contoso,DC=com","Users-A2","Distribution","OneLevel"
- Domain specifies the domain to query for the source AD objects.
- ObjType selects which query the script uses to find source objects (the sample uses "computer", "user" and "user-mail-enabled"). New object types can be added by extending the query list in the script.
- SourceOU is the OU (or OUs, separated by a semicolon) to query for source objects for the shadow group.
- DestOU is the OU where you would like the shadow group to be created.
- GroupName specifies the name of the shadow group.
- GroupType specifies whether a Security or Distribution group will be created. The default is Security.
- Recurse specifies how to search the SourceOU for objects. This can be "OneLevel" or "SubTree".
You can place the CSV file anywhere on the system, as long as the script can be told where to find it.
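As an added example (not the shadowGroupSync script itself), the following shows how one row of the CSV format above can be processed: ObjType is mapped to an AD query, the semicolon-separated SourceOU is split, GroupType falls back to Security, and the membership delta is computed before any change is made. The helper names, the "user-mail-enabled" filter and the Global group scope are assumptions.

```powershell
# Added example, not the shadowGroupSync script: process one CSV row as described above.
Import-Module ActiveDirectory
# Map each ObjType value to the query used for it. The 'user-mail-enabled'
# filter (users that have a mail attribute) is an assumption, not taken from the script.
$ObjTypeQueries = @{
  'computer'          = { param($Base, $Scope, $Srv) Get-ADComputer -Filter * -SearchBase $Base -SearchScope $Scope -Server $Srv }
  'user'              = { param($Base, $Scope, $Srv) Get-ADUser -Filter * -SearchBase $Base -SearchScope $Scope -Server $Srv }
  'user-mail-enabled' = { param($Base, $Scope, $Srv) Get-ADUser -Filter 'mail -like "*"' -SearchBase $Base -SearchScope $Scope -Server $Srv }
}
function Get-ShadowGroupDelta {
  param([Parameter(Mandatory=$true)] $Row)   # one object produced by Import-Csv
  if (-not $ObjTypeQueries.ContainsKey($Row.ObjType)) { throw "Unknown ObjType '$($Row.ObjType)'" }
  if (@('OneLevel','SubTree') -notcontains $Row.Recurse) { throw "Recurse must be OneLevel or SubTree" }
  $groupType = if ($Row.GroupType) { $Row.GroupType } else { 'Security' }   # README default
  # SourceOU may list several OUs separated by ';'
  $desired = @(foreach ($ou in $Row.SourceOU -split ';') {
    & $ObjTypeQueries[$Row.ObjType] $ou.Trim() $Row.Recurse $Row.Domain
  })
  $desiredDn = @($desired | Select-Object -ExpandProperty DistinguishedName | Sort-Object -Unique)
  # Create the shadow group in DestOU if it does not exist yet. Scope is Global here;
  # the README notes that child-domain setups may need Universal instead.
  $group = Get-ADGroup -Filter "Name -eq '$($Row.GroupName)'" -SearchBase $Row.DestOU -Server $Row.Domain
  if (-not $group) {
    $group = New-ADGroup -Name $Row.GroupName -GroupCategory $groupType -GroupScope Global `
                         -Path $Row.DestOU -Server $Row.Domain -PassThru
  }
  # Read direct members as DNs straight from the 'member' attribute
  $currentDn = @((Get-ADGroup -Identity $group -Properties member -Server $Row.Domain).member)
  New-Object PSObject -Property @{
    Group    = $group.DistinguishedName
    ToAdd    = @($desiredDn | Where-Object { $currentDn -notcontains $_ })
    ToRemove = @($currentDn | Where-Object { $desiredDn -notcontains $_ })
  }
}
function Sync-ShadowGroup {
  [CmdletBinding()]
  param([Parameter(Mandatory=$true)] $Row, [switch] $ReportOnly)
  $d = Get-ShadowGroupDelta -Row $Row
  Write-Verbose ("{0}: add {1}, remove {2}" -f $d.Group, $d.ToAdd.Count, $d.ToRemove.Count)
  if (-not $ReportOnly) {
    if ($d.ToAdd)    { Add-ADGroupMember    -Identity $d.Group -Members $d.ToAdd    -Server $Row.Domain }
    if ($d.ToRemove) { Remove-ADGroupMember -Identity $d.Group -Members $d.ToRemove -Server $Row.Domain -Confirm:$false }
  }
  $d
}
# Usage: Import-Csv .\shadow-groups.csv | ForEach-Object { Sync-ShadowGroup -Row $_ -ReportOnly -Verbose }
```

Run it with -ReportOnly first to see which members each group would gain or lose before letting it write to the directory.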
You can run the script in a couple of ways. In most production environments, you can use a scheduled task to run the script.
The following command, placed in a batch file in the same directory as the script and the CSV (%~dp0 expands to the batch file's directory), will run the script and write its output, including errors, to a log file in that directory. Note that the redirections must be in this order: with "2>&1" placed before "> file", errors would still go to the console instead of the log.
powershell.exe -NoProfile -ExecutionPolicy Bypass -command "%~dp0shadowGroupSync.ps1 -verbose -file %~dp0shadow-groups.csv" > %~dp0shadowGroupSync.log 2>&1
If you want to run the script normally, you can call the PowerShell script either with or without the '-file' argument.
./shadowGroupSync.ps1 'C:\path\to\csv'
./shadowGroupSync.ps1 -file 'C:\path\to\csv'
If you are using this script with child domains, you may need to change the GroupScope of created shadow groups to Universal.
For help, feedback, suggestions or bugfixes please check out http://tookitaway.co.uk/ or contact [email protected].
- i3laze - Updated the script to deal with syncing mail-enabled users and child domains.
- Dmitry - Submitted a correction when using the script to generate groups for Fine-Grained Password Policies.
- Alex - Highlighted some bugs that needed fixing.