Initialize-GroupGids

a guest
Apr 13th, 2013
function Initialize-GroupGids {
<#
.SYNOPSIS
The Initialize-GroupGids cmdlet assigns unique gidNumber values to AD security groups.

.DESCRIPTION
The Initialize-GroupGids cmdlet assigns unique gidNumber values to AD security groups.

If all of your groups used by unix/linux are contained within an organizational
unit, you can specify that OU to avoid assigning gidNumbers where they aren't
needed. This also improves performance of the script.

In order to use Active Directory groups from unix/linux systems, a unique
gidNumber must be assigned to each group. According to RFC 2307, the current
best practice is to store this value in an attribute called "gidNumber".
However, previous versions of MS Services For Unix used different attributes.

This script does not require you to have a correctly configured NIS domain.
The gidNumber attribute will be populated regardless of your NIS settings.
You should use the MinimumGid parameter to ensure that gidNumbers assigned
in Active Directory don't overlap with other systems.

.PARAMETER SearchBase
Specifies an LDAP path to search under. Defaults to the root of the current domain.

.PARAMETER GidAttribute
Specifies the attribute name where the unique gid should be written. This
depends on your schema and the version of MS Services For Unix that is installed.
MS SFU:  msSFU2x-gidNumber
RFC2307: gidNumber (default)

.PARAMETER MinimumGid
You can specify the minimum gidNumber that will be assigned, in order to avoid
overlapping with other ranges used for per-user groups, or defined by other systems.

.EXAMPLE
Initialize-GroupGids OU=Groups,DC=contoso,DC=com -GidAttribute msSFU2x-gidNumber
If you're using an older version of MS Services for Unix, or if you're using non-
standard attributes to store group ID, then you need to specify the attribute name.

.EXAMPLE
Initialize-GroupGids OU=Groups,DC=contoso,DC=com -MinimumGID 1000000
You can specify the minimum gidNumber that will be assigned, in order to avoid
overlapping with other ranges used for per-user groups, or defined by other systems.
#>

    [CmdletBinding(SupportsShouldProcess=$True)]
    Param(
        [Parameter(ValueFromPipeline=$true,Position=0)]
        [String]$SearchBase,

        # Not mandatory: a mandatory parameter never uses its default, and the
        # second example above relies on the default of "gidNumber".
        [String]$GidAttribute = "gidNumber",

        [int]$MinimumGID = 1000000
    )

    # TODO evaluate whether hash-based GID assignment has any benefits
    # TODO verify the user-provided attribute exists in the schema

    Begin
    {
        # Get-ADDomain / Get-ADGroup / Set-ADGroup come from the RSAT ActiveDirectory module.
        Import-Module ActiveDirectory -ErrorAction Stop
    }

    Process
    {
        # String params are never $null. Check empty string instead.
        if ($SearchBase -eq "") {
            $SearchBase = ( Get-ADDomain | Select-Object -ExpandProperty DistinguishedName )
        }

        # If msSFU >= 3.0 is installed and NIS domains are configured correctly,
        # then it's easy to query for the highest GID in use. But in some cases
        # we can't rely on that, so this script searches all groups with GIDs.
        # http://stackoverflow.com/q/7989028/190298
        # The whole domain is searched (not just $SearchBase) so that a new GID
        # never collides with a group that lives outside the chosen OU.
        $highGid = Get-ADGroup -LDAPFilter "($GidAttribute=*)" -Properties $GidAttribute |
            ForEach-Object { [int]$_.$GidAttribute } |
            Measure-Object -Maximum |
            Select-Object -ExpandProperty Maximum

        # Avoid assigning GIDs below $MinimumGID ($highGid is $null when no group has one yet)
        $highGid = [Math]::Max( [int]$highGid, $MinimumGID )

        # RFC 4515 negation wraps the inner filter in its own parentheses: (!(attr=*))
        [array]$groups = Get-ADGroup -LDAPFilter "(!($GidAttribute=*))" -SearchBase $SearchBase |
            Where-Object { $_.GroupCategory -eq "Security" }

        $i = 0
        [int]$total = $groups.Count
        $groups | ForEach-Object {
            Write-Progress -Activity "Assigning GIDs" -PercentComplete ($i++ * 100.0 / $total) -Status "GID = $highGid"
            $gid = ++$highGid
            # Honour -WhatIf / -Confirm before writing to the directory
            if ($PSCmdlet.ShouldProcess($_.DistinguishedName, "Set $GidAttribute = $gid")) {
                $_ | Set-ADGroup -Add @{$GidAttribute=$gid}
            }
        }
    }
}
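The script's doc comment stresses that assigned gidNumbers must not overlap with other ranges. The function below is an added example, not part of the pasted script, that audits the values once they exist: it reports any gid shared by two or more groups and any gid below the expected minimum. The -GidAttribute and -MinimumGid parameter names mirror the script's own; the sample input at the end is constructed (it stands in for Get-ADGroup output) so the report can be viewed without a domain.

```powershell
function Test-GroupGids {
    [CmdletBinding()]
    Param(
        # Groups to audit. Pipe in Get-ADGroup output, or omit to query the domain.
        [Parameter(ValueFromPipeline=$true)]
        [object[]]$Group,

        [String]$GidAttribute = "gidNumber",

        [int]$MinimumGid = 1000000
    )

    Begin { $all = @() }

    Process {
        if ($Group) { $all += $Group }
    }

    End {
        if ($all.Count -eq 0) {
            # Nothing piped in: read every group in the domain that has the attribute set.
            $all = Get-ADGroup -LDAPFilter "($GidAttribute=*)" -Properties $GidAttribute
        }

        # Normalise to (name, gid) pairs; groups without a value are skipped.
        $pairs = foreach ($g in $all) {
            $value = $g.$GidAttribute
            if ($null -ne $value -and "$value" -ne "") {
                [pscustomobject]@{ Name = $g.Name; Gid = [int]$value }
            }
        }

        # Duplicates: one gid on two or more groups means unix sees them as the same group.
        $pairs | Group-Object Gid | Where-Object { $_.Count -gt 1 } | ForEach-Object {
            [pscustomobject]@{
                Problem = "DuplicateGid"
                Gid     = [int]$_.Name
                Groups  = ($_.Group.Name -join ", ")
            }
        }

        # Out of range: values below MinimumGid may collide with local or per-user groups.
        $pairs | Where-Object { $_.Gid -lt $MinimumGid } | ForEach-Object {
            [pscustomobject]@{
                Problem = "BelowMinimum"
                Gid     = $_.Gid
                Groups  = $_.Name
            }
        }
    }
}

# Constructed sample input (not from a real directory) to exercise the report offline.
$sample = @(
    [pscustomobject]@{ Name = "linux-admins"; gidNumber = 1000001 }
    [pscustomobject]@{ Name = "linux-users";  gidNumber = 1000002 }
    [pscustomobject]@{ Name = "legacy-app";   gidNumber = 1000001 }   # duplicate of linux-admins
    [pscustomobject]@{ Name = "old-unix";     gidNumber = 513 }       # below the default minimum
    [pscustomobject]@{ Name = "no-gid";       gidNumber = $null }     # skipped: no value
)
$sample | Test-GroupGids | Format-Table -AutoSize
```

Against a live domain, run `Test-GroupGids` with no pipeline input (or pipe in `Get-ADGroup -Filter * -Properties gidNumber`) before and after Initialize-GroupGids; an empty report is the expected result. The audit reads the same attribute the script writes, so pass the same -GidAttribute value when a schema uses msSFU2x-gidNumber.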