function Initialize-GroupGids {
<#
.SYNOPSIS
The Initialize-GroupGids cmdlet assigns unique gidNumber values to AD security groups.
.DESCRIPTION
The Initialize-GroupGids cmdlet assigns unique gidNumber values to AD security groups.
If all of your groups used by unix/linux are contained within an organizational
unit, you can specify that OU to avoid assigning gidNumbers where they aren't
needed. This also improves performance of the script.
In order to use Active Directory groups from unix/linux systems, a unique
gidNumber must be assigned to each group. According to RFC 2307, the current
best practice is to store this value in an attribute called "gidNumber".
However, previous versions of MS Services For Unix used different attributes.
This script does not require you to have a correctly configured NIS domain.
The gidNumber attribute will be populated regardless of your NIS settings.
You should use the MinimumGid parameter to ensure that gidNumbers assigned
in Active Directory don't overlap with other systems.
.PARAMETER SearchBase
Specifies an LDAP path to search under.
.PARAMETER GidAttribute
Specifies the attribute name where the unique gid should be written. This
depends on your schema and the version of MS Services For Unix that is installed.
MS SFU: msSFU2x-gidNumber
RFC2307: gidNumber
.PARAMETER MinimumGid
You can specify the minimum gidNumber that will be assigned, in order to avoid
overlapping with other ranges used for per-user groups, or defined by other systems.
.EXAMPLE
Initialize-GroupGids OU=Groups,DC=contoso,DC=com -GidAttribute msSFU2x-gidNumber
If you're using an older version of MS Services for Unix, or if you're using non-
standard attributes to store group ID, then you need to specify the attribute name.
.EXAMPLE
Initialize-GroupGids OU=Groups,DC=contoso,DC=com -MinimumGID 1000000
You can specify the minimum gidNumber that will be assigned, in order to avoid
overlapping with other ranges used for per-user groups, or defined by other systems.
#>
[CmdletBinding(SupportsShouldProcess=$True)]
Param(
    [Parameter(ValueFromPipeline=$true,Position=1)]
    [String]$SearchBase,
    # Optional: a Mandatory parameter would never use its default value,
    # and the examples above rely on "gidNumber" being the default.
    [String]$GidAttribute = "gidNumber",
    [int]$MinimumGID = 1000000
)
# TODO evaluate whether hash-based GID assignment has any benefits
# TODO verify the user-provided attribute exists in the schema
Process
{
    # String params are never $null. Check empty string instead.
    if ($SearchBase -eq "") {
        $SearchBase = ( Get-ADDomain | Select-Object -ExpandProperty DistinguishedName )
    }
    # If msSFU >= 3.0 is installed and NIS domains are configured correctly,
    # then it's easy to query for the highest GID in use. But in some cases
    # we can't rely on that, so this script searches all groups with GIDs.
    # This query is deliberately domain-wide (no -SearchBase), so that GIDs
    # assigned outside the OU are still taken into account.
    # http://stackoverflow.com/q/7989028/190298
    $highGid = Get-ADGroup -LDAPFilter "($GidAttribute=*)" -Properties $GidAttribute |
        Measure-Object -Property $GidAttribute -Maximum |
        Select-Object -ExpandProperty Maximum
    # Avoid assigning GIDs below $MinimumGID. If no group has a GID yet,
    # $highGid is $null, which [Math]::Max treats as 0.
    $highGid = [Math]::Max( [int]$highGid, $MinimumGID )
    # Security groups under $SearchBase that have no GID yet. The LDAP NOT
    # operator needs its operand in its own parentheses: (!(attr=*)).
    [array]$groups = Get-ADGroup -LDAPFilter "(!($GidAttribute=*))" -SearchBase $SearchBase |
        Where-Object { $_.GroupCategory -eq "Security" }
    $i = 0
    [int]$total = $groups.Count
    $groups | ForEach-Object {
        # Reserve the next GID before the ShouldProcess check so that a -WhatIf
        # run shows the exact value each group would receive.
        $newGid = ++$highGid
        Write-Progress -Activity "Assigning GIDs" -PercentComplete ($i++ * 100.0 / $total) -Status "GID = $newGid"
        if ($PSCmdlet.ShouldProcess($_.DistinguishedName, "Set $GidAttribute = $newGid")) {
            $_ | Set-ADGroup -Add @{$GidAttribute=$newGid}
        }
    }
}
}
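The script above relies on two invariants that are worth checking before and after a run: every Unix-enabled group carries exactly one gidNumber, and no two groups share one (a collision silently merges two groups' permissions on every Unix host that resolves them). The following function is an added example, not part of the original paste. It evaluates those invariants offline on plain objects; the function name, the sample groups and the collision in them are constructed for illustration.

```powershell
# Added example (not from the original paste): audit the GID invariants that
# Initialize-GroupGids depends on. Works on any objects that expose a Name and
# the GID attribute, so it can be run against constructed data or AD output.
function Test-GroupGidAssignment {
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$true)]
        [object[]]$Groups,                    # objects with Name and a GID property
        [String]$GidAttribute = "gidNumber",  # same attribute names as the script
        [int]$MinimumGID = 1000000
    )
    # Groups with a populated GID (0 is a legitimate value, so test for null/empty).
    $withGid = @($Groups | Where-Object {
        $null -ne $_.$GidAttribute -and "$($_.$GidAttribute)" -ne ""
    })
    # Groups the script would assign a GID to on its next run.
    $missing = @($Groups | Where-Object {
        $null -eq $_.$GidAttribute -or "$($_.$GidAttribute)" -eq ""
    })
    # A GID value shared by more than one group is a membership collision on Unix hosts.
    $dupes = @($withGid | Group-Object -Property $GidAttribute | Where-Object { $_.Count -gt 1 })
    # GIDs below the agreed minimum may overlap local or per-user group ranges.
    $belowMin = @($withGid | Where-Object { [int]$_.$GidAttribute -lt $MinimumGID })
    # Same "next GID" calculation the script uses: max(existing, minimum) + 1.
    $max = ($withGid | Measure-Object -Property $GidAttribute -Maximum).Maximum
    $nextGid = [Math]::Max([int]$max, $MinimumGID) + 1

    [pscustomobject]@{
        Total        = $Groups.Count
        Missing      = $missing.Name
        Duplicates   = $dupes | ForEach-Object { "{0}: {1}" -f $_.Name, ($_.Group.Name -join ", ") }
        BelowMinimum = $belowMin.Name
        NextGid      = $nextGid
        Healthy      = ($dupes.Count -eq 0 -and $missing.Count -eq 0 -and $belowMin.Count -eq 0)
    }
}

# Constructed sample data: one collision, one legacy value, one unassigned group.
$sample = @(
    [pscustomobject]@{ Name = "linux-admins"; gidNumber = 1000001 },
    [pscustomobject]@{ Name = "web-devs";     gidNumber = 1000001 },  # constructed collision
    [pscustomobject]@{ Name = "legacy-nis";   gidNumber = 500 },      # below MinimumGID
    [pscustomobject]@{ Name = "new-team";     gidNumber = $null }     # not yet assigned
)
Test-GroupGidAssignment -Groups $sample | Format-List
```

Against a live domain the same function can be fed `Get-ADGroup -Filter * -SearchBase $searchBase -Properties gidNumber` (or `msSFU2x-gidNumber` with `-GidAttribute msSFU2x-gidNumber`); run it once before `Initialize-GroupGids -WhatIf` to confirm the starting point is clean, and again afterwards to confirm `Missing` is empty and `Duplicates` is still empty. The `NextGid` value is the figure the script's own `Measure-Object` pass would arrive at, so a mismatch between the two points at groups outside the search base that already hold GIDs.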