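# Shadow-group synchronisation for computer objects.
#
# For every department OU directly under Laptops/ and Desktops/ this keeps one
# security group "<Department>-Computers" whose members are exactly the
# computers currently in that department's OUs. A department that exists under
# both Laptops and Desktops shares a single group, as in the original design.
# Shadow groups like these are normally consumed by GPO security filtering or
# delegated permissions, so the removal side matters as much as the add side:
# a computer moved out of an OU must also lose the group.
#
# Run it under an account delegated only what it needs: create-group on
# $GroupsPath and write-member on the *-Computers groups. Domain Admins is not
# required.
Import-Module ActiveDirectory

# Every AD call is pinned to the same DC. The original pinned only New-ADGroup,
# so a group created on that DC could be missing from whichever DC a later
# cmdlet in the same run talked to (replication lag).
$Server = 'server-name'

$CompanyDN  = 'OU=company,DC=company,DC=local'
$LaptopsDN  = "OU=Laptops,OU=Computers,$CompanyDN"
$DesktopsDN = "OU=Desktops,OU=Computers,$CompanyDN"
# Where the groups are created AND looked up. The original built its group DNs
# as CN=...,OU=company,... but created the groups under OU=Computers,OU=Groups,
# so its memberOf filter and membership clean-up never referred to a real group.
$GroupsPath = "OU=Computers,OU=Groups,$CompanyDN"

# Prompt before removing members, as the original did (-Confirm:$true). Set to
# $false for an unattended scheduled task; otherwise the run blocks on the prompt.
$ConfirmRemovals = $true

# Map: group name -> array of source OU DNs.
# - A PowerShell hashtable compares keys case-insensitively, matching AD naming;
#   the original's Select-Object -Unique is case-sensitive and could have
#   produced two groups differing only by case.
# - The OU DN is taken from AD rather than rebuilt from the name, so OU names
#   containing DN-special characters (',' '+' '"' ...) do not break the search base.
# - @(...) matters: with a single child OU the original `$LapOUs + $DesOUs`
#   concatenated two strings instead of joining two arrays.
$SourceOUs = @{}
foreach ($parentDN in @($LaptopsDN, $DesktopsDN)) {
    $children = @(Get-ADOrganizationalUnit -Server $Server -SearchBase $parentDN -Filter * -SearchScope OneLevel)
    foreach ($ou in $children) {
        $groupName = "$($ou.Name)-Computers"
        $SourceOUs[$groupName] += @($ou.DistinguishedName)
    }
}

foreach ($groupName in @($SourceOUs.Keys)) {
    $ouDNs = @($SourceOUs[$groupName])

    # Locate or create the shadow group. The lookup is domain-wide, like the
    # original's, so an existing same-name group is reused instead of causing a
    # failed New-ADGroup; if it lives outside $GroupsPath that is flagged so
    # someone can move it. The group's own DN is used from here on instead of a
    # hand-built "CN=$name,..." string.
    $found = @(Get-ADGroup -Server $Server -Filter { Name -eq $groupName })
    if ($found.Count -gt 1) {
        Write-Warning "More than one group named '$groupName' exists; skipping it."
        continue
    }
    $group = $found[0]
    if (-not $group) {
        Write-Host "Will create group $groupName..."
        $group = New-ADGroup -Server $Server -Path $GroupsPath -Name $groupName `
                             -GroupScope DomainLocal -GroupCategory Security -PassThru
        if (-not $group) {
            Write-Warning "Could not create group '$groupName'; skipping membership sync."
            continue
        }
    }
    elseif (-not $group.DistinguishedName.EndsWith(",$GroupsPath", [StringComparison]::OrdinalIgnoreCase)) {
        Write-Warning "Group '$groupName' lives at $($group.DistinguishedName), not under $GroupsPath."
    }
    $groupDN = $group.DistinguishedName

    # Desired members: every computer object under any of this department's OUs
    # (subtree search, the default the original Get-ADComputer -SearchBase used).
    $wanted = @{}
    foreach ($ouDN in $ouDNs) {
        Get-ADComputer -Server $Server -SearchBase $ouDN -Filter * |
            ForEach-Object { $wanted[$_.DistinguishedName] = $true }
    }

    # Current members, read from the group's member attribute. Get-ADGroupMember
    # fails on groups larger than the DC's MaxGroupOrMemberEntries limit (5000 by
    # default), which would have left a big group's clean-up silently undone.
    # foreach over $null iterates zero times, so an empty group needs no guard.
    $current = @{}
    $withMembers = Get-ADGroup -Server $Server -Identity $groupDN -Properties member
    foreach ($memberDN in $withMembers.member) { $current[$memberDN] = $true }

    # Exact set reconciliation, replacing the original add/remove pairs:
    # - "(!memberOf=$GroupDN[$i])" did not index the array inside the string, so
    #   the filter never matched and every computer was re-added each run;
    # - the clean-up compared against $LapOU/$DesOU, which were never defined, so
    #   "-NotMatch $null" was false for every member and nothing was ever removed
    #   (stale machines kept whatever the group grants);
    # - it also paired group i with laptop OU i and desktop OU i even though the
    #   three lists were built independently and could differ in length/order.
    # Anything that is not a computer in these OUs (e.g. a user added by hand)
    # is removed as well; that is what "shadow group" means here.
    $toAdd    = @($wanted.Keys  | Where-Object { -not $current.ContainsKey($_) })
    $toRemove = @($current.Keys | Where-Object { -not $wanted.ContainsKey($_) })

    if ($toAdd.Count -gt 0) {
        Add-ADGroupMember -Server $Server -Identity $groupDN -Members $toAdd
    }
    if ($toRemove.Count -gt 0) {
        Write-Host "Removing $($toRemove.Count) member(s) from $groupName that are no longer in its OUs"
        Remove-ADGroupMember -Server $Server -Identity $groupDN -Members $toRemove -Confirm:$ConfirmRemovals
    }
}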