shadowgroups
  1. import-module activedirectory
  2.  
  3. # Get a list of all the OUs under Laptops and Desktops
  4. $LapOUs = Get-ADOrganizationalUnit -SearchBase "OU=Laptops,OU=Computers,OU=company,DC=company,DC=local" -Filter * -SearchScope OneLevel | select -ExpandProperty name
  5. $DesOUs = Get-ADOrganizationalUnit -SearchBase "OU=Desktops,OU=Computers,OU=company,DC=company,DC=local" -Filter * -SearchScope OneLevel | select -ExpandProperty name
  6. $OUs = $LapOUs + $DesOUs | Select-Object -Unique
  7.  
  8. # Append -Computers to each OU name, so when the group gets created, it looks like "Department-Computers"
  9. $ModifiedLapOUs =  $LapOUs | foreach-object{ "$_-Computers" }
  10. $ModifiedDesOUs =  $DesOUs | foreach-object{ "$_-Computers" }
  11. $ModifiedOUs = $ModifiedLapOUs + $ModifiedDesOUs | Select-Object -Unique
  12.  
  13. # Create the DNs of all the OUs
  14. $LapOUDN = $LapOUs | foreach-object{ "OU=$_,OU=Laptops,OU=Computers,OU=company,DC=company,DC=local" }
  15. $DesOUDN = $DesOUs | foreach-object{ "OU=$_,OU=Desktops,OU=Computers,OU=company,DC=company,DC=local" }
  16. $OUDN = $LapOUDN + $DesOUDN | Select-Object -Unique
  17.  
  18. # All Group DNs
  19. $groupDN = $ModifiedOUs | ForEach-Object{ "CN=$_,OU=company,DC=company,DC=local" }
  20.  
  21.  
  22. # If the group does not exist in Active Directory, create it
  23. foreach ( $i in $ModifiedLapOUs ) {
  24.     if (!(Get-ADGroup -Filter {name -eq $i} )) {
  25.         Write-Host Will create group $i...
  26.         New-ADGroup -Server server-name -Path "OU=Computers,OU=Groups,OU=company,DC=company,DC=local" -Name $i -GroupScope DomainLocal -GroupCategory Security    
  27.     }
  28. }
  29. foreach ( $i in $ModifiedDesOUs ) {
  30.     if (!(Get-ADGroup -Filter {name -eq $i} )) {
  31.         Write-Host Will create group $i...
  32.         New-ADGroup -Server server-name -Path "OU=Computers,OU=Groups,OU=company,DC=company,DC=local" -Name $i -GroupScope DomainLocal -GroupCategory Security
  33.  
  34.     }
  35. }
  36.  
  37. # Add computers to the shadow groups
  38. for ( $i=0;$i -lt $groupDN.Count;$i++ ) {
  39.     Get-ADComputer -SearchBase $LapOUDN[$i] -LDAPFilter "(!memberOf=$GroupDN[$i])" | ForEach-Object {Add-ADPrincipalGroupMembership -Identity $_ -MemberOf $GroupDN[$i]}
  40.     Get-ADGroupMember -Identity $GroupDN[$i] | Where-Object {$_.distinguishedName -NotMatch $LapOU[$i]} | ForEach-Object {Remove-ADPrincipalGroupMembership -Identity $_ -MemberOf $GroupDN[$i] -Confirm:$true}
  41.     Get-ADComputer -SearchBase $DesOUDN[$i] -LDAPFilter "(!memberOf=$GroupDN[$i])" | ForEach-Object {Add-ADPrincipalGroupMembership -Identity $_ -MemberOf $GroupDN[$i]}
  42.     Get-ADGroupMember -Identity $GroupDN[$i] | Where-Object {$_.distinguishedName -NotMatch $DesOU[$i]} | ForEach-Object {Remove-ADPrincipalGroupMembership -Identity $_ -MemberOf $GroupDN[$i] -Confirm:$true}
  43. }