Automatic security groups for OUs in active directory

I wanted to use my OUs (Organizational Units) in security filtering (for Group Policies, share permissions, etc.). But because OUs don’t have SIDs (security identifiers), I had to create security groups instead.

I made one security group for every OU and filled each of them with the users from that OU. I also filled each OU group with the groups of its sub-OUs, so that membership nests the same way the OUs do.

Take this as an example of an AD domain with OUs:

domain: “”

OU: “Production”

– Sub-OU: “Production staff”
– Sub-OU: “Production Janitors”

For this domain I would make a group called OU_Production, another called OU_ProductionStaff and a third called OU_ProductionJanitors.

I would then fill the OU groups with the users from their OUs, and add the groups OU_ProductionStaff and OU_ProductionJanitors as members of OU_Production.

To keep these groups up to date without managing the members by hand, I created a PowerShell script that runs once a day and rebuilds the groups.

# Import the AD module
Import-Module ActiveDirectory

# Empty every OU_ group, then refill it with the users directly in its OU.
# -SearchScope 1 (OneLevel) returns only objects in that OU, not in its sub-OUs.

# OU_Production
Get-ADGroupMember OU_Production | % { Remove-ADGroupMember 'OU_Production' -Members $_ -Confirm:$false }
Get-ADUser -SearchBase 'OU=Production,DC=contoso,DC=com' -SearchScope 1 -Filter * | % { Add-ADGroupMember 'OU_Production' -Members $_ }
# OU_ProductionStaff
Get-ADGroupMember OU_ProductionStaff | % { Remove-ADGroupMember 'OU_ProductionStaff' -Members $_ -Confirm:$false }
Get-ADUser -SearchBase 'OU=Production Staff,OU=Production,DC=contoso,DC=com' -SearchScope 1 -Filter * | % { Add-ADGroupMember 'OU_ProductionStaff' -Members $_ }
# OU_ProductionJanitors (search base is the Janitors sub-OU, not the Staff one)
Get-ADGroupMember OU_ProductionJanitors | % { Remove-ADGroupMember 'OU_ProductionJanitors' -Members $_ -Confirm:$false }
Get-ADUser -SearchBase 'OU=Production Janitors,OU=Production,DC=contoso,DC=com' -SearchScope 1 -Filter * | % { Add-ADGroupMember 'OU_ProductionJanitors' -Members $_ }

# Re-add the sub-OU groups to OU_Production; the first line above removed them together with the users
Add-ADGroupMember -Identity "OU_Production" -Members "OU_ProductionStaff", "OU_ProductionJanitors"
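The script above empties each group before refilling it, so anyone relying on the group loses access for a moment on every run, and a failure halfway through leaves the group empty. The following is an added example (not the script from the post) that generalizes the same idea: it walks an OU tree, derives the OU_ group name from each OU, and changes only the members that actually differ. The domain DN, the starting OU and the naming rule are assumptions; adjust them to your directory.

```powershell
# Added example, not the original post's script: sync each OU_<name> group to the
# users directly inside its OU plus the groups of its child OUs, applying only the
# difference instead of emptying the group on every run. The domain DN, OU path
# and group naming rule are assumptions; adjust them to your directory.
Import-Module ActiveDirectory

$domainDn = 'DC=contoso,DC=com'   # assumed domain

# Group name derived from the OU name: "Production Staff" -> OU_ProductionStaff
function Get-OuGroupName {
    param([Microsoft.ActiveDirectory.Management.ADOrganizationalUnit]$Ou)
    'OU_' + ($Ou.Name -replace '\s', '')
}

function Sync-OuGroup {
    param([Microsoft.ActiveDirectory.Management.ADOrganizationalUnit]$Ou)
    $groupName = Get-OuGroupName $Ou
    $group = Get-ADGroup -Filter "Name -eq '$groupName'" -SearchBase $domainDn
    if (-not $group) {
        # Create a missing group next to the OU it mirrors
        $group = New-ADGroup -Name $groupName -GroupScope Global -Path $Ou.DistinguishedName -PassThru
    }

    # Desired members: users directly in this OU (OneLevel, so no sub-OUs) ...
    $desired = @(Get-ADUser -SearchBase $Ou.DistinguishedName -SearchScope OneLevel -Filter *)
    # ... plus the group of every direct child OU, synced first so that it exists
    $children = Get-ADOrganizationalUnit -SearchBase $Ou.DistinguishedName -SearchScope OneLevel -Filter *
    foreach ($child in $children) {
        Sync-OuGroup $child
        $desired += Get-ADGroup (Get-OuGroupName $child)
    }

    # Compare by DN and change only what differs: the group never goes empty mid-run,
    # and the member-added/removed audit events on the DC reflect real moves only
    $current  = @(Get-ADGroupMember $group)
    $toRemove = $current | Where-Object { $_.DistinguishedName -notin $desired.DistinguishedName }
    $toAdd    = $desired | Where-Object { $_.DistinguishedName -notin $current.DistinguishedName }
    if ($toRemove) { Remove-ADGroupMember $group -Members $toRemove -Confirm:$false }
    if ($toAdd)    { Add-ADGroupMember    $group -Members $toAdd }
    Write-Verbose ("{0}: +{1} -{2}" -f $groupName, @($toAdd).Count, @($toRemove).Count)
}

# Entry point: walk the Production tree; run this daily from a scheduled task
Sync-OuGroup (Get-ADOrganizationalUnit -Identity "OU=Production,$domainDn")
```

Run it once with -Verbose and inspect the reported additions and removals before scheduling it, since a wrong starting OU would silently strip members from the groups.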

RDP on Windows Server 2012

When you administer a Windows server, you’re probably used to being able to log in with the administrator account in two sessions at the same time. I found out that the RDP configuration is a bit more hidden in Server 2012 than in earlier versions like 2008 R2. This is how you do it:

1. Run gpedit.msc (Local Group Policy Editor)
2. Go to Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Connections.
3. Disable “Restrict Remote Desktop Services users to a single Remote Desktop Services session”
4. Disable “Limit number of connections”
5. Open a command prompt and apply the policy with gpupdate


Shrinking a thick-provisioned disk in VMware ESXi 5.1

Being new to virtualization, I made the mistake of making the provisioned disk on my Windows 2008 template about 100 GB too large, which filled up our SAN far too fast. Thinking that virtual machines were magical and that hardware could be reconfigured however I wanted, I assumed shrinking the disk would be easy. It wasn’t. After going through a lot of guides, none of which worked, I found this method:

Short version:
– Shrink the disks inside Windows
– Do a V2V conversion in VMware Converter, reconfiguring the disk size during the conversion.

Longer version:

– Shrink the disk(s) and remove unused disks in the Disk Management tool in Windows (an MMC snap-in in Windows Server 2008)
– Install VMware vCenter Converter 5.0.1 (earlier versions like 5.0.0 aren’t compatible with ESXi 5.1)
– Choose “Convert machine”
– Connect to your vCenter administration machine as the source
– Choose the machine whose disk you want to shrink.
– Connect to your vCenter administration machine as the destination.
– Edit the disk size (include only the drives you need) under Options.
– Wait while it copies
– Remove the old virtual machine (the source with the oversized disk)
– Profit!

Creating a Windows Server 2008 R2 template in VMware

This is mainly a short how-to for myself, after learning a few lessons.

  1. Create a virtual machine in VMware with a disk of at most 40 GB. It’s easy to increase the size of a disk in VMware, but a real pain to shrink one. All other hardware (CPU, RAM, network, etc.) is easy to reconfigure as needed.
  2. Install Windows Server 2008 R2 on the machine.
  3. Install all updates for Windows via Windows Update.
  4. Run sysprep (with “Generalize” checked) and power off the machine.
  5. Use vSphere to create a template from the powered-off machine.

Creating a template from a machine on which sysprep has not just been run will cause problems in your domain with IP and name conflicts, as you’ll have two machines with the same IP and name. The machines’ SIDs will also be identical, so changing the name and IP on one machine will not make all the problems go away. I’ve learned this the hard way.