Automatic security groups for OUs in Active Directory

I wanted to use my OUs (Organizational Units) for security filtering (Group Policy security filtering, share permissions, etc.). But because OUs don't have SIDs (security identifiers), they cannot appear in an ACL, so I had to make security groups instead.

I made one security group for every OU and filled it with the users from that OU. The group for a parent OU is also filled with the groups of its sub-OUs, so membership nests the same way the OU tree does.

Take this as an example of an AD domain with OUs:

domain: “contoso.com”

OU: “Production”

– Sub-OU: “Production staff”
– Sub-OU: “Production Janitors”

For this domain I would make a group called OU_Production, another called OU_ProductionStaff and a third called OU_ProductionJanitors.

I would then fill the OU-groups with the users from the OUs, and the group OU_Production with the groups OU_ProductionStaff and OU_ProductionJanitors.

To ensure that these groups stay up to date without manually managing the members, I created a PowerShell script that runs once a day to rebuild the groups.

# Import the AD module
Import-Module ActiveDirectory

# Remove and re-add members of every OU_ group.
# -SearchScope OneLevel (= 1) takes only the users directly in the OU;
# users in sub-OUs come in through the nested sub-OU groups below.

# OU_Production
Get-ADGroupMember OU_Production | % { Remove-ADGroupMember 'OU_Production' -Members $_ -Confirm:$false }
Get-ADUser -SearchBase 'OU=Production,DC=contoso,DC=com' -SearchScope OneLevel -Filter * | % { Add-ADGroupMember 'OU_Production' -Members $_ }
# OU_ProductionStaff
Get-ADGroupMember OU_ProductionStaff | % { Remove-ADGroupMember 'OU_ProductionStaff' -Members $_ -Confirm:$false }
Get-ADUser -SearchBase 'OU=Production Staff,OU=Production,DC=contoso,DC=com' -SearchScope OneLevel -Filter * | % { Add-ADGroupMember 'OU_ProductionStaff' -Members $_ }
# OU_ProductionJanitors (search base is the Janitors OU, not the Staff OU)
Get-ADGroupMember OU_ProductionJanitors | % { Remove-ADGroupMember 'OU_ProductionJanitors' -Members $_ -Confirm:$false }
Get-ADUser -SearchBase 'OU=Production Janitors,OU=Production,DC=contoso,DC=com' -SearchScope OneLevel -Filter * | % { Add-ADGroupMember 'OU_ProductionJanitors' -Members $_ }

# Nest the sub-OU groups in the parent OU group (they were removed by the first line above)
Add-ADGroupMember -Identity "OU_Production" -Members "OU_ProductionStaff", "OU_ProductionJanitors"
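The same idea generalized into one sync that walks the OU tree, as an added example that is not the original post's script: it derives each group name from the OU name, creates a missing group, nests every child OU's group in its parent's group, and applies only the difference between current and desired members, so a group is never momentarily empty between a remove-all and a re-add (an empty OU_ group silently drops the GPO filtering and share access that depend on it until the re-add finishes). The group container OU=Groups and the OU_<NameWithoutSpaces> naming rule are assumptions, as is the Production root from the example above.

```powershell
# Added example, not the author's script. Assumes the OU_ groups live in OU=Groups
# and are named OU_<OU name without spaces>; adjust $Root and $GroupPath to taste.
Import-Module ActiveDirectory

$Root      = 'OU=Production,DC=contoso,DC=com'   # top OU from the article's example
$GroupPath = 'OU=Groups,DC=contoso,DC=com'       # assumed container for the OU_ groups

function Get-OuGroupName($Ou) { 'OU_' + ($Ou.Name -replace '\s', '') }

function Sync-OuGroup {
    param($Ou)   # an ADOrganizationalUnit object
    $name  = Get-OuGroupName $Ou
    $group = Get-ADGroup -Filter "Name -eq '$name'"
    if (-not $group) {
        $group = New-ADGroup -Name $name -GroupScope Global -GroupCategory Security `
                             -Path $GroupPath -PassThru
    }

    # Desired members: users directly in this OU (OneLevel, as in the original script)
    # plus the OU_ group of each direct child OU, synced recursively first.
    $wanted = @(Get-ADUser -SearchBase $Ou.DistinguishedName -SearchScope OneLevel -Filter * |
                Select-Object -ExpandProperty DistinguishedName)
    $children = Get-ADOrganizationalUnit -SearchBase $Ou.DistinguishedName -SearchScope OneLevel -Filter *
    foreach ($child in $children) {
        $wanted += (Sync-OuGroup -Ou $child).DistinguishedName
    }

    # Current members read from the 'member' attribute (no Get-ADGroupMember size limit).
    $current = @((Get-ADGroup -Identity $group -Properties member).member)

    # Apply only the delta, and write each change out: every add/remove here is an
    # effective permission change and belongs in the scheduled task's log.
    $toAdd    = @($wanted  | Where-Object { $_ -notin $current })
    $toRemove = @($current | Where-Object { $_ -notin $wanted })
    if ($toAdd) {
        Add-ADGroupMember -Identity $group -Members $toAdd
        Write-Output "$name added $($toAdd -join ', ')"
    }
    if ($toRemove) {
        Remove-ADGroupMember -Identity $group -Members $toRemove -Confirm:$false
        Write-Output "$name removed $($toRemove -join ', ')"
    }
    return $group
}

Sync-OuGroup -Ou (Get-ADOrganizationalUnit -Identity $Root)
```

Group membership is put into the user's token at logon, so a user moved between OUs keeps the old group's access until the next logon even after the sync has run.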