Automatic security groups for OUs in Active Directory

I wanted to use my OUs (Organizational Units) in security filtering (for Group Policy filtering, share permissions, etc.). But because OUs don’t have SIDs (security identifiers), I had to make security groups instead.

I made one security group for every OU and filled each of them with the users located directly in that OU. I also added the groups of the sub-OUs as members of the parent OU’s group, so membership nests the same way the OU tree does.

Take this as an example of an AD domain with OUs:

domain: “”

OU: “Production”

– Sub-OU: “Production staff”
– Sub-OU: “Production Janitors”

For this domain I would make a group called OU_Production, another called OU_ProductionStaff and a third called OU_ProductionJanitors.

I would then fill each OU group with the users from its OU, and add the groups OU_ProductionStaff and OU_ProductionJanitors as members of OU_Production.

To keep these groups up to date without managing the members by hand, I created a PowerShell script that runs once a day (as a scheduled task) and rebuilds the group memberships.

# Import the AD module (part of RSAT)
Import-Module ActiveDirectory

# Remove and re-add members of all OU_ groups.
# -SearchScope 1 (OneLevel) returns only users located directly in the OU,
# not users in its sub-OUs; those are covered by the sub-OU groups below.

# OU_Production
Get-ADGroupMember 'OU_Production' | ForEach-Object { Remove-ADGroupMember 'OU_Production' -Members $_ -Confirm:$false }
Get-ADUser -SearchBase 'OU=Production,DC=contoso,DC=com' -SearchScope 1 -Filter * | ForEach-Object { Add-ADGroupMember 'OU_Production' -Members $_ }

# OU_ProductionStaff
Get-ADGroupMember 'OU_ProductionStaff' | ForEach-Object { Remove-ADGroupMember 'OU_ProductionStaff' -Members $_ -Confirm:$false }
Get-ADUser -SearchBase 'OU=Production Staff,OU=Production,DC=contoso,DC=com' -SearchScope 1 -Filter * | ForEach-Object { Add-ADGroupMember 'OU_ProductionStaff' -Members $_ }

# OU_ProductionJanitors (search base is the Janitors OU, not the Staff OU)
Get-ADGroupMember 'OU_ProductionJanitors' | ForEach-Object { Remove-ADGroupMember 'OU_ProductionJanitors' -Members $_ -Confirm:$false }
Get-ADUser -SearchBase 'OU=Production Janitors,OU=Production,DC=contoso,DC=com' -SearchScope 1 -Filter * | ForEach-Object { Add-ADGroupMember 'OU_ProductionJanitors' -Members $_ }

# Nest the sub-OU groups in OU_Production (re-added because the group was emptied above)
Add-ADGroupMember -Identity 'OU_Production' -Members 'OU_ProductionStaff', 'OU_ProductionJanitors'
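The script above empties each group and refills it, so for a moment during the daily run the group has no members and anything filtered on it (GPOs, share ACLs) briefly stops matching. The following is an added example, not the post's own script, that walks the OU tree recursively, derives the OU_ group name with the same naming convention, and changes only the memberships that actually differ. It assumes the RSAT ActiveDirectory module, a contoso.com domain, and an 'OU=Groups' container for the OU_ groups; all three are assumptions to adjust.

```powershell
# Added example: delta-based sync of OU_<Name> groups for a whole OU subtree.
# Assumes the ActiveDirectory module and rights to create/modify groups.
Import-Module ActiveDirectory

# Naming convention from the post: "OU_" + OU name with spaces removed.
function Get-OUGroupName([string]$OUName) {
    return 'OU_' + ($OUName -replace '\s', '')
}

function Sync-OUGroup {
    param(
        [Parameter(Mandatory)][string]$OUDistinguishedName,
        [string]$GroupContainer = 'OU=Groups,DC=contoso,DC=com'  # assumption
    )
    $ou        = Get-ADOrganizationalUnit -Identity $OUDistinguishedName
    $groupName = Get-OUGroupName $ou.Name

    # Create the group once if it does not exist yet.
    $group = Get-ADGroup -Filter "Name -eq '$groupName'"
    if (-not $group) {
        $group = New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
                             -Path $GroupContainer -PassThru
    }

    # Desired members: users directly in this OU plus the OU_ group of each child OU.
    # Child OUs are synced first (recursion) so their groups exist before nesting.
    $desired = @(Get-ADUser -SearchBase $ou.DistinguishedName -SearchScope OneLevel -Filter * |
                 Select-Object -ExpandProperty DistinguishedName)
    foreach ($child in Get-ADOrganizationalUnit -SearchBase $ou.DistinguishedName -SearchScope OneLevel -Filter *) {
        $childGroup = Sync-OUGroup -OUDistinguishedName $child.DistinguishedName -GroupContainer $GroupContainer
        $desired   += $childGroup.DistinguishedName
    }

    $current = @(Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty DistinguishedName)

    # Apply only the delta, so the group is never momentarily empty.
    $toAdd    = @($desired | Where-Object { $current -notcontains $_ })
    $toRemove = @($current | Where-Object { $desired -notcontains $_ })
    if ($toAdd.Count    -gt 0) { Add-ADGroupMember    -Identity $group -Members $toAdd }
    if ($toRemove.Count -gt 0) { Remove-ADGroupMember -Identity $group -Members $toRemove -Confirm:$false }
    return $group
}

# Sync the Production OU and everything below it.
Sync-OUGroup -OUDistinguishedName 'OU=Production,DC=contoso,DC=com'
```

Because only deltas are written, the daily run also produces a much smaller trail in the directory change log, which makes unexpected membership changes easier to spot when auditing.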

Creating a Windows Server 2008 R2 template in VMware

This is mainly a short how-to for myself, after learning a few lessons.

  1. Create a virtual machine in VMware with a disk of at most 40 GB. It’s easy to increase the size of a disk in VMware, but a real pain in the ass to shrink one. All other hardware (CPU, RAM, network, etc.) is easy to reconfigure as needed.
  2. Install Windows Server 2008 R2 on the machine.
  3. Install all updates for Windows via Windows Update.
  4. Run sysprep with the “Generalize” option checked and power off the machine.
  5. Use vSphere to create a template from the powered-off machine.

Creating a template from a machine without first running sysprep will cause IP and name conflicts in your domain, as you’ll have two machines with the same IP address and computer name. The machines’ SIDs will also be identical, so changing the name and IP on one machine will not make all the problems go away. I’ve learned this the hard way.