Forked from meoso/Shadow_Group-Generic_basic.ps1
Last active
December 3, 2020 17:47
-
-
Save ritsute/3931446dd6ad320866c6fdc06eed52d6 to your computer and use it in GitHub Desktop.
Concise PowerShell AD Group Shadow script from http://ravingroo.com/458/active-directory-shadow-group-automatically-add-ou-users-membership/
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $OU="OU=TheOUName,DC=yourdomain,DC=com" | |
| $ShadowGroup="CN=ShadowGroupName,OU=TheOUName,DC=yourdomain,DC=com" | |
| Import-Module ActiveDirectory | |
| (Get-ADGroup -Identity $ShadowGroup -properties members).Members | Get-ADUser | Where-Object {$_.distinguishedName –NotMatch $OU} | ForEach-Object {Remove-ADPrincipalGroupMembership –Identity $_ –MemberOf $ShadowGroup –Confirm:$false} | |
| Get-ADUser –SearchBase $OU –SearchScope OneLevel –LDAPFilter "(!memberOf=$ShadowGroup)" | ForEach-Object {Add-ADPrincipalGroupMembership –Identity $_ –MemberOf $ShadowGroup} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $OU="OU=TheOUName,DC=yourdomain,DC=com" | |
| $ShadowGroup="CN=ShadowGroupName,OU=TheOUName,DC=yourdomain,DC=com" | |
| $WhatIf=$true #set $true for testing and $false for action | |
| Import-Module ActiveDirectory | |
| Write-Host "Removing non-existent members" | |
| #$RemoveMembers = (Get-ADGroupMember -Identity $ShadowGroup | Where-Object {$_.distinguishedName -NotMatch $OU}) #Fails for more than 5000 | |
| $RemoveMembers = ((Get-ADGroup -Identity $ShadowGroup -properties members).Members | Get-ADUser | Where-Object {$_.distinguishedName -NotMatch $OU}) #workaround for 5000 limit | |
| $RemoveMembers | ForEach-Object {Write-Host -NoNewline $_.SamAccountName ": " ; Remove-ADPrincipalGroupMembership -Identity $_ -MemberOf $ShadowGroup -Confirm:$false -WhatIf:$WhatIf -Verbose} | |
| Write-Host "Adding members" | |
| $AddMembers=(Get-ADUser -SearchBase $OU -SearchScope OneLevel -LDAPFilter "(!memberOf=$ShadowGroup)") | |
| $AddMembers | ForEach-Object {Write-Host -NoNewline $_.SamAccountName ": " ; Add-ADPrincipalGroupMembership -Identity $_ -MemberOf $ShadowGroup -WhatIf:$WhatIf -Verbose} | |
| # Emailing | |
| if ($RemoveMembers -or $AddMembers) { | |
| $adminEmailAddr="admin1@yourdomain.com","admin2@yourdomain.com" | |
| $smtpServer="mailserver.yourdomain.com" | |
| #$from = "$env:COMPUTERNAME <noreply@yourdomain.com>" | |
| $from = "sender@yourdomain.com" | |
| $password = "smtppassword" | |
| $securepass = ConvertTo-SecureString -AsPlainText -String $password -Force | |
| $credential = New-Object System.Management.Automation.PSCredential -argumentlist $from,$securepass | |
| $subject = "Automated script: ShadowGroup: "+($ShadowGroup -split ',*..=')[1] | |
| $body="The following shadows applied between: <br>" | |
| $body+="OU: $OU <br>" | |
| $body+="Group: $ShadowGroup <br><br>" | |
| if ($WhatIf) { $body+="TESTING ONLY<br><br>"} | |
| foreach ($rm in $RemoveMembers) { | |
| $sName=$rm.SamAccountName | |
| $body+="Removed $sName <br>" | |
| } | |
| if ($RemoveMembers) {$body+="<br>"} | |
| foreach ($am in $AddMembers) { | |
| $sName=$am.SamAccountName | |
| $body+="Added $sName <br>" | |
| } | |
| $body+="<br>" | |
| Write-host "Emailing $adminEmailAddr" | |
| $textEncoding = [System.Text.Encoding]::UTF8 | |
| try { | |
| Send-Mailmessage -smtpServer $smtpServer -from $from -to $adminEmailAddr -Credential $credential -subject $subject -body $body -bodyasHTML -priority High -Encoding $textEncoding -ErrorAction Stop -ErrorVariable err | |
| } catch { | |
| write-host "Error: Failed to email $adminEmailAddr via $smtpServer" | |
| } finally { | |
| if ($err.Count -eq 0) { | |
| write-host "Successfully emailed $adminEmailAddr" | |
| } | |
| } | |
| } else { | |
| Write-Host "Nothing to email." | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
added smtp auth support.