PowerShell Version 2.0 script to fix "legacy" members of a specified Active Directory group, so that the member attribute of the group can take advantage of Linked Value Replication (LVR). If the members were assigned before the forest functional level was at least Windows Server 2003, their values in the member attribute may not take advantage of LVR. These values are called "legacy". Without LVR, any update to the membership of the group requires that the entire member attribute be replicated. For example, if the group has 1000 members and you add one more, all 1001 values must be replicated. With LVR, only the updated or new members are replicated.

The script prompts for the sAMAccountName of the group and a text file containing the output from the repadmin command. This file can be created at the command prompt of a domain controller with a statement similar to:

repadmin /showobjmeta mydc "cn=My Group,ou=West,dc=domain,dc=com" > report.txt

where "mydc" is the host name of a domain controller and the distinguished name is that of the group to be processed. The file "report.txt" contains the output and is the file the script prompts for.

The script first checks that the group object exists in Active Directory. Then the script parses the file for lines containing the string "LEGACY". This string means the repadmin tool identified a value of a linked multi-valued attribute that does not take advantage of LVR. The script parses this line for the lDAPDisplayName of the attribute to make sure it is "member". Then the script reads the value of the member attribute on the next line. This will be the distinguished name of a member of the group. This value is added to an array of member DNs. The script uses this array with the Remove-ADGroupMember cmdlet to remove all such identified members from the group. Finally, after a short pause, the script uses the Add-ADGroupMember cmdlet to add the members back into the group.

When the script has finished, all members that repadmin previously identified as "LEGACY" will now be identified as "PRESENT". This means they take advantage of link value replication.
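
The parse, remove and re-add steps described above, as an added PowerShell example; it is not the FixLegacyMembers script. The function names, the assumed report layout, the sample lines, the backup file and the 5-second pause are assumptions made for illustration.

```powershell
# Added example, not the FixLegacyMembers script. Assumed report layout, per the
# description above: a line with the value type and attribute name, then the DN.
function Get-LegacyMemberDN {
    param([string[]]$Lines)
    $dns = @()
    for ($i = 0; $i -lt $Lines.Count - 1; $i++) {
        $tokens = @($Lines[$i].Trim() -split '\s+')
        if ($tokens.Count -ge 2 -and $tokens[0] -eq 'LEGACY' -and $tokens[1] -eq 'member') {
            $dn = $Lines[$i + 1].Trim()
            # Sanity check: keep only DN-shaped values, and skip duplicates.
            if ($dn -match '^CN=.+,DC=' -and $dns -notcontains $dn) { $dns += $dn }
        }
    }
    return ,$dns
}

function Repair-LegacyMember {
    param([string]$Group, [string[]]$MemberDN, [string]$BackupPath, [switch]$Apply)
    if (-not $MemberDN -or $MemberDN.Count -eq 0) { return }
    # Save the list first: between removal and re-add these accounts are not
    # members of the group, and a failed re-add must be recoverable.
    $MemberDN | Set-Content -Path $BackupPath
    Import-Module ActiveDirectory
    $adGroup = Get-ADGroup -Identity $Group -ErrorAction Stop
    # Without -Apply both cmdlets run with -WhatIf and change nothing.
    Remove-ADGroupMember -Identity $adGroup -Members $MemberDN -Confirm:$false -WhatIf:(-not $Apply)
    Start-Sleep -Seconds 5   # assumed length for the "short pause"
    Add-ADGroupMember -Identity $adGroup -Members $MemberDN -WhatIf:(-not $Apply)
}

# Constructed sample lines (not output from a real domain controller).
$sample = @(
    'PRESENT       member 2012-01-10 09:15:02  Site1\MYDC   20481   20481   1',
    '        CN=Alice Adams,OU=West,DC=domain,DC=com',
    'LEGACY        member',
    '        CN=Bob Brown,OU=West,DC=domain,DC=com',
    'LEGACY        member',
    '        CN=Carol Clark,OU=West,DC=domain,DC=com'
)
$legacy = Get-LegacyMemberDN -Lines $sample
$legacy

# Dry run against the group, then repeat with -Apply to make the change:
# Repair-LegacyMember -Group '<sAMAccountName>' -MemberDN (Get-LegacyMemberDN (Get-Content report.txt)) -BackupPath legacy.txt
```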

Program file: FixLegacyMembers.txt