PowerShell Version 2 script to ensure all users in specified organizational units are also members of a corresponding shadow group. It also makes sure users not in the OUs are not members of the group. A Fine-Grained Password Policy can be applied to the group.

Shadow Groups are dynamic groups that include all users in a specified Organizational Unit, but no other users. In this way they shadow the OU. Because Fine-Grained Password Policies can only be applied to users and groups, this is the best way to apply a FGPP to all users in an Organizational Unit. This script has been modified to allow you to shadow more than one OU.

There is no automatic mechanism in Active Directory to keep the shadow group membership up to date. A script must be run periodically to update the membership. The script must remove any members of the group that are no longer in the OU (or OUs), and add any users in the OU (or OUs) that are not in the group. This PowerShell Version 2 script is designed to accomplish this task.

A few other scripts have been found for the same purpose, but they have some shortcomings. This script has the following features.

  1. Writes a log file documenting all users removed from or added to the group.
  2. The log file documents all the specified settings, such as whether child OUs are considered.
  3. Performs all updates to the group on the same domain controller to avoid any replication problems.
  4. Can include only enabled users in the group, or include all users in the OUs.
  5. Removes an array of users from the group in one bulk operation. Also adds an array of users to the group in one bulk operation.
  6. Allows at most 4000 users to be removed from or added to the group in one run. This avoids excessive network traffic and long-running transactions. You can run the script repeatedly to process more users.
  7. The method used to determine the parent OU of the user properly handles any commas in any component of the distinguished name of the user. For example "CN=Smith\, James,OU=West,DC=domain,DC=com".
  8. The script ignores other classes of objects, so the group or the OUs can also contain computer, contact, or group objects without affecting them.
  9. You can specify whether users in all child OUs are included, or only users directly in the specified OUs.
  10. The total number of users added to and removed from the group is documented in the log file.
  11. You can specify $Update = $False, in which case the script only reports what it would do, without actually updating the group.

The script exits with an error message under the following conditions.

  1. A specified OU distinguished name is invalid.
  2. A specified OU is not an organizational unit.
  3. The specified group distinguished name is invalid.
  4. The specified group is not a group object.
  5. The specified domain controller is not available.
  6. The specified domain controller does not support the Active Directory modules.
  7. The log file is invalid or cannot be written to.

To run the script in your environment for your purpose, you must assign values to the following variables in the configuration section of the script.

Variable      Description
$Server       The DNS host name of a domain controller that supports the PowerShell AD modules.
$LogFile      The path and name of a log file. If it does not exist it will be created.
$Update       $False means the script only reports what it would do. $True means the script updates the group.
$EnabledOnly  $True means the script only considers enabled users. $False means it considers all users.
$OUDN         An array of the distinguished names of the organizational units.
$GroupDN      The distinguished name of the corresponding shadow group. The group must exist, but it can be empty.
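The following is an added example, not the script from this page, showing the sync procedure described above with the same configuration variables: validate the OUs and group, compute the users that belong in the group, diff that against the current user members, log every change, cap the number of changes, and apply the adds and removes as bulk operations on one domain controller (or only report them when $Update is $False). The server name, log path, OU and group distinguished names are placeholders.

```powershell
# Added example (not the page's script). Assumes the ActiveDirectory module and the
# placeholder server, log path, OU DNs and group DN below.
Import-Module ActiveDirectory

$Server      = 'dc01.example.com'                                            # placeholder DC
$LogFile     = 'C:\Logs\ShadowGroup.log'                                     # placeholder path
$Update      = $false                                                        # $false = report only
$EnabledOnly = $true
$Recurse     = $true                                                         # $true = include child OUs
$OUDN        = @('OU=West,DC=example,DC=com', 'OU=East,DC=example,DC=com')  # placeholder OUs
$GroupDN     = 'CN=ShadowWestEast,OU=Groups,DC=example,DC=com'              # placeholder group
$MaxChanges  = 4000                                                          # per-run cap on adds/removes

function Write-Log ([string]$Message) {
    "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') $Message" | Out-File -FilePath $LogFile -Append -Encoding UTF8
}

# Validate the group and every OU on the chosen DC before touching anything; fail closed on error.
try {
    $Group = Get-ADGroup -Identity $GroupDN -Server $Server
    foreach ($ou in $OUDN) { $null = Get-ADOrganizationalUnit -Identity $ou -Server $Server }
} catch { Write-Log "ERROR: $_"; throw }

Write-Log "Start: Update=$Update EnabledOnly=$EnabledOnly Recurse=$Recurse Group=$GroupDN OUs=$($OUDN -join ';')"

# Desired membership: users in the OUs, keyed by DN so the comparison is exact (hashtable keys are case-insensitive).
$Scope  = if ($Recurse) { 'Subtree' } else { 'OneLevel' }
$Filter = if ($EnabledOnly) { 'Enabled -eq $true' } else { '*' }
$Wanted = @{}
foreach ($ou in $OUDN) {
    Get-ADUser -Filter $Filter -SearchBase $ou -SearchScope $Scope -Server $Server |
        ForEach-Object { $Wanted[$_.DistinguishedName] = $true }
}

# Current membership: only user objects are managed; computers, contacts and nested groups are left alone.
$Current = @{}
Get-ADGroupMember -Identity $Group -Server $Server |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { $Current[$_.distinguishedName] = $true }

$ToAdd    = @($Wanted.Keys  | Where-Object { -not $Current.ContainsKey($_) } | Select-Object -First $MaxChanges)
$ToRemove = @($Current.Keys | Where-Object { -not $Wanted.ContainsKey($_) }  | Select-Object -First $MaxChanges)

foreach ($dn in $ToRemove) { Write-Log "Remove: $dn" }
foreach ($dn in $ToAdd)    { Write-Log "Add: $dn" }

# Bulk updates on the same DC; -WhatIf is set when $Update is $false so the group is never modified.
if ($ToRemove.Count -gt 0) { Remove-ADGroupMember -Identity $Group -Members $ToRemove -Server $Server -Confirm:$false -WhatIf:(-not $Update) }
if ($ToAdd.Count    -gt 0) { Add-ADGroupMember    -Identity $Group -Members $ToAdd    -Server $Server -WhatIf:(-not $Update) }

Write-Log "Done: $($ToAdd.Count) to add, $($ToRemove.Count) to remove (applied=$Update)"
```

Run it first with $Update = $false and review the log before letting it change the group; note that Get-ADGroupMember is subject to the AD Web Services member-enumeration limit, so very large groups need that limit raised or an LDAP-based member query instead.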
