Have you ever spent time troubleshooting a problem only to discover that a computer or user wasn’t in the right security group? Shadow Groups (sometimes called dynamic security groups) can stop this problem! They work by automatically adding objects to a group based on a name, Organizational Unit, or another attribute. So get ready to embrace the dark side of Active Directory – we are about to set up some shadow security groups!
What are Shadow Groups?
When talking about groups in Active Directory, you tend to talk about security groups or distribution groups. Occasionally, you might mention mail-enabled security groups (security groups with an email address). Shadow Groups are security groups whose membership is updated by a scheduled script and managed automatically.
To get started, you will need a dedicated machine running PowerShell. This machine should have the AD PowerShell module, which is installed as part of RSAT. You will also need a dedicated user account that can modify group membership. For testing purposes, it is fine to use your own account.
Select a Security Group
Think of a security group that should contain a predictable set of members. For example, you might have a security group for each location that you support. This group would contain all computers beginning with a certain naming prefix.
Now, open PowerShell ISE and paste in the following script:

Import-Module ActiveDirectory

# Add computers to a group based on OU membership
$Group1 = Get-ADComputer -Filter * -SearchBase "OU=Sites,DC=TEST,DC=local"
foreach ($Member in $Group1) { Add-ADGroupMember -Identity "Group1" -Members $Member }

# Add computers to a group based on name
$Group2 = Get-ADComputer -Filter { Name -like 'SITE*' }
foreach ($Member in $Group2) { Add-ADGroupMember -Identity "Group2" -Members $Member }

# Add users to a group based on OU membership
$Group3 = Get-ADUser -Filter * -SearchBase "OU=Sites,DC=TEST,DC=local"
foreach ($Member in $Group3) { Add-ADGroupMember -Identity "Group3" -Members $Member }

# Add users to a group based on an attribute
$Group4 = Get-ADUser -Filter * -Properties Title | Where-Object Title -eq "Math Teacher"
foreach ($Member in $Group4) { Add-ADGroupMember -Identity "Group4" -Members $Member }
This script provides four common searches that you might need when creating a shadow group:
- Adding computers based on OU membership
- Adding computers based on name
- Adding users based on OU membership
- Adding users based on an attribute
Let's take that security group that you picked out (from above). Take the first command and modify its -SearchBase to point at your desired OU location. Then change the Add-ADGroupMember section to point to your site's security group. Bam! You just created a shadow group! Easy, right?
Now list out all of your building/site security groups. Copy your modified Get-ADComputer command for each one and turn those groups into shadow groups. In 5 minutes of work, you have automated every location/site security group that you have! And if you automatically move computers to an OU based on their names, you've created a system that automates the tedious parts of Active Directory management!
All that you need to do now is create a scheduled task on your dedicated machine. Have this script run every 5 (or 10) minutes. For reference, the Action for your task will be: powershell.exe -noprofile "PATHTOSCRIPT.PS1"
Once you are done with that, start automating other common group additions. For example, your HR department might populate certain AD attributes for your users. The last example shows a query that finds every user with the Title of Math Teacher. It then puts those users into the Math Teachers group. This group can be a mail-enabled security group or even linked to multiple user-side applications!
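The script above only ever adds members, so a computer renamed or a user whose Title changes keeps its old access. The following is an added example (not the post's own script) that reconciles a shadow group against its query, removing stale members as well as adding missing ones; the group names, OU path and the Sync-ShadowGroup function name are assumptions for illustration.

```powershell
Import-Module ActiveDirectory

function Sync-ShadowGroup {
    param(
        [Parameter(Mandatory)] [string]      $GroupName,
        [Parameter(Mandatory)] [scriptblock] $Query      # returns the AD objects that SHOULD be members
    )
    # Compare on distinguishedName so users and computers are handled the same way
    $desired = @(& $Query | Select-Object -ExpandProperty DistinguishedName)
    $current = @(Get-ADGroupMember -Identity $GroupName | Select-Object -ExpandProperty DistinguishedName)

    # Guard: an empty query result usually means a typo or a broken search, not
    # "nobody belongs here". Refuse to empty the group in that case.
    if ($desired.Count -eq 0 -and $current.Count -gt 0) {
        Write-Warning "Query for '$GroupName' returned nothing; skipping removals."
        return [pscustomobject]@{ Group = $GroupName; Added = 0; Removed = 0; Skipped = $true }
    }

    $diff     = Compare-Object -ReferenceObject $desired -DifferenceObject $current
    $toAdd    = @($diff | Where-Object SideIndicator -eq '<=' | Select-Object -ExpandProperty InputObject)
    $toRemove = @($diff | Where-Object SideIndicator -eq '=>' | Select-Object -ExpandProperty InputObject)

    if ($toAdd)    { Add-ADGroupMember    -Identity $GroupName -Members $toAdd }
    if ($toRemove) { Remove-ADGroupMember -Identity $GroupName -Members $toRemove -Confirm:$false }

    # Summary object so a scheduled run can log exactly what changed each cycle
    [pscustomobject]@{ Group = $GroupName; Added = $toAdd.Count; Removed = $toRemove.Count; Skipped = $false }
}

# Computers under a site OU (assumed OU path), the post's first search
Sync-ShadowGroup -GroupName 'Group1' -Query { Get-ADComputer -Filter * -SearchBase 'OU=Sites,DC=TEST,DC=local' }

# Users whose Title attribute is "Math Teacher", the post's fourth search
Sync-ShadowGroup -GroupName 'Group4' -Query { Get-ADUser -Filter { Title -eq 'Math Teacher' } }
```

Run it from the same scheduled task as the original script; the summary objects it returns can be piped to Export-Csv or Out-File to keep a change history for the groups.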
Shadow Groups are very powerful! Once set up, common group management is a thing of the past! Now go forth and slay those stupid group management issues you face like younglings!
Have used these for years to get the Fine Grained PW group populated. Works great.
The Quest AD CMDLETS are no longer located on that page
Sorry about that – Those cmdlets are no longer free since they got bought out. I re-worked the script to use the native AD cmdlets.
This is a simple solution to part of the problem; however, this creates another: the removal side of things/cluttering of AD objects. You typically don't want an additive process over the user/computer object's lifetime, as this will result in too much access/rights/etc.
Neat concept and all but I don’t believe I’d set something like this up in production unless all the logic and automatic group membership processing is thoroughly documented for whomever has to support the environment including the future sysadmin should you win the lotto or get hit by an asteroid.
You are absolutely right about planning this! If I were setting this feature up in a new environment, I would tag each security group using this feature. This could be done in the description field of the group or simply by adding a prefix/suffix to the group name.
On another note, shouldn't we be thoroughly documenting everything anyway? 🙂