Have you ever spent time troubleshooting a problem only to discover that a computer or user wasn’t in the right security group? Shadow Groups (sometimes called dynamic security groups) can stop this problem! They work by automatically adding objects to a group based on a name, Organizational Unit, or another attribute. So get ready to embrace the dark side of Active Directory – we are about to set up some shadow security groups!
What are Shadow Groups?
When talking about groups in Active Directory, you tend to talk about security groups or distribution groups. Occasionally, you might mention mail-enabled security groups (security groups with an email address). Shadow Groups are security groups whose membership is managed automatically by a scheduled script.
To get started, you will need a dedicated machine running PowerShell 3. This machine should have the Quest AD cmdlets installed. You will also need a dedicated user account that can modify group membership. For testing purposes, it is fine to use your own account.
Select a Security Group
Think of a security group that should contain a predictable set of members. For example, you might have a security group for each location that you support. This group would contain all computers beginning with a certain naming prefix.
Now, open PowerShell ISE and paste in the following script:
# Load the Quest AD cmdlets (needed once per session unless your profile already does it)
Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue

# Add computers to a group based on OU membership
Get-QADComputer -SearchRoot "OU=NAME,DC=DOMAIN,DC=local" -SizeLimit 0 | Add-QADMemberOf -Group "DOMAIN\Site Computers"

# Add computers to a group based on name (wildcard prefix match)
Get-QADComputer -Name SITE* -SizeLimit 0 | Add-QADMemberOf -Group "DOMAIN\Site Computers"

# Add users to a group based on OU membership
Get-QADUser -SearchRoot "OU=NAME,DC=DOMAIN,DC=local" -SizeLimit 0 | Add-QADMemberOf -Group "DOMAIN\Site Users"

# Add users to a group based on an attribute (here, the Title field)
Get-QADUser -Name * -Title "Math Teacher" -SizeLimit 0 | Add-QADMemberOf -Group "DOMAIN\Math Teachers"
This script provides four common searches that you might need when creating a shadow group:
- Adding computers based on OU membership
- Adding computers based on name
- Adding users based on OU membership
- Adding users based on an attribute
Let’s take that security group that you picked out (from above). Take the first command and modify it to point at your desired OU location. Then change the Add-QADMemberOf section to point to your site’s security group. Bam! You just created a shadow group! Easy, right?
Now list out all of your building/site security groups. Copy your modified Get-QADComputer command and turn those groups into shadow groups. In 5 minutes of work, you just automated every location/site security group that you have! And if you automatically move computers to an OU based on their names, you’ve created a system that automates the tedious parts of Active Directory management!
All that you need to do now is to create a scheduled task on your dedicated machine. Have this script run every 5 (or 10) minutes. For reference, the Action for your task will be: powershell.exe -noprofile "PATHTOSCRIPT.PS1"
Once you are done with that, start automating other common group additions. For example, your HR department might populate certain AD attributes for your users. The last example shows a query that finds every user with the Title of Math Teacher. It then puts those users into the Math Teachers group. This group can be a mail-enabled security group or even linked to multiple user-side applications!
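The script above only ever adds members. A computer that is moved out of the site OU, or a user whose Title changes, keeps its group membership (and whatever access the group grants) until someone notices. The following is an added example, not code from the original post, that turns each of the four searches into a reconciling sync: it compares the query result against the group's current members, adds what is missing, removes what no longer matches, refuses to empty a populated group when the query returns nothing (the usual sign of a broken query rather than a real change), and writes every change to a log file so membership changes are auditable. It assumes the Quest AD cmdlets the post uses (Get-QADGroupMember, Add-QADGroupMember and Remove-QADGroupMember, with objects exposing a DN property) and that the account running it can modify the target groups; the group names, OU paths, script path and log path are placeholders.

```powershell
# Added example (not from the original post). Assumes the Quest AD cmdlets are installed
# and that the account running the task can modify the target groups. Group names, OU
# paths and the log path below are placeholders.
Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue

$LogPath = "$env:ProgramData\ShadowGroups\sync.log"   # placeholder

function Write-SyncLog {
    param([string] $Message)
    $dir = Split-Path -Parent $LogPath
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    Add-Content -Path $LogPath -Value ("{0:u} {1}" -f (Get-Date), $Message)
}

function Sync-ShadowGroup {
    param(
        [Parameter(Mandatory = $true)] [string]      $Group,      # e.g. "DOMAIN\Site Computers"
        [Parameter(Mandatory = $true)] [scriptblock] $Query,      # returns every object that SHOULD be a member
        [switch] $ReportOnly                                      # log what would change, change nothing
    )

    # Index both sides by distinguished name so the comparison is exact.
    $desired = @{}
    foreach ($obj in @(& $Query)) { $desired[$obj.DN] = $obj }

    $current = @{}
    foreach ($m in @(Get-QADGroupMember -Identity $Group -SizeLimit 0)) { $current[$m.DN] = $m }

    $toAdd    = @($desired.Keys | Where-Object { -not $current.ContainsKey($_) })
    $toRemove = @($current.Keys | Where-Object { -not $desired.ContainsKey($_) })

    # Safety valve: an empty query result almost always means the query broke (renamed OU,
    # typo, unreachable DC), not that every member left. Do not strip a populated group on that basis.
    if ($desired.Count -eq 0 -and $current.Count -gt 0) {
        Write-SyncLog "$Group : query returned no objects, skipping $($toRemove.Count) removals"
        $toRemove = @()
    }

    foreach ($dn in $toAdd) {
        if (-not $ReportOnly) { Add-QADGroupMember -Identity $Group -Member $dn | Out-Null }
        Write-SyncLog "$Group : ADD    $dn"
    }
    foreach ($dn in $toRemove) {
        if (-not $ReportOnly) { Remove-QADGroupMember -Identity $Group -Member $dn | Out-Null }
        Write-SyncLog "$Group : REMOVE $dn"
    }

    [pscustomobject]@{ Group = $Group; Added = $toAdd.Count; Removed = $toRemove.Count }
}

# One line per shadow group; the query is the single definition of who belongs.
# Run once with -ReportOnly first and read the log before letting the task make changes.
$results = @(
    Sync-ShadowGroup -Group "DOMAIN\Site Computers" -Query { Get-QADComputer -SearchRoot "OU=NAME,DC=DOMAIN,DC=local" -SizeLimit 0 }
    Sync-ShadowGroup -Group "DOMAIN\Site Users"     -Query { Get-QADUser -SearchRoot "OU=NAME,DC=DOMAIN,DC=local" -SizeLimit 0 }
    Sync-ShadowGroup -Group "DOMAIN\Math Teachers"  -Query { Get-QADUser -Name * -Title "Math Teacher" -SizeLimit 0 }
)
$results | Format-Table Group, Added, Removed -AutoSize

# Scheduled task Action for this file (every 5 or 10 minutes, as the post suggests).
# -File keeps the path intact even when it contains spaces; -NonInteractive stops a
# stray prompt from hanging the task. The path is a placeholder.
#   powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -File "C:\Scripts\Sync-ShadowGroups.ps1"
```

Because the sync removes anything the query did not return, the group must contain only what the query defines: manually added members will be dropped on the next run, which is exactly the behaviour that makes a shadow group trustworthy. The scheduled task should run as the dedicated account from the setup section, with rights on the shadow groups and nothing more, and the log file is the place to look when a machine or user unexpectedly gains or loses access.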
Shadow Groups are very powerful! Once set up, common group management is a thing of the past! Now go forth and slay those stupid group management issues you face!