PowerShell Version 2.0 script to fix "legacy" members of a specified Active Directory group. This allows the member attribute of the group to take advantage of Link Value Replication (LVR). If the members were assigned before the forest functional level was at least Windows Server 2003, the member attribute may not take advantage of link value replication (LVR). These values are called "legacy". Without LVR, any updates to the membership of the group requires that the entire member attribute be replicated. For example, if the group has 1000 members, and you add one more, all 1001 values must be replicated. With LVR, only the updated or new members are replicated.

The script prompts for the sAMAccountName of the group and a text file containing the output from the repadmin command. This file can be created at the command prompt of a domain controller with a statement similar to:

repadmin /showobjmeta mydc "cn=My Group,ou=West,dc=domain,dc=com" > report.txt

where "mydc" is the host name of a domain controller and the distinguished name is that of the group to be processed. The file "report.txt" contains the output and is the file the script prompts for.

The script first checks that the group object exists in Active Directory. Then the script parses the file for lines containing the string "LEGACY". This means the repadmin tool identified the value of a linked multi-valued attribute that does not take advantage of LVR. The script parses this line for the lDAPDisplayName of the attribute to make sure it is "member". Then the script reads the value of the member attribute on the next line. This will be the distinguished name of a member of the group. This value is added to an array of member DN's. The script uses this array with the Remove-ADGroupMember cmdlet to remove all such identified members from the group. Finally. after a short pause, the script uses the Add-ADGroupMember cmdlet to add the members back into the group.

When the script has finished, all members that repadmin previously identified as "LEGACY" will now be identified as "PRESENT". This means they take advantage of link value replication.


# FixLegacyMembers.ps1 
# PowerShell Version 2 script to fix "Legacy" members of a specified group. 
# This allows the group to take advantage of Link Value Replication (LVR) 
# for all members after the Forest Functional Level (FFL) is raised from 
# Windows 2000 Server to Windows Server 2003 (or above). 
# Author: Richard L. Mueller 
# This script prompts for either the sAMAccountName or the distinguished name 
# of the group and a text file containing the output from the repadmin command. 
# This file can be created at the command prompt of a domain controller 
# with a statement similar to: 
# repadmin /showobjmeta mydc "cn=My Group,ou=West,dc=domain,dc=com" > report.txt 
# where mydc is the host name of a domain controller and the distinguished 
# name is that of the group to be processed. The script processes the members 
# in blocks of 4000 at most, to avoid excessive network traffic. 
# Version 1.0 - September 22015 
# Version 2.0 - September 72015 - Process members in blocks of 4000 at most. 
# Modify the server name to match the DNS Name of a domain controller in your domain. 
$Server = mydc.domain.com 
# Prompt for the group. 
$GroupName = Read-Host "Enter the group sAMAccountName or distinguishedName" 
Import-Module ActiveDirectory 
# Make sure the group exists on the specified domain controller. 
$Group = $Null 
$Group = Get-ADGroup -Identity $GroupName -Server $Server 
If ($Group -eq $Null) 
    "Group $GroupName not found" 
# Prompt for output file from repadmin. 
$File = Read-Host "Enter file containing output from repadmin command" 
# Retrieve the contents of the file. 
$RepAdm = Get-Content $File 
$k = 0 
$Count = 0 
$Total = 0 
# Array of group member DN's. 
$LegacyMembers = @() 
ForEach ($Line In $RepAdm) 
    $k = $k + 1 
    If ($Line.Length -ge 6) 
        # Find lines identifying "Legacy" members of the group. 
        # These members cannot take advantage of LVR. 
        If ($Line.Substring(06) -eq "LEGACY") 
            # Parse this line for the attribute lDAPDisplayName. 
            $Attr = $Line.Substring(7).Trim() 
            # Ignore if the attribute is not "member". 
            If ($Attr.ToLower() -eq "member") 
                # Add the member DN on the next line to the array. 
                $Member = $RepAdm[$k + 1].Trim() 
                $LegacyMembers = $LegacyMembers + $Member 
                $Count = $Count + 1 
                $Total = $Total + 1 
                # Process no more than 4000 members at a time. 
                If ($Count -eq 4000) 
                    # Remove all legacy members from the group. 
                    Remove-ADGroupMember -Identity $GroupName ` 
                        -Members $LegacyMembers -Server $Server 
                    Start-Sleep -Seconds 10 
                    # Add the members back into the group. 
                    Add-ADGroupMember -Identity $GroupName ` 
                        -Members $LegacyMembers -Server $Server 
                    # Initialize the array and the counter. 
                    $LegacyMembers = @() 
                    $Count = 0 
                    Start-Sleep -Seconds 10 
# Process any remaining members. 
If ($Count -gt 0{ 
    # Remove all legacy members from the group. 
    Remove-ADGroupMember -Identity $GroupName -Members $LegacyMembers ` 
        -Server $Server 
    Start-Sleep -Seconds 10 
    # Add the members back into the group. 
    Add-ADGroupMember -Identity $GroupName -Members $LegacyMembers ` 
        -Server $Server 
"$Total values of member attribute of $GroupName fixed"