Update Shadow Group with Users in Specified Organizational Units

PowerShell Version 2 script that ensures all users in the specified OUs are members of a corresponding shadow group, and removes group members who are not in those OUs. A Fine-Grained Password Policy can then be applied to the group.
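The synchronisation the description refers to, written out as an added example (this is not the gallery script itself, and it assumes the ActiveDirectory module from RSAT rather than whatever the original uses). The group DN, the OU DNs and the $Update switch are placeholders; with $Update left at $false the script only reports what it would change, which is the safe way to confirm the result before a scheduled task is allowed to alter membership. Every query result is wrapped in @() so that one user, many users and no users all behave the same, which is the case that broke earlier versions of the script.

```powershell
# Added example, not the gallery script. Assumes the ActiveDirectory module;
# group and OU distinguished names are placeholders.
Import-Module ActiveDirectory

$ShadowGroup = 'CN=ShadowGroup-Finance,OU=Groups,DC=example,DC=com'   # placeholder
$OUs = @(
    'OU=Finance,DC=example,DC=com',                                    # placeholder
    'OU=Accounting,DC=example,DC=com'                                  # placeholder
)
# $false = report only; $true = change membership. Changing membership
# requires an account with write access to the group's member attribute.
$Update = $false

# DNs of every user under each OU. @() turns an empty pipeline into an
# empty array and a single user into a one-element array, so .Count is
# always a number even on PowerShell v2.
$UsersInOU = @()
foreach ($OU in $OUs) {
    $UsersInOU += @(Get-ADUser -Filter * -SearchBase $OU -SearchScope Subtree |
                    Select-Object -ExpandProperty DistinguishedName)
}

# DNs of the current direct members of the shadow group.
$Members = @(Get-ADGroupMember -Identity $ShadowGroup |
             Select-Object -ExpandProperty DistinguishedName)

# Hashtable lookups give a set difference in both directions without
# depending on Compare-Object's handling of empty collections.
$MemberLookup = @{}
foreach ($dn in $Members)   { $MemberLookup[$dn] = $true }
$OULookup = @{}
foreach ($dn in $UsersInOU) { $OULookup[$dn] = $true }

$ToAdd    = @($UsersInOU | Where-Object { -not $MemberLookup.ContainsKey($_) })
$ToRemove = @($Members   | Where-Object { -not $OULookup.ContainsKey($_) })

Write-Host ("Users in OUs: {0}; group members: {1}; to add: {2}; to remove: {3}" -f `
    $UsersInOU.Count, $Members.Count, $ToAdd.Count, $ToRemove.Count)

if ($Update) {
    # Counters decide whether to call the cmdlets; an empty -Members is an error.
    if ($ToAdd.Count -gt 0) {
        Add-ADGroupMember -Identity $ShadowGroup -Members $ToAdd
    }
    if ($ToRemove.Count -gt 0) {
        Remove-ADGroupMember -Identity $ShadowGroup -Members $ToRemove -Confirm:$false
    }
} else {
    $ToAdd    | ForEach-Object { Write-Host "Would add:    $_" }
    $ToRemove | ForEach-Object { Write-Host "Would remove: $_" }
}
```

Because a stale shadow group means the Fine-Grained Password Policy silently stops applying to users who moved into the OU, the report-only output is worth keeping from each scheduled run so that a run that finds nothing to do can be told apart from a run that failed to query.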


  • Just Stops Working
    7 Posts | Last post July 10, 2017
    • I have 5 shadow groups and 5 copies of this script running as scheduled tasks. They just suddenly stop populating/depopulating users in the groups. The only way to get them to work again is to remove all users from the OU and run the script again. Once I do this, it removes all members of the group. Once I move the users back into the OU, it populates the group again. Server 2012 R2, domain/forest functional levels 2012 R2.
    • I think I found the problem. I changed "If ($UsersInOU.Count -ge 1)" to "If (@($UsersInOU).Count -ge 1)" and now it works if only 1 user is added/removed from the OU.
    • Any suggestion on what to change in the script to get the last user of the shadow group removed? Adding "If (@($UsersInOU).Count -ge 1)" fixed the single-user add to the group, but now I'm finding that if there is only 1 user left in the shadow group, the script will not delete it.
    • I think I understand the problem. I will need a bit of time to test a fix.
    • Thank you very much Richard!!
    • I updated the script to fix the bug when there is only one user to either add to or remove from the shadow group. I replaced "If ($UsersInOU.Count -ge 1)" with "If ($UsersInOU)". The latter is True if there is only one user in the array, or if there is more than one. If there are no users in the array, the expression is False.
    • Richard, 
      I have updated all of my shadow group scripts with Version 3.0. They all work perfectly!!!!!!!!!!!!!!!!!!!! Thank you so much for your help. I greatly appreciate it.
  • Works GREAT.
    2 Posts | Last post February 05, 2017
    • Thanks for this PowerShell script. I have a suggestion for version 1.1 that lets you define multiple pairings of OUs to groups. I have several groups that are now created by OU membership and each one needs to call the script separately to update membership. Also, I can imagine scenarios where people will want to add multiple OUs to a single group.
      Much appreciated.
      Mark Ringo
    • I updated the script to maintain a shadow group with users in an array of organizational units. However, for multiple shadow groups I think it is best to have one copy of the script for each pairing.
  • Add Multiple OUs
    2 Posts | Last post February 05, 2017
    • Hello Richard
      I want to thank you for this PowerShell script, this is awesome. However, I am not the greatest at PowerShell but I am getting better. I have researched over and over a good Shadow Group setup, and this one beats them. However, how can I take this script and add multiple OUs to it? Basically, I have one group right, but I have 64 other OUs with users in them, I want to be able to add 64 OUs to this script against one group. Is this possible?
      Thank you Marc
    • I updated the script to handle an array of organizational units. It works as expected in my tests. The shadow group includes all users in each of the specified OUs.
  • Few updates, and updated script to handle users from multiple OUs
    2 Posts | Last post February 05, 2017
    • 1. The script needs to be run using an elevated command prompt for it to properly extract the memberOf attribute of a user object (being used for the group membership deletion part of the script).
      2. Change "If ($UsersInOU.Count -ge 1)" to "If (@($UsersInOU).Count -ge 1)" for it to identify even if there is a single user to be removed from the group.
      3. I have modified the script to handle users from multiple OUs as requested by many users of this script, and it is available at https://gallery.technet.microsoft.com/scriptcenter/Update-Shadow-Group-with-2b91afba
    • I updated the script to use the counter variables to determine if users are to be removed or added. I used ($Removed -gt 0) and ($Added -gt 0).
      If $Update is $True, the script must run with sufficient permissions to add users to and remove users from the shadow group.
  • Multiple OUs To One Group To One Script
    4 Posts | Last post February 05, 2017
    • Me again, do you still look at this thread? I am stuck, I can't figure out how to add multiple OUs. Help help
    • Please check https://gallery.technet.microsoft.com/scriptcenter/Update-Shadow-Group-with-2b91afba
    • Thank you so much for this. I really appreciate you updating this thread and the script. This is going to save me so much time. I am going to test this out tomorrow first thing. Thanks again for all your hard work.
      Thanks, Marc
    • I updated the script to handle an array of organizational units. It took a while for me to figure out how to do this, but the updated script works great in my tests. The script can now maintain a shadow group with members in one or more OUs.
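The three membership checks discussed in the "Just Stops Working" and "few updates" threads behave differently depending on whether an AD query returns nothing, one object or several, and on the PowerShell version. The added example below (not code from the gallery script) feeds each of those three shapes, built from constructed stand-in objects rather than real Get-ADUser output, through a small function that reports what each check concludes. On PowerShell v2 a single object has no Count property, so "$x.Count -ge 1" is False for one user; "@($x).Count -ge 1" fixes that but is also True when $x is $null, because @($null) is a one-element array; "if ($x)" is False for $null and an empty array and True otherwise, which is why it is the check that works for all three shapes.

```powershell
# Added example, not the gallery script. Shows how each membership check
# behaves for a query result of zero, one or many objects.
function Test-MembershipCheck {
    param($QueryResult)
    # PowerShell v2: a single object has no Count, so this is $null -ge 1 = False.
    # PowerShell 3+: every object has an intrinsic Count, so this is True.
    $fromCount = ($QueryResult.Count -ge 1)
    # @() wraps one object in an array, but also wraps $null, giving Count 1.
    $fromArray = (@($QueryResult).Count -ge 1)
    # $null and an empty array are False; one or more objects are True.
    $fromTruth = [bool]$QueryResult
    New-Object PSObject -Property @{
        WrappedCount = @($QueryResult).Count
        CountTest    = $fromCount
        ArrayTest    = $fromArray
        TruthTest    = $fromTruth
    } | Select-Object WrappedCount, CountTest, ArrayTest, TruthTest
}

# Constructed stand-ins for what "$x = Get-ADUser ..." assigns: nothing found
# gives $null, one user gives a single object, several give an array.
$none = $null
$one  = New-Object PSObject -Property @{ DistinguishedName = 'CN=Alice,OU=Finance,DC=example,DC=com' }
$many = @(
    (New-Object PSObject -Property @{ DistinguishedName = 'CN=Alice,OU=Finance,DC=example,DC=com' }),
    (New-Object PSObject -Property @{ DistinguishedName = 'CN=Bob,OU=Finance,DC=example,DC=com' })
)

# Each call is made separately; putting $many inside another @() would flatten it.
Write-Host 'Query returned nothing:'
Test-MembershipCheck $none | Format-Table -AutoSize
Write-Host 'Query returned one user:'
Test-MembershipCheck $one  | Format-Table -AutoSize
Write-Host 'Query returned two users:'
Test-MembershipCheck $many | Format-Table -AutoSize
```

The row for "nothing" is the one to watch: ArrayTest reports True there, so a script that guards its removal step with "@($UsersInOU).Count -ge 1" and then passes $null to Remove-ADGroupMember fails on the call rather than skipping it cleanly. Assigning the query as "$x = @(Get-ADUser ...)" avoids this, because an empty pipeline inside @() yields an empty array rather than @($null).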