Editor's Note: John Savill contributes Frequently Asked Questions about Azure, PowerShell, and other Microsoft products and services three times each week here at Windows IT Pro. He is a well-respected member of the Microsoft tech community and a frequent speaker at industry events.
His training classes through our e-learning portal will help you become more knowledgeable about these various technologies. This tip is just one example of what he will be teaching in an upcoming Master Class.
----------
I recently had a requirement to create a group for each OU and then populate with the users in that OU. As I wrote the script I thought it would be an interesting learning tool for those looking at leveraging PowerShell. So firstly, below is the script.
$RootDomain = "DC=savilltech,DC=net"
$OUs = Get-ADOrganizationalUnit -filter * -searchbase "$RootDomain" -SearchScope OneLevel foreach($OU in $OUs){ $GroupOU = "OU=Groups,$($OU.DistinguishedName)" $UserOU = "OU=Users,$($OU.DistinguishedName)"
$NewGroupName = "$($OU.Name)Users"
$NewGroup = New-ADGroup -Name $NewGroupName -GroupCategory Security -GroupScope Global ` -DisplayName $NewGroupName -Path $GroupOU ` -Description "$($OU.Name) Users Group" -PassThru
#Now add all the users to it $Users = Get-ADUser -Filter * -SearchBase $UserOU foreach($User in $Users) { $User | Add-ADPrincipalGroupMembership -MemberOf $NewGroupName }}
So what is it doing? Well the first thing is to define the root of where we want to search. In this case I'm looking at the root of my domain savilltech.net which is DC=savilltech,DC=net. I assign this to a variable. It's always good to not hardcode paths in the middle of scripts, much better to move them to the start making it easy to change them in the future.
Now I need to find all the OUs directly under that path. I can do this with Get-ADOrganizationalUnit and setting a -SearchScope of OneLevel which means it will look one level below but not search within those OUs. There are other options available if you want to search deeper, for example Subtree to see all OUs. We save the results to another variable, $OUs, which contains all the results.
Next I want to look at each OU. By using foreach the list of objects in $OUs will be placed into $OU where I can work on the object. For example attributes can be access using $OU.<attribute>. Now you will notice I have the variables in a $( ) sometimes, for example $($OU.Name) and may wonder why. It's basically because when I access an attribute of the variable inside a string by default when I use the period the reference to the variable would stop and instead the attribute would just become part of a string. By enclosing it then everything inside $( ) is treated as an object therefore the attribute.
The first actual action is the New-ADGroup. Two things to notice here.
- We have the ` line continuation characters so a single command can be split over multiple lines
- The use of -PassThru at the end of the command which tells it so continue the created object down the pipeline which in this case means it assigned to the $NewGroup variable.
Then a list of all the users are found then for each user the user object is passed down the pipeline (using the | character) down to add the user to a group.
And that's it. Very simple script but shows off a few nice features of PowerShell.
We'll cover things like this and more in my Microsoft Stack Master Class, taking place Thursdays, October 12th to December 21st. See the full agenda and register here.
