
Active Directory : Shadow Groups


If you’ve ever wanted to base group membership on a container within Active Directory, i.e. an Organisational Unit, you’ll know this is not possible natively. Using a simple script you can create ‘Shadow Groups’ and even automate the update of their membership to reflect changes in the Active Directory structure.

First create a new group, in this case ‘UK Computer Objects’.

Next execute the following command, changing the OU containing the security group (the DN passed to dsmod group) and the search scope for the objects you wish to add to the group in question (the DN passed to dsquery computer). The -chmbr option clears the membership of the group and re-writes it, so be careful if there are any existing members!

dsquery computer -limit 0 "OU=Sites,OU=UK,DC=domain,DC=local" | dsmod group "CN=UK Computer Objects,OU=Shadow Groups,DC=domain,DC=local" -chmbr

If you need to add additional objects to the group without wiping its membership, use the -addmbr option:

dsquery computer -limit 0 "OU=Administrators,OU=UK,DC=domain,DC=local" | dsmod group "CN=UK Computer Objects,OU=Shadow Groups,DC=domain,DC=local" -addmbr

This script can be scheduled to run from a server on a daily or weekly basis. Ensure it is executed as a user with sufficient AD DS permissions to write membership to the group object.
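An alternative for the scheduled run that avoids the clear-and-rewrite behaviour of -chmbr, as an added example that is not part of the original post: a PowerShell script that applies only the membership difference and leaves the group untouched if the OU query returns nothing. It assumes the ActiveDirectory PowerShell module is installed; the DNs are the sample values from the commands above.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module (RSAT).
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Sample DNs taken from the commands on this page
    [string[]]$SearchBases = @('OU=Sites,OU=UK,DC=domain,DC=local',
                               'OU=Administrators,OU=UK,DC=domain,DC=local'),
    [string]$GroupDN = 'CN=UK Computer Objects,OU=Shadow Groups,DC=domain,DC=local'
)
$ErrorActionPreference = 'Stop'   # a failed query aborts before anything is written
Import-Module ActiveDirectory

# Desired membership: every computer object under the listed OUs
$desired = @(foreach ($base in $SearchBases) {
    Get-ADComputer -Filter * -SearchBase $base -SearchScope Subtree |
        Select-Object -ExpandProperty DistinguishedName
})
# Current membership, read as DNs from the group's member attribute
$current = @((Get-ADGroup -Identity $GroupDN -Properties member).member)

# Refuse to empty the group on an empty result (wrong DN, renamed OU, ...)
if ($desired.Count -eq 0) {
    throw "No computer objects found under the search bases; group left unchanged."
}

# -notcontains compares strings case-insensitively, which matches DN semantics
$toAdd    = @($desired | Where-Object { $current -notcontains $_ })
$toRemove = @($current | Where-Object { $desired -notcontains $_ })

if ($toAdd.Count -gt 0) {
    Add-ADGroupMember -Identity $GroupDN -Members $toAdd
}
if ($toRemove.Count -gt 0) {
    Remove-ADGroupMember -Identity $GroupDN -Members $toRemove -Confirm:$false
}

# One line per change, so the scheduled task's output doubles as an audit trail
$stamp = Get-Date -Format s
$toAdd    | ForEach-Object { "$stamp ADD    $_" }
$toRemove | ForEach-Object { "$stamp REMOVE $_" }
```

Running the script with -WhatIf previews the additions and removals without writing to the group.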
