Windows Tip Sheet
Syncing OUs to Groups
Keep your objects in order with a couple command-line tools.
It’s a common enough Active Directory design technique to set up OUs
that represent the various organizations in your company: Perhaps you’ll
have an IT OU, an OU for Sales, and so forth. Of course, the main purpose of
OUs is to organize AD objects by the way those objects will be managed, and
by how Group Policy objects will be applied. Security Groups (and Distribution
Groups, for that matter) serve parallel purposes, grouping AD objects by the
way they’ll be assigned security permissions, or by the way they’ll
be used in your Exchange Server address book. It’s not surprising, therefore,
that many companies have security and distribution groups that mimic their OUs
in terms of contents: an IT group, a Sales group, and so on.
It’s unfortunate that you can’t just drag user objects into a group,
because that’d be an easy way of getting all members of an OU into a group.
However, thanks to a tip at JSI
FAQ, you can use AD command-line tools and a simple batch file to add
all users in a specified OU to a specified group. The batch file will even
create the group for you (as a global security group) if it doesn’t already exist.
Of course, keeping the OUs and groups in sync can be tricky, which is why you
might consider writing another script that is used to add users to an OU and
the matching group simultaneously. By using your script instead of the GUI tools,
this multi-step process can be accomplished in one step, and your OUs and groups
will always contain the correct members.
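A PowerShell version of the OU-to-group sync described above, added here as an example; it is not the JSI FAQ batch file. It assumes the RSAT ActiveDirectory module is installed, and the OU and group names are placeholders.

```powershell
# Added example (not the JSI FAQ batch file): mirror the users of one OU into one
# global security group. Requires the RSAT ActiveDirectory module. Names are placeholders.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)][string]$OUDistinguishedName,   # e.g. "OU=Sales,DC=corp,DC=example"
    [Parameter(Mandatory)][string]$GroupName,             # e.g. "Sales"
    [switch]$RemoveStale   # also remove members who are no longer in the OU
)
Import-Module ActiveDirectory -ErrorAction Stop

# Users directly in the OU (OneLevel keeps child OUs out; use Subtree to include them).
$ouUsers = Get-ADUser -Filter * -SearchBase $OUDistinguishedName -SearchScope OneLevel

# Create the group in the same OU if it does not already exist.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'" -SearchBase $OUDistinguishedName
if (-not $group) {
    if ($PSCmdlet.ShouldProcess($GroupName, 'Create global security group')) {
        $group = New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
                             -Path $OUDistinguishedName -PassThru
    } else { return }
}

# Compare by distinguishedName rather than display name to avoid collisions.
$current  = Get-ADGroupMember -Identity $group | Where-Object objectClass -eq 'user'
$toAdd    = @($ouUsers | Where-Object { $_.DistinguishedName -notin $current.DistinguishedName })
$toRemove = @($current | Where-Object { $_.DistinguishedName -notin $ouUsers.DistinguishedName })

if ($toAdd.Count -gt 0) {
    if ($PSCmdlet.ShouldProcess("$($toAdd.Count) user(s)", "Add to $GroupName")) {
        Add-ADGroupMember -Identity $group -Members $toAdd
    }
}
if ($RemoveStale -and $toRemove.Count -gt 0) {
    if ($PSCmdlet.ShouldProcess("$($toRemove.Count) member(s)", "Remove from $GroupName")) {
        Remove-ADGroupMember -Identity $group -Members $toRemove -Confirm:$false
    }
}

# Emit a summary object so each run can be logged for recordkeeping.
[pscustomobject]@{
    Group = $GroupName; Added = $toAdd.Count; Removed = $toRemove.Count; InOU = @($ouUsers).Count
}
```

Run it with -WhatIf first to see which accounts would be added or removed without changing anything.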
Here’s another trick to help you manage unused user accounts more effectively.
When someone leaves, disable their user account; use a script to list disabled
user accounts that haven’t been used in several weeks. The script can
then delete those unneeded accounts from AD, and advise you of which OUs and
groups were affected, for recordkeeping purposes. The Microsoft TechNet Script
Center contains snippets that perform these various functions; just string them
together for a complete script.
Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is an Author/Evangelist for video training company Pluralsight. Don is also a co-founder and President of PowerShell.org, a community dedicated to Microsoft’s Windows PowerShell technology. Don has more than two decades of experience in the IT industry, and specializes in the Microsoft business technology platform. He’s the author of more than 50 technology books, an accomplished IT journalist, and a sought-after speaker and instructor at conferences worldwide. Reach Don on Twitter at @concentratedDon, or on Facebook at Facebook.com/ConcentratedDon.