Windows Tip Sheet

Syncing OUs to Groups

Keep your objects in order with a couple of command-line tools.

It’s a common enough Active Directory design technique to set up OUs that represent the various organizations in your company: Perhaps you’ll have an IT OU, an OU for Sales, and so forth. Of course, the main purpose of OUs is to organize AD objects by the way those objects will be managed, and by how Group Policy objects will be applied. Security Groups (and Distribution Groups, for that matter) serve parallel purposes, grouping AD objects by the way they’ll be assigned security permissions, or by the way they’ll be used in your Exchange Server address book. It’s not surprising, therefore, that many companies have security and distribution groups that mimic their OUs in terms of contents: an IT group, a Sales group, and so on.

It’s unfortunate that you can’t just drag user objects into a group, because that’d be an easy way of getting all members of an OU into a group. However, thanks to a tip at JSI FAQ, you can use AD command-line tools and a simple batch file to add all users in a specified OU into a specified group. The batch file will even create the group for you (as a global security group) if it doesn’t already exist.

Of course, keeping the OUs and groups in sync can be tricky, which is why you might consider writing another script that adds a user to an OU and to the matching group at the same time. By using your script instead of the GUI tools, this multi-step process is accomplished in one step, and your OUs and groups will always contain the correct members.
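As an added illustration (this is not the JSI FAQ batch file or the author’s own script), here are both ideas in PowerShell using the RSAT ActiveDirectory module: the first function creates the global security group if it is missing and brings its membership in line with the OU (adding newcomers and dropping users who have left the OU), and the second moves a user into an OU and its group in one step. The OU path, group name and user name are hypothetical.

```powershell
# Added example, not the JSI FAQ batch file; needs the RSAT ActiveDirectory module.
# All OU paths, group and user names below are hypothetical.
Import-Module ActiveDirectory

function Sync-OUToGroup {
    param(
        [Parameter(Mandatory)] [string] $OUPath,     # e.g. 'OU=Sales,DC=example,DC=com'
        [Parameter(Mandatory)] [string] $GroupName   # sAMAccountName of the matching group
    )
    # Create the group as a global security group inside the OU if it does not exist yet.
    $group = Get-ADGroup -Filter { sAMAccountName -eq $GroupName }
    if (-not $group) {
        $group = New-ADGroup -Name $GroupName -SamAccountName $GroupName -Path $OUPath `
                             -GroupScope Global -GroupCategory Security -PassThru
    }
    # Users currently in the OU (including sub-OUs) versus direct user members of the group.
    $users   = @(Get-ADUser -Filter * -SearchBase $OUPath -SearchScope Subtree)
    $members = @(Get-ADGroupMember -Identity $group | Where-Object { $_.objectClass -eq 'user' })
    # Add OU users that are missing from the group ...
    $toAdd = @($users | Where-Object { $_.DistinguishedName -notin $members.DistinguishedName })
    if ($toAdd) { Add-ADGroupMember -Identity $group -Members $toAdd }
    # ... and remove group members that are no longer in the OU, so the two stay in step.
    $toRemove = @($members | Where-Object { $_.DistinguishedName -notin $users.DistinguishedName })
    if ($toRemove) { Remove-ADGroupMember -Identity $group -Members $toRemove -Confirm:$false }
    [pscustomobject]@{ Group = $group.Name; Added = $toAdd.Count; Removed = $toRemove.Count }
}

function Add-UserToOUAndGroup {
    # Moves the user into the OU and adds them to its group in one step,
    # so the two never drift apart when accounts are created or transferred.
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $OUPath,
        [Parameter(Mandatory)] [string] $GroupName
    )
    $user = Get-ADUser -Identity $SamAccountName
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $OUPath
    Add-ADGroupMember -Identity $GroupName -Members $SamAccountName
}

# Usage with hypothetical names:
# Sync-OUToGroup -OUPath 'OU=Sales,DC=example,DC=com' -GroupName 'Sales'
# Add-UserToOUAndGroup -SamAccountName 'jdoe' -OUPath 'OU=Sales,DC=example,DC=com' -GroupName 'Sales'
```

Running Sync-OUToGroup on a schedule also catches users moved out of an OU by hand, which the original add-only batch file would leave in the group.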

Micro-Tips
Here’s another trick to help you manage unused user accounts more effectively. When someone leaves, disable their user account; then use a script to list disabled user accounts that haven’t been used in several weeks. The script can delete those unneeded accounts from AD and tell you which OUs and groups were affected, for recordkeeping purposes. The Microsoft TechNet Script Center contains snippets that perform these individual functions; just string them together for a complete script.

About the Author

Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is an Author/Evangelist for video training company Pluralsight. Don is also a co-founder and President of PowerShell.org, a community dedicated to Microsoft’s Windows PowerShell technology. Don has more than two decades of experience in the IT industry, and specializes in the Microsoft business technology platform. He’s the author of more than 50 technology books, an accomplished IT journalist, and a sought-after speaker and instructor at conferences worldwide. Reach Don on Twitter at @concentratedDon, or on Facebook at Facebook.com/ConcentratedDon.