Can I have an automated security group?

Recently I faced a request from a client wanting a Dynamic Security Group in Active Directory which automatically updates its members. We do have the concept of dynamic objects in Active Directory (I promise to speak on that in another article), but this one was completely different. The client wanted to have a security group which automatically removes disabled users from its membership. So I started a lovely conversation with my lovely friend PowerShell.

Basically, what you have to do is write a multi-function PowerShell script. We will need more than a couple of pipes in this script. To understand the code, let's translate it into human language:

Find Group1 in AD | Find Disabled members in the Member List | Remove them

Now, if you want a fully automated one, you need to schedule this script to run hourly on your domain controller. Here is the script:

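    # Requires the ActiveDirectory module on the machine running the script.
    Import-Module ActiveDirectory

    # For each member of GroupTest: look up the account, keep only disabled ones, remove them.
    Get-ADGroupMember GroupTest | % {
        Get-ADUser -Identity $_.distinguishedName -Properties Enabled,samaccountname |
            ? { $_.Enabled -eq $false } |
            % { Remove-ADGroupMember -Identity GroupTest -Members $_.samaccountname -Confirm:$false }
    }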
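
A sturdier take on the same cleanup, as an added example rather than the post's own script: it skips non-user members, honours -WhatIf as a dry run, and records every removal in a CSV. The file name, log path, script path and task name are assumptions.

```powershell
# Added example, not the post's script. Save as Remove-DisabledMembers.ps1 (assumed name).
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$GroupName = 'GroupTest',                     # group name used in the post
    [string]$LogPath   = 'C:\Logs\GroupTest-cleanup.csv'  # assumed path; folder must exist
)

Import-Module ActiveDirectory

# Direct members only. Skip computers and nested groups, which Get-ADUser cannot resolve.
$disabled = Get-ADGroupMember -Identity $GroupName |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { Get-ADUser -Identity $_.distinguishedName -Properties Enabled } |
    Where-Object { $_.Enabled -eq $false }

foreach ($user in $disabled) {
    # ShouldProcess makes -WhatIf a dry run: it lists removals without performing them.
    if ($PSCmdlet.ShouldProcess($user.SamAccountName, "Remove from $GroupName")) {
        Remove-ADGroupMember -Identity $GroupName -Members $user.SamAccountName -Confirm:$false
        # Audit trail: one CSV row per removal, so a wrong removal can be traced and reverted.
        [pscustomobject]@{
            Time  = (Get-Date).ToString('s')
            Group = $GroupName
            User  = $user.SamAccountName
            DN    = $user.DistinguishedName
        } | Export-Csv -Path $LogPath -Append -NoTypeInformation
    }
}

<# One-time registration of the hourly run (script path and task name are assumed).
   On Windows Server 2016 and later, omitting -RepetitionDuration repeats indefinitely.
$action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument '-NoProfile -File C:\Scripts\Remove-DisabledMembers.ps1'
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) `
    -RepetitionInterval (New-TimeSpan -Hours 1)
Register-ScheduledTask -TaskName 'GroupTest-RemoveDisabled' -Action $action `
    -Trigger $trigger -User 'NT AUTHORITY\SYSTEM' -RunLevel Highest
#>
```

Run it once with -WhatIf before scheduling it, and review the CSV after the first few hourly runs.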

Have fun automating.
