Check if AD group is in correct OU
In Active Directory there are two main types of groups: distribution groups and security groups. Some organizations want to keep these two types separated. When you create a group, you can create it under the correct OU in Active Directory. Over time, a distribution group might need to be changed to a security group, or vice versa. If the organization is small, you can keep track of those changes and move the group under the correct OU. In big organizations, or where local IT at each location can make such changes, it is almost impossible to keep track of them and to ensure that groups are moved under the correct OU after the group type has been changed.
I wrote the script below to send me an email report if any group is located under an incorrect OU in Active Directory. A more detailed explanation follows below. Please note that we also ensure that local IT administrators are able to create groups only under specific OUs, as delegation is in place in Active Directory.
Let's see in more detail.
The first part of the script is only the description and help information, which can be retrieved with the Get-Help command. We start the script by importing the Active Directory module so that we can use the commands we need. After that we define a few variables that will be used later. The first one is the file that holds our encrypted password, which will be used to send the email report. Then we define the key that was used to encrypt the password, so that we can use it for the decryption. After we have set the user that will authenticate to send the email, we retrieve the password from the file and set up the email credentials and the from and to email addresses.
The next two commands retrieve from Active Directory all Organisational Units that are supposed to hold distribution groups and security groups. We save them in variables so that we can go through them and check whether any groups are not under the correct Organisational Unit. After that, we define two more variables that hold parts of the HTML email that will carry the report. The HTML code is split and will be combined later for the report. Two foreach loops are then used to check each Organisational Unit in each variable for incorrectly placed groups. The first loop checks whether there are any security groups under the Organisational Units that are supposed to have only distribution groups. The second loop checks the opposite: whether there are any distribution groups under the Organisational Units that are supposed to have security groups. Any values found are saved in variables to be used for the reporting.
After we have gathered all the information, an email report is sent if any group is found under a wrong Organisational Unit, providing the name of the group and the Organisational Unit that it is under. If nothing is found, no email is sent. There is also an error email, which is sent if there are any errors or exceptions during the process. The error email includes all errors and exceptions thrown during the run of the script. Before sending any HTML email, we combine the parts of the HTML code so that the code is complete.
The user that runs the script needs read permissions in Active Directory on the specific Organisational Units and group objects.
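The two checks described above can also be written as a single pass over group objects. This is an added example, not the author's script: the OU distinguished names, the `example.com` domain, the function name `Get-MisplacedGroup` and the sample groups are constructed assumptions. It also covers groups in OUs nested under the designated ones and commas escaped in a group's CN.

```powershell
# Added example (not the author's script). OU names and sample groups are constructed.
function Get-MisplacedGroup {
    [CmdletBinding()]
    param(
        # Objects with Name, GroupCategory and DistinguishedName, as Get-ADGroup returns
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]]$Group,
        # OU distinguished name -> the only group category allowed beneath it
        [Parameter(Mandatory)]
        [hashtable]$ExpectedCategory
    )
    process {
        foreach ($g in $Group) {
            # Parent container: drop the first RDN, skipping commas escaped as "\," in the CN
            $parent = $g.DistinguishedName -replace '^.*?(?<!\\),', ''
            foreach ($ou in $ExpectedCategory.Keys) {
                # Match the designated OU itself and any OU nested below it
                $inOu = $parent -eq $ou -or
                        $parent.EndsWith(",$ou", [StringComparison]::OrdinalIgnoreCase)
                if ($inOu -and "$($g.GroupCategory)" -ne $ExpectedCategory[$ou]) {
                    [pscustomobject]@{
                        Group    = $g.Name
                        Category = "$($g.GroupCategory)"
                        Expected = $ExpectedCategory[$ou]
                        Location = $parent
                    }
                }
            }
        }
    }
}

# Constructed rules and sample data so the check can be run without a domain
$rules = @{
    'OU=Distribution Groups,DC=example,DC=com' = 'Distribution'
    'OU=Security Groups,DC=example,DC=com'     = 'Security'
}
$sample = @(
    [pscustomobject]@{ Name = 'All Staff'; GroupCategory = 'Distribution'
        DistinguishedName = 'CN=All Staff,OU=Distribution Groups,DC=example,DC=com' }
    [pscustomobject]@{ Name = 'VPN Users'; GroupCategory = 'Security'
        DistinguishedName = 'CN=VPN Users,OU=Athens,OU=Distribution Groups,DC=example,DC=com' }
    [pscustomobject]@{ Name = 'News, Weekly'; GroupCategory = 'Distribution'
        DistinguishedName = 'CN=News\, Weekly,OU=Security Groups,DC=example,DC=com' }
)
$sample | Get-MisplacedGroup -ExpectedCategory $rules | Format-Table -AutoSize
# Against a live domain (needs the ActiveDirectory module and read access):
#   Get-ADGroup -Filter * | Get-MisplacedGroup -ExpectedCategory $rules
```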
You can download the script here or copy it from below.
Hope you like it. If you have any questions or anything else please let me know in the comments below.
- Encrypt password with key using PowerShell
- Send Email using PowerShell
- Email error variable in PowerShell
- Get-Help – Microsoft Docs
- Import-Module – Microsoft Docs
- Get-Content – Microsoft Docs
- ConvertTo-SecureString – Microsoft Docs
- New-Object – Microsoft Docs
- Get-ADOrganizationalUnit – Microsoft Docs
- Get-ADGroup – Microsoft Docs
- Send-MailMessage – Microsoft Docs
- Get-Date – Microsoft Docs
Solution / Script:
<#
.SYNOPSIS
  Name: Get-GroupWringLocation.ps1
  The purpose of this script is to provide you with an email report for groups in the wrong Organisational Unit.

.DESCRIPTION
  This is a simple script to retrieve all group objects in Active Directory and then check if the Organizational Unit in Active Directory that it is under is correct based on group type (Distribution and Security

.RELATED LINKS