Check if AD group is in correct OU

15/02/2018 by Stephanos 1 Comment

Scenario:

Check if AD group is in correct OU.

In Active Directory there are two main types of groups, Distribution and Security groups. Some organizations may want to keep these two types of groups separated. When you create a group, you can create it under the correct OU in Active Directory. After some time a distribution group might need to be changed to a security group, or vice versa. If the organization is small you can keep track of those changes and move the group under the correct OU. In big organizations, or if there is local IT at each location of the organization that can perform such changes, it is almost impossible to keep track of them and to ensure that groups are moved under the correct OU after the group type has been changed.

I wrote the script below to provide me with an email report if there is any group located under an incorrect OU in Active Directory. This will become clearer below, where a more detailed explanation is given. Please note that we also ensure that local IT administrators are able to create groups only under specific OUs, as there is delegation in Active Directory.

Let's see it in more detail

The first part of the script is only the description and help information of the script, which can be retrieved by using the Get-Help command. We start our script by importing the Active Directory module so we will be able to use the commands needed. After that we define a few variables that will be used later. The first one is the file that holds our encrypted password, which will be used to send the email report. Then we define the key that was used to encrypt the password, so we can use it for the decryption. After we have set the user that will authenticate to send the email, we retrieve the password from the file and set up the email credentials and the from and to email addresses.

The next two commands retrieve from Active Directory all Organisational Units that are supposed to hold Distribution groups and Security groups. We save them in variables so we will be able to go through them and check if any groups are not under the correct Organisational Unit. After that, we define two more variables that are part of the HTML email that will carry the report. The HTML code is split and will be combined later for the report. Two foreach loops are then used to check each Organisational Unit in each variable for groups that are placed incorrectly. The first loop checks if there are any security groups under the Organisational Units that are supposed to have only distribution groups. The second loop checks the opposite: whether there are any distribution groups under the Organisational Units that are supposed to have security groups. All the values found, if there are any, are saved in variables to be used for the reporting.
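The password file and key described above can be prepared as follows; this is an added example, not part of the original script, and it swaps the inline key for a random key kept in its own ACL-restricted file, because a key written in the script lets anyone who can read the script and Password.txt recover the password. The key file path and the DOMAIN\ScriptRunner account are assumptions.

```powershell
# Added example (not from the original post). Run once, as an administrator,
# to create the encrypted password file that the report script reads.
$passFile = 'C:\Scripts\Password.txt'   # same file the report script uses
$keyFile  = 'C:\Scripts\Password.key'   # hypothetical path for the AES key
$runAs    = 'DOMAIN\ScriptRunner'       # hypothetical account that runs the scheduled script

# 1. Generate a random 256-bit key instead of a predictable 1..32 sequence.
$key = New-Object byte[] 32
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$rng.GetBytes($key)
$rng.Dispose()
[System.IO.File]::WriteAllBytes($keyFile, $key)

# 2. Prompt for the SMTP password and store it encrypted with that key.
Read-Host -Prompt 'SMTP password' -AsSecureString |
    ConvertFrom-SecureString -Key $key |
    Set-Content -Path $passFile

# 3. Remove inherited permissions and allow only the run-as account and
#    local administrators to read the key and the encrypted password.
foreach ($path in $keyFile, $passFile) {
    $acl = Get-Acl -Path $path
    $acl.SetAccessRuleProtection($true, $false)   # protect ACL, drop inherited entries
    foreach ($identity in $runAs, 'BUILTIN\Administrators') {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $identity, 'FullControl', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $path -AclObject $acl
}

# 4. In the report script, load the key from the file instead of hard-coding it.
$key      = [System.IO.File]::ReadAllBytes($keyFile)
$password = Get-Content -Path $passFile | ConvertTo-SecureString -Key $key
```

With this layout, read access to the script alone no longer reveals the key; the file ACLs become the control to audit.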

Reporting

After we have gathered all the information, an email report will be sent if any group is found under a wrong Organisational Unit, providing us with the name of the group and the Organisational Unit that it is under. If nothing is found then no email will be sent. There is also an error email, which will be sent if there are any errors or exceptions during the process. The error email will include all errors and exceptions thrown during the run of the script. Before sending any HTML email out, we combine the parts of the HTML code so the code is complete.

Permissions

The user that runs the script needs to have read permissions on Active Directory for the specific Organisational Units and Group Objects.

You can download the script here or copy it from below.

Hope you like it. If you have any questions or anything else please let me know in the comments below.

Related Links:

  • Encrypt password with key using PowerShell
  • Send Email using PowerShell
  • Email error variable in PowerShell
  • Get-Help – Microsoft Docs
  • Import-Module – Microsoft Docs
  • Get-Content – Microsoft Docs
  • ConvertTo-SecureString – Microsoft Docs
  • New-Object – Microsoft Docs
  • Get-ADOrganizationalUnit – Microsoft Docs
  • Get-ADGroup – Microsoft Docs
  • Send-MailMessage – Microsoft Docs
  • Get-Date – Microsoft Docs

Solution / Script:

<#
.SYNOPSIS
  Name: Get-GroupWringLocation.ps1
  The purpose of this script is to provide you with an email report for groups in the wrong
  Organisational Unit.

.DESCRIPTION
  This is a simple script to retrieve all group objects in Active Directory and then check if the
  Organizational Unit in Active Directory that each is under is correct based on group type
  (Distribution and Security).

.LINK
  Home

.NOTES
  Update : 10-01-2018 Changed the method that OUs are collected.
  Release Date: 14-04-2017
  Author: Stephanos Constantinou

.EXAMPLE
  Get-GroupWringLocation.ps1
  Report will be sent to the email address that you will configure in the script.
#>

Import-Module ActiveDirectory

# Encrypted SMTP password file and the key that was used to encrypt it.
# Anyone who can read both this script and the password file can decrypt the password.
$file = "C:\Scripts\Password.txt"
$key = (1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32)

# Account that authenticates to the SMTP server, and the report addresses
$user = "Script-User@domain.com"
$password = Get-Content $file | ConvertTo-SecureString -Key $key
$EmailCredentials = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $user,$password
$To = 'User1@domain.com'
$From = 'Script-User@domain.com'

# OUs that are supposed to contain only distribution groups / only security groups
$AllDistributions = (Get-ADOrganizationalUnit -Properties DistinguishedName -Filter * -SearchBase "OU=Offices,DC=domain,DC=com" |
    where {$_.DistinguishedName -like "OU=DistributionGroups,OU=Groups,OU=*"}).DistinguishedName
$AllSecurity = (Get-ADOrganizationalUnit -Properties DistinguishedName -Filter * -SearchBase "OU=Offices,DC=domain,DC=com" |
    where {$_.DistinguishedName -like "OU=SecurityGroups,OU=Groups,OU=*"}).DistinguishedName

$DistributionResult = ""
$SecurityResult = ""

# HTML report, split in three parts that are combined after the checks
$EmailUp = @"
<style>
body { font-family:Segoe, "Segoe UI", "DejaVu Sans", "Trebuchet MS", Verdana, sans-serif !important; color:#434242;}
TABLE { font-family:Segoe, "Segoe UI", "DejaVu Sans", "Trebuchet MS", Verdana, sans-serif !important; border-width: 1px;border-style: solid;border-color: black;border-collapse: collapse;}
TR {border-width: 1px;padding: 10px;border-style: solid;border-color: white; }
TD {font-family:Segoe, "Segoe UI", "DejaVu Sans", "Trebuchet MS", Verdana, sans-serif !important; border-width: 1px;padding: 10px;border-style: solid;border-color: white; background-color:#C3DDDB;}
.colorm {background-color:#58A09E; color:white;}
.colort{background-color:#58A09E; padding:20px; color:white; font-weight:bold;}
.colorn{background-color:transparent;}
</style>
<body>
<h3>Distribution and Security Groups Check</h3>
<h4>Distribution Groups Check:</h4>
<table>
<tr>
<td class="colort">Group Name</td>
<td class="colort">Active Directory Location</td>
</tr>
"@

$EmailMiddle = @"
</table>
<br>
<h4>Security Groups Check:</h4>
<table>
<tr>
<td class="colort">Group Name</td>
<td class="colort">Active Directory Location</td>
</tr>
"@

$EmailDown = @"
</table>
</body>
"@

cd ad:

# Security groups found under OUs reserved for distribution groups
foreach ($Distribution in $AllDistributions){
    $DistributionCheck = (Get-ADGroup -Filter {GroupCategory -eq "Security"} -SearchBase "$Distribution").name
    if ($null -ne $DistributionCheck){
        # Join multiple names and HTML-encode them before they go into the report
        $DistributionNames = [System.Net.WebUtility]::HtmlEncode(($DistributionCheck -join ', '))
        $DistributionOU = [System.Net.WebUtility]::HtmlEncode($Distribution)
        $DistributionResultTemp = @"
<tr>
<td class="colorm">$DistributionNames</td>
<td>$DistributionOU</td>
</tr>
"@
        $DistributionResult = $DistributionResult + "`r`n" + $DistributionResultTemp
    }
}

# Distribution groups found under OUs reserved for security groups
foreach ($Security in $AllSecurity){
    $SecurityCheck = (Get-ADGroup -Filter {GroupCategory -eq "Distribution"} -SearchBase "$Security").name
    if ($null -ne $SecurityCheck){
        $SecurityNames = [System.Net.WebUtility]::HtmlEncode(($SecurityCheck -join ', '))
        $SecurityOU = [System.Net.WebUtility]::HtmlEncode($Security)
        $SecurityResultTemp = @"
<tr>
<td class="colorm">$SecurityNames</td>
<td>$SecurityOU</td>
</tr>
"@
        $SecurityResult = $SecurityResult + "`r`n" + $SecurityResultTemp
    }
}

$Email = $EmailUp + $DistributionResult + $EmailMiddle + $SecurityResult + $EmailDown

# Send the report if any group was found in a wrong OU in either check
if (($DistributionResult -ne "") -or ($SecurityResult -ne "")){
    send-mailmessage `
        -To $To `
        -Subject "Distribution and Security Groups AD Location Check Report $(Get-Date -format dd/MM/yyyy)" `
        -Body $Email `
        -BodyAsHtml `
        -Priority high `
        -UseSsl `
        -Port 587 `
        -SmtpServer 'smtp.office365.com' `
        -From $From `
        -Credential $EmailCredentials
}

# Send a separate warning email if any errors were recorded during the run
if ($Error.Count -gt 0){
    $ErrorEmailResult = ""
    foreach ($value in $Error){
        $ErrorText = [System.Net.WebUtility]::HtmlEncode("$value")
        $ErrorEmailTemp = @"
<tr>
<td class="colorm">$ErrorText</td>
</tr>
"@
        $ErrorEmailResult = $ErrorEmailResult + "`r`n" + $ErrorEmailTemp
    }

    $ErrorEmailUp = @"
<style>
body {font-family:Segoe, "Segoe UI", "DejaVu Sans", "Trebuchet MS", Verdana, sans-serif !important; color:#434242;}
TABLE {font-family:Segoe, "Segoe UI", "DejaVu Sans", "Trebuchet MS", Verdana, sans-serif !important; border-width: 1px;border-style: solid;border-color: black;border-collapse: collapse;}
TR {border-width: 1px;padding: 10px;border-style: solid;border-color: white; }
TD {font-family:Segoe, "Segoe UI", "DejaVu Sans", "Trebuchet MS", Verdana, sans-serif !important; border-width: 1px;padding: 10px;border-style: solid;border-color: white; background-color:#C3DDDB;}
.colorm {background-color:#58A09E; color:white;}
h3 {color:#BD3337 !important;}
</style>
<body>
<h3 style="color:#BD3337 !important;"> WARNING!!!</h3>
<p>There were errors during Distribution and Security Groups AD Location check</p>
<p>Please check the errors and act accordingly</p>
<table>
"@

    $ErrorEmailDown = @"
</table>
</body>
"@

    $ErrorEmail = $ErrorEmailUp + $ErrorEmailResult + $ErrorEmailDown

    send-mailmessage `
        -To $To `
        -Subject "Distribution and Security Groups AD Location Check Report $(Get-Date -format dd/MM/yyyy) - WARNING" `
        -Body $ErrorEmail `
        -BodyAsHtml `
        -Priority high `
        -UseSsl `
        -Port 587 `
        -SmtpServer 'smtp.office365.com' `
        -From $From `
        -Credential $EmailCredentials
}
