Stephanos Constantinou Blog

PowerShell Scripting

Home » Blogs » Check if AD group is in correct OU

Check if AD group is in correct OU

by 1 Comment

Check if AD group is in correct OU

Scenario:

Check if AD group is in correct OU.

In Active Directory there are two main types of groups, Distribution and Security Groups. Some organizations may want to keep these two types of groups separated. When you create a group, you can create it under the correct OU in Active Directory. After some time a distribution group might needed to be changed to Security group and the vice versa. If the organization is small you can keep track of those changes and move the group under the correct OU. In big organizations, or if there is a local IT on each location of the organization that can perform such cases, it is almost impossible to keep track of those changes. And also ensure that groups are moved under the correct OU after the group type has been changed.

I wrote the below script just to provide me with an email report if there is any group located under incorrect OU in Active Directory. We will understand better below that a more detail explanation will be given. Please note that we also assure that local IT administrators are able to create groups only under specific OUs as there is delegation on Active Directory.

Let see in more detail

The first part of the script is only the description and help information of the script that can be retrieved by using Get-Help command. We start our script by importing the Active Directory module so we will be able to use the command needed. After that we define a few variables to that will be used later. The first one is the file that holds our encrypted password, that will be used to send the email report. Then we define the key that was used to encrypt the password so we will use it for the decryption. After we have set our user that will authenticate to send the email, we are going to retrieve the password from the file, setup email credentials, from and to email addresses.

The next two commands will retrieve from Active Directory all Organisational Units, that are suppose to have Distribution groups and Security groups. We save them in a variable so we will be able to go through and check  if any groups are not under the correct Organisational Unit. After that, we define 2 more variables, that we part of the HTML emails that will send the report. The HTML code is split and will be combined later for the report. Two foreach loops are used later to check each Organisational Unit for each variable if any group is placed incorrectly. The first loop checks if there are any security groups under the Organisational Units that are suppose to have only distribution groups. The second loop checks the opposite. It checks if there are any distribution groups under the Organisational Units that are suppose to have security groups. All the values found, if there are any we will saved in variables to be used for the reporting.

Reporting

After we have gathered all the information, an email report will be send if any group is found under a wrong Organizational Unit, providing as the name of the group and the Organisational Unit that it is under. If nothing is found then no email will be sent. Also there are an error email which will be sent if there are any errors or exceptions during the process. The error email will include all errors exceptions thrown during the run of the script. Before send any HTML email out, we combine the part of the HTML code so the code will be completed.

Permissions

The user that you will run the script needs to have read permissions on Active Directory for the specific Organisational Units and Group Objects.

You can download the script here or copy it from below.

Hope you like it. If you have any questions or anything else please let me know in the comments below.

Related Links:

Solution / Script:

<#
.SYNOPSIS
  Name: Get-GroupWringLocation.ps1
  The purpose of this script is to provide you with email report for groups in wrong Orgnanisational
  Unit.

.DESCRIPTION
  This is a simple script to retrieve all group objects in Active Directory and then check if the
  Organizational Unit in Active Directory that is under is correct based on group type (Distribution
  and Security

.RELATED LINKS
  
Home


.NOTES
  Update : 10-01-2018 Changed the method that Ous are collected.
  Release Date: 14-04-2017

  Author: Stephanos Constantinou

.EXAMPLE
  Get-GroupWringLocation.ps1
  Report will be sent to the email address that you will configure in the script.
#>

Import-Module ActiveDirectory

$file = "C:\Scripts\Password.txt"
$key = (1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32)
$user = "[email protected]"
$password = Get-Content $file | ConvertTo-SecureString -Key $key
$EmailCredentials = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $user,$password
$To = '[email protected]'
$From = '[email protected]'

$AllDistributions = (Get-ADOrganizationalUnit -Properties DistinguishedName -Filter * -SearchBase "OU=Offices,DC=domain,DC=com" | where {$_.DistinguishedName -like "OU=DistributionGroups,OU=Groups,OU=*"}).DistinguishedName

$AllSecurity = (Get-ADOrganizationalUnit -Properties DistinguishedName -Filter * -SearchBase "OU=Offices,DC=domain,DC=com" | where {$_.DistinguishedName -like "OU=SecurityGroups,OU=Groups,OU=*"}).DistinguishedName

$DistributionResult = ""
$SecurityResult = ""

$EmailUp = @"
<img src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7" data-wp-preserve="%3Cstyle%3E%0A%0Abody%20%7B%20font-family%3ASegoe%2C%20%22Segoe%20UI%22%2C%20%22DejaVu%20Sans%22%2C%20%22Trebuchet%20MS%22%2C%20Verdana%2C%20sans-serif%20!important%3B%20color%3A%23434242%3B%7D%0ATABLE%20%7B%20font-family%3ASegoe%2C%20%22Segoe%20UI%22%2C%20%22DejaVu%20Sans%22%2C%20%22Trebuchet%20MS%22%2C%20Verdana%2C%20sans-serif%20!important%3B%20border-width%3A%201px%3Bborder-style%3A%20solid%3Bborder-color%3A%20black%3Bborder-collapse%3A%20collapse%3B%7D%0ATR%20%7Bborder-width%3A%201px%3Bpadding%3A%2010px%3Bborder-style%3A%20solid%3Bborder-color%3A%20white%3B%20%7D%0ATD%20%7Bfont-family%3ASegoe%2C%20%22Segoe%20UI%22%2C%20%22DejaVu%20Sans%22%2C%20%22Trebuchet%20MS%22%2C%20Verdana%2C%20sans-serif%20!important%3B%20border-width%3A%201px%3Bpadding%3A%2010px%3Bborder-style%3A%20solid%3Bborder-color%3A%20white%3B%20background-color%3A%23C3DDDB%3B%7D%0A.colorm%20%7Bbackground-color%3A%2358A09E%3B%20color%3Awhite%3B%7D%0A.colort%7Bbackground-color%3A%2358A09E%3B%20padding%3A20px%3B%20color%3Awhite%3B%20font-weight%3Abold%3B%7D%0A.colorn%7Bbackground-color%3Atransparent%3B%7D%0A%3C%2Fstyle%3E" data-mce-resize="false" data-mce-placeholder="1" class="mce-object" width="20" height="20" alt="<style>" title="<style>" />
<body>

<h3>Distribution and Security Groups Check</h3>

<h4>Distribution Groups Check:</h4>

<table>
  <tr>
    <td class="colort">Group Name</td>
    <td class="colort">Active Directory Location</td>
  </tr>
"@

$EmailMiddle = @"
</table>
<br>
<h4>Security Groups Check:</h4>

<table>
   <tr>
      <td class="colort">Group Name</td>
      <td class="colort">Active Directory Location</td>
   </tr>
"@

$EmailDown = @"
</table>
</body>
"@

cd ad:

foreach ($Distribution in $AllDistributions){

   $DistributionCheck = (Get-ADGroup -Filter {GroupCategory -eq "Security"} -SearchBase "$Distribution").name

   if ($DistributionCheck -ne $null){

      $DistributionResultTemp = @"
   <tr>
      <td class="colorm">$DistributionCheck</td>
      <td>$Distribution</td>
   </tr>
"@

      $DistributionResult = $DistributionResult + "`r`n" + $DistributionResultTemp
   }
}

foreach ($Security in $AllSecurity){

   $SecurityCheck = (Get-ADGroup -Filter {GroupCategory -eq "Distribution"} -SearchBase "$Security").name

   if ($SecurityCheck -ne $null){

      $SecurityResultTemp = @"
   <tr>
      <td class="colorm">$SecurityCheck</td>
      <td>$Security</td>
   </tr>
"@

      $SecurityResult = $SecurityResult + "`r`n" + $SecurityResultTemp
   }
}

$Email = $EmailUp + $DistributionResult + $EmailMiddle + $SecurityResult + $EmailDown

if (($DistributionResult -ne "") -and ($securityResult -ne "")){

   send-mailmessage `
      -To $To `
      -Subject "Distribution and Security Groups AD Location Check Report $(Get-Date -format dd/MM/yyyy)" `
      -Body $Email `
      -BodyAsHtml `
      -Priority high `
      -UseSsl `
      -Port 587 `
      -SmtpServer 'smtp.office365.com' `
      -From $From `
      -Credential $EmailCredentials
}

if ($error -ne $null){

   foreach ($value in $error){

      $ErrorEmailTemp = @"
   <tr>
      <td class="colorm">$value</td>
   </tr>
"@

      $ErrorEmailResult = $ErrorEmailResult + "`r`n" + $ErrorEmailTemp
   }

   $ErrorEmailUp = @"
<img src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7" data-wp-preserve="%3Cstyle%3E%0Abody%20%7Bfont-family%3ASegoe%2C%20%22Segoe%20UI%22%2C%20%22DejaVu%20Sans%22%2C%20%22Trebuchet%20MS%22%2C%20Verdana%2C%20sans-serif%20!important%3B%20color%3A%23434242%3B%7D%0ATABLE%20%7Bfont-family%3ASegoe%2C%20%22Segoe%20UI%22%2C%20%22DejaVu%20Sans%22%2C%20%22Trebuchet%20MS%22%2C%20Verdana%2C%20sans-serif%20!important%3B%20border-width%3A%201px%3Bborder-style%3A%20solid%3Bborder-color%3A%20black%3Bborder-collapse%3A%20collapse%3B%7D%0ATR%20%7Bborder-width%3A%201px%3Bpadding%3A%2010px%3Bborder-style%3A%20solid%3Bborder-color%3A%20white%3B%20%7D%0ATD%20%7Bfont-family%3ASegoe%2C%20%22Segoe%20UI%22%2C%20%22DejaVu%20Sans%22%2C%20%22Trebuchet%20MS%22%2C%20Verdana%2C%20sans-serif%20!important%3B%20border-width%3A%201px%3Bpadding%3A%2010px%3Bborder-style%3A%20solid%3Bborder-color%3A%20white%3B%20background-color%3A%23C3DDDB%3B%7D%0A.colorm%20%7Bbackground-color%3A%2358A09E%3B%20color%3Awhite%3B%7D%0Ah3%20%7Bcolor%3A%23BD3337%20!important%3B%7D%0A%3C%2Fstyle%3E" data-mce-resize="false" data-mce-placeholder="1" class="mce-object" width="20" height="20" alt="<style>" title="<style>" />

<body>
<h3 style="color:#BD3337 !important;"> WARNING!!!</h3>

<p>There were errors during Distribution and Security Groups AD Location check</p>

<p>Please check the errors and act accordingly</p>

<table>

"@

   $ErrorEmailDown = @"
</table>
</body>
"@

   $ErrorEmail = $ErrorEmailUp + $ErrorEmailResult + $ErrorEmailDown

   send-mailmessage `
      -To $To `
      -Subject "Distribution and Security Groups AD Location Check Report $(Get-Date -format dd/MM/yyyy) - WARNING" `
      -Body $ErrorEmail `
      -BodyAsHtml `
      -Priority high `
      -UseSsl `
      -Port 587 `
      -SmtpServer 'smtp.office365.com' `
      -From $From `
      -Credential $EmailCredentials
}

Reader Interactions

Trackbacks

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.