AD Shadow Groups with Windows PowerShell: An Update

I’ve made a fair amount of changes to the shadow group sync script, it’s a fair amount more powerful and much more flexible than the first version. You can now sync user and computer objects into groups from an OU, but with the added functionality of filters to narrow for specific user or computer attribute values. There are a few changes to the format of the CSV, detailed in the script comments, along with an example of the filters that you can use (see the Microsoft TechNet article on PowerShell Active Directory filter syntax for more information).


There’s some more changes here, the script now takes the CSV as an argument to the script file. For example:

.\shadowGroupSync.ps1 ".\TheCSVFile.csv"
.\shadowGroupSync.ps1 -file ".\TheCSVFile.csv"

are both valid ways or running the script.

As before, feel free to use it in any way you want. It’s pretty straightforward, but may contain bugs which I take no responsibility for.

Current version:

Older versions:

Thanks to i3laze for his work with this. I probably wouldn’t have made the effort to extend the script without it.

2 thoughts on “AD Shadow Groups with Windows PowerShell: An Update”

  1. v.4 of your script creates Universal shadow groups but for the Fine Grained Password Policy the group should be Global.

    1. Aha, that’s a good point Dmitry. I am using a slightly different version that creates global groups in a production environment. I’ll look into a further version with an option to control the group type.

      Thanks for the feedback!

Your words