Category Archives: Networks

Managing AD Shadow Groups using Windows PowerShell

I’ve done a bit of work with Windows PowerShell lately; here’s a little script to sync AD OUs with ‘shadow groups’ (groups whose membership mirrors the contents of an OU).

I couldn’t find a full solution that I could pick up and use, so I rolled my own to sync some OUs containing computers with some groups.

The script reads from a CSV that defines the source OUs and the group names you want to populate. Inside the script, the destination OU gets set, where the shadow groups will exist.

I’ve linked to the code below, feel free to use it in any way you want. It’s pretty straightforward, but may contain bugs which I take no responsibility for.
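The following is an added example rather than the script linked from this post. It follows the same design described above (a CSV of source OU / group name pairs, with the destination OU set inside the script) and assumes the ActiveDirectory module from RSAT and PowerShell 3 or later; the CSV path, destination OU and sample DNs are constructed placeholders. Because a shadow group’s membership is derived purely from OU placement, anyone who can create or move computer objects in the source OU effectively controls the group, so the OU’s permissions deserve the same scrutiny as the group’s.

```powershell
# Added example, not the script linked from this post.
# Assumptions: ActiveDirectory module (RSAT) present, PowerShell 3+,
# and the following constructed values.
#
# Sample shadowgroups.csv (constructed):
#   SourceOU,GroupName
#   "OU=Lab Computers,DC=example,DC=com",SG-LabComputers
Import-Module ActiveDirectory

$CsvPath       = 'C:\Scripts\shadowgroups.csv'            # constructed path
$DestinationOU = 'OU=Shadow Groups,DC=example,DC=com'     # constructed; where the shadow groups live

function Sync-ShadowGroup {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $SourceOU,
        [Parameter(Mandatory)] [string] $GroupName,
        [Parameter(Mandatory)] [string] $DestinationOU
    )

    # Find the shadow group in the destination OU; create it if it is missing.
    $group = Get-ADGroup -Filter "Name -eq '$GroupName'" -SearchBase $DestinationOU -Properties member
    if (-not $group) {
        if (-not $PSCmdlet.ShouldProcess($GroupName, 'Create shadow group')) { return }
        $group = New-ADGroup -Name $GroupName -Path $DestinationOU `
                             -GroupScope DomainLocal -GroupCategory Security -PassThru
        $group = Get-ADGroup -Identity $group -Properties member
    }

    # Desired membership: computer objects directly under the source OU.
    $wanted  = @(Get-ADComputer -Filter * -SearchBase $SourceOU -SearchScope OneLevel |
                 Select-Object -ExpandProperty DistinguishedName)
    # Current membership, read from the 'member' attribute (avoids the Get-ADGroupMember size limit).
    $current = @($group.member)

    $toAdd    = @($wanted  | Where-Object { $_ -notin $current })
    $toRemove = @($current | Where-Object { $_ -notin $wanted })

    if ($toAdd.Count -gt 0 -and $PSCmdlet.ShouldProcess($GroupName, "Add $($toAdd.Count) member(s)")) {
        Add-ADGroupMember -Identity $group -Members $toAdd
    }
    if ($toRemove.Count -gt 0 -and $PSCmdlet.ShouldProcess($GroupName, "Remove $($toRemove.Count) member(s)")) {
        Remove-ADGroupMember -Identity $group -Members $toRemove -Confirm:$false
    }

    # Summary row per group, so each run can be logged and reviewed.
    [pscustomobject]@{
        Group   = $GroupName
        Wanted  = $wanted.Count
        Added   = $toAdd.Count
        Removed = $toRemove.Count
    }
}

# Dry run first (-WhatIf); drop the switch once the reported changes look right.
Import-Csv -Path $CsvPath | ForEach-Object {
    Sync-ShadowGroup -SourceOU $_.SourceOU -GroupName $_.GroupName -DestinationOU $DestinationOU -WhatIf
}
```

Running it under a scheduled task with an account that only has write-members rights on the destination OU keeps the blast radius small if the CSV is ever tampered with.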



i3laze (i3laze ‘at’ yandex ‘dot’ ru) supplied an updated script that deals with syncing mail-enabled users and child domains, and not just computers. As with the first version, I take no responsibility if the script has bugs or somehow manages to nuke your domain.

Download: i3laze-shadowGroupSync

I’ve done some work to merge the two versions, which will give the script a lot more flexibility as to the object types it will sync, but there’s still a bit of testing to do before I post it.


Newer versions of the script are here. This post is kept as a reference to the first version of the script.

Managing OSX (10.6): Preferences for Macs connected to an Active Directory domain

A follow-up to my earlier article “Managed Preferences without OSX Server”, this is a run through of what to do once you’ve got your Macs in Active Directory (AD) and want to manage policies for groups of machines (computer-lists, in Apple terminology) instead of managing preferences individually on each machine.

First of all, a computer-list ‘group’ is needed. AD has no such object: AD groups can hold any object type and are not split by member type, so you need to open ADSI Edit, create an object based on the computer-list class, and then add the machine accounts to it manually, because AD does not treat this object as a group. When you add machines to it, specify the machine’s object name in AD (the machine name followed by the $ sign). Look here for more info + images on how that looks.

Once the computer-list is created and the Macs are added into this group, you can manage the preferences just by changing the group’s attributes with Workgroup Manager, shown below. After opening Workgroup Manager, you need to ‘View Directories’, as you can’t connect to AD in the same way Workgroup Manager would connect to Open Directory (OD). Then you have to authenticate yourself with your AD account set up to administer the computer-list group. This is so you don’t have to log into the Mac with Workgroup Manager as an admin all the time.

[Screenshots: Workgroup Manager menu; Workgroup Manager preferences for the computer-list; Workgroup Manager parental controls preferences]


Once you’ve logged in and found your computer-list group, the journey is nearly over, all that’s left is to change some preferences! We don’t want any profanity displayed in the dictionary now, do we?

That’s pretty much it. It’s a little annoying having to maintain the machine group with ADSI Edit, but I’m sure some PowerShell scripting that automatically adds machines with iMac or apple in the name to this group would be pretty easy.
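As an added example (not code from this post), the ADSI Edit step can be automated like this. It assumes the Apple schema extension is in place, that the computer-list object has already been created, and that the list stores its members as ‘NAME$’ strings in the multi-valued attribute apple-computers; that attribute name is my reading of Apple’s schema and should be checked against the ldapDisplayName in your own schema. The DN is a constructed placeholder. The function only ever adds entries, so anything added by hand in ADSI Edit is left alone.

```powershell
# Added example, not from the post. Adds Mac computer accounts (names containing
# 'iMac' or 'apple') to an apple-computer-list object.
# Assumptions: Apple schema extension applied, list object exists, members stored
# as 'NAME$' in 'apple-computers' (verify this attribute name against your schema).
Import-Module ActiveDirectory

$ComputerListDN = 'CN=Macs,CN=Computers,DC=example,DC=com'   # constructed DN
$MemberAttr     = 'apple-computers'                           # assumed ldapDisplayName

function Add-AppleComputerListMembers {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $ComputerListDN,
        [Parameter(Mandatory)] [string] $MemberAttr
    )

    # AD filters are case-insensitive, so 'imac' also matches 'iMac'.
    # SamAccountName of a computer account is its name followed by '$'.
    $wanted = @(Get-ADComputer -Filter "Name -like '*imac*' -or Name -like '*apple*'" |
                Select-Object -ExpandProperty SamAccountName)

    # Read the list's current members from the (assumed) multi-valued attribute.
    $list    = Get-ADObject -Identity $ComputerListDN -Properties $MemberAttr
    $current = @($list.$MemberAttr)

    $toAdd = @($wanted | Where-Object { $_ -notin $current })

    if ($toAdd.Count -gt 0 -and $PSCmdlet.ShouldProcess($ComputerListDN, "Add: $($toAdd -join ', ')")) {
        Set-ADObject -Identity $ComputerListDN -Add @{ $MemberAttr = $toAdd }
    }

    [pscustomobject]@{
        ComputerList = $ComputerListDN
        Matched      = $wanted.Count
        Added        = $toAdd.Count
    }
}

# Dry run first; remove -WhatIf once the list of additions looks right.
Add-AppleComputerListMembers -ComputerListDN $ComputerListDN -MemberAttr $MemberAttr -WhatIf
```

A naming-convention match is a weak selector: any account renamed to contain ‘apple’ would be pulled into the list and receive its managed preferences, so the OU-based approach from the shadow group post is the safer selector where the Macs already live in their own OU.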

MacOSX (10.6): Managed Preferences without OSX Server

I have tested this in both a development and a production Windows Server 2008 R2 environment, extending the schema to allow Mac OSX computers to receive managed preferences directly from Active Directory (AD), without requiring a separate OSX directory server to supply those preferences.

I don’t understand why Apple don’t just give people the pre-made ldif file, configured to add only the missing classes and attributes. The current method involves having to buy OSX Server to do this, which is crazy (this may have changed in 10.7, I don’t know yet).

Anyway, below is the correctly configured ldif file that will add the required attributes and classes to an AD schema. The environment I tested it in was a standard AD with the schema extensions for System Center Configuration Manager (SCCM) applied.

The following file is supplied with absolutely no guarantees and may in fact cause your Active Directory environment to spontaneously combust, or develop an unhealthy craving for human brains.


You should add this schema modification to the AD schema using the following command:

ldifde -i -u -f ADSchemaExtension_OSX10.6.ldif -s server:port -b username domain password -j . -c "cn=Configuration,dc=X" #configurationNamingContext

If you run this command on the schema master, you can omit the username/password and server/port parts of the command, like so:

ldifde -i -u -f ADSchemaExtension_OSX10.6.ldif -j . -c "cn=Configuration,dc=X" #configurationNamingContext

More information on ldifde is in the technet article for ldifde.
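Schema objects cannot be deleted once created (at best they can be made defunct), so it is worth confirming that the import did what you expected before building anything on top of it, ideally in a lab forest first. The following added check, which is not part of the post, reads the log files that `ldifde -j .` leaves in the current directory (ldif.log, and ldif.err when errors occurred) and lists the Apple classes in the schema partition. It assumes the ActiveDirectory module; the class names in the default parameter are the ones I expect from Apple’s 10.6 extension and should be compared against the contents of the ldif file you actually imported.

```powershell
# Added example, not from the post: verify an ldifde schema import.
# Assumptions: ActiveDirectory module available; the expected class names below
# come from my reading of Apple's 10.6 schema and should match your ldif file.
Import-Module ActiveDirectory

function Test-AppleSchemaExtension {
    [CmdletBinding()]
    param(
        [string[]] $ExpectedClasses = @('apple-user', 'apple-group', 'apple-computer', 'apple-computer-list'),
        [string]   $LogDirectory = '.'     # where 'ldifde -j .' wrote ldif.log / ldif.err
    )

    # ldif.err only appears when ldifde hit errors, so its presence is itself a signal.
    $errLog = Join-Path $LogDirectory 'ldif.err'
    if (Test-Path $errLog) {
        Write-Warning "ldifde error log present: $errLog"
        Get-Content $errLog | ForEach-Object { Write-Warning $_ }
    }

    # Schema partition of the forest this machine belongs to.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext

    # Every schema object (class or attribute) whose LDAP name starts with 'apple-'.
    $appleObjects = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=apple-*)' `
                                 -Properties lDAPDisplayName, objectClass
    $present = @($appleObjects | Select-Object -ExpandProperty lDAPDisplayName)

    Write-Verbose ("Found {0} apple-* schema objects in {1}" -f $present.Count, $schemaNC)

    # One row per expected class so a missing one stands out in the output.
    foreach ($cls in $ExpectedClasses) {
        [pscustomobject]@{
            Class   = $cls
            Present = ($cls -in $present)
        }
    }
}

Test-AppleSchemaExtension -Verbose | Format-Table -AutoSize
```

If any expected class shows Present = False, check ldif.log for the entry that failed; a partial import leaves the schema in a state that a second run of the same ldif will not necessarily repair, because entries that already exist are reported as errors on re-import.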

Once the schema has been extended, you can treat the AD as a direct replacement for the OSX Open Directory Server in regards to managing preferences.

The next step is to join your Macs to the domain with the AD connector and set up your administration machine to control preferences for Macs in the domain, by installing the Server Admin Tools for OSX 10.6.