I’ve been doing some work recently with C# querying AD for locked out users. One of the requirements for this was to only show users that can be altered by the user running the program.
Fortunately there is a constructed (computed) AD attribute for the job, called allowedAttributesEffective: when it is requested on an object, the directory returns the list of attributes that the identity making the query has permission to write on that object, so no separate ACL evaluation is needed. Here is some sample code to check a user for attributes you can write to:
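As an added example (not the C# sample from the original post), the same check in PowerShell using System.DirectoryServices through the [adsisearcher] accelerator. allowedAttributesEffective is a constructed attribute, so it has to be requested explicitly, and it is evaluated for the credentials that bind, i.e. the user running the script. The function names and the use of lockoutTime as the attribute that decides whether an unlock will succeed are this example's own choices; the output object shape is assumed.

```powershell
# Added example; assumes the ActiveDirectory module is available for the last function.
function Get-WritableAttributes {
    param([Parameter(Mandatory = $true)][string]$SamAccountName)

    $filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$SamAccountName))"
    $searcher = [adsisearcher]$filter
    # Constructed attributes are only returned when they are asked for by name.
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'allowedAttributesEffective'))

    $result = $searcher.FindOne()
    if (-not $result) { throw "User '$SamAccountName' not found" }

    # Property names in the result collection are lower-case; the attribute is absent
    # entirely when the caller cannot write anything on the object.
    if ($result.Properties.Contains('allowedattributeseffective')) {
        return @($result.Properties['allowedattributeseffective'])
    }
    return @()
}

function Test-CanWriteAttribute {
    param(
        [Parameter(Mandatory = $true)][string]$SamAccountName,
        [Parameter(Mandatory = $true)][string]$Attribute
    )
    $writable = Get-WritableAttributes -SamAccountName $SamAccountName
    return ($writable -contains $Attribute)   # -contains is case-insensitive, matching LDAP names
}

# Unlocking an account writes lockoutTime, so a locked-out user is only unlockable by the
# caller if lockoutTime appears in allowedAttributesEffective for that user object.
function Get-UnlockableLockedOutUsers {
    Import-Module ActiveDirectory -ErrorAction Stop
    Search-ADAccount -LockedOut -UsersOnly | ForEach-Object {
        [pscustomobject]@{
            SamAccountName    = $_.SamAccountName
            DistinguishedName = $_.DistinguishedName
            CanUnlock         = Test-CanWriteAttribute -SamAccountName $_.SamAccountName -Attribute 'lockoutTime'
        }
    } | Where-Object { $_.CanUnlock }
}

# Usage:
#   Get-WritableAttributes -SamAccountName 'jsmith'
#   Get-UnlockableLockedOutUsers | Format-Table -AutoSize
```

One caveat worth keeping in mind: the attribute reflects the effective permissions of the bound identity at the moment of the query, so a tool that caches the result across a change of credentials (or runs under a service account rather than the interactive user) will show the wrong set of users.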
There have been a couple of updates to the shadowGroupSync tool over the past few days. Apart from a bit of development, I also went and threw it onto GitHub. You can check out my previous posts on it, or grab the latest version.
There’s also a development branch in the repository that lets you choose the type of group to create. UPDATE: The features from the development branch are now all in the stable version.
The stable branch has also had a few features added and a couple of little snags fixed. The main new feature is the ability to specify multiple source organisational units for inclusion into a single shadow group. These changes make the utility very useful for generating distribution lists or access groups based on whatever conditions you want; like employee type, manager, or existing group memberships.
The stable ‘master’ branch is essentially the script I use myself on a day to day basis, so it should work fine for you. However, as with all things not done yet, the development branch ‘next’ may be unstable. If downloading it sets your computer/server/domain/datacenter on fire (delete as appropriate), that’s got nothing to do with me.
I’ve made a fair number of changes to the shadow group sync script; it is a good deal more powerful and much more flexible than the first version. You can now sync user and computer objects into groups from an OU, with the added ability to apply filters that narrow the selection to specific user or computer attribute values. There are a few changes to the format of the CSV, detailed in the script comments, along with an example of the filters that you can use (see the Microsoft TechNet article on PowerShell Active Directory filter syntax for more information).
There are some more changes here: the script now takes the CSV as an argument to the script file. For example:
.\shadowGroupSync.ps1 -file ".\TheCSVFile.csv"
is a valid way of running the script.
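To make the sync logic concrete, here is an added example of a shadow group sync written for this page; it is not the shadowGroupSync.ps1 script from the repository and does not use its CSV format. It covers the features described above: a -File parameter for the CSV, several source OUs feeding one group, a PowerShell AD filter per row, user or computer objects, and a choice of group scope and category for groups that do not exist yet. The CSV column names (GroupName, GroupOU, GroupScope, GroupCategory, ObjectType, SourceOUs, Filter) and the ';' separator for SourceOUs are this example's own assumptions.

```powershell
<#
Added example, not the repository's script. Assumed CSV columns:
GroupName,GroupOU,GroupScope,GroupCategory,ObjectType,SourceOUs,Filter
e.g. "Staff-DL","OU=Groups,DC=example,DC=com",Universal,Distribution,user,
     "OU=Sales,DC=example,DC=com;OU=Support,DC=example,DC=com","enabled -eq `$true -and employeeType -eq 'Staff'"
Run with -WhatIf to see the adds/removes without changing anything.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param([Parameter(Mandatory = $true)][string]$File)

Import-Module ActiveDirectory -ErrorAction Stop

# Collect the objects that should be in the group, keyed by DN so that
# overlapping source OUs do not produce duplicate members.
function Get-SourceObjects {
    param([string]$ObjectType, [string[]]$SourceOUs, [string]$Filter)
    $found = @{}
    foreach ($ou in $SourceOUs) {
        $params = @{ SearchBase = $ou; SearchScope = 'Subtree'; Filter = $Filter }
        if ($ObjectType -eq 'user')          { $objects = Get-ADUser @params }
        elseif ($ObjectType -eq 'computer')  { $objects = Get-ADComputer @params }
        else { throw "Unsupported ObjectType '$ObjectType' (expected user or computer)" }
        foreach ($o in $objects) { $found[$o.DistinguishedName] = $o }
    }
    return $found
}

foreach ($row in Import-Csv -Path $File) {
    $sourceOUs = $row.SourceOUs -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    $filter    = if ([string]::IsNullOrWhiteSpace($row.Filter)) { '*' } else { $row.Filter }
    $wanted    = Get-SourceObjects -ObjectType $row.ObjectType -SourceOUs $sourceOUs -Filter $filter

    # Create the shadow group if it is missing, with the scope/category chosen in the CSV.
    $group = Get-ADGroup -Filter "Name -eq '$($row.GroupName)'" -SearchBase $row.GroupOU
    if (-not $group) {
        if (-not $PSCmdlet.ShouldProcess($row.GroupName, "Create $($row.GroupCategory) group")) { continue }
        $group = New-ADGroup -Name $row.GroupName -Path $row.GroupOU `
                             -GroupScope $row.GroupScope -GroupCategory $row.GroupCategory -PassThru
    }

    $current = @{}
    Get-ADGroupMember -Identity $group | ForEach-Object { $current[$_.DistinguishedName] = $_ }

    $toAdd    = @($wanted.Keys  | Where-Object { -not $current.ContainsKey($_) })
    $toRemove = @($current.Keys | Where-Object { -not $wanted.ContainsKey($_) })

    # Safety: an empty result set usually means a mistyped OU or filter. Refuse to
    # empty a group that currently has members rather than silently removing everyone.
    if ($wanted.Count -eq 0 -and $current.Count -gt 0) {
        Write-Warning "Source query for '$($row.GroupName)' returned nothing; skipping removals."
        $toRemove = @()
    }

    if ($toAdd.Count -gt 0 -and $PSCmdlet.ShouldProcess($group.Name, "Add $($toAdd.Count) member(s)")) {
        Add-ADGroupMember -Identity $group -Members $toAdd
    }
    if ($toRemove.Count -gt 0 -and $PSCmdlet.ShouldProcess($group.Name, "Remove $($toRemove.Count) member(s)")) {
        Remove-ADGroupMember -Identity $group -Members $toRemove -Confirm:$false
    }
    Write-Verbose "$($group.Name): +$($toAdd.Count) / -$($toRemove.Count)"
}
```

The diff is computed against the group's direct members, so nested groups placed in a shadow group by hand will be removed on the next run; that is the intended behaviour for a group whose membership is meant to be fully derived from the source query. The empty-result guard is the check I would want in anything that removes members automatically, since a filter typo is otherwise a quick way to strip an access group.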
As before, feel free to use it in any way you want. It’s pretty straightforward, but may contain bugs which I take no responsibility for.
Thanks to i3laze for his work with this. I probably wouldn’t have made the effort to extend the script without it.