During one of my projects at a customer the Active Directory setup needed to change. In this particular AD, they had defined Job Titles (Global Groups) in a Job Title OU. Specific Application Groups were members of these Job Titles to make sure that people who were in any of those Job Titles got the applications they needed to do their jobs.

Along the way it was decided that these Job Titles didn’t fit the purpose anymore, and a decision was made to use Job Profiles instead. This caused a drastic reduction in the number of (Global) Groups in AD (from approximately 350+ per country OU to 12+).

In order to make the Job Title applications available to the matching profiles, an AD group migration had to be done. I decided to do that in PowerShell (without any knowledge :) ) instead of VBScript this time. Below is the result, which, I am sure, can be written shorter and more logically, but it’s a start.

The script makes use of an input.csv which contains a ‘translation table’ mapping the new Profile Groups to the old Job Title Groups.

Note #1: This is part one of a batch of 6 scripts. The other scripts will be posted later on, since some are still under development and all scripts can be run separately.
Note #2: This script makes use of the Active Directory Module for PowerShell.

migrate_ad_group_membership.ps1

#######################################################
# AUTHOR  : http://www.hican.net - @hicannet
# DATE    : 24-11-2011
# COMMENT : This script populates the new RBAC Profile
#           groups with all the applications that can /
#           need to be linked to these groups (based
#           upon the RBAC JobTitle groups).
#######################################################
Import-Module ActiveDirectory
# Dynamic fill of the input Array
# The input.csv looks like this (group names without country code):
# <JOB_TITLE_GROUP_NAME>,<NEW_PROFILE_GROUP_NAME>
# <JOB_TITLE_GROUP_NAME>,<NEW_PROFILE_GROUP_NAME>
$path     = Split-Path -Parent $MyInvocation.MyCommand.Definition
$path     = Join-Path $path "input.csv"
# Skip empty lines so the split below never produces an empty group name
$groups   = Get-Content $path | Where-Object { $_ -match "," }
# Country code array (due to the complexity of the AD OU structure)
$country  = "<COUNTRY_OU_01>","<COUNTRY_OU_02>","<COUNTRY_OU_03>"
# FUNCTIONS
Function populateRBACProfiles
{
  # Loop through all countries in the $country array
  Foreach ($cntry In $country)
  {
    $rbacs = Get-ADGroup -Filter * -SearchBase ("OU=RBAC Title Groups,OU="+$cntry+",OU=Groups,DC=hican,DC=net")
    Foreach ($group In $groups)
    {
      # Split the values of the input.csv and rename to match the project's AD.
      # Group names are assumed to equal their sAMAccountName (as -Identity / -Members expect).
      $split   = $group.Split(",")
      $string  = $cntry+"-GG.RBAC."+$split[0].Trim()
      $stringN = $cntry+"-GG."+$split[1].Trim()
      Foreach ($rbac In $rbacs)
      {
        If ($string -eq $rbac.Name)
        {
          # memberof holds the DNs of the application groups this Job Title group belongs to
          $apps = Get-ADGroup -Identity $string -Properties memberof | Select -ExpandProperty memberof
          Foreach ($app In $apps)
          {
            If($app)
            {
              # Reset before the lookup: a failed lookup must not silently reuse the previous group's member list
              $exists = $null
              # Trap any errors (-ErrorAction Stop makes sure the Catch block actually sees them)
              Try   { $exists = Get-ADGroupMember $app -ErrorAction Stop | %{$_.Name} }
              Catch { Write-Warning ("Could not read members of " + $app + ": " + $_); Continue }
              # If the Profile Group is not yet a member, add it to the application group (mapping from the input.csv)
              If ($exists -notcontains $stringN)
              {
                Add-ADGroupMember $app $stringN -Confirm:$false
              }
            }
          }
        }
      }
    }
  }
}
# RUN SCRIPT
populateRBACProfiles
"SCRIPT FINISHED"
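As an added example (not the author's script), the same input.csv mapping can first be turned into a reviewable plan, so that every group-membership change is exported and rehearsed with -WhatIf before Add-ADGroupMember touches AD. It assumes the same naming convention as the script above, that group names equal their sAMAccountName, and the function names Get-RbacMigrationPlan / Invoke-RbacMigrationPlan are mine.

```powershell
Import-Module ActiveDirectory

function Get-RbacMigrationPlan {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $CsvPath,
        [Parameter(Mandatory)] [string[]] $Country
    )
    # input.csv has no header row, so name the two columns here
    $rows = Import-Csv -Path $CsvPath -Header 'JobTitle','Profile'
    foreach ($cntry in $Country) {
        foreach ($row in $rows) {
            $titleName   = "$cntry-GG.RBAC.$($row.JobTitle)"
            $profileName = "$cntry-GG.$($row.Profile)"
            # Both ends of a mapping must exist; a missing group is reported instead of silently skipped
            $titleGrp   = Get-ADGroup -Filter "sAMAccountName -eq '$titleName'" -Properties memberOf
            $profileGrp = Get-ADGroup -Filter "sAMAccountName -eq '$profileName'"
            if (-not $titleGrp)   { Write-Warning "Job title group not found: $titleName";   continue }
            if (-not $profileGrp) { Write-Warning "Profile group not found: $profileName";   continue }
            # memberOf of the job title group = the application groups that grant it access
            foreach ($appDn in $titleGrp.memberOf) {
                $members = (Get-ADGroup -Identity $appDn -Properties member).member
                $action  = if ($members -contains $profileGrp.DistinguishedName) { 'AlreadyMember' } else { 'Add' }
                [pscustomobject]@{
                    Country       = $cntry
                    AppGroup      = $appDn
                    JobTitleGroup = $titleName
                    ProfileGroup  = $profileName
                    Action        = $action
                }
            }
        }
    }
}

function Invoke-RbacMigrationPlan {
    # SupportsShouldProcess gives -WhatIf/-Confirm so the plan can be rehearsed before it is applied
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)] [pscustomobject] $Step)
    process {
        if ($Step.Action -ne 'Add') { return }
        if ($PSCmdlet.ShouldProcess($Step.AppGroup, "Add member $($Step.ProfileGroup)")) {
            Add-ADGroupMember -Identity $Step.AppGroup -Members $Step.ProfileGroup -Confirm:$false
        }
    }
}

# Typical use: export the plan for review, rehearse with -WhatIf, then apply without it
# $plan = Get-RbacMigrationPlan -CsvPath .\input.csv -Country '<COUNTRY_OU_01>','<COUNTRY_OU_02>'
# $plan | Export-Csv .\migration-plan.csv -NoTypeInformation; $plan | Invoke-RbacMigrationPlan -WhatIf
```

The exported migration-plan.csv doubles as the change record for the migration, which is what an auditor will ask for when application group memberships change this broadly.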