如何跨AD中的所有OU创建安全组

时间:2020-02-21 09:23:32

标签: powershell foreach scripting active-directory ou

在我的任务中,有必要根据OU名称创建组,并考虑嵌套。

例如,有一个OU 

OU=Credential,OU=DepIT,DC=Contoso,DC=loc

然后我需要创建以下组:

  • DepIT中:三组DepIT_RDepIT_WDepIT_L

  • Credential中:两组DepIT_Credential_RDepIT_Credential_W

最后,DepIT_Credential_RDepIT_Credential_W必须是DepIT_L的成员。

现在结构如下:OU DepIT,在其中OU Credential。我已经准备好要执行的操作的屏幕截图:

1. DepIT - structure

2. DepIT - structure and groups

3. Credential - groups

4. DepIT_L group members

到目前为止,我的尝试:

$OU = "OU=DepIT,DC=Contoso,DC=loc"
$one_level_OU = Get-ADOrganizationalUnit -SearchBase $OU -SearchScope OneLevel -filter *


$one_level_OU | 

foreach{

New-ADGroup -Name $($_.Name+"_RW") -GroupCategory Security -groupscope global -Path $_.DistinguishedName
New-ADGroup -Name $($_.Name+"_R") -GroupCategory Security -groupscope global -Path $_.DistinguishedName
New-ADGroup -Name $($_.Name+"_L") -GroupCategory Security -groupscope global -Path $_.DistinguishedName

    $ous = Get-ADOrganizationalUnit -SearchBase "OU=$($_.name),OU=DepIT,DC=Contoso,DC=loc" -SearchScope Subtree -filter "name -notlike '*$($one_level_OU.Name)*'"

    $group_L = get-adgroup -Filter "name -like '*_L'" -Properties * | select name

    $ous | foreach {

       New-ADGroup -Name $($_.Name+"_RW") -GroupCategory Security -groupscope global -Path $_.DistinguishedName
       New-ADGroup -Name $($_.Name+"_R") -GroupCategory Security -groupscope global -Path $_.DistinguishedName


       foreach ($gr in $group_L) {
            Add-ADGroupMember -Identity $($_.name) -Members "$($_.Name+"_RW")", "$($_.Name+"_R")"
       }
    }
}

非常感谢您的帮助。

0 个答案:

没有答案
相关问题
最新问题