Wednesday, March 5, 2014

Copy Group Membership from one Domain to Another

As a part of my job as a systems engineer I have the opportunity to work on a couple of acquisitions. During the integration process we found a need to copy the AD security groups used to control access to shares for shared data. Here is a little PowerShell script that I wrote that uses a CSV to map each user between the two domains.

Prerequisites
-A CSV mapping the username of each user in the source domain to the user ID in the destination domain. Headers for the CSV: SrcDomain-UserName,DestDomain-UserName
-Read access in the source domain
-Read/Modify rights in the destination domain
-A matching group in the destination domain. (Group A in the source is named Group A in the destination)


#Copies group membership of groups from one domain to another. 
# It uses a CSV to map users between the 2 domains.
# ChangeLog
# 3/3/14-Added logging process for users who might already be in the destination group.

Import-Module ActiveDirectory

$SourceGrps=@()
$DestGrps=@()
$NewuserInfo=@()
$Compare=@()

$RemoteDomainCredential=Get-Credential "username@domainname"

$RemoteDomain="Something.org" #Domain name of the source domain

$LogFile="" #Set this to the path of the log file before running; Add-Content fails on an empty path

$Csv=Import-Csv -Path "UserMap.csv"

$SourceGrps=Get-ADGroup -Filter * -SearchBase "OU=Groups,DC=Something,DC=org" -Server $RemoteDomain  -credential $RemoteDomainCredential  |Sort{ $_.Name.Substring(1)}

$DestGrps=Get-ADGroup -Filter * -SearchBase "OU=Groups,DC=newdomain,DC=org" |Sort{ $_.Name.Substring(1)}

$Compare=Compare-Object -ReferenceObject($SourceGrps) -DifferenceObject($DestGrps) -PassThru -Property Name

#Compare the groups in the source and destination domains, ensuring only groups that exist in both domains are copied

ForEach ($Comparison in $Compare){

Write-Host $Comparison.sideIndicator

$Temp=$Comparison.Name

       if ($Comparison.sideIndicator -eq "=>"){

              Add-Content -Path $LogFile "$Temp Was Found in the Destination but not In the Source"

       }ElseIf ($Comparison.sideIndicator -eq "<="){

              Add-Content -Path $LogFile "$Temp Was Found in the Source but not In the Destination"

              #Arrays are fixed size, so filter the group out instead of calling .Remove()
              $SourceGrps=@($SourceGrps | Where-Object { $_.Name -ne $Temp })

       }

}

foreach($Group In $SourceGrps){

       $NewuserInfo=@()

       $SourceGroup=$Group.Name

       #Wrap in @() so a single member or an empty result is still an array with a reliable Count
       $GrpUsers=@(Get-ADGroupMember -Identity $Group -Server $RemoteDomain -credential $RemoteDomainCredential)

       Write-Host $Group.Name

       Write-host $GrpUsers.count

       if ($GrpUsers.Count -eq 0) {

              Add-Content -Path $LogFile "$SourceGroup,,Source Group, Group is Empty"

       }Else{

              foreach($User in $GrpUsers){

                     $SourceUser=$User.Name

                     #Add logic for no results log

                     #Property names containing a hyphen must be quoted
                     $Result = $CSV | Where{$User.SamAccountName -eq $_.'SrcDomain-UserName'}

                     if ($Result -ne $null){

                           $NewuserInfo += $Result

                     }Else{                    

                           Add-Content -Path $LogFile "$SourceGroup,$SourceUser,Source Group, User not found in CSV (Failure)"

                           sleep 1

                     }

              }

              $User=$null

              Foreach($User in $NewuserInfo){

                     $DestUserName=$user.'DestDomain-UserName'

                     $DestGroupName=$Group.Name

                     Try{

                           #writing Group Members in destination Group
                           Add-ADGroupMember -Identity $DestGroupName -Members $DestUserName 

                           Add-Content -Path $LogFile "$DestGroupName,$DestUserName,User Added to Group (Success)"

                           sleep 1

                     }

                     catch [Microsoft.ActiveDirectory.Management.ADException]{

                           if ($_.psbase.Exception.ErrorCode -eq 1378){ #1378 = ERROR_MEMBER_IN_ALIAS (account is already a member); error code taken from $Error[0]

                                  Add-Content -Path $LogFile "$DestGroupName,$DestUserName,User Already in Group"

                                  sleep 1

                           }else{

                                  throw

                           }

                     }

              }

       }

}
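
A pre-flight check for the mapping CSV, added here as an example (it is not part of the original script): the copy loop adds every CSV row that matches a source user, so a repeated source name puts more than one destination account into the group. The function name Test-UserMap and the sample rows are constructed; only the two column headers come from the post.

```powershell
# Added example: validate the mapping CSV before any group is modified.
# Column names are from the post; Test-UserMap and the sample rows are constructed.
function Test-UserMap {
    param([Parameter(Mandatory = $true)][object[]]$Map)

    $row = 1   # line 1 of the file is the header
    foreach ($entry in $Map) {
        $row++
        $src = "$($entry.'SrcDomain-UserName')".Trim()
        $dst = "$($entry.'DestDomain-UserName')".Trim()
        if (-not $src -or -not $dst) {
            [pscustomobject]@{ Issue = 'Blank source or destination'; Detail = "line ${row}: '$src' -> '$dst'" }
        }
    }

    # The copy loop adds every row matching a source user, so a repeated
    # source name puts more than one destination account into the group.
    $bySource = $Map | Where-Object { $_.'SrcDomain-UserName' } |
        Group-Object -Property { $_.'SrcDomain-UserName'.Trim().ToLower() }
    foreach ($g in $bySource) {
        if ($g.Count -gt 1) {
            $targets = ($g.Group | ForEach-Object { $_.'DestDomain-UserName' }) -join ', '
            [pscustomobject]@{ Issue = 'Source user mapped more than once'; Detail = "$($g.Name) -> $targets" }
        }
    }

    # Several source users sharing one destination account may be intended
    # (merged accounts) but deserves a manual look before access is granted.
    $byDest = $Map | Where-Object { $_.'DestDomain-UserName' } |
        Group-Object -Property { $_.'DestDomain-UserName'.Trim().ToLower() }
    foreach ($g in $byDest) {
        if ($g.Count -gt 1) {
            $sources = ($g.Group | ForEach-Object { $_.'SrcDomain-UserName' }) -join ', '
            [pscustomobject]@{ Issue = 'Destination account shared'; Detail = "$sources -> $($g.Name)" }
        }
    }
}

# Constructed sample data, standing in for Import-Csv -Path "UserMap.csv"
$sample = @'
SrcDomain-UserName,DestDomain-UserName
jsmith,john.smith
mjones,mary.jones
jsmith,jane.smith
bwong,
alee,mary.jones
'@ | ConvertFrom-Csv

Test-UserMap -Map $sample | Format-Table -AutoSize
```

Run it against the real mapping with Test-UserMap -Map (Import-Csv -Path "UserMap.csv") and resolve every finding before starting the copy.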

Monday, December 23, 2013

Copy AD Group members from one group to another

Here is how you can use PowerShell to copy the members of one Active Directory group to another.



That is all.

Wednesday, November 21, 2012

PowerShell Script to Search Distribution List Members Mailboxes

Here is a PowerShell script to search the mailboxes of a specified distribution list. I would run it from the Exchange Management Shell so you have access to all the Exchange cmdlets.



Link to Search-Mailbox cmdlet documentation
http://technet.microsoft.com/en-us/library/dd298173(v=exchg.141).aspx

Exchange Search keywords

| Property | Example | Search results |
|---|---|---|
| Attachments | attachment:annualreport.pptx | Messages that have an attachment named annualreport.pptx. The use of attachment:annualreport or attachment:annual* returns the same results as using the full name of the attachment. |
| Cc | cc:paul shen, cc:pauls, cc:pauls@contoso.com | Messages with Paul Shen in the Cc field. |
| From | from:bharat suneja, from:bsuneja, from:bsuneja@contoso.com | Messages sent by Bharat Suneja. |
| Keywords in retention policy | retentionpolicy:business critical | Messages that have the Business Critical retention tag applied. |
| Date when messages expire according to policy | expires:4/1/2010 | Messages that expire on April 1, 2010. |
| Sent | sent:yesterday | All messages sent yesterday. |
| Subject | Subject:"patent filing" | All messages where the phrase "patent filing" appears in the Subject field. |
| To | to:"ben smith", to:bsmith, to:besmith@contoso.com | Messages that have Ben Smith in the To field. |

AQS: http://technet.microsoft.com/en-us/library/bb232132.aspx#

Thursday, November 8, 2012

Disable USB Power Save

Need to disable USB Power Save?



Well here is a registry setting that will disable the ability for the computer to turn off the device to save power.

[HKLM\System\CurrentControlSet\Services\USB]
DisableSelectiveSuspend=1

Wednesday, November 7, 2012

Add or remove Common Desktop Items



Here are the registry locations and GUIDs for hiding common Microsoft Windows desktop items.
All the entries are DWORDs: a value of 1 hides the item, a value of 0 shows it.

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu]

Computer = {20D04FE0-3AEA-1069-A2D8-08002B30309D}
Personal folder = {59031a47-3f72-44a7-89c5-5595fe6b30ee}
Control Panel = {5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}
NetWork = {F02C1A0D-BE21-4350-88B0-7367FC96EF3C}
Recycle Bin = {645FF040-5081-101B-9F08-00AA002F954E}
Libraries = {031E4825-7B94-4dc3-B131-E946B44C8DD5}

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel]

Computer = {20D04FE0-3AEA-1069-A2D8-08002B30309D}
Personal folder = {59031a47-3f72-44a7-89c5-5595fe6b30ee}
Control Panel = {5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}
NetWork = {F02C1A0D-BE21-4350-88B0-7367FC96EF3C}
Recycle Bin = {645FF040-5081-101B-9F08-00AA002F954E}
Libraries = {031E4825-7B94-4dc3-B131-E946B44C8DD5}

While there are no built-in GPOs to control these items, you can use Group Policy Preferences to manipulate them.

Thanks to Henny Louwers over at http://hlouwers.wordpress.com/2010/07/24/show-hide-desktop-items-windows-2008-r2-windows-7-by-means-of-registry-and-microsoft-group-policy-preferences/ for the CLSID and Registry paths.

You can find a full list of CLSIDs for Windows 7 here: http://www.sevenforums.com/tutorials/110919-clsid-key-list-windows-7-a.html

Tuesday, October 30, 2012

Disable / Remove Network Explorer in Windows Explorer

Looking for a way in Windows 7 to remove the Network Explorer in Windows Explorer? Here is a great registry setting that can be deployed or set in your master image.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum]
"{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}"=dword:00000001

I deployed this using a Group Policy Preference, but this blog post has an ADM that can be imported to create a GPO.

Thanks to this Blog Post


Another nice guide on how to remove the Network Icon from Windows Explorer on a Win7 Device can be found here

http://www.sevenforums.com/tutorials/39699-network-add-remove-navigation-pane.html

Thursday, September 27, 2012

This Operation has been canceled due to restrictions in effect on this computer. Please contact your system administrator.

The Outlook error "This Operation has been canceled due to restrictions in effect on this computer. Please contact your system administrator.", seen when trying to open a link within an email, can be resolved by doing the following:

1. Close Outlook.
2. Open Internet Explorer and go to Tools > Internet Options > Programs tab > click Make Default to set IE as the default browser.
3. Then, from within Internet Options, go to the Advanced tab and click Restore Advanced Settings.
4. Test to see if the issue is resolved.

If the above does not resolve the issue, run the following from a command prompt to set the registry value back to its default.

reg add HKCR\.html\ /d htmlfile /f