Building a makeshift Dynamic Security Group in an AD environment


In a pure AD environment you cannot create a Dynamic Security Group. If Exchange is installed you can create and use one, but AD on its own cannot. Given how convenient dynamic groups are you would expect AD to support them, but so far it does not. (As of Windows 2012 R1 they are still not supported.)

So I am going to build a fake(?) Dynamic Security Group with PowerShell. It works as described below, and a few conditions have to be met.

  • Requirements
    • Accounts in a specific OU must be added to the group automatically.
    • Accounts that are disabled or deleted in that OU must be removed from the group automatically.
    • The added and removed entries must be viewable and delivered by e-mail.
  • How it works
    • A PowerShell script, run periodically as a scheduled job, watches the OU.
    • When the watched OU changes, the script reads the change and adds/removes members of the Security Group accordingly.


## Modules
Import-Module ActiveDirectory

## Variables
$SGroup     = "Security Group Name"
$Searchbase = "OU=XXX,OU=XXX,DC=XXX,DC=XX"

## Initialize
# Current members of the group. -Recursive also lists members of nested groups;
# those show up in the report but cannot be removed here, since they are not direct members.
$UserGroup = Get-ADGroupMember -Identity $SGroup -Recursive | Select-Object Name,SamAccountName

# Every user account under the watched OU, together with its enabled/disabled state
$UserOU = Get-ADUser -Filter * -Properties Name,SamAccountName,Enabled -SearchBase $Searchbase | Select-Object Name,SamAccountName,Enabled

$ReportRemoved = @()
$ReportAdded   = @()

## Main
Foreach ($user in $UserOU)
{
    # Verify if the user is disabled and if so remove him from the Security Group
    if ($user.Enabled -eq $False -AND $UserGroup.SamAccountName -contains $user.SamAccountName)
    {
        # Remove-ADGroupMember -Identity $SGroup -Members $user.SamAccountName -WhatIf #simulation task.
        # -Confirm:$false is needed: Remove-ADGroupMember prompts by default, which would block a scheduled job
        Remove-ADGroupMember -Identity $SGroup -Members $user.SamAccountName -Confirm:$false
        $Entry = New-Object PSObject -Property @{
            Name       = $user.Name
            SamAccount = $user.SamAccountName
            Enabled    = $user.Enabled
            Action     = "Removed from $SGroup"
            Reason     = "User is disabled"
        }
        $ReportRemoved += $Entry
    }

    # Add users that are enabled and don't already belong to the group
    if ($user.Enabled -eq $True -AND $UserGroup.SamAccountName -notcontains $user.SamAccountName)
    {
        # Add-ADGroupMember -Identity $SGroup -Members $user.SamAccountName -WhatIf #simulation task.
        Add-ADGroupMember -Identity $SGroup -Members $user.SamAccountName
        $Entry = New-Object PSObject -Property @{
            Name       = $user.Name
            SamAccount = $user.SamAccountName
            Enabled    = $user.Enabled
            Action     = "Added to $SGroup"
            Reason     = "User is present in the searchbase and is enabled"
        }
        $ReportAdded += $Entry
    }
} #end foreach

foreach ($user in $UserGroup)
{
    # If the user isn't in the searchbase OU, remove him from the Security Group
    if ($UserOU.SamAccountName -notcontains $user.SamAccountName)
    {
        # Remove-ADGroupMember -Identity $SGroup -Members $user.SamAccountName -WhatIf #simulation task.
        Remove-ADGroupMember -Identity $SGroup -Members $user.SamAccountName -Confirm:$false
        $Entry = New-Object PSObject -Property @{
            Name       = $user.Name
            SamAccount = $user.SamAccountName
            Enabled    = "n.a"
            Action     = "Removed from $SGroup"
            Reason     = "User didn't exist in the searchbase"
        }
        $ReportRemoved += $Entry
    }
} #end foreach

# Send Report if users are added or removed
if ($ReportRemoved.Count -ge 1 -or $ReportAdded.Count -ge 1)
{
    # The inner double quotes are intentional: <font color=$color> expands to color="#347235"
    $color = '"#347235"'

    if ($ReportRemoved.Count -lt 1)
    {
        $ReportRemoved = "<font color=$color>No users have been removed from $SGroup</font>"
    }
    else
    {
        $ReportRemoved = $ReportRemoved | ConvertTo-Html -Fragment
    }

    if ($ReportAdded.Count -lt 1)
    {
        $ReportAdded = "<font color=$color>No users have been added to $SGroup</font>"
    }
    else
    {
        $ReportAdded = $ReportAdded | ConvertTo-Html -Fragment
    }

    # Here-string: the closing "@ must be the first character on its line
    $HTMLmessage = @"
<html>
<head>
<style type="text/css">
<!--
body {
    font-family: Verdana, Geneva, Arial, Helvetica, sans-serif;
    font-size: 12px;
}
table {
    border-collapse: collapse;
    border: none;
    font: 10pt Verdana, Geneva, Arial, Helvetica, sans-serif;
    color: black;
    margin-bottom: 10px;
}
table td {
    font-size: 12px;
    padding-left: 0px;
    padding-right: 20px;
    text-align: left;
}
table th {
    font-size: 12px;
    font-weight: bold;
    padding-left: 0px;
    padding-right: 20px;
    text-align: left;
}
-->
</style>
</head>
<body>
<h4><b>Security Group "$SGroup" Maintenance</b></h4>
Searchbase = $Searchbase<br>
<h5>Users added to the Security Group</h5>
$ReportAdded
<h5>Users removed from the Security Group</h5>
$ReportRemoved
<br><br><br>
<small>This automated report ran on $env:computername at $((Get-Date).ToString())</small>
</body>
</html>
"@

    # Replace the placeholders with the sender, recipient and SMTP server for your environment
    Send-MailMessage -From "Security Group $SGroup IT Admin<XXX@XXX.Com>" -To "XXXX<XXXX@XXX.Com>" -Subject "Security Group $SGroup Maintenance" -SmtpServer "SMTP server name" -Body $HTMLmessage -BodyAsHtml
}
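The post says the script runs periodically as a scheduled job but does not show how to register it. The following is an added example, not part of the original post, that registers the script as a PowerShell scheduled job under a dedicated low-privilege account; the script path, job name, account name and 15-minute interval are assumed placeholders.

```powershell
# Added example (not from the original post): register the group-sync script as a scheduled job.
# Assumed values: script path, job name, account and interval. Adjust them for your environment.
Import-Module PSScheduledJob

$ScriptPath = 'C:\Scripts\Sync-SecurityGroup.ps1'   # the script from the post, saved to disk
$JobName    = 'SyncSecurityGroup'

# Use a dedicated account that only holds "Write Members" on the target group,
# not a Domain Admin; the prompt asks for its password.
$Cred = Get-Credential -UserName 'XXX\svc-groupsync' -Message 'Account that runs the group sync job'

# Fire once now, then repeat every 15 minutes indefinitely (-RepeatIndefinitely needs PowerShell 4.0+)
$Trigger = New-JobTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 15) -RepeatIndefinitely

# Do not pile up overlapping runs if one takes longer than the interval
$Options = New-ScheduledJobOption -MultipleInstancePolicy IgnoreNew -StartIfOnBatteries

# The job runs non-interactively, which is why the script's Remove-ADGroupMember calls need -Confirm:$false
Register-ScheduledJob -Name $JobName -FilePath $ScriptPath -Trigger $Trigger -ScheduledJobOption $Options -Credential $Cred

# Check what was registered, then review the most recent run's output
Get-ScheduledJob -Name $JobName | Get-JobTrigger
Get-Job -Name $JobName | Sort-Object PSBeginTime | Select-Object -Last 1 | Receive-Job -Keep
```

Before registering, run the script interactively once with the commented-out -WhatIf lines enabled so you can see which accounts it would add or remove.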
