Skip navigation
How can I synchronize a master group to lots of other groups

How can I synchronize a master group to lots of other groups

Q. I need to synchronize a single master group to contain only users present in lots of other groups. What is a good way to do this?

A. I recently had a customer that wanted to use the group membership criteria to control accounts replicated to Azure AD via Azure AD Connect from on-premises AD. Each group in the company had their own OU and their own local group of accounts they wanted replicated to Azure AD however just placing all those individual groups in the master group used by Azure AD Connect did not work, instead the groups got replicated to Azure AD but not the accounts inside them. Instead the requirement was to enumerate through each group and add the users not already in the master group to the master group and any accounts not in local groups to be removed from the master group. I was able to achieve this very easily with about 15 lines of PowerShell (you probably guessed PowerShell would be the answer).

To set context I have a master group named GlobalAADSync. Then in each local OU they have a group that ends with AADSync, e.g. LABLONAADSync with their accounts they want synchronized in. First the script finds all groups ending with AADSync except the global group. Then it creates an empty array that will contain all the users found in all the groups. It then gets the current users in the global group. Next each local group is enumerated for users and they are added to the array of new users. Compare-Object is then used to compare the two arrays of users. Any users found in the new array but not current are added, any found in current but not new are removed. This minimizes churn on the group and is very simple code. Enjoy!

#All Sync Groups EXCEPT the main GlaobalAADSync group
$AADSyncGroups = Get-ADGroup -Filter {(Name -like "*AADSync") -and (Name -ne "GlobalAADSync")}

$NewMembers = @()

#Get current members
$ExistingMembers = Get-ADGroupMember GlobalAADSync

#Find all the people that should be in sync group
foreach($AADSyncGroup in $AADSyncGroups)
{
    Get-ADGroupMember $AADSyncGroup | ForEach-Object { $NewMembers += $PSItem }
}

#are there any new people not currently members
$MemberDifferences = Compare-Object $ExistingMembers $NewMembers
foreach($MemberDifference in $MemberDifferences)
{
   if($MemberDifference.SideIndicator -eq "=>")
   {
        #if the user is present in New but not existing need to add them
        Write-Output "Adding user $($MemberDifference.InputObject.SamAccountName)"
        Add-ADGroupMember -Identity GlobalAADSync -Members $MemberDifference.InputObject.SamAccountName 
   }
   elseif($MemberDifference.SideIndicator -eq "<=")
   {
        #if the user is present in existing but not in new need to remove them
        Write-Output "Removing user $($MemberDifference.InputObject.SamAccountName)"
        Remove-ADGroupMember -Identity GlobalAADSync -Members $MemberDifference.InputObject.SamAccountName -Confirm:$false
   }
}

 

Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish