Sunday, 17 May 2015

Shadow Group

Before going into details, let me clarify that a shadow group is not a new type of group in Active Directory alongside the domain local, global and universal groups. A shadow group is a global security group whose members are the user objects of a specific organizational unit (OU).

Shadow groups are generally used to apply fine-grained password policies. A fine-grained password policy can be applied only to user objects (or inetOrgPerson objects) and global security groups; it cannot be applied to an OU. If you want to apply a fine-grained password policy to all of the users in an OU, you can use a shadow group.


The membership of a shadow group needs to be updated manually or through scripts.

The PowerShell script required to automate the membership of a shadow group:

1. Either open the Active Directory Module for Windows PowerShell, or open Windows PowerShell and run the following command:

Import-Module ActiveDirectory

2. Set a variable $OU that defines the distinguished name of the OU which contains the user objects.

$OU="OU=TheOUName,DC=yourdomain,DC=com"

3. Set a variable $ShadowGroup that defines the distinguished name of the shadow group.

$ShadowGroup="CN=ShadowGroupName,OU=TheOUName,DC=yourdomain,DC=com"

4. This section of the script verifies that the members of the shadow group belong to the specific OU, and removes from the shadow group any that do not.

Get-ADGroupMember -Identity $ShadowGroup | Where-Object {$_.distinguishedName -NotMatch $OU} | ForEach-Object {Remove-ADPrincipalGroupMembership -Identity $_ -MemberOf $ShadowGroup -Confirm:$false}

5. This section finds the user objects in the specific OU that are not yet members of the shadow group and adds them automatically.

Get-ADUser -SearchBase $OU -SearchScope OneLevel -LDAPFilter "(!(memberOf=$ShadowGroup))" | ForEach-Object {Add-ADPrincipalGroupMembership -Identity $_ -MemberOf $ShadowGroup}

Now save this script as "ShadowGroup.ps1".
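As an added example (not the post's own script), the same synchronization written as a reconciliation: it compares the users directly under the OU with the group's current members, supports -WhatIf so the changes can be previewed before a scheduled run, and finally reports which password policy each user actually receives, so you can confirm the fine-grained policy applies. The function name Sync-ShadowGroup is my own; the OU and group DNs are taken from the lab described in this post.

```powershell
# Added example (not the post's script): reconcile a shadow group with the
# user objects directly under an OU, with -WhatIf support and a policy check.
# OU and group DNs follow the lab in this post; replace them with your own.
Import-Module ActiveDirectory

function Sync-ShadowGroup {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $OU,           # e.g. "OU=Sales,DC=test,DC=com"
        [Parameter(Mandatory)] [string] $ShadowGroup   # e.g. "CN=Auditor,OU=Sales,DC=test,DC=com"
    )

    # Desired members: user objects directly under the OU (same OneLevel scope
    # as the post's script; use -SearchScope Subtree to include child OUs).
    $wanted = @(Get-ADUser -SearchBase $OU -SearchScope OneLevel -Filter * |
        Select-Object -ExpandProperty DistinguishedName)

    # Current direct members of the group (nested groups count as members too).
    $current = @(Get-ADGroupMember -Identity $ShadowGroup |
        Select-Object -ExpandProperty DistinguishedName)

    # Anything in the group that is no longer directly under the OU goes out;
    # anything under the OU that is missing from the group goes in.
    $toRemove = $current | Where-Object { $wanted -notcontains $_ }
    $toAdd    = $wanted  | Where-Object { $current -notcontains $_ }

    foreach ($dn in $toRemove) {
        if ($PSCmdlet.ShouldProcess($dn, "Remove from $ShadowGroup")) {
            Remove-ADGroupMember -Identity $ShadowGroup -Members $dn -Confirm:$false
        }
    }
    foreach ($dn in $toAdd) {
        if ($PSCmdlet.ShouldProcess($dn, "Add to $ShadowGroup")) {
            Add-ADGroupMember -Identity $ShadowGroup -Members $dn
        }
    }

    # Check: report the password policy each user in the OU actually receives.
    # Get-ADUserResultantPasswordPolicy returns nothing when no PSO applies.
    foreach ($dn in $wanted) {
        $pso  = Get-ADUserResultantPasswordPolicy -Identity $dn
        $name = if ($pso) { $pso.Name } else { 'Default Domain Policy' }
        [pscustomobject]@{ User = $dn; Policy = $name }
    }
}

# Preview the changes first, then run without -WhatIf to apply them.
Sync-ShadowGroup -OU "OU=Sales,DC=test,DC=com" -ShadowGroup "CN=Auditor,OU=Sales,DC=test,DC=com" -WhatIf
```

A user whose Policy column still reads Default Domain Policy after the sync is either outside the OU or covered by a PSO with a lower precedence value than the one you expected.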
After the script is ready, we need to create a scheduled task to run it automatically, for example every 24 hours. To do this:

1. Open Task Scheduler from the Start menu.
2. Click Create Task.
3. On the General tab, type the name of the task.
4. Click on the Actions tab and then New.
5. In the New Action dialog:
   Action: Start a program
   Program/script:
     C:\Windows\system32\windowspowershell\v1.0\powershell.exe
   Add arguments (optional): C:\scripts\ShadowGroup.ps1

Lab Implementation:


I have a DC named Test-dc.test.com. On the DC I've created an OU named Sales; within Sales I've created two users named Dev & Sam and a global security group named Auditor, which will be used as the shadow group. Please go through the images below: