Assign a Policy to All the Users in a Security Group

When it comes time to assign per-user policies, those of us here at Microsoft thought of everything. For example, if you take a look at the article Assigning Policies you’ll see how per-user policies can be assigned to a single user; to all the users with accounts in a specified OU; to all the users in a particular department; to all the users with a given job title; etc., etc., etc. Like we said, we thought of everything.

What’s that? How can you assign a policy to all the users in a particular security group? Hmmm, we never thought of that ….

OK, we admit it: we didn’t add a straightforward way to assign a policy to all the users in a security group. So does that mean that there’s no way to assign a policy to all the users in a security group? Let’s put it this way:

$strFilter = "(&(objectCategory=Group)(SamAccountName=" + $args[0] + "))"   # LDAP filter for the group named in the first argument
$objDomain = New-Object System.DirectoryServices.DirectoryEntry            # bind to the root of the current domain
$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = $objDomain
$objSearcher.Filter = $strFilter
$objSearcher.SearchScope = "Subtree"
$colPropList = "member"                                                     # only the member attribute is needed
foreach ($i in $colPropList)
    {[void] $objSearcher.PropertiesToLoad.Add($i)}
$colResults = $objSearcher.FindAll()
foreach ($objResult in $colResults)
    {$objItem = $objResult.Properties; $group = $objItem.member}            # $group holds the members' distinguished names
foreach ($x in $group)
    {
        Grant-CsClientPolicy $x -PolicyName $args[1]                        # assign the policy named in the second argument
    }

Before we explain what this script does (although, by now, you can probably guess what it does) let’s explain how it works. Assuming you’ve copied this code and saved it as a .ps1 file (e.g., C:\Scripts\Assign-ToGroup.ps1) you run the thing by using a command similar to this:

C:\Scripts\Assign-ToGroup.ps1 "FinanceUsers" "FinanceClientPolicy"

In this command, FinanceUsers is the name of the security group we want to assign a policy to (in this example, we’re assigning a client policy). And which policy are we assigning? That’s the second parameter passed to the script; in this example, we’re assigning the client policy FinanceClientPolicy.

As for the script itself, the first thing it does is search Active Directory in order to find the specified security group. Once that's done, the script uses this snippet of code to retrieve all the group members (as Active Directory distinguished names) and store them in a variable named $group:

$group = $objItem.member

From there the script walks through the group members one by one. Each member is represented by the user's Active Directory distinguished name (stored in the variable $x), and the script passes that name to this line of code in order to assign FinanceClientPolicy to the user in question:

Grant-CsClientPolicy $x -PolicyName $args[1]

Like we said, $x is the user's distinguished name, which Grant-CsClientPolicy accepts as the user Identity; meanwhile, $args[1] is a Windows PowerShell variable that references the second command-line argument passed to the script.

And that, as they say, is that.

Keep in mind that this script assigns a client policy to all the users in a security group, and a client policy is the only kind of policy it can assign. What if you want to assign, say, a voice policy to all the users in a security group? That’s fine; just search the script for the cmdlet name Grant-CsClientPolicy and replace it with Grant-CsVoicePolicy. That’s all you have to do.
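A hardened version of the same procedure, added here as an example rather than taken from the original post: it takes named parameters instead of $args, escapes the group name before it is spliced into the LDAP filter (so a name containing *, ( or ) cannot widen the search), skips members that are not user objects such as nested groups or computers, lets you pick Grant-CsClientPolicy or Grant-CsVoicePolicy as described above, and honours -WhatIf so the assignments can be previewed. It assumes the Lync Server Management Shell module is loaded; FinanceUsers and FinanceClientPolicy are the same placeholder names used above.

```powershell
# Added example, not the original post's script: hardened group-to-policy assignment.
# Assumes the Lync Server Management Shell module is loaded so the Grant-Cs* cmdlets exist.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)][string]$GroupName,    # e.g. FinanceUsers (placeholder)
    [Parameter(Mandatory = $true)][string]$PolicyName,   # e.g. FinanceClientPolicy (placeholder)
    [ValidateSet('Grant-CsClientPolicy', 'Grant-CsVoicePolicy')]
    [string]$GrantCmdlet = 'Grant-CsClientPolicy'        # swap cmdlets without editing the script
)

# Escape the caller-supplied value per RFC 4515 before it goes into the LDAP filter,
# so characters such as '*' or ')' are matched literally instead of rewriting the query.
function ConvertTo-LdapFilterValue([string]$Value) {
    return $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' `
                  -replace '\)', '\29' -replace "`0", '\00'
}

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot  = New-Object System.DirectoryServices.DirectoryEntry   # current domain root
$searcher.Filter      = "(&(objectCategory=group)(sAMAccountName=$(ConvertTo-LdapFilterValue $GroupName)))"
$searcher.SearchScope = 'Subtree'
[void]$searcher.PropertiesToLoad.Add('member')

$result = $searcher.FindOne()
if ($null -eq $result) { throw "Security group '$GroupName' was not found in Active Directory." }

$assigned = 0
foreach ($dn in $result.Properties['member']) {
    # Bind to each member and hand only user objects to the Grant-Cs* cmdlet;
    # nested groups, computers and contacts are reported and skipped.
    $member = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$dn")
    if ($member.SchemaClassName -ne 'user') {
        Write-Warning "Skipping non-user member: $dn"
        continue
    }
    # -WhatIf / -Confirm are honoured here, so the assignments can be previewed first.
    if ($PSCmdlet.ShouldProcess($dn, "$GrantCmdlet -PolicyName $PolicyName")) {
        & $GrantCmdlet -Identity $dn -PolicyName $PolicyName
        $assigned++
    }
}
Write-Verbose "$assigned user(s) in $GroupName assigned $PolicyName via $GrantCmdlet."
```

Run it first as .\Assign-ToGroup.ps1 -GroupName FinanceUsers -PolicyName FinanceClientPolicy -WhatIf to see which accounts would be touched. Active Directory returns the member attribute of very large groups in ranges (1,500 values by default), which this script, like the original, does not page through.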

Gee, maybe we did think of everything after all ….