Users found in a specific OU should always be a member of a specific security group

Posted on July 9, 2017 by dpejic

Here we have a very simple criterion: users found in a specific OU should always be a member of a specific security group. This does not require any human input or modification. We just need a way to compare the users in the OU with the users in the group and make any necessary changes.

PowerShell (Windows Server 2008 R2 with Active Directory cmdlets):

    # Distinguished names of the OU and of the group to keep in sync
    $OU = "Organizational Unit distinguishedName"
    $Group = "Group distinguishedName"

    # Remove group members that are not located in the OU
    Get-ADGroupMember -Identity $Group | Where-Object {$_.distinguishedName -NotMatch [regex]::Escape($OU)} | ForEach-Object {Remove-ADPrincipalGroupMembership -Identity $_ -MemberOf $Group -Confirm:$false}

    # Add users in the OU that are not yet members of the group
    Get-ADUser -SearchBase $OU -SearchScope OneLevel -LDAPFilter "(!(memberOf=$Group))" | ForEach-Object {Add-ADPrincipalGroupMembership -Identity $_ -MemberOf $Group}
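
The same reconciliation as an added example (not the author's script): a function that compares whole distinguishedNames, supports -WhatIf for a dry run, and emits one record per change so the run can be logged. The function name Sync-OUGroupMembership and the sample DNs are assumptions; because it compares against the users directly in the OU, members that sit in a child OU are removed as well.

```powershell
Import-Module ActiveDirectory

function Sync-OUGroupMembership {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string] $OU,     # OU distinguishedName
        [Parameter(Mandatory = $true)] [string] $Group   # group distinguishedName
    )

    # Desired state: users directly in the OU (OneLevel, as in the script above).
    $desired = @(Get-ADUser -SearchBase $OU -SearchScope OneLevel -Filter * |
        ForEach-Object { $_.DistinguishedName })

    # Actual state: direct members of the group, of any object class.
    $actual = @(Get-ADGroupMember -Identity $Group |
        ForEach-Object { $_.distinguishedName })

    # Whole-DN comparison (case-insensitive); the OU DN is never used as a regex.
    $toAdd    = @($desired | Where-Object { $actual  -notcontains $_ })
    $toRemove = @($actual  | Where-Object { $desired -notcontains $_ })

    foreach ($dn in $toAdd) {
        $applied = $false
        if ($PSCmdlet.ShouldProcess($dn, "Add to $Group")) {
            Add-ADGroupMember -Identity $Group -Members $dn
            $applied = $true
        }
        New-Object PSObject -Property @{ Action = 'Add'; Member = $dn; Applied = $applied }
    }

    foreach ($dn in $toRemove) {
        $applied = $false
        if ($PSCmdlet.ShouldProcess($dn, "Remove from $Group")) {
            Remove-ADGroupMember -Identity $Group -Members $dn -Confirm:$false
            $applied = $true
        }
        New-Object PSObject -Property @{ Action = 'Remove'; Member = $dn; Applied = $applied }
    }
}

# Preview the changes without applying them. The DNs below are constructed placeholders.
$ou    = 'OU=Staff,DC=example,DC=com'
$group = 'CN=Staff-Users,OU=Groups,DC=example,DC=com'
Sync-OUGroupMembership -OU $ou -Group $group -WhatIf
```

Run it without -WhatIf to apply the changes, and pipe the output to Export-Csv to keep a record of what each run added or removed.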