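#Requires -RunAsAdministrator
<#
.SYNOPSIS
    Phase 2.5a: Create new AD security groups for staged share rollout.

.DESCRIPTION
    Creates three new global security groups for the new share structure.
    Groups are created EMPTY — members are added per-department when each
    department is ready to cut over to the new shares.

    Also removes Tamra.Matthews from SG-Sales-RW (she moves to SG-Sales-RO).
    No other changes are made to existing groups or members.

.NOTES
    IDEMPOTENT — safe to re-run. Existing groups are skipped, not overwritten.
    Run on CS-SERVER via GuruRMM remote execution.

    Verify $GroupOU before running:
        Get-ADGroup SG-Management-RW | Select DistinguishedName
    The OU in $GroupOU must match the OU where existing SG- groups live.

    Exit code: 0 when every step succeeded or was skipped, 1 when the target
    OU could not be read or any create/remove step failed. Unattended runs
    should act on the exit code rather than on the coloured console text.
#>

Import-Module ActiveDirectory -ErrorAction Stop

# --- VERIFY THIS MATCHES WHERE EXISTING SG- GROUPS LIVE ---
# Check with: Get-ADGroup SG-Management-RW | Select DistinguishedName
$GroupOU = "OU=Groups,DC=cascades,DC=local"

# Number of steps that ended in the [ERROR] branch; drives the final exit code.
$failures = 0

Write-Host "=== Phase 2.5a: New AD Security Groups ===" -ForegroundColor Cyan
Write-Host ""

# ============================================================
# PRE-FLIGHT: confirm the target OU before changing anything
# ============================================================
# Security groups created in the wrong container fall under whatever
# delegation applies there, so stop before the first write if the path
# cannot be read.
try {
    Get-ADObject -Identity $GroupOU -ErrorAction Stop | Out-Null
}
catch {
    Write-Host "  [ERROR] Target OU not found or not readable: $GroupOU ($_)" -ForegroundColor Red
    exit 1
}

# Automates the manual check from .NOTES. Warning only: the reference group
# may legitimately be absent, and the operator decides whether a mismatch
# is intended.
$refGroup = Get-ADGroup -Filter "Name -eq 'SG-Management-RW'" -ErrorAction SilentlyContinue |
    Select-Object -First 1
if ($refGroup) {
    # Drop the leading RDN (split on the first unescaped comma) to get the parent DN.
    $refParent = ($refGroup.DistinguishedName -split '(?<!\\),', 2)[1]
    if ($refParent -ne $GroupOU) {
        Write-Host "  [WARN] SG-Management-RW lives in '$refParent', but `$GroupOU is '$GroupOU'" -ForegroundColor Yellow
    }
}

# ============================================================
# STEP 1: Create new groups (empty — members added later)
# ============================================================
Write-Host "--- Creating New Security Groups ---" -ForegroundColor Yellow

$newGroups = @(
    @{ Name = "SG-Mgmt-RW";       Description = "Management share - Read/Write" }
    @{ Name = "SG-Sales-RO";      Description = "Sales share - Read Only" }
    @{ Name = "SG-Activities-RW"; Description = "Activities share - Read/Write" }
)

foreach ($g in $newGroups) {
    try {
        # -Filter returns nothing (no error) when the group is absent, so
        # -ErrorAction Stop only trips on a real lookup failure, which must
        # not be mistaken for "group does not exist".
        $existing = Get-ADGroup -Filter "Name -eq '$($g.Name)'" -ErrorAction Stop
        if (-not $existing) {
            New-ADGroup `
                -Name $g.Name `
                -GroupScope Global `
                -GroupCategory Security `
                -Path $GroupOU `
                -Description $g.Description `
                -ErrorAction Stop
            Write-Host "  [OK] Created: $($g.Name)" -ForegroundColor Green
        }
        else {
            Write-Host "  [SKIP] $($g.Name) already exists" -ForegroundColor DarkGray
        }
    }
    catch {
        $failures++
        Write-Host "  [ERROR] Failed to create $($g.Name): $_" -ForegroundColor Red
    }
}

# ============================================================
# STEP 2: Remove Tamra.Matthews from SG-Sales-RW
# ============================================================
# NOTE(review): this script does not add the account to SG-Sales-RO; the
# groups above are created empty, so that step presumably happens at
# cut-over. Sessions that are already logged on keep their current group
# memberships until the user signs in again.
Write-Host "`n--- Adjusting SG-Sales-RW Membership ---" -ForegroundColor Yellow
try {
    # Direct members only; membership through a nested group is not detected here.
    $isMember = Get-ADGroupMember -Identity "SG-Sales-RW" -ErrorAction Stop |
        Where-Object { $_.SamAccountName -eq "Tamra.Matthews" }

    if ($isMember) {
        Remove-ADGroupMember -Identity "SG-Sales-RW" -Members "Tamra.Matthews" -Confirm:$false -ErrorAction Stop
        Write-Host "  [OK] Removed Tamra.Matthews from SG-Sales-RW" -ForegroundColor Green
    }
    else {
        Write-Host "  [SKIP] Tamra.Matthews is not a member of SG-Sales-RW" -ForegroundColor DarkGray
    }
}
catch {
    $failures++
    Write-Host "  [ERROR] Failed to adjust SG-Sales-RW: $_" -ForegroundColor Red
}

# ============================================================
# SUMMARY: All SG- groups with member counts
# ============================================================
Write-Host "`n=== SG- Group Summary ===" -ForegroundColor Cyan
Write-Host ""

# The summary is informational and best-effort, so a failed listing is not
# counted as a failure of the run.
Get-ADGroup -Filter 'Name -like "SG-*"' -ErrorAction SilentlyContinue |
    Sort-Object Name |
    ForEach-Object {
        $group = $_
        try {
            $count = (Get-ADGroupMember $group -ErrorAction Stop | Measure-Object).Count
        }
        catch {
            # A failed lookup must not be shown as "0 members".
            $count = '?'
        }
        Write-Host ("  {0,-25} {1,2} member(s)" -f $group.Name, $count) -ForegroundColor Cyan
    }

Write-Host ""
if ($failures -gt 0) {
    Write-Host "=== AD Groups finished with $failures error(s) - review the output above ===" -ForegroundColor Red
    exit 1
}

Write-Host "=== AD Groups Complete ===" -ForegroundColor Cyan
Write-Host "Next: Run phase2-new-shares.ps1 to create the folder structure and SMB shares" -ForegroundColor Green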