claudetools/clients/cascades-tucson/docs/migration/scripts/phase2-ad-groups-new.ps1

#Requires -RunAsAdministrator
<#
.SYNOPSIS
    Phase 2.5a: Create new AD security groups for staged share rollout.
.DESCRIPTION
    Creates three new global security groups for the new share structure.
    Groups are created EMPTY — members are added per-department when each
    department is ready to cut over to the new shares.

    Also removes Tamra.Matthews from SG-Sales-RW (she moves to SG-Sales-RO).
    No other changes are made to existing groups or members.
.NOTES
    IDEMPOTENT — safe to re-run. Existing groups are skipped, not overwritten.
    Run on CS-SERVER via GuruRMM remote execution.

    Verify $GroupOU before running:
        Get-ADGroup SG-Management-RW | Select DistinguishedName
    The OU in $GroupOU must match the OU where existing SG- groups live.
#>

Import-Module ActiveDirectory -ErrorAction Stop

# --- VERIFY THIS MATCHES WHERE EXISTING SG- GROUPS LIVE ---
# Check with: Get-ADGroup SG-Management-RW | Select DistinguishedName
$GroupOU = "OU=Groups,DC=cascades,DC=local"

Write-Host "=== Phase 2.5a: New AD Security Groups ===" -ForegroundColor Cyan
Write-Host ""

# ============================================================
# STEP 1: Create new groups (empty — members added later)
# ============================================================
Write-Host "--- Creating New Security Groups ---" -ForegroundColor Yellow

$newGroups = @(
    @{ Name = "SG-Mgmt-RW";       Description = "Management share - Read/Write" }
    @{ Name = "SG-Sales-RO";      Description = "Sales share - Read Only" }
    @{ Name = "SG-Activities-RW"; Description = "Activities share - Read/Write" }
)

foreach ($g in $newGroups) {
    try {
        $existing = Get-ADGroup -Filter "Name -eq '$($g.Name)'" -ErrorAction SilentlyContinue
        if (-not $existing) {
            New-ADGroup `
                -Name          $g.Name `
                -GroupScope    Global `
                -GroupCategory Security `
                -Path          $GroupOU `
                -Description   $g.Description `
                -ErrorAction   Stop
            Write-Host "  [OK] Created: $($g.Name)" -ForegroundColor Green
        } else {
            Write-Host "  [SKIP] $($g.Name) already exists" -ForegroundColor DarkGray
        }
    }
    catch {
        Write-Host "  [ERROR] Failed to create $($g.Name): $_" -ForegroundColor Red
    }
}

# ============================================================
# STEP 2: Remove Tamra.Matthews from SG-Sales-RW
# ============================================================
Write-Host "`n--- Adjusting SG-Sales-RW Membership ---" -ForegroundColor Yellow

try {
    $isMember = Get-ADGroupMember -Identity "SG-Sales-RW" -ErrorAction Stop |
        Where-Object { $_.SamAccountName -eq "Tamra.Matthews" }

    if ($isMember) {
        Remove-ADGroupMember -Identity "SG-Sales-RW" -Members "Tamra.Matthews" -Confirm:$false -ErrorAction Stop
        Write-Host "  [OK] Removed Tamra.Matthews from SG-Sales-RW" -ForegroundColor Green
    } else {
        Write-Host "  [SKIP] Tamra.Matthews is not a member of SG-Sales-RW" -ForegroundColor DarkGray
    }
}
catch {
    Write-Host "  [ERROR] Failed to adjust SG-Sales-RW: $_" -ForegroundColor Red
}

# ============================================================
# SUMMARY: All SG- groups with member counts
# ============================================================
Write-Host "`n=== SG- Group Summary ===" -ForegroundColor Cyan
Write-Host ""

Get-ADGroup -Filter 'Name -like "SG-*"' -ErrorAction SilentlyContinue |
    Sort-Object Name |
    ForEach-Object {
        $count = (Get-ADGroupMember $_ -ErrorAction SilentlyContinue | Measure-Object).Count
        Write-Host ("  {0,-25} {1,2} member(s)" -f $_.Name, $count) -ForegroundColor Cyan
    }

Write-Host ""
Write-Host "=== AD Groups Complete ===" -ForegroundColor Cyan
Write-Host "Next: Run phase2-new-shares.ps1 to create the folder structure and SMB shares" -ForegroundColor Green