Solved

Copy and append domain group privileges from old account to new account

Posted on 2004-08-20
Last Modified: 2008-02-01
I am in need of having to copy and/or append domain group privileges from old usernames to new usernames.  There are 2000 accounts that need to be done.  I have a text file of the old name and the new name to read from but have no idea how to incorporate that into anything useful.

I do have a batch file that uses Windows 2003 tools to get this done.  It is a simple blah.bat old name new name and it does it all.  (Script below)  Does anyone know where I can find a script to do what I need?   VB would be better as it would tie in with some other things being done but I am not picky at this point at all.



Here is the current batch file that is doing it with win2k3 tools

@echo off
if {%2}=={} @echo Syntax: Call CopyDomGroups From Add_or_Replace [To]&goto :EOF
setlocal
set from=%1
set ar=%2
set to=%username%
if not {%3}=={} set to=%3
if /i "%ar%" EQU "a" goto arok
if /i "%ar%" NEQ "r" @echo Syntax: Call CopyDomGroups From MergeReplace [To]&goto finish
:arok
for /f "Tokens=*" %%u in ('dsquery user -samid %from%') do set fdn=%%u
if not defined fdn @echo CopyDomGroups %from% not found.&goto finish
for /f "Tokens=*" %%u in ('dsquery user -samid %to%') do set tdn=%%u
if not defined tdn @echo CopyDomGroups %to% not found.&goto finish
if /i "%ar%" EQU "a" goto add
@echo.>%TEMP%\CopyDomGroups.tmp
for /f "Tokens=*" %%a in ('dsget user %fdn% -memberof') do @echo %%a>>%TEMP%\CopyDomGroups.tmp
for /f "Tokens=*" %%b in ('dsget user %tdn% -memberof ^|findstr /i /l /v /g:%TEMP%\CopyDomGroups.tmp') do set DN=%%b&call :rparse
:add
@echo.>%TEMP%\CopyDomGroups.tmp
for /f "Tokens=*" %%a in ('dsget user %tdn% -memberof') do @echo %%a>>%TEMP%\CopyDomGroups.tmp
for /f "Tokens=*" %%b in ('dsget user %fdn% -memberof ^|findstr /i /l /v /g:%TEMP%\CopyDomGroups.tmp') do set DN=%%b&call :aparse
:finish
if exist %TEMP%\CopyDomGroups.tmp del /a %TEMP%\CopyDomGroups.tmp
endlocal
goto :EOF
:rparse
dsmod group %DN% -rmmbr %tdn% >nul
goto :EOF
:aparse
dsmod group %DN% -addmbr %tdn% >nul


Thanks in advance for any and all help tossed in my direction :)

Ypto Gink
Question by:bstolte
Accepted Solution

by:
mpemberton5 earned 250 total points
ID: 11873750
If you have VB.NET it should be pretty easy.

1. Read in your list of old users and new users into two arrays
2. For each user (each array entry)
   a. Read the old user's DirectoryEntry
   b. Read the new user's DirectoryEntry
   c. Query the groups that the old user is associated with
   d. Add the new user to each group (filter out any that you don't want)
   e. move to next user (array entry)


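Here's some code that will return the groups that the passed user belongs to:
    ' Requires: Imports System.DirectoryServices
    '           Imports System.Collections.Specialized
    Public Function GetUserGroupMembership(ByVal strUser As String) As StringCollection
        Dim groups As StringCollection = New StringCollection

        ' yourLDAPpath is a placeholder for your own LDAP:// search root.
        Dim obEntry As DirectoryEntry = New DirectoryEntry(yourLDAPpath)
        ' strUser is concatenated into the filter unescaped: pass only trusted account names.
        Dim srch As DirectorySearcher = New DirectorySearcher(obEntry, "(&(objectClass=user)(samAccountName=" & strUser & "))")
        Dim res As SearchResult = srch.FindOne()

        ' FindOne returns Nothing when no account matches; the empty list is returned then.
        If res IsNot Nothing Then
            Dim obUser As DirectoryEntry = New DirectoryEntry(res.Path)
            ' IADsUser.Groups returns the groups the user is a direct member of.
            Dim obGroups As Object = obUser.Invoke("Groups")

            Dim ob As Object
            For Each ob In obGroups
                Dim obGpEntry As DirectoryEntry = New DirectoryEntry(ob)
                ' Name has the form "CN=GroupName"; keep the part after "=".
                groups.Add(obGpEntry.Name.Split("="c)(1))
            Next
        End If

        Return groups
    End Function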


And here is some code that will allow you to add a user to a group:
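' ADHelper is a helper class that is not shown in this post.
' MyGroup must be the DirectoryEntry of the target group and currUser the DirectoryEntry of the new user.
Dim MyGroup As DirectoryEntry = ADHelper.GetUser(userName)
MyGroup.Properties("member").Add(currUser.Properties("distinguishedName").Value) ' Add user to group
MyGroup.CommitChanges()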


That should give you enough ammo to tackle this project.  Do some research on how DirectoryServices works.  It's relatively easy.  Let me know if you have any additional questions.

Thanks,
Mark
0
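The steps in the accepted answer, combined with the add-only mode of the asker's batch file, as an added example that is not code from either poster. Assumptions: the text file holds one `old,new` pair per line (comma, space or tab separated), `LDAP://DC=example,DC=com` is a placeholder root, the `/commit` switch and the `NeverCopy` deny list are choices made for this example. Without `/commit` it only prints what it would change, so privileged groups are not propagated to 2000 accounts unreviewed.

```vb
Imports System
Imports System.Collections.Generic
Imports System.DirectoryServices
Imports System.IO

Module CopyGroupMembership
    ' Assumed values, not from the thread: directory root and the groups that are never copied.
    Private Const LdapRoot As String = "LDAP://DC=example,DC=com"
    Private ReadOnly NeverCopy As New HashSet(Of String)(New String() {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}, StringComparer.OrdinalIgnoreCase)
    ' Escape LDAP filter metacharacters (RFC 4515) so a name read from the
    ' text file cannot change the meaning of the search filter.
    Private Function EscapeFilter(ByVal s As String) As String
        Return s.Replace("\", "\5c").Replace("*", "\2a").Replace("(", "\28").Replace(")", "\29")
    End Function
    Private Function FindUser(ByVal root As DirectoryEntry, ByVal sam As String) As DirectoryEntry
        Dim filter As String = "(&(objectClass=user)(sAMAccountName=" & EscapeFilter(sam) & "))"
        Dim hit As SearchResult = New DirectorySearcher(root, filter).FindOne()
        If hit Is Nothing Then Return Nothing
        Return hit.GetDirectoryEntry()
    End Function
    Sub Main(ByVal args As String())
        Dim commit As Boolean = args.Length > 1 AndAlso args(1) = "/commit"
        Dim root As New DirectoryEntry(LdapRoot)
        For Each line As String In File.ReadAllLines(args(0))
            Dim pair As String() = line.Split(New Char() {","c, " "c, ControlChars.Tab}, StringSplitOptions.RemoveEmptyEntries)
            If pair.Length <> 2 Then Continue For
            Dim oldUser As DirectoryEntry = FindUser(root, pair(0))
            Dim newUser As DirectoryEntry = FindUser(root, pair(1))
            If oldUser Is Nothing OrElse newUser Is Nothing Then
                Console.WriteLine("SKIP {0} -> {1}: account not found", pair(0), pair(1))
                Continue For
            End If
            Dim newDn As String = CStr(newUser.Properties("distinguishedName").Value)
            Dim already As New HashSet(Of String)(StringComparer.OrdinalIgnoreCase)
            For Each dn As Object In newUser.Properties("memberOf") : already.Add(CStr(dn)) : Next
            ' memberOf omits the primary group (normally Domain Users).
            For Each dn As Object In oldUser.Properties("memberOf")
                If already.Contains(CStr(dn)) Then Continue For
                Dim grp As New DirectoryEntry("LDAP://" & CStr(dn))
                Dim name As String = CStr(grp.Properties("sAMAccountName").Value)
                If NeverCopy.Contains(name) Then
                    Console.WriteLine("DENY {0}: {1}", pair(1), name) : Continue For
                End If
                Console.WriteLine("{0} {1} -> {2}", If(commit, "ADD ", "PLAN"), pair(1), name)
                If commit Then grp.Properties("member").Add(newDn) : grp.CommitChanges()
            Next
        Next
    End Sub
End Module
```

Run it once without `/commit` and review the PLAN and DENY lines before applying the changes.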
 

Author Comment

by:bstolte
ID: 11970236
Sorry for the late response, I actually gave up but did not want to leave you hanging out there.  Thanks for your effort and sorry about my own shortcomings on making this work.  Thanks.
