Solved

Group Membership under Organizational Unit

Posted on 2005-03-04
214 Views
Last Modified: 2010-04-14
Does anyone know of a way to set the group membership for all users in a specific OU? I work in a K-12 school environment with a lot of user mobility. If I set up a user in one OU and move the user to a different OU, I have to make several changes to the user, including what groups the user belongs to. I can make most of the changes, like login scripts, specific to the OU that the user is in. Can this be done with group membership?
Question by:bdorminy
11 Comments
 
LVL 25

Expert Comment

by:mikeleebrla
ID: 13460600
Security group membership and OU membership are totally independent of each other. I've worked in K-12 schools as well, so I know how much network administration goes on. What exactly are you asking though? I'm confused when you say "Does anyone know of a way to set the group membership for all users in a specific OU?" Are you saying that you want all users in OU A to automatically be in security group A, for example? I.e. if you take a user out of OU A, you want that user to be automatically removed from security group A?
0
 

Author Comment

by:bdorminy
ID: 13460668
Yes, that is what I want. If I move user johndoe, who is a member of security group A1HighUsers, from OU A1High to OU centraloffice, I would like his security groups to change.
0
 
LVL 25

Expert Comment

by:mikeleebrla
ID: 13460842
This can't be done to my knowledge, as OUs and security groups are totally independent of each other in their memberships. There might be some script or add-in to AD for this, but I've never seen it. It would be a VERY dangerous thing to do, in my opinion, to mess with the AD database like this.
0
 

Author Comment

by:bdorminy
ID: 13461114
OK. I just thought it would be nice to be able to use Group Policy to say that if a user is in XYZ OU then they belong to XYZ security group.
0
 
LVL 22

Expert Comment

by:kristinaw
ID: 13461160
Theoretically speaking, it would be possible to do something like this programmatically, but it would be somewhat complicated. I have a couple of VBScripts that are set up to run on a schedule (daily, I think), and when they run they basically take all the members of a particular OU and add them to a specified group. For example, OU name CSB has a distribution list named CSB - ALL. Whenever new users are added, the security team frequently forgets to add members of CSB to this group. Now it gets done automatically.

To do what you want would require some sort of script (or something) that would take each user in the OU, strip him out of all groups, and add him to a list of predefined groups for that OU. If you have a large number of OUs and groups then it could get a bit sticky rather quickly.

Kris.
0
 
LVL 25

Accepted Solution

by:
mikeleebrla earned 500 total points
ID: 13461205
I know it would be possible, but it would be VERY dangerous also. Think about this problem that you would encounter every day:

User XYZ needs to be moved from OU A.
The script would remove user XYZ from security group A as well.
But what if user XYZ still needs to be a member of security group A in order to get to his/her files?
The script has now taken away the ability for this user to get to his/her files.

This will happen EVERY time you change anything with regards to OUs or groups, since a user can be a member of only one OU at a time, but can be a member of many groups.

This problem doesn't even mention the AD database corruption that could occur if you do this.
0
 

Author Comment

by:bdorminy
ID: 13461259
Point well taken, Mike. I see now that it could get to be quite confusing and would inevitably lead to more problems. I think the question is answered. I appreciate all the input.
0
 
LVL 25

Expert Comment

by:mikeleebrla
ID: 13461279
Sorry, but sometimes the correct answer is simply "no, it's not possible". Having worked in a K-12 school, I don't miss it.
0
 

Author Comment

by:bdorminy
ID: 13461312
I am dealing with 27 K-12 schools on one domain. No is usually not an acceptable answer, but in some cases it just can't be any other way. I love it when No is the only answer.
0
 
LVL 22

Expert Comment

by:kristinaw
ID: 13461315
I agree that it would be a difficult thing to do, but disagree with it being dangerous. I work in a very large environment and use scripts to do things similar to this all the time. All we're talking about here is adding and removing someone from a group. Whether you do it once or 20 times, it's essentially the same operation. I've never seen adding/removing someone from a group, mass updates to AD via script (which I've done many times), or anything of the sort cause AD database corruption. Anyways, perhaps you're just the overly cautious type who prefers to take 3 days to do something by hand when it would take about 20 seconds to do via script.

I'm assuming the person asking the question would know the implications of adding/removing someone from a group. I'm simply presenting a viable option along with the pros and cons, which is what he asked for. Assuming you have a highly structured environment, it is possible to do as I suggested, and I agree that all pros and cons should be presented. I just like questions like this, as I like to try and think outside the box. I also make sure I have good backups, just in case.
0
 

Author Comment

by:bdorminy
ID: 13461513
Is it possible? Yes, I agree that it is. Scripting would be a good way to accomplish the task, but that is not really what I was looking for. I was trying to find out if it would be a simple and automatic operation. My end goal is to hopefully be able to tell a school media specialist how to drag a user out of one OU into another OU and she is done. I was hoping to avoid having someone with little experience trying to change user properties. Using a script may be an option in the end.
0
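A scheduled reconciliation script of the kind Kris describes (OU members get added to, and stale members removed from, a group), written so that it only ever touches groups explicitly mapped to an OU, which avoids the file-access loss Mike raises in the accepted answer: a share ACL group granted by hand is never removed. This is an added PowerShell example, not the VBScripts from the thread; it assumes the RSAT ActiveDirectory module, and the OU distinguished names and group names are placeholders.

```powershell
# Added example (not the thread's own scripts): reconcile OU-managed groups with the
# users currently sitting in each OU. Run with -WhatIf to see changes without applying them.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Placeholder mapping: OU DN -> groups that this OU controls. Only groups listed
    # here are ever modified; any other group a user holds is left untouched.
    [hashtable]$OuGroupMap = @{
        'OU=A1High,OU=Schools,DC=example,DC=org'        = @('A1HighUsers')
        'OU=CentralOffice,OU=Schools,DC=example,DC=org' = @('CentralOfficeUsers')
    }
)
Import-Module ActiveDirectory

foreach ($ouDn in $OuGroupMap.Keys) {
    # Users directly under this OU; a sub-OU gets its own map entry if it needs one.
    $ouUsers = @(Get-ADUser -SearchBase $ouDn -SearchScope OneLevel -Filter * |
                 Select-Object -ExpandProperty DistinguishedName)

    foreach ($groupName in $OuGroupMap[$ouDn]) {
        # Current user members of the managed group; nested groups are left alone.
        $members = @(Get-ADGroupMember -Identity $groupName |
                     Where-Object { $_.objectClass -eq 'user' } |
                     Select-Object -ExpandProperty distinguishedName)

        # Users in the OU but not yet in the group, and members who have left the OU.
        $toAdd    = @($ouUsers | Where-Object { $members -notcontains $_ })
        $toRemove = @($members | Where-Object { $ouUsers -notcontains $_ })

        if ($toAdd.Count -gt 0) {
            if ($PSCmdlet.ShouldProcess($groupName, "Add $($toAdd.Count) user(s) from $ouDn")) {
                Add-ADGroupMember -Identity $groupName -Members $toAdd
            }
        }
        if ($toRemove.Count -gt 0) {
            if ($PSCmdlet.ShouldProcess($groupName, "Remove $($toRemove.Count) user(s) no longer in $ouDn")) {
                # ShouldProcess above already gated this; -WhatIf still suppresses the call.
                Remove-ADGroupMember -Identity $groupName -Members $toRemove -Confirm:$false
            }
        }
        Write-Verbose ("{0}: +{1} / -{2}" -f $groupName, $toAdd.Count, $toRemove.Count)
    }
}
```

Get-ADGroupMember returns at most 5,000 members by default (the ADWS MaxGroupOrMemberEntries limit), so for very large groups read the group's member attribute instead. Schedule it under an account that can modify only the mapped groups, and keep the map in version control so a moved user's group changes are traceable.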
