
Create Multiple Groups in AD

Posted on 2006-05-04
Last Modified: 2008-02-01
Does someone have a script that will create multiple group objects in AD by reading the names from a text file?

I have the following script which creates 1 (one) group, how can I modify it to make it create more than one?


Const ADS_GROUP_TYPE_GLOBAL_GROUP = &h2
Const ADS_GROUP_TYPE_SECURITY_ENABLED = &h80000000

Set objOU = GetObject("LDAP://ou=SPECIFY OU HERE,dc=SPECIFY DN HERE")
Set objGroup = objOU.Create("Group", "cn=Name_Of_Group")

objGroup.Put "groupType", ADS_GROUP_TYPE_GLOBAL_GROUP Or _
    ADS_GROUP_TYPE_SECURITY_ENABLED
objGroup.SetInfo


We are about to begin a project to migrate our existing AD to our parent company's AD (which I hate but what can you do) and I need to recreate about 150 groups from our AD in their AD.  There are no trusts set up so ADMT is out of the question.
0
Question by:dspent
18 Comments
 
LVL 51

Expert Comment

by:Netman66
ID: 16610706
This will work for you.  Copy this into a CMD file, run it from the server or an XP workstation.  This script assumes the following:

1) The groups are in a text file named "groups.txt" and are entered one per line with no quotes (eg. Management).  
2) This script can be run against one OU at a time - if you require creating groups in different OUs, then you need to divide them up into multiple Groups.txt files - one per OU.
3)  It is creating Global Groups.  To change this, after the -scope switch you can use (l)ocal, (u)niversal, or (g)lobal.
4)  There is no error checking - it's a down and dirty script.


@echo off
cls

set /p strDC="Please enter the NetBIOS name of a DC: "
Set /p strOU="Please enter the name of the OU to create the groups: "
for /f %%A in ('dsquery OU -name %strOU% -s %strDC%') do set strOUPath=%%A

for /f "delims=" %%B in (groups.txt) do dsadd group "CN="%%B","%strOUPath% -secgrp yes -scope g -s %strDC%

pause

0
 
LVL 51

Expert Comment

by:Netman66
ID: 16610785
I forgot to add - the server and/or the workstation must have the Support Tools installed on them.  They're on their respective CD under Support.

0
 
LVL 1

Author Comment

by:dspent
ID: 16611820
I am not at work this minute so I can't test...

However, one thing that has me questioning whether this will work for me is access rights/permissions to the domain.  Of course I am domain admin in MY domain.... But in the corporate domain we are limited admins only to our top level OU.

In other words, we only have what administrative rights the corporate IS domain admins have delegated.  Do you think this will be a problem?  I will test this out in the A.M.

-Jones
0

 
LVL 58

Expert Comment

by:Pete Long
ID: 16612495
0
 
LVL 51

Expert Comment

by:Netman66
ID: 16613481
You can create the groups at the level you are granted rights.  The other admins can move them if they won't allow you to create them where they belong.

0
 
LVL 1

Author Comment

by:dspent
ID: 16614232
Where you have:

Set /p strOU="Please enter the name of the OU to create the groups: "

How do I enter the OU name?

I'm assuming...
ou=groups,ou=AKJ,ou=Facilities,dc=corporatedomain,dc=com   etc.....?
0
 
LVL 1

Author Comment

by:dspent
ID: 16614235
Oh yeah and what about specifying the description for the group, can that also be done?
0
 
LVL 51

Expert Comment

by:Netman66
ID: 16614795
No, just enter the friendly name - ie. Groups.  The script will go get the proper LDAP name.

Description can be added but it adds a bit of complexity to things.

If you have to do this by script let me know and I'll tweak that tonight.



0
 
LVL 1

Author Comment

by:dspent
ID: 16622266
You say the script will get the proper name, but how will it be able to differentiate between my group and other groups that have the same name in other OUs....

The corporate OU Structure is like this

TOP LEVEL (domain)
---FACILITIES (ou)
-------XXX (ou)  where xxx is a three letter code for each hospital in the domain.  ours is AKJ
----------Groups (ou)  and other ou's at this level for users, workstations, server etc...

Each OU under facilities is exactly the same for every facility.  So if I specify for example GroupBlah in Groups OU how will your script know to put it in the Groups OU under the AKJ ou and not some other Groups OU?


As for the description, if you wouldn't mind, I would appreciate being able to add a description via the script.  The corporate IS has already put dozens of groups in the OU for whatever reason and I want to be able to single out the groups I have added once I am finished.....However if you don't want to go through any extra hassle please don't...It's not absolutely necessary.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 16622848
For the OU, you can choose the root at which to begin the search.  

for /f %%A in ('dsquery OU -name %strOU% -s %strDC%') do set strOUPath=%%A

Change the line above so that dsquery has a startnode:

for /f %%A in ('dsquery OU "{startnode}" -name %strOU% -s %strDC%') do set strOUPath=%%A

where startnode is the complete DN for example:  "ou=AKJ,ou=Facilities,dc=corporatedomain,dc=com"

As for description, I will assume that the group and description are in the same file separated by a comma (like so):

group name,group description

(no spaces between the comma and the description)

I will try to tweak this tonight.
0
 
LVL 51

Accepted Solution

by:
Netman66 earned 2000 total points
ID: 16623307
OK, here's the modified code:

****

@echo off
cls

Set /p strStartOU="Enter the top-level starting OU: "
set /p strDC="Please enter the NetBIOS name of a DC: "
Set /p strOU="Please enter the name of the OU to create the groups: "
for /f "delims=" %%D in ('dsquery OU -name "%strStartOU%" -s %strDC%') do set strStartPath=%%D
for /f "delims=" %%A in ('dsquery OU %strStartPath% -name "%strOU%" -s %strDC%') do set strOUPath=%%A

for /f "tokens=1,2 delims=," %%B in (groups.txt) do dsadd group "CN="%%B","%strOUPath% -secgrp yes -desc "%%C" -scope g -s %strDC%

pause

****

Here's what the groups.txt should look like:

Tester1,Test Group 1
Tester2,Test Group 2
Tester3,Test Group 3


Remember, this can only load one OU at a time, so your groups.txt will have to be created accordingly.

The first prompt asks for the top-level OU - I would imagine you would put AKJ in this.
The second prompt is for a DC name.
The third prompt is for the OU where you want the groups created.


Hope this is what you want.

0
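
The batch loop above keeps whichever OU `dsquery` prints last and runs `dsadd` on every line unchecked. As an added example (not code from this thread), the same bulk creation with the later ActiveDirectory PowerShell module refuses an ambiguous OU match, validates each name, and runs as a dry run first; `DC01` and the name allowlist are assumptions.

```powershell
# Added example, not from the thread. Needs the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$Server     = 'DC01'         # placeholder DC name (assumption)
$SearchBase = 'OU=AKJ,OU=Facilities,DC=corporatedomain,DC=com'  # start node used in the thread
$OUName     = 'Groups'       # friendly OU name, as typed at the batch prompt
$InputFile  = '.\groups.txt' # one "name,description" pair per line

# Resolve the OU below the start node; stop unless exactly one OU matches.
# (The batch loop silently keeps the last line dsquery prints.)
$ous = @(Get-ADOrganizationalUnit -Filter "Name -eq '$OUName'" -SearchBase $SearchBase -Server $Server)
if ($ous.Count -ne 1) {
    throw "Expected one OU named '$OUName' under $SearchBase, found $($ous.Count)."
}
$path = $ous[0].DistinguishedName

# Conservative allowlist (an assumed naming policy): letters, digits, space,
# underscore, dot, hyphen; must start and end with a letter or digit.
$valid = '^[A-Za-z0-9]([A-Za-z0-9 _.-]{0,62}[A-Za-z0-9])?$'
$seen  = @{}   # PowerShell hashtable literals compare keys case-insensitively

foreach ($row in Import-Csv -Path $InputFile -Header Name, Description) {
    $name = "$($row.Name)".Trim()
    if ($name -notmatch $valid) {
        Write-Warning "Skipped '$name': name fails the allowlist"; continue
    }
    if ($seen.ContainsKey($name)) {
        Write-Warning "Skipped '$name': duplicate line in $InputFile"; continue
    }
    $seen[$name] = $true
    # sAMAccountName is unique per domain, so check the whole domain, not just the OU.
    if (Get-ADGroup -Filter "SamAccountName -eq '$name'" -Server $Server) {
        Write-Warning "Skipped '$name': a group with this name already exists"; continue
    }
    $params = @{
        Name = $name; SamAccountName = $name; Path = $path
        GroupScope = 'Global'; GroupCategory = 'Security'; Server = $Server
    }
    if ($row.Description) { $params.Description = $row.Description.Trim() }
    New-ADGroup @params -WhatIf   # dry run; remove -WhatIf after reviewing the output
}
```

A description that contains a comma must be wrapped in double quotes in groups.txt so that `Import-Csv` keeps it as one field.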
 
LVL 51

Expert Comment

by:Netman66
ID: 16623314
You can load all the groups into one OU then move them according to description if you want to do it all from one text file - this would be a second script - and a second question! :o)

0
 
LVL 1

Author Comment

by:dspent
ID: 16640158
Sorry I didn't get back sooner....

I ran the script, but I get errors...

ou=-HNMC,dc=hnmc,dc=hnw,dc=tenethealth,dc=com
HNMADDC1
TestMe
dsquery failed:No value specified for `s'.
type dsquery /? for help.dsquery failed:No value specified for `s'.
type dsquery /? for help.dsadd failed:No value specified for `s'.
type dsadd /? for help.dsadd failed:No value specified for `s'.
type dsadd /? for help.dsadd failed:No value specified for `s'.
type dsadd /? for help.Press any key to continue . . .
0
 
LVL 51

Expert Comment

by:Netman66
ID: 16640399
Which script gave you this error?

Can you post a couple of lines of your text file?  Change names and stuff, but do not change the format you are using, I need to see it as it is - spaces and all.

The top-level starting OU should be HNMC - do not use the LDAP path, just the simple name of the OU - no quotes and as you read it, including spaces.

So, if I interpret the last post correctly, then this:

HNMC
HNMADDC1
TestMe

Those should be your inputs.

0
 
LVL 1

Author Comment

by:dspent
ID: 16640692
Here is the script I used...

@echo off
cls

Set /p strStartOU="-HNMC"
set /p strDC="HNMADDC1"
Set /p strOU="TestMe"
for /f "delims=" %%D in ('dsquery OU -name "%strStartOU%" -s %strDC%') do set strStartPath=%%D
for /f "delims=" %%A in ('dsquery OU %strStartPath% -name "%strOU%" -s %strDC%') do set strOUPath=%%A

for /f "tokens=1,2 delims=," %%B in (groups.txt) do dsadd group "CN="%%B","%strOUPath% -secgrp yes -desc "%%C" -scope g -s %strDC%

pause


The -HNMC is the top level OU... running the above gives me the error I posted previously.


Here is my groups.txt file....

Blah,ThisIsBlah
Blah2,This Is Blah 2
Blah3,This_Is_Blah_3



0
 
LVL 51

Expert Comment

by:Netman66
ID: 16642220
First off,

Set /p strStartOU="-HNMC"
set /p strDC="HNMADDC1"
Set /p strOU="TestMe"

Should be:

Set  strStartOU="-HNMC"
Set  strDC="HNMADDC1"
Set  strOU="TestMe"

Secondly, this line cannot wrap, it has to be on one line:

for /f "tokens=1,2 delims=," %%B in (groups.txt) do dsadd group "CN="%%B","%strOUPath% -secgrp yes -desc "%%C" -scope g -s %strDC%


If this still fails, I will be home in a few hours and can debug it there.

0
 
LVL 1

Author Comment

by:dspent
ID: 16643275
That's what the problem was... The /p needed to be removed.

Works perfectly.  Thanks a million for your assistance.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 16643583
Anytime!

Just so you know, I put the prompts in there so you don't have to alter the code each time.  Simply enter the new info each time you run it.

Glad to help!

NM
0
