begar
asked on
Add users from an OU to a group, with users already belonging to
I cant find the correct way to add to a security AD Group all the users belonging to an OU. Specifically I encounter a problem when some of these users are already members of the group. I've tried the next syntax:
dsquery * "ou=ou,dc=domain,dc=com" -filter "(objectClass=user)" -limit 1000 | dsmod group "CN=group-name,ou=groups,d c=domain,d c=com" -c -addmbr
But the command exits with an error telling me that The user is already member of the group, and then exits with no changes made to the group.
dsquery * "ou=ou,dc=domain,dc=com" -filter "(objectClass=user)" -limit 1000 | dsmod group "CN=group-name,ou=groups,d
But the command exits with an error telling me that The user is already member of the group, and then exits with no changes made to the group.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
There is nothing wrong with your command, you can say its a mystery. There are problems when you pipe DSAdd, DSMod, DSMov, DSRm with DSQuery. I have searched allot for its explanation /solution on many forums, MS articles but didn't find any solution other then using FOR command.
In my solution I have used FOR loop.
FOR /F ["options"] %variable IN ('command') DO
Above loop type is used to parse the output of a 'command' (in our case command is DSQuery).
%variable holds the list of items that are outcome of a command (in our case %u which holds the users DN).
Delims=x specifies a delimiter, this replaces the default delimiter that is space and tab (if I don't give delims=* then %u may hold incorrect DN if users CN contains any space. It will automatically break the line when ever it finds any space in user DN)
For more information about FOR loop you can use FOR /? on command line.
DSQuery * "ou=ou,dc=domain,dc=com" -Filter "(sAMAccountType=805306368 )"
This statement will result ONLY user accounts that are inside the specified OU. (your statement was "(objectClass=user)" which may also include computer accounts.)
If you need further explanation do let me know.
In my solution I have used FOR loop.
FOR /F ["options"] %variable IN ('command') DO
Above loop type is used to parse the output of a 'command' (in our case command is DSQuery).
%variable holds the list of items that are outcome of a command (in our case %u which holds the users DN).
Delims=x specifies a delimiter, this replaces the default delimiter that is space and tab (if I don't give delims=* then %u may hold incorrect DN if users CN contains any space. It will automatically break the line when ever it finds any space in user DN)
For more information about FOR loop you can use FOR /? on command line.
DSQuery * "ou=ou,dc=domain,dc=com" -Filter "(sAMAccountType=805306368
This statement will result ONLY user accounts that are inside the specified OU. (your statement was "(objectClass=user)" which may also include computer accounts.)
If you need further explanation do let me know.
ASKER
great! the 500 are yours...
I found another way to accomplish that with the original Idea, the one with the pipe. What if I define a filter like (&(sAMAccountType=80530636 8)(!member Of="cn=gro up,ou=doma in,ou=com" ))
:D It takes much less time since the command is searching in a OU that hosts a thousand users. No users in the group, no errors, and no interruptions. Simply but effective.
Thank u again
I found another way to accomplish that with the original Idea, the one with the pipe. What if I define a filter like (&(sAMAccountType=80530636
:D It takes much less time since the command is searching in a OU that hosts a thousand users. No users in the group, no errors, and no interruptions. Simply but effective.
Thank u again
Excellent :)
Thanks for the points
Thanks for the points
ASKER
thank u in advance