Add users from an OU to a group, with users already belonging to

Posted on 2007-10-03
Last Modified: 2008-05-31
I can't find the correct way to add to a security AD Group all the users belonging to an OU. Specifically I encounter a problem when some of these users are already members of the group. I've tried the next syntax:

dsquery * "ou=ou,dc=domain,dc=com" -filter "(objectClass=user)" -limit 1000 | dsmod group "CN=group-name,ou=groups,dc=domain,dc=com" -c -addmbr

But the command exits with an error telling me that the user is already a member of the group, and then exits with no changes made to the group.
Question by:begar
    LVL 26

    Accepted Solution

    Try this

    FOR /F "delims=*" %u IN ('DSQuery * "ou=ou,dc=domain,dc=com" -Filter "(sAMAccountType=805306368)" -Limit 0') DO DSMod Group "cn=group-name,ou=groups,dc=domain,dc=com" -addmbr %u

    Author Comment

    Thanks Farhankazi, half question is yours...but, could you be more explicit? There are 500 points on the table and I want to know what is happening with my command. And of course, I want to understand your command too....I need to improve my skills ;)

    thank u in advance
    LVL 26

    Expert Comment

    There is nothing wrong with your command, you can say it's a mystery. There are problems when you pipe DSAdd, DSMod, DSMov, DSRm with DSQuery. I have searched a lot for its explanation/solution on many forums and MS articles but didn't find any solution other than using the FOR command.

    In my solution I have used FOR loop.

    FOR /F ["options"] %variable IN ('command') DO
    Above loop type is used to parse the output of a 'command' (in our case command is DSQuery).
    %variable holds the list of items that are the outcome of a command (in our case %u, which holds the user's DN).
    Delims=x specifies a delimiter; this replaces the default delimiter, which is space and tab (if I don't give delims=* then %u may hold an incorrect DN if the user's CN contains any space. It will automatically break the line whenever it finds any space in the user DN)

    For more information about FOR loop you can use FOR /? on command line.

    DSQuery * "ou=ou,dc=domain,dc=com" -Filter "(sAMAccountType=805306368)"
    This statement will result in ONLY user accounts that are inside the specified OU. (Your statement was "(objectClass=user)", which may also include computer accounts.)

    If you need further explanation do let me know.

    Author Comment

    great! the 500 are yours...

    I found another way to accomplish that with the original idea, the one with the pipe. What if I define a filter like (&(sAMAccountType=805306368)(!memberOf="cn=group,ou=domain,ou=com"))

    :D   It takes much less time since the command is searching in an OU that hosts a thousand users. No users in the group, no errors, and no interruptions. Simple but effective.

    Thank u again
    LVL 26

    Expert Comment

    Excellent :)
    Thanks for the points
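
The membership-exclusion filter from the thread, as an added example that is not part of the original posts: a PowerShell version that assumes the ActiveDirectory module (RSAT) is installed, with hypothetical function names and the thread's placeholder DNs. It goes slightly beyond the thread by escaping the group DN for use inside an LDAP filter and by excluding users whose primary group is the target, because memberOf does not list the primary group.

```powershell
#Requires -Modules ActiveDirectory

# Hypothetical helper: escape a value for use inside an LDAP filter (RFC 4515).
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    # Backslash first, so the escapes added below are not escaped again.
    $Value = $Value.Replace('\', '\5c')
    $Value = $Value.Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
    return $Value.Replace([string][char]0, '\00')
}

# Hypothetical function: add every user under $SearchBase that is not yet a member.
function Add-OuUsersToGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SearchBase,
        [Parameter(Mandatory)][string]$GroupDN
    )
    # primaryGroupToken is the group's RID; users holding the group as their
    # primary group do not list it in memberOf, so they are excluded separately.
    $group = Get-ADGroup -Identity $GroupDN -Properties primaryGroupToken
    $dn = ConvertTo-LdapFilterValue -Value $group.DistinguishedName
    $filter = "(&(sAMAccountType=805306368)" +
              "(!(memberOf=$dn))" +
              "(!(primaryGroupID=$($group.primaryGroupToken))))"

    $missing = @(Get-ADUser -SearchBase $SearchBase -SearchScope Subtree -LDAPFilter $filter)
    if ($missing.Count -eq 0) {
        Write-Verbose "No users to add under $SearchBase"
        return
    }
    if ($PSCmdlet.ShouldProcess($group.DistinguishedName, "Add $($missing.Count) user(s)")) {
        Add-ADGroupMember -Identity $group -Members $missing
    }
    # Emit what was (or, with -WhatIf, would be) added, for the change record.
    $missing | Select-Object SamAccountName, DistinguishedName
}

# Placeholder DNs from the thread; -WhatIf previews without modifying the group.
Add-OuUsersToGroup -SearchBase 'ou=ou,dc=domain,dc=com' `
    -GroupDN 'CN=group-name,ou=groups,dc=domain,dc=com' -WhatIf
```

Because only non-members are returned, the run is idempotent, and the emitted list can be kept as the record of who was granted the group's access.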
