jlundock asked on:

AD OUs and security groups

I was wondering, is there a way, when I create a new user in an OU, for that user to be added to a security group automatically? For example: I have OU "sales" and I have security group "sales". When I create user "John Smith" in OU "sales", he is automatically a member of the security group "sales".

Please help!
tigermatt

This is a question which is asked quite often, and the answer is, unfortunately, no. OUs and security groups are two different things, and as such, they are controlled independently of each other.

-Matt
This is, as Matt said, not possible with native functionality, but it can be done with some scripting, letting a scheduled task take care of adding the group membership automatically.
@echo off
setlocal
SET GROUPNAME="sales"
FOR /F "delims=" %%a in ('dsquery user "OU=sales,DC=domain,DC=local"') DO (
        dsquery GROUP -name %GROUPNAME%|dsmod group -addmbr %%a 2>>c:\temp\bulkerr.log 1>>c:\temp\bulk.log
)


jlundock (ASKER)

I like the script.
Could you please tell me what I need to replace in this script? And my second question is: how much will this task slow down my DC, or will it cause some other issues?
 
Thank you,
Plamen

I'll answer on henjoh09's behalf.

It looks to me that in the script, you need to enter the name of the group where it says SET GROUPNAME="sales". This is the name of the security group which the users must be added to.

You must also specify the OU where the script should pull users out of - this is currently defined by the OU=sales,DC=domain,DC=local part. Enter the appropriate LDAP string here for the OU in question, or post your OU structure and we can help you form that string.

The script needs to run as a Scheduled Task. It won't run all the time and therefore will not have an impact on your DC's performance.

-Matt
Ok, I am attaching 2 files. One is AD structure and one is ADSIedit Object version. I would like the script to work for users OU under Support\Information technologies to be added in the IT security group.
 
Thank you for all your help,
Plamen

AD.jpg
ADSIedit-Object-Version.jpg

Using henjoh's script - and he deserves a split of the points for posting that script initially - it would be like the script in the attached code snippet.

-Matt
@echo off
setlocal
SET GROUPNAME="IT"
FOR /F "delims=" %%a in ('dsquery user "OU=Information Technology,OU=Support,DC=NIResorts,DC=com"') DO (
        dsquery GROUP -name %GROUPNAME%|dsmod group -addmbr %%a 2>>c:\temp\bulkerr.log 1>>c:\temp\bulk.log
)


ASKER CERTIFIED SOLUTION
Henrik Johansson

So, for me, Henrik, it will be:
@echo off
setlocal
SET GROUPNAME="IT"
SET USEROU="OU=Users,OU=Information Technologies,OU=Support"
SET ERRLOGFILE=c:\temp\%GROUPNAME:"=%_bulkerr.log
SET LOGFILE=c:\temp\%GROUPNAME:"=%_bulk.log
FOR /F "delims=" %%u in ('dsquery user %USEROU%') DO (
	REM Check if %%u is member of %GROUPNAME%
	for /F %%c in ('dsquery group -name %GROUPNAME%^|dsget group -members^|find /c %%u') do (
		if "%%c" == "0" (
			echo %DATE% %TIME% Adding %%u >> %LOGFILE%
			dsquery group -name %GROUPNAME%|dsmod group -addmbr %%u 2>>%ERRLOGFILE% 1>> %LOGFILE%-output
		)
	)
)

How about the bulkerr.log file and bulk.log? Do I need to create them or will they be created automatically? If I type the code into a text file, does it matter if I save the file as .bat or .cmd?
 
Thank you,
Plamen
Oh, and one more thing, the group IT is global security type of group.
SOLUTION

And based on my limited knowledge of batch scripting, the log files should be created automatically.

-Matt
As the script was rewritten to handle parameters, you don't need to edit the script in http:#23662872 if you don't want to change the path for the log files to something other than c:\temp. Save the script and call it with the group and OU as parameters on the command line.
%~1 means first parameter
%~2 means second parameter
>> appends new lines to end of file if it already exist, and will automatically create file if file doesn't exist.

The OU parameter passed to the script needs to be the complete DN of the OU, including ",DC=NIResorts,DC=com", unless you modify the script to append the DC part at the SET USEROU line.

It doesn't really matter if you save file as *.cmd or *.bat when running batch on NT-based system like Windows 200x. BAT is an older file extension that was used back in DOS-based systems, but can still be used.
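Henrik's parameterised script is not visible above, so here is an added example (my own, not Henrik's script or anything else from the thread) that puts his description into one complete script: the group name arrives as %~1, the OU as %~2, the DC part is appended at the SET USEROU line as he suggests, and the membership check from the earlier snippet is kept. It assumes the domain suffix DC=NIResorts,DC=com from the thread and that c:\temp already exists; it also goes one step beyond the thread by resolving the group DN once instead of re-querying it for every user.

```batch
@echo off
setlocal
REM Added example, not Henrik's paywalled script.
REM Usage: addou2grp.cmd <group name> <OU DN without the DC part>
REM Assumes the domain suffix below and an existing c:\temp folder.
if "%~2"=="" (
    echo Usage: %~nx0 ^<group name^> ^<OU relative DN^>
    exit /b 1
)
SET GROUPNAME="%~1"
SET USEROU="%~2,DC=NIResorts,DC=com"
SET "ERRLOGFILE=c:\temp\%~1_bulkerr.log"
SET "LOGFILE=c:\temp\%~1_bulk.log"

REM Resolve the group DN once; dsquery prints it quoted
SET GROUPDN=
FOR /F "delims=" %%g in ('dsquery group -name %GROUPNAME%') DO SET GROUPDN=%%g
if not defined GROUPDN (
    echo %DATE% %TIME% Group %GROUPNAME% not found >> "%ERRLOGFILE%"
    exit /b 2
)

REM Enumerate users in the OU subtree; -limit 0 lifts the default cap of 100
FOR /F "delims=" %%u in ('dsquery user %USEROU% -limit 0') DO (
    REM Count occurrences of the user's DN in the member list: 0 or 1
    FOR /F %%c in ('dsget group %GROUPDN% -members ^| find /c %%u') DO (
        if "%%c"=="0" (
            echo %DATE% %TIME% Adding %%u to %GROUPNAME% >> "%LOGFILE%"
            dsmod group %GROUPDN% -addmbr %%u 2>>"%ERRLOGFILE%" 1>>"%LOGFILE%"
        ) else (
            echo %DATE% %TIME% %%u already a member >> "%LOGFILE%"
        )
    )
)
endlocal
```

Run it from the scheduled task as, for example, addou2grp.cmd IT "OU=Users,OU=Information Technology,OU=Support"; both log files are created by the >> redirection on first write.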
Thanks to Henrik and Matt.