AD OUs and security groups

jlundock asked
Medium Priority
473 Views
Last Modified: 2012-08-14

I was wondering, is there a way, when I create a new user in an OU, to have that user automatically added to a security group? For example: I have OU "sales" and I have security group "sales". When I create user "John Smith" in OU "sales", he is automatically a member of the security group "sales".

Please help!

tigermatt, Site Reliability Engineer
CERTIFIED EXPERT
Most Valuable Expert 2011

Commented:

This is a question which is asked quite often, and the answer is, unfortunately, no. OUs and security groups are two different things, and as such they are controlled independently of each other.

-Matt
Henrik Johansson, Systems engineer
Top Expert 2008

Commented:
As Matt said, this is not possible with native functionality, but it can be done with some scripting, letting a scheduled task take care of adding the group membership automatically.
@echo off
setlocal
SET GROUPNAME="sales"
REM Enumerate every user object in the OU (dsquery searches the subtree by default)
FOR /F "delims=" %%a in ('dsquery user "OU=sales,DC=domain,DC=local"') DO (
        REM Resolve the group's DN and add the user; stdout and stderr go to separate logs
        dsquery GROUP -name %GROUPNAME%|dsmod group -addmbr %%a 2>>c:\temp\bulkerr.log 1>>c:\temp\bulk.log
)


Author

Commented:
I like the script.
Could you please tell me what I need to replace in this script? And my second question is: how much will this task slow down my DC, or will it cause some other issues?
 
Thank you,
Plamen
tigermatt, Site Reliability Engineer
CERTIFIED EXPERT
Most Valuable Expert 2011

Commented:

I'll answer on henjoh09's behalf.

It looks to me that in the script you need to enter the name of the group where it says SET GROUPNAME="sales". This is the name of the security group which the users must be added to.

You must also specify the OU which the script should pull users out of; this is currently defined by the OU=sales,DC=domain,DC=local part. Enter the appropriate LDAP string here for the OU in question, or post your OU structure and we can help you form that string.

The script needs to run as a scheduled task. It won't run all the time and therefore will not have an impact on your DC's performance.

-Matt

Author

Commented:
OK, I am attaching 2 files. One is the AD structure and one is the ADSIedit object version. I would like the script to work for the Users OU under Support\Information technologies, to be added to the IT security group.
 
Thank you for all your help,
Plamen

Attachments: AD.jpg, ADSIedit-Object-Version.jpg
tigermatt, Site Reliability Engineer
CERTIFIED EXPERT
Most Valuable Expert 2011

Commented:

Using henjoh's script (and he deserves a split of the points for posting that script initially), it would be like the script in the attached code snippet.

-Matt
@echo off
setlocal
SET GROUPNAME="IT"
FOR /F "delims=" %%a in ('dsquery user "OU=Information Technology,OU=Support,DC=NIResorts,DC=com"') DO (
        dsquery GROUP -name %GROUPNAME%|dsmod group -addmbr %%a 2>>c:\temp\bulkerr.log 1>>c:\temp\bulk.log
)


Henrik Johansson, Systems engineer
Top Expert 2008
Commented:
To be a little bit more dynamic than my original sample, it is now rewritten to take the group name as the first parameter and the OU containing the users as the second parameter.
I also added some error handling to avoid trying to add the user if they are already a member of the group.

Sample execution if the script is saved as bulkadd.cmd:
bulkadd "IT" "OU=Users,OU=Information Technology,OU=Support,DC=NIResorts,DC=com"

/Henrik
@echo off
setlocal
REM %~1 / %~2 are the first and second command-line parameters with surrounding quotes removed
SET GROUPNAME="%~1"
SET USEROU="%~2"
REM %GROUPNAME:"=% strips the quotes so the group name can be used in the log file names
SET ERRLOGFILE=c:\temp\%GROUPNAME:"=%_bulkerr.log
SET LOGFILE=c:\temp\%GROUPNAME:"=%_bulk.log
FOR /F "delims=" %%u in ('dsquery user %USEROU%') DO (
	REM Check if %%u is member of %GROUPNAME% (count of matching member DNs; 0 means not a member)
	for /F %%c in ('dsquery group -name %GROUPNAME%^|dsget group -members^|find /c %%u') do (
		if "%%c" == "0" (
			echo %DATE% %TIME% Adding %%u >> %LOGFILE%
			dsquery group -name %GROUPNAME%|dsmod group -addmbr %%u 2>>%ERRLOGFILE% 1>> %LOGFILE%-output
		)
	)
)


Author

Commented:
So, for me, Henrik, it will be:
@echo off
setlocal
SET GROUPNAME="IT"
SET USEROU="OU=Users,OU=Information Technologies,OU=Support"
SET ERRLOGFILE=c:\temp\%GROUPNAME:"=%_bulkerr.log
SET LOGFILE=c:\temp\%GROUPNAME:"=%_bulk.log
FOR /F "delims=" %%u in ('dsquery user %USEROU%') DO (
	REM Check if %%u is member of %GROUPNAME%
	for /F %%c in ('dsquery group -name %GROUPNAME%^|dsget group -members^|find /c %%u') do (
		if "%%c" == "0" (
			echo %DATE% %TIME% Adding %%u >> %LOGFILE%
			dsquery group -name %GROUPNAME%|dsmod group -addmbr %%u 2>>%ERRLOGFILE% 1>> %LOGFILE%-output
		)
	)
)

Author

Commented:
How about the bulkerr.log file and bulk.log? Do I need to create them, or will they be created automatically? If I type the code into a text file, does it matter if I save the file as .bat or .cmd?
 
Thank you,
Plamen

Author

Commented:
Oh, and one more thing: the IT group is a global security group.
tigermatt, Site Reliability Engineer
CERTIFIED EXPERT
Most Valuable Expert 2011
Commented:

Hey,

Using Henrik's script, you now don't need to modify anything inside the script. Just download and save the script somewhere, and then when you execute it (either manually, at a command prompt, or using a scheduled task) you'd enter the command

path_to_script.cmd "Name of Security Group" "Path to OU of Users"

The script will pick up these parameters from the command line and automatically associate them with the appropriate variables in the script. So, your command would be

path_to_script.cmd "IT" "OU=Users,OU=Information Technology,OU=Support,DC=NIResorts,DC=com"

at either a command prompt or in the scheduled task.

-Matt
tigermatt, Site Reliability Engineer
CERTIFIED EXPERT
Most Valuable Expert 2011

Commented:

And based on my limited knowledge of batch scripting, the log files should be created automatically.

-Matt
Henrik Johansson, Systems engineer
Top Expert 2008

Commented:
As the script was rewritten to handle parameters, you don't need to edit the script in http:#23662872 unless you want to change the path for the log files to something other than c:\temp. Save the script and call it with the group and OU as parameters on the command line.
%~1 means the first parameter
%~2 means the second parameter
>> appends new lines to the end of the file if it already exists, and will automatically create the file if it doesn't exist.

The OU parameter passed to the script needs to be the complete DN of the OU, including ",DC=NIResorts,DC=com", unless you modify the script to append the DC part at the SET USEROU line.

It doesn't really matter if you save the file as *.cmd or *.bat when running a batch file on an NT-based system like Windows 200x. BAT is an older file extension that was used back on DOS-based systems, but it can still be used.
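As an added example (not part of the thread, and not Henrik's or Matt's code), the same parameterised job written in PowerShell with the ActiveDirectory module, which is what a current Windows administrator would schedule instead of dsquery/dsmod. It keeps the two-parameter interface from bulkadd.cmd (group name, OU DN) plus an assumed optional log directory, but it tests membership by comparing distinguished names exactly rather than counting substring matches with find /c, and it logs each add and each failure to separate files the way the batch version does. The -WhatIf support lets you dry-run it before handing it to a scheduled task.

```powershell
<#
  bulkadd.ps1 (added example, not from the original thread)
  Usage:  .\bulkadd.ps1 -GroupName "IT" -UserOU "OU=Users,OU=Information Technology,OU=Support,DC=NIResorts,DC=com"
  Assumes: RSAT ActiveDirectory module is installed; $LogDir is an assumed
  parameter that mirrors the hard-coded c:\temp in the batch script.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)][string]$GroupName,
    [Parameter(Mandatory)][string]$UserOU,
    [string]$LogDir = 'C:\temp'
)

Import-Module ActiveDirectory -ErrorAction Stop

if (-not (Test-Path $LogDir)) { New-Item -ItemType Directory -Path $LogDir | Out-Null }
$logFile = Join-Path $LogDir "${GroupName}_bulk.log"
$errFile = Join-Path $LogDir "${GroupName}_bulkerr.log"

# Resolve the group once; Get-ADGroup accepts the sAMAccountName, like dsquery group -name
$group = Get-ADGroup -Identity $GroupName -ErrorAction Stop

# Build a lookup of current member DNs so the membership test is an exact match,
# not the substring count that 'dsget group -members | find /c' performs
$current = @{}
Get-ADGroupMember -Identity $group |
    ForEach-Object { $current[$_.distinguishedName] = $true }

# dsquery user searches the whole subtree of the OU by default; do the same here
$users = Get-ADUser -SearchBase $UserOU -SearchScope Subtree -Filter *

$added = 0
foreach ($user in $users) {
    if ($current.ContainsKey($user.DistinguishedName)) { continue }   # already a member

    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Add to group $GroupName")) {
        try {
            Add-ADGroupMember -Identity $group -Members $user -ErrorAction Stop
            "$(Get-Date -Format s) Added $($user.DistinguishedName)" | Add-Content -Path $logFile
            $added++
        }
        catch {
            "$(Get-Date -Format s) FAILED $($user.DistinguishedName): $($_.Exception.Message)" |
                Add-Content -Path $errFile
        }
    }
}

Write-Output "Processed $($users.Count) user(s) in $UserOU; added $added to $GroupName."
```

Two points for the scheduled task itself: run it under an account that has only the "Write Members" permission delegated on the target group rather than a domain admin, and point a detection rule at the group's membership changes (event ID 4728 for a global security group) so that additions made outside this job stand out from the ones it logs.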

Author

Commented:
Thanks to Henrik and Matt.