AD OUs and security groups

  I was wondering, is there a way, when I create a new user in an OU, for it to be added automatically to a security group? For example: I have OU "sales" and I have security group "sales". When I create user "John Smith" in OU "sales", he is automatically a member of the Security Group "sales".

Please help!
jlundock
Asked:
 
tigermattCommented:

This is a question which is asked quite often, and the answer is, unfortunately, not. OUs and Security Groups are two different things, and as such they are controlled independently of each other.

-Matt
 
Henrik JohanssonSystems engineerCommented:
This is, as Matt said, not possible with native functionality, but it can be done with some scripting and letting a scheduled task take care of the automatic group membership adding.
@echo off
setlocal
SET GROUPNAME="sales"
FOR /F "delims=" %%a in ('dsquery user "OU=sales,DC=domain,DC=local"') DO (
        dsquery GROUP -name %GROUPNAME%|dsmod group -addmbr %%a 2>>c:\temp\bulkerr.log 1>>c:\temp\bulk.log
)

 
jlundockAuthor Commented:
I like the script.
Could you please tell me what I need to replace in this script? And my second question is: how much will this task slow down my DC, or will it cause some other issues?
 
Thank you,
Plamen
tigermattCommented:

I'll answer on henjoh09's behalf.

It looks to me that in the script, you need to enter the name of the group where it says SET GROUPNAME="sales". This is the name of the security group which the users must be added to.

You must also specify the OU where the script should pull users out of - this is currently defined by the OU=sales,DC=domain,DC=local part. Enter the appropriate LDAP string here for the OU in question, or post your OU structure and we can help you form that string.

The script needs to run as a Scheduled Task. It won't run all the time and therefore will not have an impact on your DC's performance.

-Matt
 
jlundockAuthor Commented:
Ok, I am attaching 2 files. One is the AD structure and one is the ADSIedit object version. I would like the script to work for the Users OU under Support\Information technologies, to be added to the IT security group.
 
Thank you for all your help,
Plamen

AD.jpg
ADSIedit-Object-Version.jpg
 
tigermattCommented:

Using henjoh's script - and he deserves a split of the points for posting that script initially - it would be like the script in the attached code snippet.

-Matt
@echo off
setlocal
SET GROUPNAME="IT"
FOR /F "delims=" %%a in ('dsquery user "OU=Information Technology,OU=Support,DC=NIResorts,DC=com"') DO (
        dsquery GROUP -name %GROUPNAME%|dsmod group -addmbr %%a 2>>c:\temp\bulkerr.log 1>>c:\temp\bulk.log
)

 
Henrik JohanssonSystems engineerCommented:
To be a little bit more dynamic than my original sample, it's now rewritten to take the group name as the first parameter and the OU containing the users as the second parameter.
Also added some error handling to avoid trying to add the user if it's already a member of the group.

Sample execution if script is saved as bulkadd.cmd:
bulkadd "IT" "OU=Users,OU=Information Technology,OU=Support,DC=NIResorts,DC=com"

/Henrik
@echo off
setlocal
SET GROUPNAME="%~1"
SET USEROU="%~2"
SET ERRLOGFILE=c:\temp\%GROUPNAME:"=%_bulkerr.log
SET LOGFILE=c:\temp\%GROUPNAME:"=%_bulk.log
FOR /F "delims=" %%u in ('dsquery user %USEROU%') DO (
	REM Check if %%u is member of %GROUPNAME%
	for /F %%c in ('dsquery group -name %GROUPNAME%^|dsget group -members^|find /c %%u') do (
		if "%%c" == "0" (
			echo %DATE% %TIME% Adding %%u >> %LOGFILE%
			dsquery group -name %GROUPNAME%|dsmod group -addmbr %%u 2>>%ERRLOGFILE% 1>> %LOGFILE%-output
		)
	)
)

 
jlundockAuthor Commented:
So, for me Henrik it will be:
@echo off
setlocal
SET GROUPNAME="IT"
SET USEROU="OU=Users,OU=Information Technologies,OU=Support"
SET ERRLOGFILE=c:\temp\%GROUPNAME:"=%_bulkerr.log
SET LOGFILE=c:\temp\%GROUPNAME:"=%_bulk.log
FOR /F "delims=" %%u in ('dsquery user %USEROU%') DO (
	REM Check if %%u is member of %GROUPNAME%
	for /F %%c in ('dsquery group -name %GROUPNAME%^|dsget group -members^|find /c %%u') do (
		if "%%c" == "0" (
			echo %DATE% %TIME% Adding %%u >> %LOGFILE%
			dsquery group -name %GROUPNAME%|dsmod group -addmbr %%u 2>>%ERRLOGFILE% 1>> %LOGFILE%-output
		)
	)
)
 
jlundockAuthor Commented:
How about the bulkerr.log file and bulk.log? Do I need to create them or will they be created automatically? If I type the code into a text file, does it matter if I save the file as .bat or .cmd?
 
Thank you,
Plamen
 
jlundockAuthor Commented:
Oh, and one more thing, the group IT is global security type of group.
 
tigermattCommented:

Hey,

Using Henrik's script, you now don't need to modify anything inside the script. Just download and save the script somewhere, and then when you execute it (either manually, at a command prompt, or using a Scheduled Task) you'd enter the command

path_to_script.cmd "Name of Security Group" "Path to OU of Users"

The script will pick up these parameters out of the command line and will automatically associate them with the appropriate variables in the script. So, your command would be

path_to_script.cmd "IT" "OU=Users,OU=Information Technology,OU=Support,DC=NIResorts,DC=com"

at either a command prompt or in the Scheduled Task.

-Matt
 
tigermattCommented:

And based on my limited knowledge of batch scripting, the log files should be created automatically.

-Matt
 
Henrik JohanssonSystems engineerCommented:
As the script was rewritten to handle parameters, you don't need to edit the script in http:#23662872 if you don't want to change the path for the log files to something other than c:\temp. Save the script and call it with the group and OU as parameters on the command line.
%~1 means first parameter
%~2 means second parameter
>> appends new lines to the end of the file if it already exists, and will automatically create the file if it doesn't exist.

The OU parameter passed to the script needs to be the complete DN of the OU, including ",DC=NIResorts,DC=com", if not modifying the script to append the DC part at the SET USEROU line.

It doesn't really matter if you save the file as *.cmd or *.bat when running batch on an NT-based system like Windows 200x. BAT is an older file extension that was used back in DOS-based systems, but can still be used.
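The same OU-to-group sync that Henrik's parameterized bulkadd.cmd performs, written as an added PowerShell example (this is not code from the thread, and neither Henrik nor Matt posted it). It assumes the ActiveDirectory module from RSAT is installed, and the script name Sync-OUToGroup.ps1, the parameter names, and the default log path under C:\temp are choices made for this example. It does the same three things as the batch version, enumerate the users in the OU, skip those already in the group, add the rest and log the result, but reads the member list once instead of running "dsget group -members | find /c" per user, and it supports -WhatIf so the change can be previewed before the scheduled task is created.

```powershell
<#
  Sync-OUToGroup.ps1 (added example, not code from the thread)
  Adds every user directly inside an OU to a security group, skipping users who
  are already members, so it is safe to run repeatedly from a scheduled task.
  Assumes the ActiveDirectory module (RSAT) is installed; the group name, OU DN
  and log path are supplied by the caller (parameter names are this example's).
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)]
    [string] $GroupName,      # e.g. "IT"

    [Parameter(Mandatory = $true)]
    [string] $UserOU,         # full DN, e.g. "OU=Users,OU=Information Technology,OU=Support,DC=NIResorts,DC=com"

    [string] $LogFile = "C:\temp\${GroupName}_bulk.log"
)

Import-Module ActiveDirectory -ErrorAction Stop

function Write-Log([string] $Message, [string] $Path) {
    # Equivalent of >> in the batch version: Out-File -Append creates the file on first use
    "$(Get-Date -Format s) $Message" | Out-File -FilePath $Path -Append -Encoding utf8
}

# Create the log directory if it is missing (the batch version required c:\temp to exist)
New-Item -ItemType Directory -Force -Path (Split-Path -Parent $LogFile) | Out-Null

# Resolve the group once and fail early if the name is wrong
$group = Get-ADGroup -Identity $GroupName -ErrorAction Stop

# Read the membership list once into a lookup table keyed by DN. The batch script
# re-enumerated all members ("dsget group -members | find /c") for every user.
$members = @{}
foreach ($m in Get-ADGroupMember -Identity $group) {
    $members[$m.DistinguishedName] = $true
}

# OneLevel mirrors dsquery's default scope for a container; use Subtree to include child OUs
$users = @(Get-ADUser -Filter * -SearchBase $UserOU -SearchScope OneLevel -ErrorAction Stop)

$added = 0
foreach ($u in $users) {
    if ($members.ContainsKey($u.DistinguishedName)) { continue }   # already a member: nothing to do

    # Running the script with -WhatIf lists the users that would be added without touching the group
    if ($PSCmdlet.ShouldProcess($u.DistinguishedName, "Add to group $GroupName")) {
        try {
            Add-ADGroupMember -Identity $group -Members $u -ErrorAction Stop
            Write-Log "Added $($u.DistinguishedName)" $LogFile
            $added++
        } catch {
            # Keep errors in a separate file, as the batch version did with 2>>
            Write-Log "ERROR adding $($u.DistinguishedName): $($_.Exception.Message)" "$LogFile.err"
        }
    }
}

Write-Log "Done: $($users.Count) users in OU, $added added, $($members.Count) were already members" $LogFile
```

Run it once by hand with -WhatIf (`.\Sync-OUToGroup.ps1 -GroupName "IT" -UserOU "OU=Users,OU=Information Technology,OU=Support,DC=NIResorts,DC=com" -WhatIf`) before scheduling it as `powershell.exe -NoProfile -File C:\path\Sync-OUToGroup.ps1 ...` in the task. Two points worth deciding before the task goes live: the account the task runs as only needs the "Write Members" permission delegated on that one group (a dedicated service account or gMSA), not domain administrator rights, and, exactly like the batch version, the script only ever adds members, so a user later moved out of the OU keeps the group membership until someone removes it. Get-ADGroupMember also refuses to enumerate groups above the ADWS limit of 5000 members by default, so for very large groups the membership check has to be done differently.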
 
jlundockAuthor Commented:
Thanks to Henrik and Matt.