Add Users to Security Groups based on Company Field

Posted on 2010-01-06
Medium Priority
Last Modified: 2013-12-24
Good afternoon Experts,

We have multiple independent locations that have their own "utility" servers for WSUS, AV updates, etc. that update the local PCs from the server, and then all the utility servers update to a master server at our datacenter.

I am trying to create home directory/my documents redirect to the local utility servers, that replicate to the master server at our datacenter. What I have for the users at each location is a 3 digit code in their company field in their Active Directory profile designating their location. I also have created groups for all of those users' locations. What I need is to create a script that checks the user's company field for that code, and adds the user to the appropriate group. Once I have that I can create the folder logon scripts to point to the correct local server for their home folders.

I can create the logon script, but I need a script that I can run nightly to adjust group membership based on that company field.
Question by:SoldatoDiDio

Accepted Solution

Chris Dent earned 1200 total points
ID: 26195208

Not a bad request at all. Let me know if anything in the attached isn't clear :)

' Create a connection to the group the users go in
Dim objGroup : Set objGroup = GetObject("LDAP://CN=Group Name,OU=SomeWhere,DC=domain,DC=com")

' LDAP Filter to find users with specific company field
Dim strLdapFilter : strLdapFilter = "(&(objectClass=user)(objectCategory=person)(company=abc))"

' Find the domain
Dim objRootDSE : Set objRootDSE = GetObject("LDAP://RootDSE")
Dim strLdapPath : strLdapPath = "LDAP://" & objRootDSE.Get("defaultNamingContext")

' Set up the Search (ADO over the ADSI provider, paged so more than 1000 users are returned)
Dim objConnection : Set objConnection = CreateObject("ADODB.Connection")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"

Dim objCommand : Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection
objCommand.Properties("Page Size") = 1000

' Query string format: <base>;filter;attributes;scope
objCommand.CommandText = "<" & strLdapPath & ">;" & _
  strLdapFilter & ";distinguishedName;subtree"

Dim objRecordSet : Set objRecordSet = objCommand.Execute

Do Until objRecordSet.EOF

  ' Add the member to the group - Suppress errors about a member already being in the group
  On Error Resume Next
  objGroup.Add("LDAP://" & objRecordSet.Fields("distinguishedName").Value)
  If Err.Number = -2147019886 Then
    ' Already a member of the group - Ignore it
  ElseIf Err.Number <> 0 Then
    ' Something went wrong, tell us about it.
    WScript.Echo Err.Number & ": " & Err.Description
  End If
  On Error Goto 0

  ' Move to the next search result
  objRecordSet.MoveNext
Loop

objRecordSet.Close
objConnection.Close


Assisted Solution

bluntTony earned 800 total points
ID: 26199150
Just to expand on Chris's concept a little, the below will allow you to assess codes and add users to various different groups based on the content of the code in 'company' by looping through a dictionary array object.

You just need to edit the section I have commented to add the code and the DN of the group it relates to. You can add as many 'objGroupDict.Add......' lines as you need.

This code can be run once each day and will add users to all of the groups you specify in the script.


Set oRootDSE = GetObject("LDAP://RootDSE")
Set objConn = CreateObject("ADODB.Connection")
Set objComm = CreateObject("ADODB.Command")
Set objGroupDict = CreateObject("Scripting.Dictionary")

objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
Set objComm.ActiveConnection = objConn
objComm.Properties("Page Size") = 1000
strBase  = "<LDAP://" & oRootDSE.Get("defaultNamingContext") & ">;"
strAttrs = "distinguishedName;"
strScope = "subtree"

' Map each company code to the DN of its location group - one line per location
'objGroupDict.Add "ABC", "CN=GroupABC,OU=groups,DC=domain,DC=local"
'objGroupDict.Add "DEF", "CN=GroupDEF,OU=groups,DC=domain,DC=local"
'objGroupDict.Add "GHI", "CN=GroupGHI,OU=groups,DC=domain,DC=local"
'objGroupDict.Add "JKL", "CN=GroupJKL,OU=groups,DC=domain,DC=local"

For Each groupCode In objGroupDict.Keys
    ' Note: (company=*code*) is a substring match, so "ABC" also matches a company value such as "XABCY"
    strFilter = "(&(objectclass=user)(objectCategory=person)(company=*" & groupCode & "*));"
    objComm.CommandText = strBase & strFilter & strAttrs & strScope
    Set objRS = objComm.Execute
    Set objGroup = GetObject("LDAP://" & objGroupDict.Item(groupCode))
    If objRS.RecordCount > 0 Then
        Do Until objRS.EOF
            ' Suppress the "already a member" error, report anything else
            On Error Resume Next
            objGroup.Add("LDAP://" & objRS.Fields("distinguishedName").Value)
            If Err.Number = -2147019886 Then
                'Do nothing
            ElseIf Err.Number <> 0 Then
                WScript.Echo Err.Number & ": " & Err.Description
            End If
            On Error Goto 0
            objRS.MoveNext
        Loop
    End If
Next
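The same nightly sync written for the ActiveDirectory PowerShell module, as an added example that is not part of either answer. It differs from the VBScript in two ways a practitioner usually wants: the company code is matched exactly rather than as a `*code*` substring, and members whose code no longer matches are removed, so a user who moves location does not keep the old location's group (and its home-folder access). The group DNs are placeholders.

```powershell
# Added example, not code from the answers above. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Company code -> location group DN (placeholder DNs, replace with your own)
$locationGroups = @{
    'ABC' = 'CN=GroupABC,OU=groups,DC=domain,DC=local'
    'DEF' = 'CN=GroupDEF,OU=groups,DC=domain,DC=local'
}

foreach ($code in $locationGroups.Keys) {
    $groupDn = $locationGroups[$code]

    # Users whose company attribute equals the code exactly; disabled accounts are skipped
    # (userAccountControl bit 2 = ACCOUNTDISABLE, tested with the LDAP_MATCHING_RULE_BIT_AND rule).
    $wanted = Get-ADUser -LDAPFilter "(&(objectCategory=person)(company=$code)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))" |
              Select-Object -ExpandProperty DistinguishedName

    # Current direct user members of the group (nested groups are left alone)
    $current = Get-ADGroupMember -Identity $groupDn |
               Where-Object objectClass -eq 'user' |
               Select-Object -ExpandProperty DistinguishedName

    # Reconcile: add what is missing, remove what no longer belongs
    $toAdd    = $wanted  | Where-Object { $_ -notin $current }
    $toRemove = $current | Where-Object { $_ -notin $wanted }

    if ($toAdd)    { Add-ADGroupMember    -Identity $groupDn -Members $toAdd }
    if ($toRemove) { Remove-ADGroupMember -Identity $groupDn -Members $toRemove -Confirm:$false }

    Write-Output ("{0}: added {1}, removed {2}" -f $code, @($toAdd).Count, @($toRemove).Count)
}
```

Set `$WhatIfPreference = $true` at the top to preview the adds and removals before scheduling the script to run nightly.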


Author Closing Comment

ID: 31673736
Chris, you gave the perfect solution, and after testing it worked out great. I began to repeat the loop with multiple constants, and it worked. Then Tony created the array to simplify what I was trying to accomplish. Thank you both so much!
