Solved

Powershell: add many users to a security group?

Posted on 2011-02-24
7
1,414 Views
Last Modified: 2012-06-27
Experts-

Still relatively new to Powershell and am having some issues trying to figure out the proper syntax for this.

I have the users in a single OU (I also have a list of the users in a CSV file).
Is there a way to use powershell to make these users a member of a specific security group?

I think my syntax is wrong, and still can't quite get the hang of it.
$Group = [ADSI]"LDAP://CN=TESTOU,OU=Company Users,DC=blah,DC=com"

get-user -organizationalUnit TESTOU | where-object{$_.RecipientType -eq User" -and $_.department -eq "Sales"} | $Group.Add("LDAP://$($newuser.distinguishedName)")

Open in new window

0
Comment
Question by:ThinkPaper
  • 3
  • 2
  • 2
7 Comments
 
LVL 38

Expert Comment

by:Adam Brown
ID: 34974069
Well, there are some built in Powershell cmdlets you can use if you have Windows 2008 R2. If you don't, I'd highly recommend using the quest active roles shell available here: http://www.quest.com/powershell/activeroles-server.aspx

I'll work on a quick script for you to use in there that should work well.
0
 
LVL 38

Expert Comment

by:Adam Brown
ID: 34974161
The attached code should do what you want if you use the Quest cmdlets.
Here's how it works, the get-qaduser cmdlet pulls all users in AD, the Where limits returns to users that have a parentcontainer attribute of domain.com/home/users. The results are placed into an object. A foreach-object is run on that object and pulls the Name attribute and ties it to the $name object and runs the add-qadgroupmember cmdlet for each entry. The add-qadgroupmember cmdlet is passed the identity of the group Groupname and each pass of the foreach loop adds the user to that group.
$users = get-qaduser | where{$_.parentcontainer -eq "domain.com/Home/Users"}
foreach ($name in $users)
{
add-qadgroupmember -identity "Groupname" -member $name
}

Open in new window

0
 
LVL 16

Author Comment

by:ThinkPaper
ID: 34974213
I understand that Quest cmdlets are very useful, but unfortunately I am not allowed to use it.

I found a workaround by simply using Active Directory, opening the properties of the Security Group, and adding the users in that way (Selecting them all) since they are all located in the same OU.

Still -- it'd be nice if I could figure the commands out.
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 
LVL 38

Expert Comment

by:Adam Brown
ID: 34974325
Yeah. Native coding for AD work in powershell is a little tricky. For instance, the get-user cmdlet doesn't really exist in native powershell. In the AD Shell for 2008 R2, you would use the get-aduser cmdlet. The -organizationalunit switch also doesn't exist. You would use something similar to the code snippet I added, where{$_.parentcontainer -eq "ou path"}, to pull out only users that are in a specific OU.

http://www.techrepublic.com/blog/networking/managing-active-directory-objects-with-powershell-in-windows-server-2008/1166 should give you some more detail on what you would want to do without Quest or the AD cmdlets in 2008 R2. There are some additional resources available there that may help as well.You may also want to wait a bit, and some of the more experienced powershellers will probably come by and give some advice. I'd point you to the beginner's guide I wrote a while back, but I think you're already past what it will be able to explain. A link to it is in my profile if you feel like looking at it, though.
0
 
LVL 12

Expert Comment

by:prashanthd
ID: 34977988
Will a vbscript be helpful?
0
 
LVL 12

Accepted Solution

by:
prashanthd earned 500 total points
ID: 34978718
Try the following powershell code, it will fetch all users from OU and add the Group
Set the following values
#Set the absolute path of the group  
$group = [ADSI]"LDAP://CN=TESTOU,OU=Company Users,DC=blah,DC=com"
#Set the absolute path of the OU  
$objDomain = New-Object System.DirectoryServices.DirectoryEntry("LDAP://ou=TESTOU,dc=blah,dc=com")
#Set the absolute path of the group  
$group = [ADSI]"LDAP://CN=TESTOU,OU=Company Users,DC=blah,DC=com"
#Set the absolute path of the OU   
$objDomain = New-Object System.DirectoryServices.DirectoryEntry("LDAP://ou=TESTOU,dc=blah,dc=com") 

$strFilter = "(&(objectClass=person)(objectCategory=User))"
$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = $objDomain
$objSearcher.PageSize = 1000
$objSearcher.Filter = $strFilter
$objSearcher.SearchScope = "subtree"

$colProplist ="adspath"
foreach ($i in $colPropList){$objSearcher.PropertiesToLoad.Add($i)}

$colResults = $objSearcher.FindAll()

foreach ($objResult in $colResults){
    $objItem = $objResult.Properties; 
	$objItem.adspath
	$group.add($objItem.adspath)
	$group.SetInfo()
	}

Open in new window

0
 
LVL 16

Author Closing Comment

by:ThinkPaper
ID: 34998064
Wow, thanks! That was a whole lot more complicated than I thought it would be. @_@!
0

Featured Post

6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

Join & Write a Comment

Utilizing an array to gracefully append to a list of EmailAddresses
In this article, we will see the basic design consideration while designing a Multi-tenant web application in a simple manner. Though, many frameworks are available in the market to develop a multi - tenant application, but do they provide data, cod…
This Experts Exchange video Micro Tutorial shows how to tell Microsoft Office that a word is NOT spelled correctly. Microsoft Office has a built-in, main dictionary that is shared by Office apps, including Excel, Outlook, PowerPoint, and Word. When …
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now