PowerShell: add many users to a security group?

Experts-

Still relatively new to PowerShell and am having some issues trying to figure out the proper syntax for this.

I have the users in a single OU (I also have a list of the users in a CSV file).
Is there a way to use PowerShell to make these users a member of a specific security group?

I think my syntax is wrong, and still can't quite get the hang of it.
$Group = [ADSI]"LDAP://CN=TESTOU,OU=Company Users,DC=blah,DC=com"

get-user -organizationalUnit TESTOU | where-object{$_.RecipientType -eq User" -and $_.department -eq "Sales"} | $Group.Add("LDAP://$($newuser.distinguishedName)")

ThinkPaper, IT Consultant, Asked:
prashanthd Commented:
Try the following PowerShell code; it will fetch all users from the OU and add them to the group.
Set the following values:
#Set the absolute path of the group
$group = [ADSI]"LDAP://CN=TESTOU,OU=Company Users,DC=blah,DC=com"
#Set the absolute path of the OU
$objDomain = New-Object System.DirectoryServices.DirectoryEntry("LDAP://ou=TESTOU,dc=blah,dc=com")

#Match user accounts only (objectCategory=person with objectClass=user leaves out contacts)
$strFilter = "(&(objectCategory=person)(objectClass=user))"
$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = $objDomain
$objSearcher.PageSize = 1000
$objSearcher.Filter = $strFilter
$objSearcher.SearchScope = "subtree"

#Only the ADsPath of each result is needed
$colPropList = "adspath"
foreach ($i in $colPropList){ [void]$objSearcher.PropertiesToLoad.Add($i) }

$colResults = $objSearcher.FindAll()

foreach ($objResult in $colResults){
    #Path is the result's ADsPath as a single string
    $strPath = $objResult.Path
    $strPath
    $group.Add($strPath)
    $group.SetInfo()
}


0
 
Adam Brown, Sr Solutions Architect, Commented:
Well, there are some built-in PowerShell cmdlets you can use if you have Windows 2008 R2. If you don't, I'd highly recommend using the Quest ActiveRoles shell available here: http://www.quest.com/powershell/activeroles-server.aspx

I'll work on a quick script for you to use in there that should work well.
0
 
Adam Brown, Sr Solutions Architect, Commented:
The attached code should do what you want if you use the Quest cmdlets.
Here's how it works: the get-qaduser cmdlet pulls all users in AD, and the Where limits returns to users that have a parentcontainer attribute of domain.com/home/users. The results are placed into an object. A foreach-object is run on that object and pulls the Name attribute and ties it to the $name object and runs the add-qadgroupmember cmdlet for each entry. The add-qadgroupmember cmdlet is passed the identity of the group Groupname, and each pass of the foreach loop adds the user to that group.
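# -SizeLimit 0 lifts the Quest cmdlets' default cap of 1000 returned objects
$users = Get-QADUser -SizeLimit 0 | where { $_.ParentContainer -eq "domain.com/Home/Users" }
foreach ($name in $users)
{
    # Add each user object returned above to the group
    Add-QADGroupMember -Identity "Groupname" -Member $name
}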


0
ThinkPaper, IT Consultant, Author Commented:
I understand that Quest cmdlets are very useful, but unfortunately I am not allowed to use them.

I found a workaround by simply using Active Directory, opening the properties of the Security Group, and adding the users in that way (Selecting them all) since they are all located in the same OU.

Still -- it'd be nice if I could figure the commands out.
0
 
Adam Brown, Sr Solutions Architect, Commented:
Yeah. Native coding for AD work in PowerShell is a little tricky. For instance, the get-user cmdlet doesn't really exist in native PowerShell. In the AD Shell for 2008 R2, you would use the get-aduser cmdlet. The -organizationalunit switch also doesn't exist. You would use something similar to the code snippet I added, where{$_.parentcontainer -eq "ou path"}, to pull out only users that are in a specific OU.

http://www.techrepublic.com/blog/networking/managing-active-directory-objects-with-powershell-in-windows-server-2008/1166 should give you some more detail on what you would want to do without Quest or the AD cmdlets in 2008 R2. There are some additional resources available there that may help as well. You may also want to wait a bit, and some of the more experienced PowerShellers will probably come by and give some advice. I'd point you to the beginner's guide I wrote a while back, but I think you're already past what it will be able to explain. A link to it is in my profile if you feel like looking at it, though.
0
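
For the native route mentioned above (the ActiveDirectory module in Windows Server 2008 R2 and later), here is an added example, not code from any poster in this thread. It adds the enabled Sales users under the OU to the group, skips existing members, and emits one record per change. The DNs are the thread's placeholders; the `-CsvPath` parameter and its `SamAccountName` column are assumptions.

```powershell
# Added example. Placeholder DNs come from the thread; -CsvPath and its
# SamAccountName column are assumptions.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$GroupDN    = 'CN=TESTOU,OU=Company Users,DC=blah,DC=com',
    [string]$SearchBase = 'OU=TESTOU,DC=blah,DC=com',
    [string]$Department = 'Sales',
    [string]$CsvPath
)
Import-Module ActiveDirectory -ErrorAction Stop

# Enabled accounts in the department, searched only below the named OU.
$candidates = Get-ADUser -SearchBase $SearchBase -SearchScope Subtree `
    -Filter 'Enabled -eq $true -and Department -eq $Department'

# Optionally narrow to the accounts listed in the CSV.
if ($CsvPath) {
    $wanted = @(Import-Csv -Path $CsvPath | ForEach-Object { $_.SamAccountName })
    $candidates = $candidates | Where-Object { $wanted -contains $_.SamAccountName }
}

# Skip users who are already direct members, so a re-run changes nothing.
$existing = @((Get-ADGroup -Identity $GroupDN -Properties member).member)
$toAdd = @($candidates | Where-Object {
    $_ -and ($existing -notcontains $_.DistinguishedName)
})

foreach ($user in $toAdd) {
    if ($PSCmdlet.ShouldProcess($GroupDN, "Add member $($user.SamAccountName)")) {
        Add-ADGroupMember -Identity $GroupDN -Members $user -ErrorAction Stop
        # One record per change, suitable for piping to Export-Csv as an audit trail.
        New-Object PSObject -Property @{
            Group = $GroupDN
            Added = $user.DistinguishedName
            When  = Get-Date
        }
    }
}
```

Saved under a name of your choosing, the script can be run with -WhatIf first to list the intended additions without changing the group.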
 
prashanthd Commented:
Will a VBScript be helpful?
0
 
ThinkPaper, IT Consultant, Author Commented:
Wow, thanks! That was a whole lot more complicated than I thought it would be. @_@!
0
Question has a verified solution.
