• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1449
  • Last Modified:

Powershell: add many users to a security group?

Experts-

Still relatively new to Powershell and am having some issues trying to figure out the proper syntax for this.

I have the users in a single OU (I also have a list of the users in a CSV file).
Is there a way to use powershell to make these users a member of a specific security group?

I think my syntax is wrong, and still can't quite get the hang of it.
$Group = [ADSI]"LDAP://CN=TESTOU,OU=Company Users,DC=blah,DC=com"

get-user -organizationalUnit TESTOU | where-object{$_.RecipientType -eq User" -and $_.department -eq "Sales"} | $Group.Add("LDAP://$($newuser.distinguishedName)")

Open in new window

0
ThinkPaper
Asked:
ThinkPaper
  • 3
  • 2
  • 2
1 Solution
 
Adam BrownSr Solutions ArchitectCommented:
Well, there are some built in Powershell cmdlets you can use if you have Windows 2008 R2. If you don't, I'd highly recommend using the quest active roles shell available here: http://www.quest.com/powershell/activeroles-server.aspx

I'll work on a quick script for you to use in there that should work well.
0
 
Adam BrownSr Solutions ArchitectCommented:
The attached code should do what you want if you use the Quest cmdlets.
Here's how it works, the get-qaduser cmdlet pulls all users in AD, the Where limits returns to users that have a parentcontainer attribute of domain.com/home/users. The results are placed into an object. A foreach-object is run on that object and pulls the Name attribute and ties it to the $name object and runs the add-qadgroupmember cmdlet for each entry. The add-qadgroupmember cmdlet is passed the identity of the group Groupname and each pass of the foreach loop adds the user to that group.
$users = get-qaduser | where{$_.parentcontainer -eq "domain.com/Home/Users"}
foreach ($name in $users)
{
add-qadgroupmember -identity "Groupname" -member $name
}

Open in new window

0
 
ThinkPaperIT ConsultantAuthor Commented:
I understand that Quest cmdlets are very useful, but unfortunately I am not allowed to use it.

I found a workaround by simply using Active Directory, opening the properties of the Security Group, and adding the users in that way (Selecting them all) since they are all located in the same OU.

Still -- it'd be nice if I could figure the commands out.
0
Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

 
Adam BrownSr Solutions ArchitectCommented:
Yeah. Native coding for AD work in powershell is a little tricky. For instance, the get-user cmdlet doesn't really exist in native powershell. In the AD Shell for 2008 R2, you would use the get-aduser cmdlet. The -organizationalunit switch also doesn't exist. You would use something similar to the code snippet I added, where{$_.parentcontainer -eq "ou path"}, to pull out only users that are in a specific OU.

http://www.techrepublic.com/blog/networking/managing-active-directory-objects-with-powershell-in-windows-server-2008/1166 should give you some more detail on what you would want to do without Quest or the AD cmdlets in 2008 R2. There are some additional resources available there that may help as well.You may also want to wait a bit, and some of the more experienced powershellers will probably come by and give some advice. I'd point you to the beginner's guide I wrote a while back, but I think you're already past what it will be able to explain. A link to it is in my profile if you feel like looking at it, though.
0
 
prashanthdCommented:
Will a vbscript be helpful?
0
 
prashanthdCommented:
Try the following powershell code, it will fetch all users from OU and add the Group
Set the following values
#Set the absolute path of the group  
$group = [ADSI]"LDAP://CN=TESTOU,OU=Company Users,DC=blah,DC=com"
#Set the absolute path of the OU  
$objDomain = New-Object System.DirectoryServices.DirectoryEntry("LDAP://ou=TESTOU,dc=blah,dc=com")
#Set the absolute path of the group  
$group = [ADSI]"LDAP://CN=TESTOU,OU=Company Users,DC=blah,DC=com"
#Set the absolute path of the OU   
$objDomain = New-Object System.DirectoryServices.DirectoryEntry("LDAP://ou=TESTOU,dc=blah,dc=com") 

$strFilter = "(&(objectClass=person)(objectCategory=User))"
$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = $objDomain
$objSearcher.PageSize = 1000
$objSearcher.Filter = $strFilter
$objSearcher.SearchScope = "subtree"

$colProplist ="adspath"
foreach ($i in $colPropList){$objSearcher.PropertiesToLoad.Add($i)}

$colResults = $objSearcher.FindAll()

foreach ($objResult in $colResults){
    $objItem = $objResult.Properties; 
	$objItem.adspath
	$group.add($objItem.adspath)
	$group.SetInfo()
	}

Open in new window

0
 
ThinkPaperIT ConsultantAuthor Commented:
Wow, thanks! That was a whole lot more complicated than I thought it would be. @_@!
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

The 14th Annual Expert Award Winners

The results are in! Meet the top members of our 2017 Expert Awards. Congratulations to all who qualified!

  • 3
  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now