Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Powershell: add many users to a security group?

Posted on 2011-02-24
7
Medium Priority
?
1,443 Views
Last Modified: 2012-06-27
Experts-

Still relatively new to Powershell and am having some issues trying to figure out the proper syntax for this.

I have the users in a single OU (I also have a list of the users in a CSV file).
Is there a way to use powershell to make these users a member of a specific security group?

I think my syntax is wrong, and still can't quite get the hang of it.
$Group = [ADSI]"LDAP://CN=TESTOU,OU=Company Users,DC=blah,DC=com"

get-user -organizationalUnit TESTOU | where-object{$_.RecipientType -eq User" -and $_.department -eq "Sales"} | $Group.Add("LDAP://$($newuser.distinguishedName)")

Open in new window

0
Comment
Question by:ThinkPaper
  • 3
  • 2
  • 2
7 Comments
 
LVL 43

Expert Comment

by:Adam Brown
ID: 34974069
Well, there are some built in Powershell cmdlets you can use if you have Windows 2008 R2. If you don't, I'd highly recommend using the quest active roles shell available here: http://www.quest.com/powershell/activeroles-server.aspx

I'll work on a quick script for you to use in there that should work well.
0
 
LVL 43

Expert Comment

by:Adam Brown
ID: 34974161
The attached code should do what you want if you use the Quest cmdlets.
Here's how it works, the get-qaduser cmdlet pulls all users in AD, the Where limits returns to users that have a parentcontainer attribute of domain.com/home/users. The results are placed into an object. A foreach-object is run on that object and pulls the Name attribute and ties it to the $name object and runs the add-qadgroupmember cmdlet for each entry. The add-qadgroupmember cmdlet is passed the identity of the group Groupname and each pass of the foreach loop adds the user to that group.
$users = get-qaduser | where{$_.parentcontainer -eq "domain.com/Home/Users"}
foreach ($name in $users)
{
add-qadgroupmember -identity "Groupname" -member $name
}

Open in new window

0
 
LVL 16

Author Comment

by:ThinkPaper
ID: 34974213
I understand that Quest cmdlets are very useful, but unfortunately I am not allowed to use it.

I found a workaround by simply using Active Directory, opening the properties of the Security Group, and adding the users in that way (Selecting them all) since they are all located in the same OU.

Still -- it'd be nice if I could figure the commands out.
0
WatchGuard Case Study: NCR

With business operations for thousands of customers largely depending on the internal systems they support, NCR can’t afford to waste time or money on security products that are anything less than exceptional. That’s why they chose WatchGuard.

 
LVL 43

Expert Comment

by:Adam Brown
ID: 34974325
Yeah. Native coding for AD work in powershell is a little tricky. For instance, the get-user cmdlet doesn't really exist in native powershell. In the AD Shell for 2008 R2, you would use the get-aduser cmdlet. The -organizationalunit switch also doesn't exist. You would use something similar to the code snippet I added, where{$_.parentcontainer -eq "ou path"}, to pull out only users that are in a specific OU.

http://www.techrepublic.com/blog/networking/managing-active-directory-objects-with-powershell-in-windows-server-2008/1166 should give you some more detail on what you would want to do without Quest or the AD cmdlets in 2008 R2. There are some additional resources available there that may help as well.You may also want to wait a bit, and some of the more experienced powershellers will probably come by and give some advice. I'd point you to the beginner's guide I wrote a while back, but I think you're already past what it will be able to explain. A link to it is in my profile if you feel like looking at it, though.
0
 
LVL 12

Expert Comment

by:prashanthd
ID: 34977988
Will a vbscript be helpful?
0
 
LVL 12

Accepted Solution

by:
prashanthd earned 2000 total points
ID: 34978718
Try the following powershell code, it will fetch all users from OU and add the Group
Set the following values
#Set the absolute path of the group  
$group = [ADSI]"LDAP://CN=TESTOU,OU=Company Users,DC=blah,DC=com"
#Set the absolute path of the OU  
$objDomain = New-Object System.DirectoryServices.DirectoryEntry("LDAP://ou=TESTOU,dc=blah,dc=com")
#Set the absolute path of the group  
$group = [ADSI]"LDAP://CN=TESTOU,OU=Company Users,DC=blah,DC=com"
#Set the absolute path of the OU   
$objDomain = New-Object System.DirectoryServices.DirectoryEntry("LDAP://ou=TESTOU,dc=blah,dc=com") 

$strFilter = "(&(objectClass=person)(objectCategory=User))"
$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = $objDomain
$objSearcher.PageSize = 1000
$objSearcher.Filter = $strFilter
$objSearcher.SearchScope = "subtree"

$colProplist ="adspath"
foreach ($i in $colPropList){$objSearcher.PropertiesToLoad.Add($i)}

$colResults = $objSearcher.FindAll()

foreach ($objResult in $colResults){
    $objItem = $objResult.Properties; 
	$objItem.adspath
	$group.add($objItem.adspath)
	$group.SetInfo()
	}

Open in new window

0
 
LVL 16

Author Closing Comment

by:ThinkPaper
ID: 34998064
Wow, thanks! That was a whole lot more complicated than I thought it would be. @_@!
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

It’s time for spooky stories and consuming way too much sugar, including the many treats we’ve whipped for you in the world of tech. Check it out!
Measuring Server's processing rate with a simple powershell command. The differences in processing rate also was recorded in different use-cases, when a server in free and busy states.
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…
Loops Section Overview

885 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question