Managing Active Directory does not always have to be complicated. If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why
Course Of The Month
Become a Premium Member and unlock a new, free course in leading technologies each month.
Solved
adding users to a group using QAD or windows powershell script
Posted on 2013-01-16
I want to add all domain users to a group whose description starts with B Dynamically.
Used the below QAD script but getting Exception.
Below is the error
dd-QADGroupMember : An operations error occurred. (Exception from HRESULT: 0x80072020)At C:\temp\universalgroup1.ps
+ Add-QADGroupMember <<<< -identity $group -Member $user
+ CategoryInfo : NotSpecified: (:) [Add-QADGroupMember], DirectoryServicesCOMExcept
+ FullyQualifiedErrorId : System.DirectoryServices.D
apIn.Cmdlets.AddGroupMembe
Is there any simple way to pull the users with my condition and add it to a group dynamically using windows powershell or Quest.
Used the below QAD script but getting Exception.
$group = "cn=group1,CN=users,DC=local,DC=com"
$user = Get-QADUser -SearchRoot "CN=users,DC=local,DC=com" -Enabled -SizeLimit 0 -Service 'server.local.com:389'| where{ $_.description -like "B*"}
Add-QADGroupMember -identity $group -Member $user
Below is the error
dd-QADGroupMember : An operations error occurred. (Exception from HRESULT: 0x80072020)At C:\temp\universalgroup1.ps
+ Add-QADGroupMember <<<< -identity $group -Member $user
+ CategoryInfo : NotSpecified: (:) [Add-QADGroupMember], DirectoryServicesCOMExcept
+ FullyQualifiedErrorId : System.DirectoryServices.D
apIn.Cmdlets.AddGroupMembe
Is there any simple way to pull the users with my condition and add it to a group dynamically using windows powershell or Quest.
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
-
5
2
8 Comments
I have used ADUC -> Saved Queries and pulled all the users where desc starts with B.
Manually selected all users from the output of the query and added to the group.
Please help me with the powershell script so that we can schedule it on a daily basis and add/remove users from the group dynamically.
Manually selected all users from the output of the query and added to the group.
Please help me with the powershell script so that we can schedule it on a daily basis and add/remove users from the group dynamically.
I suspect that your issue is due to permission (in order to modify objects in AD, you have to use an account with enough permissions to do so). The basic logic to populate the group would be something like this:
1. Connect to AD with an account with permissions to carry on the changes
2. Get all user accounts that meet your criteria
3. Remove all members from the group
4. Iterate through your user collection to add each user account to the group
Because you'll want to schedule this script, you'll need to encrypt the password for the user account that will be connecting to AD. You'll have to do something like this to generate an encrypted version of the AD user account (of course, if the password is reset the script could break so you'd have to generate another file):
(get-credential).password |
convertFrom-SecureString |
Set-C ontent C:\scripts\password.txt
1. Connect to AD with an account with permissions to carry on the changes
2. Get all user accounts that meet your criteria
3. Remove all members from the group
4. Iterate through your user collection to add each user account to the group
Because you'll want to schedule this script, you'll need to encrypt the password for the user account that will be connecting to AD. You'll have to do something like this to generate an encrypted version of the AD user account (of course, if the password is reset the script could break so you'd have to generate another file):
(get-credential).password |
convertFrom-SecureString |
Set-C ontent C:\scripts\password.txt
$filter = "(&(objectCategory=person)(objectClass=user)(description=B*))"
$scope = "CN=users,DC=local,DC=com"
$Group = Get-QADGroup -Identity "Group1"
$password = Get-Content C:\scripts\password.txt | ConvertTo-SecureString
$connAccount = 'local.com\administrator'
$resultSize = 0
# Connect to Active Directory
Connect-QADService -ConnectionAccount $connAccount -ConnectionPassword $password
# Clear group
[void](Set-QADGroup -Identity $Group.DN -Member $NULL)
# Get all enabled Active Directory accounts and add them to the group
Get-QADUser -SearchRoot $scope `
-Enabled `
-DontUseDefaultIncludedProperties `
-IncludedProperties DN `
-LdapFilter $filter `
-SizeLimit $resultSize | ForEach-Object {
[void](Add-QADGroupMember -Identity $Group.DN -Member $_.DN )
}
# Disconnect from Active Directory
Disconnect-QADService
Excellent coraxal.
I will run the script with my domain admin permission and request you further if i get an errors messgae. Thanks a lot for your wonderful script.
I will run the script with my domain admin permission and request you further if i get an errors messgae. Thanks a lot for your wonderful script.
Active 1 day ago
Is this something you are looking for?
Import-module activedirectory
$users = Get-ADUSER -filter {description -like 'b*'}
ForEach ($user in $users)
{
Add-ADGroupMember -Identity "CN=00000-000,OU=Test_OU,DC=contoso,DC=local" -Members $user.distinguishedName
}
Thanks a lot Coraxal, your script worked as expected.
Hi Yo_bee,
Many thanks : Your script too worked well and is Perfect.
I can schedule any of the scripts and run on a daily basis . Please let me know the below answer. If you want I can close the topic and ask a seperate Question.
Once i run your script all my users will be in the the group whose desc starts with B.
Is there any Dynamic way in ActiveDirectory where when I create/delete a user can it automatically add to the group?
Hi Yo_bee,
Many thanks : Your script too worked well and is Perfect.
I can schedule any of the scripts and run on a daily basis . Please let me know the below answer. If you want I can close the topic and ask a seperate Question.
Once i run your script all my users will be in the the group whose desc starts with B.
Is there any Dynamic way in ActiveDirectory where when I create/delete a user can it automatically add to the group?
Active 1 day ago
I would say this warrants another question, but I will start you in the directions.
To do this you will need a script or custom form rather than using ADUC GUI to create user.
If you delete a user they are removed from any groups, so there is not need to really script anything unless you are looking to do a batch delete.
To do this you will need a script or custom form rather than using ADUC GUI to create user.
If you delete a user they are removed from any groups, so there is not need to really script anything unless you are looking to do a batch delete.
Thanks Yo_bee.
I will create a script to collect all newly created users in a day and have in a excel sheet.
Will give the data to the script and add to the group on a daily basis.
If I am stuck with getting report for newly created users, will come to you with a new post.
Once again thanks a lot for your expertise.
I will create a script to collect all newly created users in a day and have in a excel sheet.
Will give the data to the script and add to the group on a daily basis.
If I am stuck with getting report for newly created users, will come to you with a new post.
Once again thanks a lot for your expertise.
Featured Post
Route 53 has the ability to easily configure DNS record sets specifically for failover scenarios. These failover record sets can be configured to failover to full-blown deployments in other regions or to a static HTML page that informs your customers of the issue.
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
Recently we ran in to an issue while running some SQL jobs where we were trying to process the cubes. We got an error saying failure stating 'NT SERVICE\SQLSERVERAGENT does not have access to Analysis Services. So this is a way to automate that wit…
Microsoft Office 365 is a subscriptions based service which includes services like Exchange Online and Skype for business Online. These services integrate with Microsoft's online version of Active Directory called Azure Active Directory.
In this fourth video of the Xpdf series, we discuss and demonstrate the PDFinfo utility, which retrieves the contents of a PDF's Info Dictionary, as well as some other information, including the page count. We show how to isolate the page count in a…
- Document Management
- Document Imaging
- Programming
- Adobe Acrobat
- Scripting Languages
- Printers and Scanners, OCR, *Scripts, *PDF, *text file
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Suggested Courses
Earn Certification
HTML5 Specialist - Certification
Free withPremium
Course of the Month3 days, 21 hours left to enroll
630 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.