Solved

adding users to a group using QAD or windows powershell script

Posted on 2013-01-16
8
948 Views
Last Modified: 2013-01-17
I want to add all domain users to a group whose description starts with B Dynamically.

Used the below QAD script but getting Exception.

$group = "cn=group1,CN=users,DC=local,DC=com"
$user = Get-QADUser -SearchRoot "CN=users,DC=local,DC=com" -Enabled -SizeLimit 0 -Service 'server.local.com:389'| where{ $_.description -like "B*"} 
Add-QADGroupMember -identity $group -Member $user

Open in new window


Below is the error

dd-QADGroupMember : An operations error occurred. (Exception from HRESULT: 0x80072020)At C:\temp\universalgroup1.ps1:3 char:19
+ Add-QADGroupMember <<<<  -identity $group -Member $user
    + CategoryInfo          : NotSpecified: (:) [Add-QADGroupMember], DirectoryServicesCOMException
    + FullyQualifiedErrorId : System.DirectoryServices.DirectoryServicesCOMException,Quest.ActiveRoles.ArsPowerShellSn
   apIn.Cmdlets.AddGroupMemberCmdlet2

Open in new window


Is there any simple way to pull the users with my condition and add it to a group dynamically using windows powershell or Quest.
0
Comment
Question by:ahmshaik
  • 5
  • 2
8 Comments
 

Author Comment

by:ahmshaik
ID: 38785202
I have used ADUC -> Saved Queries and pulled all the users where desc starts with B.
Manually selected all users from the output of the query and added to the group.

Please help me with the powershell script so that we can schedule it on a daily basis and add/remove users from the group dynamically.
0
 
LVL 5

Accepted Solution

by:
coraxal earned 200 total points
ID: 38785295
I suspect that your issue is due to permission (in order to modify objects in AD, you have to use an account with enough permissions to do so).  The basic logic to populate the group would be something like this:

1. Connect to AD with an account with permissions to carry on the changes
2. Get all user accounts that meet your criteria
3. Remove all members from the group
4. Iterate through your user collection to add each user account to the group

Because you'll want to schedule this script, you'll need to encrypt the password for the user account that will be connecting to AD.  You'll have to do something like this to generate an encrypted version of the AD user account (of course, if the password is reset the script could break so you'd have to generate another file):

(get-credential).password |
      convertFrom-SecureString |
      Set-C ontent C:\scripts\password.txt
$filter = "(&(objectCategory=person)(objectClass=user)(description=B*))"
$scope = "CN=users,DC=local,DC=com"
$Group = Get-QADGroup -Identity "Group1"
$password = Get-Content C:\scripts\password.txt | ConvertTo-SecureString
$connAccount = 'local.com\administrator'
$resultSize = 0

# Connect to Active Directory
Connect-QADService -ConnectionAccount $connAccount -ConnectionPassword $password

# Clear group
[void](Set-QADGroup -Identity $Group.DN -Member $NULL)

# Get all enabled Active Directory accounts and add them to the group
Get-QADUser -SearchRoot $scope `
	-Enabled `
	-DontUseDefaultIncludedProperties `
	-IncludedProperties DN `
	-LdapFilter $filter `
	-SizeLimit $resultSize | ForEach-Object {
				
		[void](Add-QADGroupMember -Identity $Group.DN -Member $_.DN )
				
		}
		
# Disconnect from Active Directory
Disconnect-QADService

Open in new window

0
 

Author Comment

by:ahmshaik
ID: 38785299
Excellent coraxal.

I will run the script with my domain admin permission and request you further if i get an errors messgae. Thanks a lot for your wonderful script.
0
 
LVL 21

Assisted Solution

by:yo_bee
yo_bee earned 300 total points
ID: 38785555
Is this something you are looking for?

Import-module activedirectory

$users = Get-ADUSER -filter {description -like 'b*'} 

ForEach  ($user in $users)
{
Add-ADGroupMember -Identity "CN=00000-000,OU=Test_OU,DC=contoso,DC=local" -Members $user.distinguishedName
}

Open in new window

0
Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

 

Author Comment

by:ahmshaik
ID: 38789655
Thanks a lot Coraxal, your script worked as expected.

Hi Yo_bee,
Many thanks : Your script too worked well and is Perfect.

I can schedule any of the scripts and run on a daily basis . Please let me know the below answer. If you want I can close the topic and ask a seperate Question.

Once i run your script all my users will be in the the group whose desc starts with B.
Is there any Dynamic way in ActiveDirectory where when I create/delete a user can it automatically add to the group?
0
 
LVL 21

Assisted Solution

by:yo_bee
yo_bee earned 300 total points
ID: 38789680
I would say this warrants another question, but I will start you in the directions.
To do this you will need a script or custom form rather than using ADUC GUI to create user.
If you delete a user they are removed from any groups, so there is not need to really script anything unless you are looking to do a batch delete.
0
 

Author Comment

by:ahmshaik
ID: 38789793
Thanks Yo_bee.

I will create a script to collect all newly created users in a day and have in a excel sheet.
Will give the data to the script and add to the group on a daily basis.

If I am stuck with getting report for newly created users, will come to you with a new post.

Once again thanks a lot for your expertise.
0
 

Author Closing Comment

by:ahmshaik
ID: 38789797
Useful and technical solutions given by both of the experts.
0

Featured Post

Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

Join & Write a Comment

"Migrate" an SMTP relay receive connector to a new server using info from an old server.
A procedure for exporting installed hotfix details of remote computers using powershell
Learn the basics of strings in Python: declaration, operations, indices, and slicing. Strings are declared with quotations; for example: s = "string": Strings are immutable.: Strings may be concatenated or multiplied using the addition and multiplic…
The viewer will learn how to dynamically set the form action using jQuery.

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now