• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1493

Change Primary group of users in OU

We have a need to change the primary group that users belong to in a specific OU.

I saw this on script guy but do not know how to modify it to perform the action on all users in a specific OU rather than a specific user.

http://blogs.technet.com/b/heyscriptingguy/archive/2005/08/31/how-can-i-change-a-user-s-primary-group.aspx

Say I have an OU named Customers and I want to change their group from Domain Users to a group named Web Users. How can I accomplish this? Thanks.
0
Asked: jbla9028
1 Solution
 
Alan GunnCommented:
Hi!
I would advise against changing users' primary group.

The primary group membership is stored differently from other group memberships within AD.
The primary group is shown by tools such as DSGet and MMC, but queries using programming interfaces may not return the membership.

I discovered this after changing the Primary group on my own user account.

To identify user as "Web Users" why not just create a group called "Web Users" and add them to it?
0
 
jbla9028Author Commented:
The default group is Domain Users. We have specific security guidelines to remove the user from the group. It's because when admins forget to change default permissions on certain things, users are always in Domain Users, which, by mistake, gives them permissions to things. This eliminates that possibility.
0
 
jbla9028Author Commented:
I.e. you must remove Domain Users from the primary group in order to remove the user from the Domain Users group.
0
 
footechCommented:
Sounds more like a problem with existing practices that should be corrected rather than changing everyone's primary group.  I really would strongly advise correcting the problem, rather than treating the symptom.  However, just so you have options, the following PowerShell script should work for you.  You would just need to change the name of the group, and the OU where you are searching for users.  With the -whatif parameter the script won't make any changes.  You can remove it when you want to run for real.
$group = "some group"
# primaryGroupID stores only the RID of the group, which is the last component of its SID
$groupRID = ((Get-ADGroup $group).SID -split "-")[-1]

# Every user under the OU gets the new primary group; -WhatIf only reports what would change
Get-ADUser -filter * -SearchBase "ou=someou,dc=domain,dc=com" |
 Set-ADUser -Replace @{PrimaryGroupID = $groupRID} -WhatIf


0
 
RobSampsonCommented:
Hi, if you want VBScript, from that Scripting Guy article, this change loops through all users in the specified OU.

' Bind to the OU holding the users and to the group that will become their primary group
Set objOU = GetObject("LDAP://ou=NonDomainUsers,dc=fabrikam,dc=com")
Set objGroup = GetObject("LDAP://cn=Finance Managers,ou=Finance,dc=fabrikam,dc=com")
For Each objUser In objOU
	If objUser.Class = "user" Then
		WScript.Echo objUser.distinguishedName
		Set objUser = GetObject("LDAP://" & objUser.distinguishedName)
		' primaryGroupToken is a constructed attribute (the group's RID) and must be fetched explicitly
		objGroup.GetInfoEx Array("primaryGroupToken"), 0
		objUser.primaryGroupID = objGroup.primaryGroupToken
		objUser.SetInfo
	End If
Next



Regards,

Rob.
0
 
jbla9028Author Commented:
Rob, thanks for your help. I am trying to replicate this on a test domain. I get an error when executing the script. The error I get is below. I created a domain, jbtest.com. I have two OUs: TestOU and Groups. I have two groups in the Groups OU: Good and Bad. I have 4 users: testuser1, testuser2, testuser3, and testuser4. Not sure why it complains about the 2nd line. Any help is appreciated.

---------------------------
Windows Script Host
---------------------------
Script:      C:\temp\test.vbs
Line:      2
Char:      1
Error:      There is no such object on the server.
Code:      80072030
Source:       (null)

---------------------------
OK  
---------------------------



Set objOU = GetObject("LDAP://ou=TestOU,dc=jbtest,dc=com")
Set objGroup = GetObject("LDAP://cn=Good,ou=Groups,dc=jbtest,dc=com")
For Each objUser In objOU
	If objUser.Class = "user" Then
		WScript.Echo objUser.distinguishedName
		Set objUser = GetObject("LDAP://" & objUser.distinguishedName)
		objGroup.GetInfoEx Array("primaryGroupToken"), 0
		objUser.primaryGroupID = objGroup.primaryGroupToken
		objUser.SetInfo
	End If
Next


0
 
RobSampsonCommented:
The path to objGroup must be correct. In AD Users and Computers, view the properties of the group, and look at the Object tab. Put that in the script and it should work.

Rob.
0
 
jbla9028Author Commented:
Rob, it's still not working. I used LDAP Administrator to pull the LDAP query for each object. It's complaining about the 1st character on the line, which is odd.




Set objOU = GetObject("ldap://usittstdc001.jbtest.com:389/OU=TestOU,DC=JBTEST,DC=COM")
Set objGroup = GetObject("ldap://usittstdc001.jbtest.com:389/CN=Bad,OU=Groups,DC=JBTEST,DC=COM")
For Each objUser In objOU
	If objUser.Class = "user" Then
		WScript.Echo objUser.distinguishedName
		Set objUser = GetObject("LDAP://" & objUser.distinguishedName)
		objGroup.GetInfoEx Array("primaryGroupToken"), 0
		objUser.primaryGroupID = objGroup.primaryGroupToken
		objUser.SetInfo
	End If
Next

0
 
RobSampsonCommented:
All you should need is this:
Set objGroup = GetObject("LDAP://CN=Bad,OU=Groups,DC=JBTEST,DC=COM")

Does your account have permission to bind to the group?

You may need to run a command prompt "As Administrator" then run
cscript C:\Scripts\YourScript.vbs

or you may also need to run that command prompt with a domain admin account.

Rob.
0
 
jbla9028Author Commented:
I ran the script in a command prompt as an administrator logged in as a domain admin.

I usually just execute c:\temp\test.vbs. I tried with cscript and got a similar error as text.



c:\temp\test.vbs(2, 1) (null): There is no such object on the server.


0
 
RobSampsonCommented:
That is really odd.  I can't see why it would bind to the OU you have specified on the first line, but not the group in the second line.  As long as the LDAP path is exactly correct, it should work fine.

Maybe you could bind the group above it and enumerate that to see what you get....

Set objOU = GetObject("LDAP://OU=Groups,DC=JBTEST,DC=COM")
For Each objUser In objOU
	If objUser.Class = "group" Then
		WScript.Echo "Group name: " & objUser.CN & " - Group path: " & objUser.adsPath
	End If
Next



Rob.
0
 
footechCommented:
You could also try the PowerShell script I provided.  If you're not familiar with using Microsoft's AD PowerShell cmdlets, you will first need to import the AD module
Import-Module ActiveDirectory
On a 2008 R2 DC, you could also just click the shortcut for "Active Directory Module for Windows PowerShell".
0
 
jbla9028Author Commented:
I tried running the PowerShell script. The script runs but I didn't get any change. Here are the edits I made to the script:

$group = "Bad"
$groupRID = ((Get-ADGroup $group).SID -split "-")[-1]

Get-ADUser -filter * -SearchBase "ou=TestOU,dc=jbtest,dc=com" |
 Set-ADUser -Replace @{PrimaryGroupID = $groupRID} -WhatIf




PS C:\temp> C:\temp\test.ps1
What if: Performing the operation "Set" on target "CN=testuser1,OU=TestOU,DC=JBTEST,DC=COM".
What if: Performing the operation "Set" on target "CN=testuser2,OU=TestOU,DC=JBTEST,DC=COM".
What if: Performing the operation "Set" on target "CN=testuser3,OU=TestOU,DC=JBTEST,DC=COM".
What if: Performing the operation "Set" on target "CN=testuser4,OU=TestOU,DC=JBTEST,DC=COM".



I look at one of the users and it doesn't look like the primary group was changed. Did I properly edit the script?
0
 
footechCommented:
With the -whatif parameter the script won't make any changes. You can remove it when you want to run for real.
You must have missed this from my first post.  Other than that it looks good.
0
 
RobSampsonCommented:
Also try the snippet I posted in comment ID 39784137, binding to the OU above the group, and seeing what adsPath it returns.

Rob.
0
 
jbla9028Author Commented:
Sorry, I missed that part of your above comment about the whatif. So I am very close, but I'm running into sort of a new issue. I got the script to work on users in an OU (yay). I didn't realize that the production environment has these users in the CN=Users directory, which I believe is a special case. If I migrate my test users into a specific OU and run it against that OU, this works perfectly. If I move my users into the "Users OU" it does not. Any way around that?

$Users = Get-ADUser -Filter * -Searchbase "OU=Users,dc=jbtest,dc=com"
Add-ADGroupMember -Identity 'Web Users' -Member $Users -Confirm:0

$group = "Web Users"
$groupRID = ((Get-ADGroup $group).SID -split "-")[-1]
Get-ADUser -filter * -SearchBase "ou=Users,dc=jbtest,dc=com" |
 Set-ADUser -Replace @{PrimaryGroupID = $groupRID}

$Users = Get-ADUser -Filter * -Searchbase "OU=Users,dc=jbtest,dc=com"
Remove-ADGroupMember -Identity 'Domain Users' -Member $Users -Confirm:0


0
 
RobSampsonCommented:
Since they are in the default Users container, this is referenced with CN=Users, and not OU=Users.

Just change that OU to CN and it should work.

Rob.
0
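As an added example, not code from any of the posters above, here is the complete procedure combining footech's RID-based approach and the author's final three-step script, written so it works against the default CN=Users container that Rob points out as well as against an OU. It performs the steps in the order AD enforces (join the new group, switch primaryGroupID, then drop Domain Users), honours -WhatIf, skips built-in accounts such as Administrator and krbtgt, and ends with an audit of users still on the old primary group. The group and container names are placeholders.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module;
# the group and container names used in the calls at the bottom are placeholders.
Import-Module ActiveDirectory

function Set-BulkPrimaryGroup {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $SearchBase,   # "CN=Users,DC=jbtest,DC=com" or an OU DN
        [Parameter(Mandatory)] [string] $NewGroup,     # e.g. "Web Users"
        [string] $OldGroup = "Domain Users"
    )
    $new = Get-ADGroup -Identity $NewGroup
    $old = Get-ADGroup -Identity $OldGroup
    # primaryGroupID holds only the RID, i.e. the last component of the group SID.
    $newRid = [int](($new.SID.Value -split '-')[-1])

    $users = Get-ADUser -Filter * -SearchBase $SearchBase `
                -Properties primaryGroupID, isCriticalSystemObject
    foreach ($u in $users) {
        # CN=Users also holds Administrator, Guest and krbtgt; never touch those.
        if ($u.isCriticalSystemObject) { continue }
        # Already migrated: makes re-runs idempotent.
        if ($u.primaryGroupID -eq $newRid) { continue }
        if ($PSCmdlet.ShouldProcess($u.DistinguishedName, "Move primary group to '$NewGroup'")) {
            # 1. A group can only become the primary group if the user is already a member of it.
            Add-ADGroupMember -Identity $new -Members $u
            # 2. Switch the primary group (a RID on the user, not a member link on the group).
            Set-ADUser -Identity $u -Replace @{primaryGroupID = $newRid}
            # 3. Only now can the old primary group membership be removed.
            Remove-ADGroupMember -Identity $old -Members $u -Confirm:$false
        }
    }
}

function Get-UsersStillInOldPrimaryGroup {
    param([Parameter(Mandatory)] [string] $SearchBase, [string] $OldGroup = "Domain Users")
    $oldRid = [int](((Get-ADGroup -Identity $OldGroup).SID.Value -split '-')[-1])
    # Audit: anything returned here still has the old group as its primary group.
    Get-ADUser -Filter "primaryGroupID -eq $oldRid" -SearchBase $SearchBase |
        Select-Object SamAccountName, DistinguishedName
}

# Dry run first, then the real run, then verify:
Set-BulkPrimaryGroup -SearchBase "CN=Users,DC=jbtest,DC=com" -NewGroup "Web Users" -WhatIf
# Set-BulkPrimaryGroup -SearchBase "CN=Users,DC=jbtest,DC=com" -NewGroup "Web Users"
# Get-UsersStillInOldPrimaryGroup -SearchBase "CN=Users,DC=jbtest,DC=com"
```

The audit function doubles as a quick check that the Domain Users removal actually took effect, since the primary group is the one membership that Get-ADGroupMember on Domain Users does not report consistently.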
 
jbla9028Author Commented:
Rob, thank you. This worked and I implemented it. thanks for the assistance.
0
 
footechCommented:
I'm confused. Did you implement the VB script solution or the PowerShell solution?  I didn't reply to your last post because Rob had already posted the answer.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

  • 8
  • 6
  • 4
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now