Solved

Change Primary group of users in OU

Posted on 2014-01-07
Last Modified: 2014-01-23
We have a need to change the primary group that users belong to in a specific OU.

I saw this on script guy but do not know how to modify it to perform the action on all users in a specific OU rather than a specific user.

http://blogs.technet.com/b/heyscriptingguy/archive/2005/08/31/how-can-i-change-a-user-s-primary-group.aspx

Say I have an OU named Customers and I want to change their group from Domain Users to a group named Web Users. How can I accomplish this? Thanks.
Question by:jbla9028
 
LVL 6

Expert Comment

by:Alan Gunn
ID: 39762001
Hi!
I would advise against changing users' primary group.

The primary group membership is stored differently from other group memberships within AD.
The primary group is shown by tools such as DSGet and MMC, but queries using programming interfaces may not return the membership.

I discovered this after changing the Primary group on my own user account.

To identify user as "Web Users" why not just create a group called "Web Users" and add them to it?
0
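The point made above, that primary-group membership is not stored in the group's member attribute, can be checked directly. The following PowerShell is an added example, not code from this thread: it lists a group's explicit members (the member attribute, which is what an LDAP query returns) next to the users who belong to it only through primaryGroupID. It assumes the ActiveDirectory module and a domain-joined session; the group name is a placeholder.

```powershell
# Added example: compare a group's 'member' attribute with the users whose
# primaryGroupID points at that group. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-EffectiveGroupMembers {
    param([Parameter(Mandatory)][string]$GroupName)

    $group = Get-ADGroup -Identity $GroupName -Properties member

    # primaryGroupID stores the group's RID, the last component of its SID.
    $rid = $group.SID.Value.Split('-')[-1]

    # 1. Explicit members: the group's 'member' attribute. This is all that a
    #    plain LDAP query of the group object will show.
    $explicit = foreach ($dn in $group.member) {
        Get-ADObject -Identity $dn -Properties sAMAccountName
    }

    # 2. Implicit members: users whose primaryGroupID equals the group's RID.
    #    These are NOT in 'member', so a query of the group object misses them.
    $implicit = Get-ADUser -LDAPFilter "(primaryGroupID=$rid)"

    [PSCustomObject]@{
        Group            = $group.Name
        RID              = $rid
        ExplicitMembers  = @($explicit | Select-Object -ExpandProperty sAMAccountName)
        PrimaryGroupOnly = @($implicit |
            Where-Object { $group.member -notcontains $_.DistinguishedName } |
            Select-Object -ExpandProperty SamAccountName)
    }
}

# For 'Domain Users' the ExplicitMembers list is usually empty while
# PrimaryGroupOnly holds every ordinary user account: the membership exists,
# but only via primaryGroupID.
Get-EffectiveGroupMembers -GroupName 'Domain Users'
```

Run this against any group you are about to make a primary group, before and after the change, so you know which memberships will stop appearing in the member attribute.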
 
LVL 1

Author Comment

by:jbla9028
ID: 39762465
The default group is domain users. We have specific security guidelines to remove the user from the group. It's because when admins forget to change default permissions on certain things, users are always in domain users which by mistake, gives them permissions to things. This eliminates that possibility.
0
 
LVL 1

Author Comment

by:jbla9028
ID: 39762469
I.e. you must remove Domain Users from the primary group in order to remove the user from the Domain Users group.
0
 
LVL 39

Expert Comment

by:footech
ID: 39762716
Sounds more like a problem with existing practices that should be corrected rather than changing everyone's primary group.  I really would strongly advise correcting the problem, rather than treating the symptom.  However, just so you have options, the following PowerShell script should work for you.  You would just need to change the name of the group, and the OU where you are searching for users.  With the -whatif parameter the script won't make any changes.  You can remove it when you want to run for real.
$group = "some group"
$groupRID = ((Get-ADGroup $group).SID -split "-")[-1]

Get-ADUser -filter * -SearchBase "ou=someou,dc=domain,dc=com" |
 Set-ADUser -Replace @{PrimaryGroupID = $groupRID} -WhatIf

0
 
LVL 65

Expert Comment

by:RobSampson
ID: 39767061
Hi, if you want VBScript, from that Scripting Guy article, this change loops through all users in the specified OU.

Set objOU = GetObject("LDAP://ou=NonDomainUsers,dc=fabrikam,dc=com")
Set objGroup = GetObject("LDAP://cn=Finance Managers,ou=Finance,dc=fabrikam,dc=com")
For Each objUser In objOU
	If objUser.Class = "user" Then
		WScript.Echo objUser.distinguishedName
		Set objUser = GetObject("LDAP://" & objUser.distinguishedName)
		objGroup.GetInfoEx Array("primaryGroupToken"), 0
		objUser.primaryGroupID = objGroup.primaryGroupToken
		objUser.SetInfo
	End If
Next

Regards,

Rob.
0
 
LVL 1

Author Comment

by:jbla9028
ID: 39780998
Rob, thanks for your help. I am trying to replicate this on a test domain. I get an error when executing the script. The error I get is below. I created a domain, jbtest.com. I have two OUs, testOU and groups. I have two groups in the groups OU, Good & Bad. I have 4 users: testuser1, testuser2, testuser3, and testuser4. Not sure why it complains about the 2nd line. Any help is appreciated.

---------------------------
Windows Script Host
---------------------------
Script:      C:\temp\test.vbs
Line:      2
Char:      1
Error:      There is no such object on the server.
Code:      80072030
Source:       (null)

---------------------------
OK  
---------------------------



Set objOU = GetObject("LDAP://ou=TestOU,dc=jbtest,dc=com")
Set objGroup = GetObject("LDAP://cn=Good,ou=Groups,dc=jbtest,dc=com")
For Each objUser In objOU
	If objUser.Class = "user" Then
		WScript.Echo objUser.distinguishedName
		Set objUser = GetObject("LDAP://" & objUser.distinguishedName)
		objGroup.GetInfoEx Array("primaryGroupToken"), 0
		objUser.primaryGroupID = objGroup.primaryGroupToken
		objUser.SetInfo
	End If
Next

0
 
LVL 65

Expert Comment

by:RobSampson
ID: 39781134
The path to objGroup must be correct. In AD Users and Computers, view the properties of the group, and look at the Object tab. Put that in the script and it should work.

Rob.
0
 
LVL 1

Author Comment

by:jbla9028
ID: 39782106
Rob, it's still not working. I used LDAP Administrator to pull the LDAP query for each object. It's complaining about the 1st character on the line, which is odd.




Set objOU = GetObject("ldap://usittstdc001.jbtest.com:389/OU=TestOU,DC=JBTEST,DC=COM")
Set objGroup = GetObject("ldap://usittstdc001.jbtest.com:389/CN=Bad,OU=Groups,DC=JBTEST,DC=COM")
For Each objUser In objOU
	If objUser.Class = "user" Then
		WScript.Echo objUser.distinguishedName
		Set objUser = GetObject("LDAP://" & objUser.distinguishedName)
		objGroup.GetInfoEx Array("primaryGroupToken"), 0
		objUser.primaryGroupID = objGroup.primaryGroupToken
		objUser.SetInfo
	End If
Next

1-15-2014-8-01-45-AM.jpg
0
 
LVL 65

Expert Comment

by:RobSampson
ID: 39784063
All you should need is this:
Set objGroup = GetObject("LDAP://CN=Bad,OU=Groups,DC=JBTEST,DC=COM")

Does your account have permission to bind to the group?

You may need to run a command prompt "As Administrator" then run
cscript C:\Scripts\YourScript.vbs

or you may also need to run that command prompt with a domain admin account.

Rob.
0
 
LVL 1

Author Comment

by:jbla9028
ID: 39784087
I ran the script in a command prompt as an administrator logged in as a domain admin.

I usually just execute c:\temp\test.vbs. I tried with cscript and got a similar error as text.



c:\temp\test.vbs(2, 1) (null): There is no such object on the server.

0
 
LVL 65

Accepted Solution

by:
RobSampson earned 500 total points
ID: 39784137
That is really odd.  I can't see why it would bind to the OU you have specified on the first line, but not the group in the second line.  As long as the LDAP path is exactly correct, it should work fine.

Maybe you could bind the group above it and enumerate that to see what you get....

Set objOU = GetObject("LDAP://OU=Groups,DC=JBTEST,DC=COM")
For Each objUser In objOU
	If objUser.Class = "group" Then
		WScript.Echo "Group name: " & objUser.CN & " - Group path: " & objUser.adsPath
	End If
Next


Rob.
0
 
LVL 39

Expert Comment

by:footech
ID: 39784323
You could also try the PowerShell script I provided.  If you're not familiar with using Microsoft's AD PowerShell cmdlets, you will first need to import the AD module
Import-Module ActiveDirectory
On a 2008 R2 DC, you could also just click the shortcut for "Active Directory Module for Windows PowerShell".
0
 
LVL 1

Author Comment

by:jbla9028
ID: 39787252
I tried running the PowerShell script. The script runs but I didn't get any change. Here are the edits I made to the script:

$group = "Bad"
$groupRID = ((Get-ADGroup $group).SID -split "-")[-1]

Get-ADUser -filter * -SearchBase "ou=TestOU,dc=jbtest,dc=com" |
 Set-ADUser -Replace @{PrimaryGroupID = $groupRID} -WhatIf



PS C:\temp> C:\temp\test.ps1
What if: Performing the operation "Set" on target "CN=testuser1,OU=TestOU,DC=JBTEST,DC=COM".
What if: Performing the operation "Set" on target "CN=testuser2,OU=TestOU,DC=JBTEST,DC=COM".
What if: Performing the operation "Set" on target "CN=testuser3,OU=TestOU,DC=JBTEST,DC=COM".
What if: Performing the operation "Set" on target "CN=testuser4,OU=TestOU,DC=JBTEST,DC=COM".


I look at one of the users and it doesn't look like the primary group was changed. Did I properly edit the script?
0
 
LVL 39

Expert Comment

by:footech
ID: 39787353
With the -whatif parameter the script won't make any changes. You can remove it when you want to run for real.
You must have missed this from my first post.  Other than that it looks good.
0
 
LVL 65

Expert Comment

by:RobSampson
ID: 39787464
Also try the snippet I posted in comment ID 39784137, binding to the OU above the group, and seeing what adsPath it returns.

Rob.
0
 
LVL 1

Author Comment

by:jbla9028
ID: 39787487
Sorry, I missed that part of your above comment about the -WhatIf. So I am very close, but I'm running into sort of a new issue. I got the script to work on users in an OU (yay). I didn't realize that the production environment has these users in the CN=Users directory, which I believe is a special case. If I migrate my test users into a specific OU and run it against that OU, this works perfectly. If I move my users into the "Users OU" it does not. Any way around that?

$Users = Get-ADUser -Filter * -Searchbase "OU=Users,dc=jbtest,dc=com"
Add-ADGroupMember -Identity 'Web Users' -Member $Users -Confirm:0

$group = "Web Users"
$groupRID = ((Get-ADGroup $group).SID -split "-")[-1]
Get-ADUser -filter * -SearchBase "ou=Users,dc=jbtest,dc=com" |
 Set-ADUser -Replace @{PrimaryGroupID = $groupRID}

 $Users = Get-ADUser -Filter * -Searchbase "OU=Users,dc=jbtest,dc=com"
Remove-ADGroupMember -Identity 'Domain Users' -Member $Users -Confirm:0

0
 
LVL 65

Expert Comment

by:RobSampson
ID: 39787515
Since they are in the default Users container, this is referenced with CN=Users, and not OU=Users.

Just change that OU to CN and it should work.

Rob.
0
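The three-step sequence the asker arrived at (add to the new group, switch primaryGroupID, then remove from Domain Users) together with the CN=Users point just made can be put into one function. This is an added example, not code from footech, Rob or the asker: it wraps footech's RID lookup in a function that supports -WhatIf, enforces the ordering AD requires, skips users that are already done, and reports anything left unchanged. It assumes the ActiveDirectory module; the jbtest.com names are the test domain from this thread, and 'Web Users' is the group the asker named.

```powershell
# Added example: change the primary group of every user under a search base
# in the order AD requires, with -WhatIf support. Assumes the ActiveDirectory
# module; domain and group names are taken from the thread as placeholders.
Import-Module ActiveDirectory

function Set-UserPrimaryGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # The default Users container is a container, not an OU, so it is
        # addressed as CN=Users,DC=...  An OU is addressed as OU=Name,DC=...
        [Parameter(Mandatory)][string]$SearchBase,
        [Parameter(Mandatory)][string]$NewGroup,
        [string]$OldGroup = 'Domain Users'
    )

    $new = Get-ADGroup -Identity $NewGroup -Properties member
    $old = Get-ADGroup -Identity $OldGroup
    # primaryGroupID holds the RID, the last component of the group's SID.
    $newRid = [int]$new.SID.Value.Split('-')[-1]

    $users = Get-ADUser -Filter * -SearchBase $SearchBase -Properties primaryGroupID
    foreach ($u in $users) {
        if ($u.primaryGroupID -eq $newRid) { continue }   # already switched

        if ($PSCmdlet.ShouldProcess($u.DistinguishedName, "Set primary group to '$($new.Name)'")) {
            # 1. A group can only become a user's primary group once the user
            #    is a member of it, so add the membership first.
            if ($new.member -notcontains $u.DistinguishedName) {
                Add-ADGroupMember -Identity $new -Members $u
            }
            # 2. Switch the primary group to the new RID.
            Set-ADUser -Identity $u -Replace @{ primaryGroupID = $newRid }
            # 3. Only now can the user be removed from the old primary group;
            #    AD refuses to remove a user from their current primary group.
            Remove-ADGroupMember -Identity $old -Members $u -Confirm:$false
        }
    }

    # Verification: anything under the search base still pointing elsewhere.
    Get-ADUser -Filter * -SearchBase $SearchBase -Properties primaryGroupID |
        Where-Object { $_.primaryGroupID -ne $newRid } |
        Select-Object SamAccountName, primaryGroupID
}

# Dry run first (prints a "What if:" line per user, changes nothing), then for real.
Set-UserPrimaryGroup -SearchBase 'CN=Users,DC=jbtest,DC=com' -NewGroup 'Web Users' -WhatIf
# Set-UserPrimaryGroup -SearchBase 'CN=Users,DC=jbtest,DC=com' -NewGroup 'Web Users'
```

The -WhatIf on the outer function propagates to the AD cmdlets inside it, so the dry run lists every user that would be touched without modifying a single object; the verification query at the end is what to keep as a recurring check, since it flags any account whose primary group drifts back to Domain Users (for example, newly created users, whose primary group is Domain Users by default).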
 
LVL 1

Author Closing Comment

by:jbla9028
ID: 39802912
Rob, thank you. This worked and I implemented it. Thanks for the assistance.
0
 
LVL 39

Expert Comment

by:footech
ID: 39803794
I'm confused. Did you implement the VB script solution or the PowerShell solution?  I didn't reply to your last post because Rob had already posted the answer.
0