Solved

Change Primary group of users in OU

Posted on 2014-01-07
19
807 Views
Last Modified: 2014-01-23
We have a need to change the primary group that users belong to in a specific OU.

I saw this on script guy but do not know how to modify it to perform the action on all users in a specific OU rather than a specific user.

http://blogs.technet.com/b/heyscriptingguy/archive/2005/08/31/how-can-i-change-a-user-s-primary-group.aspx

Say I have an OU named Customers and I want to change their group from Domain Users to a group named Web Users. How can I accomplish this? Thanks.
Question by:jbla9028
19 Comments
 
LVL 6

Expert Comment

by:Alan Gunn
ID: 39762001
Hi!
I would advise against changing users' primary group.

The primary group membership is stored differently from other group memberships within AD.
The primary group is shown by tools such as DSGet and MMC, but queries using programming interfaces may not return the membership.

I discovered this after changing the Primary group on my own user account.

To identify user as "Web Users" why not just create a group called "Web Users" and add them to it?
0
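The behaviour Alan describes can be checked directly: a user's primary group is recorded only in the user's primaryGroupID attribute (the RID of the group), not in the group's member attribute. The following is an added audit example, not code from this thread, that lists accounts whose membership in a group exists only through primaryGroupID; the function name is my own.

```powershell
# Added example: find members of a group that are absent from its "member" attribute
# because the membership is expressed solely through the user's primaryGroupID.
Import-Module ActiveDirectory

function Get-PrimaryGroupOnlyMembers {
    param([Parameter(Mandatory)][string]$GroupName)

    $group = Get-ADGroup -Identity $GroupName -Properties member
    # primaryGroupID stores only the RID, i.e. the last component of the group's SID
    $rid = ($group.SID.Value -split '-')[-1]

    # Explicit members are the DNs listed in the multi-valued "member" attribute
    $explicit = @($group.member)

    # Accounts whose primaryGroupID points at this group are members too, but a
    # plain read of "member" never shows them; an LDAP query on primaryGroupID does.
    $implicit = Get-ADObject -LDAPFilter "(primaryGroupID=$rid)" -Properties objectClass

    foreach ($obj in $implicit) {
        if ($explicit -notcontains $obj.DistinguishedName) {
            [pscustomobject]@{
                Group             = $group.Name
                DistinguishedName = $obj.DistinguishedName
                ObjectClass       = $obj.ObjectClass
                ListedInMember    = $false
            }
        }
    }
}

# Usage: Get-PrimaryGroupOnlyMembers -GroupName 'Domain Users' | Format-Table -AutoSize
```

Any account this returns is a member of the group for authorization purposes even though tooling that reads only the member attribute will not report it.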
 
LVL 1

Author Comment

by:jbla9028
ID: 39762465
The default group is domain users. We have specific security guidelines to remove the user from the group. It's because when admins forget to change default permissions on certain things, users are always in domain users which by mistake, gives them permissions to things. This eliminates that possibility.
0
 
LVL 1

Author Comment

by:jbla9028
ID: 39762469
IE you must remove domain users from the primary group, in order to remove the user from the domain users group.
0
 
LVL 40

Expert Comment

by:footech
ID: 39762716
Sounds more like a problem with existing practices that should be corrected rather than changing everyone's primary group.  I really would strongly advise correcting the problem, rather than treating the symptom.  However, just so you have options, the following PowerShell script should work for you.  You would just need to change the name of the group, and the OU where you are searching for users.  With the -whatif parameter the script won't make any changes.  You can remove it when you want to run for real.
$group = "some group"
$groupRID = ((Get-ADGroup $group).SID -split "-")[-1]

Get-ADUser -filter * -SearchBase "ou=someou,dc=domain,dc=com" |
 Set-ADUser -Replace @{PrimaryGroupID = $groupRID} -WhatIf

0
 
LVL 65

Expert Comment

by:RobSampson
ID: 39767061
Hi, if you want VBScript, from that Scripting Guy article, this change loops through all users in the specified OU.

' Bind to the OU whose users should be changed, and to the group that will become their primary group
Set objOU = GetObject("LDAP://ou=NonDomainUsers,dc=fabrikam,dc=com")
Set objGroup = GetObject("LDAP://cn=Finance Managers,ou=Finance,dc=fabrikam,dc=com")
For Each objUser In objOU
	' Skip computers, contacts and other non-user objects in the OU
	If objUser.Class = "user" Then
		WScript.Echo objUser.distinguishedName
		Set objUser = GetObject("LDAP://" & objUser.distinguishedName)
		' primaryGroupToken is a constructed attribute (the group's RID), so it must be requested explicitly
		objGroup.GetInfoEx Array("primaryGroupToken"), 0
		objUser.primaryGroupID = objGroup.primaryGroupToken
		' Write the change back to AD
		objUser.SetInfo
	End If
Next

Regards,

Rob.
0
 
LVL 1

Author Comment

by:jbla9028
ID: 39780998
Rob, thanks for your help. I am trying to replicate this on a test domain. I get an error when executing the script. The error I get is below. I created a domain, jbtest.com. I have two OUs: testOU and groups. I have two groups in the groups OU: Good & Bad. I have 4 users: testuser1, testuser2, testuser3, and testuser4. Not sure why it complains about the 2nd line. Any help is appreciated.

---------------------------
Windows Script Host
---------------------------
Script:      C:\temp\test.vbs
Line:      2
Char:      1
Error:      There is no such object on the server.
Code:      80072030
Source:       (null)

---------------------------
OK  
---------------------------
Set objOU = GetObject("LDAP://ou=TestOU,dc=jbtest,dc=com")
Set objGroup = GetObject("LDAP://cn=Good,ou=Groups,dc=jbtest,dc=com")
For Each objUser In objOU
	If objUser.Class = "user" Then
		WScript.Echo objUser.distinguishedName
		Set objUser = GetObject("LDAP://" & objUser.distinguishedName)
		objGroup.GetInfoEx Array("primaryGroupToken"), 0
		objUser.primaryGroupID = objGroup.primaryGroupToken
		objUser.SetInfo
	End If
Next

0
 
LVL 65

Expert Comment

by:RobSampson
ID: 39781134
The path to objGroup must be correct. In AD Users and Computers, view the properties of the group, and look at the Object tab. Put that in the script and it should work.

Rob.
0
 
LVL 1

Author Comment

by:jbla9028
ID: 39782106
Rob, it's still not working. I used LDAP Administrator to pull the LDAP query for each object. It's complaining about the 1st character on the line, which is odd.

Set objOU = GetObject("ldap://usittstdc001.jbtest.com:389/OU=TestOU,DC=JBTEST,DC=COM")
Set objGroup = GetObject("ldap://usittstdc001.jbtest.com:389/CN=Bad,OU=Groups,DC=JBTEST,DC=COM")
For Each objUser In objOU
	If objUser.Class = "user" Then
		WScript.Echo objUser.distinguishedName
		Set objUser = GetObject("LDAP://" & objUser.distinguishedName)
		objGroup.GetInfoEx Array("primaryGroupToken"), 0
		objUser.primaryGroupID = objGroup.primaryGroupToken
		objUser.SetInfo
	End If
Next

0
 
LVL 65

Expert Comment

by:RobSampson
ID: 39784063
All you should need is this:
Set objGroup = GetObject("LDAP://CN=Bad,OU=Groups,DC=JBTEST,DC=COM")

Does your account have permission to bind to the group?

You may need to run a command prompt "As Administrator" then run
cscript C:\Scripts\YourScript.vbs

or you may also need to run that command prompt with a domain admin account.

Rob.
0
 
LVL 1

Author Comment

by:jbla9028
ID: 39784087
I ran the script in a command prompt as an administrator logged in as a domain admin.

I usually just execute c:\temp\test.vbs. I tried with cscript and got a similar error as text.

c:\temp\test.vbs(2, 1) (null): There is no such object on the server.

0
 
LVL 65

Accepted Solution

by:
RobSampson earned 500 total points
ID: 39784137
That is really odd.  I can't see why it would bind to the OU you have specified on the first line, but not the group in the second line.  As long as the LDAP path is exactly correct, it should work fine.

Maybe you could bind the group above it and enumerate that to see what you get....

Set objOU = GetObject("LDAP://OU=Groups,DC=JBTEST,DC=COM")
For Each objUser In objOU
	If objUser.Class = "group" Then
		WScript.Echo "Group name: " & objUser.CN & " - Group path: " & objUser.adsPath
	End If
Next

Rob.
0
 
LVL 40

Expert Comment

by:footech
ID: 39784323
You could also try the PowerShell script I provided.  If you're not familiar with using Microsoft's AD PowerShell cmdlets, you will first need to import the AD module
Import-Module ActiveDirectory
On a 2008 R2 DC, you could also just click the shortcut for "Active Directory Module for Windows PowerShell".
0
 
LVL 1

Author Comment

by:jbla9028
ID: 39787252
I tried running the PowerShell script. The script runs but I didn't get any change. Here are the edits I made to the script:

$group = "Bad"
$groupRID = ((Get-ADGroup $group).SID -split "-")[-1]

Get-ADUser -filter * -SearchBase "ou=TestOU,dc=jbtest,dc=com" |
 Set-ADUser -Replace @{PrimaryGroupID = $groupRID} -WhatIf

PS C:\temp> C:\temp\test.ps1
What if: Performing the operation "Set" on target "CN=testuser1,OU=TestOU,DC=JBTEST,DC=COM".
What if: Performing the operation "Set" on target "CN=testuser2,OU=TestOU,DC=JBTEST,DC=COM".
What if: Performing the operation "Set" on target "CN=testuser3,OU=TestOU,DC=JBTEST,DC=COM".
What if: Performing the operation "Set" on target "CN=testuser4,OU=TestOU,DC=JBTEST,DC=COM".

I look at one of the users and it doesn't look like the primary group was changed. Did I properly edit the script?
0
 
LVL 40

Expert Comment

by:footech
ID: 39787353
With the -whatif parameter the script won't make any changes. You can remove it when you want to run for real.
You must have missed this from my first post.  Other than that it looks good.
0
 
LVL 65

Expert Comment

by:RobSampson
ID: 39787464
Also try the snippet I posted in comment ID 39784137, binding to the OU above the group, and seeing what adsPath it returns.

Rob.
0
 
LVL 1

Author Comment

by:jbla9028
ID: 39787487
Sorry, I missed that part of your above comment about the whatif. So I am very close. I'm running into sort of a new issue. I got the script to work on users in an OU (yay). I didn't realize that the production environment has these users in the CN=Users directory, which I believe is a special case. If I migrate my test users into a specific OU and run it against that OU, this works perfectly. If I move my users into "users OU" it does not. Any way around that?

$Users = Get-ADUser -Filter * -Searchbase "OU=Users,dc=jbtest,dc=com"
Add-ADGroupMember -Identity 'Web Users' -Member $Users -Confirm:0

$group = "Web Users"
$groupRID = ((Get-ADGroup $group).SID -split "-")[-1]
Get-ADUser -filter * -SearchBase "ou=Users,dc=jbtest,dc=com" |
 Set-ADUser -Replace @{PrimaryGroupID = $groupRID}

$Users = Get-ADUser -Filter * -Searchbase "OU=Users,dc=jbtest,dc=com"
Remove-ADGroupMember -Identity 'Domain Users' -Member $Users -Confirm:0

0
 
LVL 65

Expert Comment

by:RobSampson
ID: 39787515
Since they are in the default Users container, this is referenced with CN=Users, and not OU=Users.

Just change that OU to CN and it should work.

Rob.
0
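The three steps in the asker's script have to run in that order: a group can only be made primary once the user is already a member of it, and Domain Users can only be removed once it is no longer the primary group. The following is an added example, not the thread's own script, that wraps the procedure in one function with a dry-run switch and a verification step before the removal; the function name is my own, and the group name 'Web Users' and the search base CN=Users are taken from the thread.

```powershell
# Added example: change the primary group of every user under a search base in the
# order AD requires, re-runnable, with -WhatIf for a dry run.
Import-Module ActiveDirectory

function Set-ContainerPrimaryGroup {
    param(
        [Parameter(Mandatory)][string]$SearchBase,   # e.g. 'CN=Users,DC=jbtest,DC=com'
        [Parameter(Mandatory)][string]$NewGroup,     # e.g. 'Web Users'
        [string]$OldGroup = 'Domain Users',
        [switch]$WhatIf
    )

    $group = Get-ADGroup -Identity $NewGroup
    if ($group.GroupCategory -ne 'Security') {
        throw "$NewGroup is a distribution group; a primary group must be a security group."
    }
    # primaryGroupID holds the group's RID, the last component of its SID
    $newRid = [int](($group.SID.Value -split '-')[-1])

    $users = Get-ADUser -Filter * -SearchBase $SearchBase -Properties primaryGroupID, memberOf
    foreach ($u in $users) {
        if ($u.primaryGroupID -eq $newRid) { continue }   # already done; safe to re-run

        # Step 1: the user must be a member before the group can become primary
        if ($u.memberOf -notcontains $group.DistinguishedName) {
            Add-ADGroupMember -Identity $group -Members $u -WhatIf:$WhatIf
        }
        # Step 2: point primaryGroupID at the new group
        Set-ADUser -Identity $u -Replace @{primaryGroupID = $newRid} -WhatIf:$WhatIf

        # Step 3: only now can the old primary group be removed; confirm the change took first
        if (-not $WhatIf) {
            $check = Get-ADUser -Identity $u -Properties primaryGroupID
            if ($check.primaryGroupID -ne $newRid) {
                Write-Warning "Primary group of $($u.SamAccountName) unchanged; keeping $OldGroup membership."
                continue
            }
        }
        Remove-ADGroupMember -Identity $OldGroup -Members $u -Confirm:$false -WhatIf:$WhatIf
    }
}

# Dry run first, then repeat without -WhatIf:
# Set-ContainerPrimaryGroup -SearchBase 'CN=Users,DC=jbtest,DC=com' -NewGroup 'Web Users' -WhatIf
```

Because the old membership is removed only after the new primaryGroupID has been read back, a failed write leaves the user exactly as before rather than stranded without a primary group.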
 
LVL 1

Author Closing Comment

by:jbla9028
ID: 39802912
Rob, thank you. This worked and I implemented it. Thanks for the assistance.
0
 
LVL 40

Expert Comment

by:footech
ID: 39803794
I'm confused. Did you implement the VB script solution or the PowerShell solution?  I didn't reply to your last post because Rob had already posted the answer.
0