Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

automatically add users to a specific group in AD

Posted on 2016-09-29
8
Medium Priority
?
82 Views
Last Modified: 2016-09-29
Hello Experts,

I have a request to add all users from my site in NYC to a specific group in AD, so I need your help to analyze possible service impact of doing this, because this group will allow users within this group use a third party tool for  printer mapping and management called Printer Logic.

So, from a performance point of view, do you oversees any potential service impact or performance issues?

second question,

can you please test the following script to make sure will add all users in the domain or site?

Unfortunately, our AD has multiple OUs, across multiple site and we do not want to include service accounts or disabled accounts to this group. so if you believe this script should be updated, please make the corrections and testing, and send back to me

script

$user = Get-ADUser -filter *
 $Group = "<name of group>"

ForEach ($samAccountName in $user)
 {
 Add-ADGroupMember $Group -members $samAccountName
 }
0
Comment
Question by:Jerry Seinfield
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 3
8 Comments
 
LVL 40

Expert Comment

by:Subsun
ID: 41821984
Users who are disabled can be filtered easily, you can also filter out the users who are already member of that group. Example is shown below..
$Group = "<name of group>"
$GroupDn = (Get-ADGroup $Group).DistinguishedName
$User = Get-ADUser -Filter {-not (memberof -like $GroupDn) -and (Enabled -eq $True)}

Open in new window

How you going to identify the service accounts? Is the service account located in a specific OU or is there any specific naming standard you follow for service accounts?
0
 

Author Comment

by:Jerry Seinfield
ID: 41822088
yes to both of your questions

Any service impact by creating this group with the majority of users populated there? The OU structure is a mess, therefore we do have user accounts, enabled, disabled, and service accounts across different OUs, there is no pattern
0
 
LVL 40

Expert Comment

by:Subsun
ID: 41822128
Any service impact by creating this group with the majority of users populated there?
If it's a Universal group, then it's membership is replicated across the Global catalog servers. However the performance impact should be minimal in a well-connected environment.
The OU structure is a mess, therefore we do have user accounts, enabled, disabled, and service accounts across different OUs, there is no pattern
In this case it's difficult to filter the service accounts until you give an attribute which we can use to filter them. :-)
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 40

Expert Comment

by:Subsun
ID: 41822159
If the service accounts are set to password never expires, then we can filter using that attribute. But if any normal user accounts have the same setting then they also will be excluded.
0
 

Author Comment

by:Jerry Seinfield
ID: 41822226
yes, the service accounts are set to password never expires
0
 
LVL 40

Expert Comment

by:Subsun
ID: 41822237
Here is the updated code which will exclude all account which are set to PasswordNeverExpires
$Group = "<name of group>"
$GroupDn = (Get-ADGroup $Group).DistinguishedName
$User = Get-ADUser -Filter {-not (memberof -like $GroupDn) -and (Enabled -eq $True) -and (PasswordNeverExpires -eq $False)}

Open in new window

0
 

Author Comment

by:Jerry Seinfield
ID: 41822337
thanks Subsun, so, that script above will add any user account that is enabled and password does not expires to the group? I need to know if the group will populated with all the accounts with that criteria
0
 
LVL 40

Accepted Solution

by:
Subsun earned 2000 total points
ID: 41822354
Group will have all enabled users whose password is set to expire.
Here is the complete code..
$Group = "<name of group>"
$GroupDn = (Get-ADGroup $Group).DistinguishedName
$User = Get-ADUser -Filter {-not (memberof -like $GroupDn) -and (Enabled -eq $True) -and (PasswordNeverExpires -eq $False)}
If ($User){Add-ADGroupMember $Group -members $User}

Open in new window

1

Featured Post

Important Lessons on Recovering from Petya

In their most recent webinar, Skyport Systems explores ways to isolate and protect critical databases to keep the core of your company safe from harm.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

There are times when we need to generate a report on the inbox rules, where users have set up forwarding externally in their mailbox. In this article, I will be sharing a script I wrote to generate the report in CSV format.
How to deal with a specific error when using the Enable-RemoteMailbox cmdlet to create a mailbox in the cloud-based service, for an existing user in an on-premises Active Directory.
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.

610 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question