Solved

automatically add users to a specific group in AD

Posted on 2016-09-29
Last Modified: 2016-09-29
Hello Experts,

I have a request to add all users from my site in NYC to a specific group in AD, so I need your help to analyze the possible service impact of doing this, because this group will allow users within it to use a third-party tool for printer mapping and management called Printer Logic.

So, from a performance point of view, do you foresee any potential service impact or performance issues?

Second question:

Can you please test the following script to make sure it will add all users in the domain or site?

Unfortunately, our AD has multiple OUs across multiple sites, and we do not want to include service accounts or disabled accounts in this group. So if you believe this script should be updated, please make the corrections, test it, and send it back to me.

script

$user = Get-ADUser -filter *
$Group = "<name of group>"

ForEach ($samAccountName in $user)
{
    Add-ADGroupMember $Group -members $samAccountName
}
0
Question by:Jerry Seinfield
8 Comments
 
LVL 40

Expert Comment

by:Subsun
ID: 41821984
Users who are disabled can be filtered easily; you can also filter out the users who are already members of that group. An example is shown below:
$Group = "<name of group>"
$GroupDn = (Get-ADGroup $Group).DistinguishedName
$User = Get-ADUser -Filter {-not (memberof -like $GroupDn) -and (Enabled -eq $True)}


How are you going to identify the service accounts? Are the service accounts located in a specific OU, or is there a specific naming standard you follow for service accounts?
0
 

Author Comment

by:Jerry Seinfield
ID: 41822088
Yes to both of your questions.

Any service impact by creating this group with the majority of users populated there? The OU structure is a mess, therefore we do have user accounts, enabled, disabled, and service accounts across different OUs, there is no pattern
0
 
LVL 40

Expert Comment

by:Subsun
ID: 41822128
Any service impact by creating this group with the majority of users populated there?
If it's a Universal group, then its membership is replicated across the Global Catalog servers. However, the performance impact should be minimal in a well-connected environment.
The OU structure is a mess, therefore we do have user accounts, enabled, disabled, and service accounts across different OUs, there is no pattern
In this case it's difficult to filter the service accounts until you give an attribute which we can use to filter them. :-)
0
 
LVL 40

Expert Comment

by:Subsun
ID: 41822159
If the service accounts are set to password never expires, then we can filter using that attribute. But if any normal user accounts have the same setting then they also will be excluded.
0
 

Author Comment

by:Jerry Seinfield
ID: 41822226
Yes, the service accounts are set to password never expires.
0
 
LVL 40

Expert Comment

by:Subsun
ID: 41822237
Here is the updated code, which will exclude all accounts that are set to PasswordNeverExpires:
$Group = "<name of group>"
$GroupDn = (Get-ADGroup $Group).DistinguishedName
$User = Get-ADUser -Filter {-not (memberof -like $GroupDn) -and (Enabled -eq $True) -and (PasswordNeverExpires -eq $False)}


0
 

Author Comment

by:Jerry Seinfield
ID: 41822337
Thanks Subsun. So, the script above will add any user account that is enabled and whose password does not expire to the group? I need to know if the group will be populated with all the accounts with that criteria.
0
 
LVL 40

Accepted Solution

by:
Subsun earned 500 total points
ID: 41822354
Group will have all enabled users whose password is set to expire.
Here is the complete code:
$Group = "<name of group>"
$GroupDn = (Get-ADGroup $Group).DistinguishedName
$User = Get-ADUser -Filter {-not (memberof -like $GroupDn) -and (Enabled -eq $True) -and (PasswordNeverExpires -eq $False)}
If ($User){Add-ADGroupMember $Group -members $User}


1
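A reviewable variant of the accepted script, as an added example that is not part of the thread: it reuses the thread's filter, writes both the accounts that would be added and the enabled accounts excluded by PasswordNeverExpires to CSV (so ordinary users caught by that rule can be spotted), and runs the group change as a dry run by default. The output folder, the `$Apply` switch and the `HasSPN` review column are assumptions made for this example.

```powershell
# Added example, not code from the thread. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$Group   = "<name of group>"            # placeholder, as in the thread
$OutDir  = "C:\Temp\group-review"       # hypothetical folder for the review files
$Apply   = $false                       # hypothetical switch: $true performs the change
$GroupDn = (Get-ADGroup $Group).DistinguishedName
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# One query: every enabled user that is not yet a member (filter from the thread),
# plus the attributes a reviewer needs to tell a person from a service account.
$Props = 'PasswordNeverExpires', 'servicePrincipalName', 'Description', 'LastLogonDate'
$Candidates = @(Get-ADUser -Filter {-not (memberof -like $GroupDn) -and (Enabled -eq $True)} -Properties $Props)

# Same rule as the accepted answer, applied client-side so both halves can be reported.
$ToAdd    = @($Candidates | Where-Object { -not $_.PasswordNeverExpires })
$Excluded = @($Candidates | Where-Object { $_.PasswordNeverExpires })

# HasSPN is only a review hint: an account with a service principal name
# registered is normally a service identity, not a person.
$Columns = 'SamAccountName', 'DistinguishedName', 'PasswordNeverExpires',
           'Description', 'LastLogonDate',
           @{ Name = 'HasSPN'; Expression = { $_.servicePrincipalName.Count -gt 0 } }

$ToAdd    | Select-Object $Columns | Export-Csv "$OutDir\to-add.csv"   -NoTypeInformation
$Excluded | Select-Object $Columns | Export-Csv "$OutDir\excluded.csv" -NoTypeInformation

Write-Host ("Would add {0} users; {1} enabled accounts excluded by PasswordNeverExpires." -f $ToAdd.Count, $Excluded.Count)

# With $Apply = $false, -WhatIf only prints the intended change and leaves the group untouched.
if ($ToAdd.Count -gt 0) {
    Add-ADGroupMember -Identity $GroupDn -Members $ToAdd -WhatIf:(-not $Apply)
}
```

Review `excluded.csv` for regular users who have the never-expires flag set, and `to-add.csv` for rows with `HasSPN` true, before setting `$Apply` to `$true`.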