Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 91
  • Last Modified:

automatically add users to a specific group in AD

Hello Experts,

I have a request to add all users from my site in NYC to a specific group in AD, so I need your help to analyze possible service impact of doing this, because this group will allow users within this group use a third party tool for  printer mapping and management called Printer Logic.

So, from a performance point of view, do you oversees any potential service impact or performance issues?

second question,

can you please test the following script to make sure will add all users in the domain or site?

Unfortunately, our AD has multiple OUs, across multiple site and we do not want to include service accounts or disabled accounts to this group. so if you believe this script should be updated, please make the corrections and testing, and send back to me

script

$user = Get-ADUser -filter *
 $Group = "<name of group>"

ForEach ($samAccountName in $user)
 {
 Add-ADGroupMember $Group -members $samAccountName
 }
0
Jerry Seinfield
Asked:
Jerry Seinfield
  • 5
  • 3
1 Solution
 
SubsunCommented:
Users who are disabled can be filtered easily, you can also filter out the users who are already member of that group. Example is shown below..
$Group = "<name of group>"
$GroupDn = (Get-ADGroup $Group).DistinguishedName
$User = Get-ADUser -Filter {-not (memberof -like $GroupDn) -and (Enabled -eq $True)}

Open in new window

How you going to identify the service accounts? Is the service account located in a specific OU or is there any specific naming standard you follow for service accounts?
0
 
Jerry SeinfieldAuthor Commented:
yes to both of your questions

Any service impact by creating this group with the majority of users populated there? The OU structure is a mess, therefore we do have user accounts, enabled, disabled, and service accounts across different OUs, there is no pattern
0
 
SubsunCommented:
Any service impact by creating this group with the majority of users populated there?
If it's a Universal group, then it's membership is replicated across the Global catalog servers. However the performance impact should be minimal in a well-connected environment.
The OU structure is a mess, therefore we do have user accounts, enabled, disabled, and service accounts across different OUs, there is no pattern
In this case it's difficult to filter the service accounts until you give an attribute which we can use to filter them. :-)
0
Who's Defending Your Organization from Threats?

Protecting against advanced threats requires an IT dream team – a well-oiled machine of people and solutions working together to defend your organization. Download our resource kit today to learn more about the tools you need to build you IT Dream Team!

 
SubsunCommented:
If the service accounts are set to password never expires, then we can filter using that attribute. But if any normal user accounts have the same setting then they also will be excluded.
0
 
Jerry SeinfieldAuthor Commented:
yes, the service accounts are set to password never expires
0
 
SubsunCommented:
Here is the updated code which will exclude all account which are set to PasswordNeverExpires
$Group = "<name of group>"
$GroupDn = (Get-ADGroup $Group).DistinguishedName
$User = Get-ADUser -Filter {-not (memberof -like $GroupDn) -and (Enabled -eq $True) -and (PasswordNeverExpires -eq $False)}

Open in new window

0
 
Jerry SeinfieldAuthor Commented:
thanks Subsun, so, that script above will add any user account that is enabled and password does not expires to the group? I need to know if the group will populated with all the accounts with that criteria
0
 
SubsunCommented:
Group will have all enabled users whose password is set to expire.
Here is the complete code..
$Group = "<name of group>"
$GroupDn = (Get-ADGroup $Group).DistinguishedName
$User = Get-ADUser -Filter {-not (memberof -like $GroupDn) -and (Enabled -eq $True) -and (PasswordNeverExpires -eq $False)}
If ($User){Add-ADGroupMember $Group -members $User}

Open in new window

1

Featured Post

Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

  • 5
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now