Solved

automatically add users to a specific group in AD

Posted on 2016-09-29
Last Modified: 2016-09-29
Hello Experts,

I have a request to add all users from my site in NYC to a specific group in AD, so I need your help to analyze the possible service impact of doing this, because this group will allow users within this group to use a third-party tool for printer mapping and management called Printer Logic.

So, from a performance point of view, do you foresee any potential service impact or performance issues?

Second question:

Can you please test the following script to make sure it will add all users in the domain or site?

Unfortunately, our AD has multiple OUs across multiple sites, and we do not want to include service accounts or disabled accounts in this group. So if you believe this script should be updated, please make the corrections, test it, and send it back to me.

script

$user = Get-ADUser -filter *
$Group = "<name of group>"

ForEach ($samAccountName in $user)
{
    Add-ADGroupMember $Group -members $samAccountName
}
0
Question by:Jerry Seinfield
8 Comments
 
LVL 40

Expert Comment

by:Subsun
ID: 41821984
Users who are disabled can be filtered easily; you can also filter out the users who are already members of that group. An example is shown below.
$Group = "<name of group>"
$GroupDn = (Get-ADGroup $Group).DistinguishedName
$User = Get-ADUser -Filter {-not (memberof -like $GroupDn) -and (Enabled -eq $True)}

How are you going to identify the service accounts? Are the service accounts located in a specific OU, or is there any specific naming standard you follow for service accounts?
0
 

Author Comment

by:Jerry Seinfield
ID: 41822088
Yes to both of your questions.

Any service impact by creating this group with the majority of users populated there? The OU structure is a mess, therefore we do have user accounts, enabled, disabled, and service accounts across different OUs; there is no pattern.
0
 
LVL 40

Expert Comment

by:Subsun
ID: 41822128
> Any service impact by creating this group with the majority of users populated there?

If it's a Universal group, then its membership is replicated across the Global Catalog servers. However, the performance impact should be minimal in a well-connected environment.

> The OU structure is a mess, therefore we do have user accounts, enabled, disabled, and service accounts across different OUs, there is no pattern

In this case it's difficult to filter the service accounts until you give an attribute which we can use to filter them. :-)
0
 
LVL 40

Expert Comment

by:Subsun
ID: 41822159
If the service accounts are set to password never expires, then we can filter using that attribute. But if any normal user accounts have the same setting then they also will be excluded.
0

 

Author Comment

by:Jerry Seinfield
ID: 41822226
Yes, the service accounts are set to password never expires.
0
 
LVL 40

Expert Comment

by:Subsun
ID: 41822237
Here is the updated code, which will exclude all accounts that are set to PasswordNeverExpires:
$Group = "<name of group>"
$GroupDn = (Get-ADGroup $Group).DistinguishedName
$User = Get-ADUser -Filter {-not (memberof -like $GroupDn) -and (Enabled -eq $True) -and (PasswordNeverExpires -eq $False)}


0
 

Author Comment

by:Jerry Seinfield
ID: 41822337
Thanks Subsun. So, the script above will add any user account that is enabled and whose password does not expire to the group? I need to know if the group will be populated with all the accounts matching that criteria.
0
 
LVL 40

Accepted Solution

by:
Subsun earned 500 total points
ID: 41822354
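The group will have all enabled users whose password is set to expire.
Here is the complete code:
# Resolve the group's distinguished name for use in the memberOf test
$Group = "<name of group>"
$GroupDn = (Get-ADGroup $Group).DistinguishedName
# Enabled users, not already members, whose password is set to expire
$User = Get-ADUser -Filter {-not (memberof -like $GroupDn) -and (Enabled -eq $True) -and (PasswordNeverExpires -eq $False)}
# Add them in one call, only if the query returned at least one user
If ($User){Add-ADGroupMember $Group -members $User}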


1
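
A dry-run wrapper around the accepted answer's filter, added here as an example and not part of the thread: it writes the accounts that would be added, and the enabled accounts skipped because of PasswordNeverExpires, to CSV for review, and changes the group only when run with -Apply. The parameter names -Apply and -ReportDir, the CSV file names and the batch size are assumptions of this sketch.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module (RSAT).
# -Apply, -ReportDir and the CSV file names are hypothetical names chosen for this sketch.
param(
    [Parameter(Mandatory)] [string] $Group,
    [string] $ReportDir = '.',
    [switch] $Apply          # without -Apply nothing is changed (dry run)
)
Import-Module ActiveDirectory

$GroupDn = (Get-ADGroup $Group).DistinguishedName

# Same selection as the accepted answer:
# enabled, password set to expire, not already a member of the group.
$Candidates = @(Get-ADUser -Filter {-not (memberof -like $GroupDn) -and (Enabled -eq $True) -and (PasswordNeverExpires -eq $False)})

# Enabled accounts the filter skips. Per the thread these are the service accounts,
# plus any normal user that happens to have "password never expires" set.
$Skipped = @(Get-ADUser -Filter {(Enabled -eq $True) -and (PasswordNeverExpires -eq $True)})

# Keep a record of both sets so the change can be reviewed and, if needed, reverted.
$Stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$Candidates | Select-Object SamAccountName, DistinguishedName |
    Export-Csv (Join-Path $ReportDir "to-add-$Stamp.csv") -NoTypeInformation
$Skipped | Select-Object SamAccountName, DistinguishedName |
    Export-Csv (Join-Path $ReportDir "skipped-$Stamp.csv") -NoTypeInformation

Write-Host "$($Candidates.Count) to add, $($Skipped.Count) skipped (PasswordNeverExpires)"

# Add in batches; the batch size of 500 is an arbitrary, conservative choice.
for ($i = 0; $i -lt $Candidates.Count; $i += 500) {
    $Last  = [Math]::Min($i + 499, $Candidates.Count - 1)
    $Batch = $Candidates[$i..$Last]
    # -WhatIf stays on unless -Apply was given, so the default run only prints the plan.
    Add-ADGroupMember -Identity $Group -Members $Batch -WhatIf:(-not $Apply)
}
```

Reviewing the skipped CSV before applying shows which normal user accounts would be left out of the group by the PasswordNeverExpires test.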
