Solved

automatically add users to a specific group in AD

Posted on 2016-09-29
Last Modified: 2016-09-29
Hello Experts,

I have a request to add all users from my site in NYC to a specific group in AD, so I need your help to analyze the possible service impact of doing this, because this group will allow users within it to use a third-party tool for printer mapping and management called Printer Logic.

So, from a performance point of view, do you foresee any potential service impact or performance issues?

Second question:

Can you please test the following script to make sure it will add all users in the domain or site?

Unfortunately, our AD has multiple OUs across multiple sites, and we do not want to include service accounts or disabled accounts in this group. So if you believe this script should be updated, please make the corrections, test it, and send it back to me.

Script:

$user = Get-ADUser -filter *
$Group = "<name of group>"

ForEach ($samAccountName in $user)
{
    Add-ADGroupMember $Group -members $samAccountName
}
Question by:Jerry Seinfield
LVL 40

Expert Comment

by:Subsun
ID: 41821984
Users who are disabled can be filtered easily. You can also filter out the users who are already members of that group. An example is shown below:
$Group = "<name of group>"
$GroupDn = (Get-ADGroup $Group).DistinguishedName
$User = Get-ADUser -Filter {-not (memberof -like $GroupDn) -and (Enabled -eq $True)}


How are you going to identify the service accounts? Are the service accounts located in a specific OU, or is there a specific naming standard you follow for service accounts?

Author Comment

by:Jerry Seinfield
ID: 41822088
Yes to both of your questions.

Any service impact by creating this group with the majority of users populated there? The OU structure is a mess, therefore we do have user accounts, enabled, disabled, and service accounts across different OUs, there is no pattern
LVL 40

Expert Comment

by:Subsun
ID: 41822128
"Any service impact by creating this group with the majority of users populated there?"
If it's a Universal group, then its membership is replicated across the Global Catalog servers. However, the performance impact should be minimal in a well-connected environment.

"The OU structure is a mess, therefore we do have user accounts, enabled, disabled, and service accounts across different OUs, there is no pattern"
In this case it's difficult to filter the service accounts until you give an attribute which we can use to filter them. :-)
LVL 40

Expert Comment

by:Subsun
ID: 41822159
If the service accounts are set to password never expires, then we can filter using that attribute. But if any normal user accounts have the same setting then they also will be excluded.

Author Comment

by:Jerry Seinfield
ID: 41822226
Yes, the service accounts are set to password never expires.
LVL 40

Expert Comment

by:Subsun
ID: 41822237
Here is the updated code, which will exclude all accounts that are set to PasswordNeverExpires:
$Group = "<name of group>"
$GroupDn = (Get-ADGroup $Group).DistinguishedName
$User = Get-ADUser -Filter {-not (memberof -like $GroupDn) -and (Enabled -eq $True) -and (PasswordNeverExpires -eq $False)}


Author Comment

by:Jerry Seinfield
ID: 41822337
Thanks Subsun. So that script above will add any user account that is enabled and whose password does not expire to the group? I need to know if the group will be populated with all the accounts with that criteria.
LVL 40

Accepted Solution

by:
Subsun earned 2000 total points
ID: 41822354
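The group will have all enabled users whose password is set to expire.
Here is the complete code:
$Group = "<name of group>"
# Resolve the group's distinguished name for the membership test in the filter
$GroupDn = (Get-ADGroup $Group).DistinguishedName
# Enabled users who are not yet members and whose password is set to expire
$User = Get-ADUser -Filter {-not (memberof -like $GroupDn) -and (Enabled -eq $True) -and (PasswordNeverExpires -eq $False)}
# Add them only if the query returned at least one user
If ($User){Add-ADGroupMember $Group -members $User}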

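A dry-run variant of the accepted answer's filter, added here as an example and not part of Subsun's answer: it writes every account skipped by the PasswordNeverExpires rule to a CSV for review (ordinary users with that flag land there too) and stages the additions in batches under -WhatIf. The report path, the batch size and the servicePrincipalName check are assumptions that do not come from the thread.

```powershell
# Added example: preview and staged rollout using the thread's filter criteria.
Import-Module ActiveDirectory

$Group     = '<name of group>'          # placeholder, as in the thread
$ReportCsv = '.\group-add-review.csv'   # hypothetical output path
$BatchSize = 500                        # assumption: keeps each directory write small

$GroupDn = (Get-ADGroup $Group).DistinguishedName

# Enabled accounts that are not yet members (same base filter as the thread),
# with the extra attributes needed for the review report.
$Enabled = Get-ADUser -Filter {-not (memberof -like $GroupDn) -and (Enabled -eq $True)} `
    -Properties PasswordNeverExpires, servicePrincipalName, LastLogonDate

$Excluded   = @($Enabled | Where-Object { $_.PasswordNeverExpires })
$Candidates = @($Enabled | Where-Object { -not $_.PasswordNeverExpires })

# Review list: everything the PasswordNeverExpires rule skips. Normal users who
# have the flag set are in here as well and need a manual decision.
$Excluded |
    Select-Object SamAccountName, DistinguishedName, LastLogonDate,
        @{ Name = 'HasSPN'; Expression = { $_.servicePrincipalName.Count -gt 0 } } |
    Export-Csv -Path $ReportCsv -NoTypeInformation

# Assumption (not from the thread): a user object that carries an SPN is
# probably a service account even if its password expires, so hold it back.
$Suspect = @($Candidates | Where-Object { $_.servicePrincipalName.Count -gt 0 })
$ToAdd   = @($Candidates | Where-Object { $_.servicePrincipalName.Count -eq 0 })

'{0} to add, {1} excluded by PasswordNeverExpires, {2} held back for SPN review' -f `
    $ToAdd.Count, $Excluded.Count, $Suspect.Count

# Stage the change in batches; -WhatIf only reports what would be added.
for ($i = 0; $i -lt $ToAdd.Count; $i += $BatchSize) {
    $last  = [Math]::Min($i + $BatchSize, $ToAdd.Count) - 1
    $batch = $ToAdd[$i..$last]
    Add-ADGroupMember -Identity $GroupDn -Members $batch -WhatIf   # remove -WhatIf to commit
}
```

Review the CSV and the held-back accounts before removing -WhatIf; the group grants access to the printer management tool, so every account that ends up in it should be a real user.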
