script to add/remove user to group

Status
Not open for further replies.

holidayIT

IS-IT--Management
Apr 2, 2004
138
US
Is there a way to add/remove users to a group in ADS through VBScript? I can connect to ADS and pull the user's data, but I cannot seem to find the field for the groups that the user is a member of. I'd like to write a script that adds users to a group and then removes them after a specified period of time. I have all of the code written, except for the group information. Does anyone know how?
 
Do a keyword search in this forum for 'group AD' and you will find several threads on this topic.

"Well, once again my friend, we find that science is a two headed beast. One head is nice, it gives us aspirin and other modern conveniences,...but the other head of science is BAD! Oh, beware the other head of science, Arthur; it bites!!" - The Tick
 
I don't see anything in there that answers my question. I know about adding a user to a domain in ADS. What I need to do is add them in VBScript using ADSI and WSH. I can change their profile (i.e. name, username, password, etc.).
But what I need to do is add them to another group (not OU). Just as they are all Domain/User and maybe Department/User, I need to add additional groups, then I need to remove them from that group. Does this make it clearer?
 
You first need to bind to the user object. Then you can do the following:

Code:
'specify the group
gpstr = "LDAP://MYDOMAIN/CN=MYGROUP,OU=Users,DC=MyCompany,DC=com"
set objGroup = GetObject(gpstr)

'now add the user to the group
objGroup.Add objUser.ADsPath

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
 
Do I have to do a .setinfo?

Thanks Mark, I am going to try this now.
 
That didn't seem to do it. Here is my code (just the part about the group):

strDomAdmin = "LDAP://domainName/CN=Domain Admins,OU=Users,DC=domainName,DC=net"

If strCN = "testthis" then
set objGroup = GetObject(strDomAdmin)
wscript.Echo objGroup
Wscript.Echo objUser
objGroup.Add objUser.ADsPath
objUser.setInfo
Wscript.Echo "Done"
End If
 
You should not need the set info.

What are you getting from the Echo statements? Is it passing the right info?

Try running this without the If Then just to verify that you are not failing on the conditional statement.

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
 
I am actually looping through all of the users in ADS, and if I don't have the conditional statements, it will change 500 users and all of the generic user accounts. The thing that tips me off is that the echo statements show nothing. They are blank. Just the "done" echo has anything. So I know the conditional statement is working, just the group isn't being pulled or displayed correctly.

Is there a user field for groups that the user is a member of? I tried the "memberOf" field, but that wasn't it.
 
Hello holidayIT,

You'll be better off using flat namespace WinNT: provider to add users to groups.

regards - tsuji
 
I've never used the WinNT provider... how do I do that?
What I did to get the users is this:

strDefaultDomainNC = GetObject("LDAP://RootDSE").Get("DefaultNamingContext")

Set conADS = CreateObject("ADODB.Connection")
conADS.Provider = "ADsDSOObject"
conADS.Open "Active Directory Provider"

Set cmdAds = CreateObject("ADODB.Command")
Set cmdADS.ActiveConnection = conADS

strADS = "SELECT samAccountName, givenName, sn, adsPath" & _
" FROM 'LDAP://" & strDefaultDomainNC & "'WHERE objectClass= 'user'"

cmdADS.CommandText = strADS

'Open connection to ADS Server
Set rstADS = cmdADS.Execute

Do While Not rstADS.EOF
Set objUser = GetObject(rstADS.Fields("ADsPath").Value)



I then cycle through each user (I check for last name to verify that it is a real user). Then I need to add them to a group. Is there a better way to do this? (This was my second VBScript. I couldn't have done it without Tek-Tips, but if there is a better way, I'd love to use it instead.)
 
What I am trying to do is this...
I have a script that edits a file in a protected folder on a local machine. I am trying to write this script (that I am trying to do now) to add users to the domain admins group, then the file modifying script will run on their login script. I first tried to get the script to do a runas admin, but it prompts for a password, and I would have to go to the machines and type it in. I obviously do not want to give the users the admin password, and if I add them for a day or two without telling them, they will never know they have admin rights for a while.

Mostly, if I can just remove them from the admin group in a script, that'd be great. I can add all the users to the admin group by highlighting them and then adding them to the group, but removing them has to be done one by one, and there are way too many users for me to really want to do that.
 
Yikes!

Even if they don't know they are admins they can still hurt themselves or your network.

Do a little searching, there are some examples of how to pass the admin password via script when using RUNAS so that you don't have to do what you are trying to do.

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
 
holidayIT,

Let a domain group be "a1b2c3/wkstadm" with selected admin members, and let a local group "admin" be on server "d4e5f6". To add the former to the latter, do this.
Code:
sDGroup="WinNT://a1b2c3/wkstadm,group"
set oDGroup=getobject(sDGroup)
set oLGroup=getobject("WinNT://d4e5f6/admin,group")
if not oLGroup.IsMember(sDGroup) then
    oLGroup.add oDGroup.AdsPath
end if
- tsuji
 
tsuji,

This just creates a group of members, then adds the whole group to admin? I don't think I understand.


Mark,

I've searched on passing the password with runas, but I don't understand it.
 
holidayIT,

Adding a domain group to local groups may simplify maintenance. If you add a domain user, it is more or less the same.
Code:
sDUser="WinNT://a1b2c3/jsmith,user"
set oLGroup=getobject("WinNT://d4e5f6/admin,group")
oLGroup.add sDUser
- tsuji
 
Not sure whether to start a new post or not, but it seems in the right thread.

We are still slowly cleaning, condensing, straightening up years of doing things not as well as we could have. Nearly every user is an administrator. Currently, I am going through with Dameware and manually moving people out of administrator and down to power user. I can do a script where I provide a user name and it moves them to appropriate group. To me, a good place to do another mass script.

What I am thinking, but not sure how to pull off is basically any account not named administrator gets moved to the power user group. I know from copying files there is the FileExistsNot method. Any method similar in concept that I could use against account names?
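An added example, not written by any poster in this thread: the clean-up described above, done with the same WinNT provider calls used earlier (`Members`, `IsMember`, `Add`, `Remove`). The allow-list names, the `DRY_RUN` switch and the use of the built-in local groups "Administrators" and "Power Users" are assumptions for illustration.

```vbscript
Option Explicit
Const DRY_RUN = True   ' assumption: report only; set to False to change membership

Dim strComputer, dictKeep, objAdmins, objPower, objMember, dictMove, strPath

strComputer = CreateObject("WScript.Network").ComputerName

' Constructed allow-list of member names that stay in Administrators.
' Matching is by name only, so a domain account with the same name also stays.
Set dictKeep = CreateObject("Scripting.Dictionary")
dictKeep.CompareMode = vbTextCompare
dictKeep.Add "Administrator", True
dictKeep.Add "Domain Admins", True

Set objAdmins = GetObject("WinNT://" & strComputer & "/Administrators,group")
Set objPower = GetObject("WinNT://" & strComputer & "/Power Users,group")

' Collect the paths first so the membership is not modified while it is enumerated.
Set dictMove = CreateObject("Scripting.Dictionary")
For Each objMember In objAdmins.Members
    If dictKeep.Exists(objMember.Name) Then
        WScript.Echo "keep:       " & objMember.ADsPath
    Else
        dictMove.Add objMember.ADsPath, True
    End If
Next

For Each strPath In dictMove.Keys
    If DRY_RUN Then
        WScript.Echo "would move: " & strPath
    Else
        ' Add to the lower-privilege group before removing admin membership.
        If Not objPower.IsMember(strPath) Then objPower.Add strPath
        objAdmins.Remove strPath
        WScript.Echo "moved:      " & strPath
    End If
Next
```

Run it with cscript so each Echo prints to the console, and review the dry-run output before setting `DRY_RUN` to False.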
 
desktoprat, start a new thread to get fresh eyes on this one.

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
 