This page will show you how to take a user and then add them to a named group. I will also give you an example of adding all users in a named OU to a particular group.
Anything and everything to do with groups is tricky to script. Fortunately, adding members to a group is relatively straightforward.
When you examine any Group in Active Directory Users and Computers, observe two similar tabs, Members (who is in this group) and Member Of, which shows other groups to which this group belongs. It really is worth mastering this semantic difference.
We have two missions: firstly, to add one user to a group of your choice; secondly, to add all the users who match our criteria to a named group.
Recommended: log on as administrator, preferably at a domain controller. If you are a long way from the server, Remote Desktop would be a suitable alternative.
If that is not possible, you could get these scripts to work from an XP machine as a non-administrator. However, why introduce extra complications? Especially at the beginning, you want easy success, with the fewest obstacles.
Instructions for Adding one User to a Group
You should run this VBScript on a Windows Active Directory domain.
Copy and paste the example script below into notepad or a VBScript editor.
Decide upon your tactics. Either create users, groups and OUs to match the script, or change the script to match your existing users, groups and OUs.
Save the file with a .vbs extension, for example: GroupAdd.vbs.
Double click GroupAdd.vbs and check the strOU for your new group.
' GroupAdd.vbs
' VBScript add user to a group.
' Author Guy Thomas http://computerperformance.co.uk/
' Version 2.6 - May 2010
' ------------------------------------------------'
Option Explicit
Dim strOU, strGroup, strUser, strDNSDomain
Dim objRootLDAP, objGroup, objUser

' Check these objects referenced by strOU, strGroup exist in strOU
strOU = "OU=Newport,"
strUser = "CN=Len Murray,"
strGroup = "CN=Coal Porters,"

' Bind to Active Directory and get LDAP name
Set objRootLDAP = GetObject("LDAP://RootDSE")
strDNSDomain = objRootLDAP.Get("DefaultNamingContext")

' Add (str)User to (str)Group
Set objUser = GetObject("LDAP://"& strUser _
& strOU & strDNSDomain)
Set objGroup = GetObject("LDAP://"& strGroup _
& strOU & strDNSDomain)
objGroup.add(objUser.ADsPath)
Peter C found a problem with strOU. Kindly, Peter discovered this solution to his problem.
' Add (str)User to (str)Group
Set objUser = GetObject("LDAP://"& strUser & strOU & strDNSDomain)
Set objGroup = GetObject("LDAP://"& strGroup & strOU & strDNSDomain)
objGroup.add(objUser.ADsPath)
replaced with:
' Add (str)User to (str)Group
Set objUser = GetObject("LDAP://"& strUser & strOU & strDNSDomain)
Set objGroup = GetObject("LDAP://"& strGroup & strDNSDomain)
objGroup.add(objUser.ADsPath)
Note 1: The header section deals with the usual preamble of explaining the purpose of the script and declaring the variables.
Note 2: This script does not create any objects. Therefore, it is vital to check that the values for strOU, strUser and strGroup are what you expect.
Note 3: Pay particular attention to commas with strOU. Remember where to employ: CN= (common name).
Note 4: During testing, the GetObject method gave me the most trouble. I had to go back to basics and remind myself that what the script needs to do is get a handle on the full name of the object, for example: "LDAP://CN=Len Murray,OU=Newport,DC=CP,DC=COM". Because of the many advantages of using variables, I built up the name like this: "LDAP://" & strUser & strOU & strDNSDomain. strUser converts to: CN=Len Murray, (note the CN= and also the comma at the end). strOU converts to: OU=Newport, (note the use of OU=Newport but CN=Users; one is an OU, the other a container object).
Note 5: The key verb is .add. If you make a script to undo your action you would substitute objGroup.remove for objGroup.add.
Note 6: .ADsPath is a handy property of the objUser. In this instance .ADsPath translates to CN=Len Murray,OU=Newport,DC=CP,DC=COM. Clearly it is much more efficient to use .ADsPath (Active Directory Path).
The whole point of scripting is to make life easier. We invest time in creating VBScripts which repay by saving time when it comes to boring repetitive tasks. Example 1 shows you how to add a user to a group. This second example builds on that method and adds a loop to add all the objects which match a simple criterion, namely that they are User objects and not computers or contacts.
Sample VBScript to Add Users to a Group
' GroupAddLots.vbs
' Free example VBScript to add users to a group.
' Author Guy Thomas http://computerperformance.co.uk/
' Version 2.3 - May 2010
' ------------------------------------------------'
Option Explicit
Dim objRootLDAP, objGroup, objUser, objOU
Dim strOU, strGroup, strDNSDomain
Dim intCounter

' Check these objects referenced by strOU, strGroup exist in strOU
strOU = "OU=Newport,"
strGroup = "CN=Coal Porters,"

' Bind to Active Directory and get LDAP name
Set objRootLDAP = GetObject("LDAP://RootDSE")
strDNSDomain = objRootLDAP.Get("DefaultNamingContext")

' Prepare the OU and the Group
Set objGroup = GetObject("LDAP://"& strGroup _
& strOU & strDNSDomain)
Set objOU =GetObject("LDAP://" & strOU & strDNSDomain)

' On Error Resume next
' Start at 0 so the total echoed below equals the number of users added
intCounter = 0
For Each objUser In objOU
   If objUser.Class = lcase("User") then
      objGroup.add(objUser.ADsPath)
      intCounter = intCounter +1
   End If
Next
WScript.Echo strGroup & " has " & intCounter & " new members"
Note 1: The key additional feature of this script is the simple but effective loop. It starts with 'For Each' rather than plain 'For'; it also includes the crucial word 'In'. The reason for these extra words in the For....Next loop is that in this example we have a collation (collection) of user objects in objOU.
Note 2: If you compare the Set... GetObject statements with the first example, you will notice an extra statement which connects to a specific OU. This is what I mean: Set objOU =GetObject("LDAP://" & strOU & strDNSDomain).
Note 3: At the outset I said scripting groups was tricky. What nearly drove me mad with this script was "User". The solution was to change it to: "user" - a rare case of case sensitivity. This is the reason I left lcase("User") in the final script.
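A variation on GroupAddLots.vbs, added here as an example (it is not Guy Thomas's script): because a bulk add grants every user in the OU whatever the group can access, this version skips users who are already members, supports a report-only pass, and logs each change. The script name, DRY_RUN, LOG_FILE and the log format are assumptions; the OU and group are the page's sample values.

```vbscript
' GroupAddAudit.vbs (hypothetical name): added example, not the page author's script
Option Explicit
Const DRY_RUN = True                   ' assumption: True only reports, False commits
Const LOG_FILE = "GroupAddAudit.log"   ' hypothetical log file in the current folder
Const ForAppending = 8

Dim objRootLDAP, objGroup, objOU, objUser, objFSO, objLog
Dim strOU, strGroup, strDNSDomain, strAction
Dim intAdded, intSkipped

' Same sample OU and group as GroupAddLots.vbs
strOU = "OU=Newport,"
strGroup = "CN=Coal Porters,"

Set objRootLDAP = GetObject("LDAP://RootDSE")
strDNSDomain = objRootLDAP.Get("DefaultNamingContext")
Set objGroup = GetObject("LDAP://" & strGroup & strOU & strDNSDomain)
Set objOU = GetObject("LDAP://" & strOU & strDNSDomain)

' Append to the log so earlier runs are preserved
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objLog = objFSO.OpenTextFile(LOG_FILE, ForAppending, True)

If DRY_RUN Then strAction = "WOULD-ADD" Else strAction = "ADDED"
intAdded = 0
intSkipped = 0

For Each objUser In objOU
   ' Computers and contacts report a different Class, so only users pass
   If LCase(objUser.Class) = "user" Then
      If objGroup.IsMember(objUser.ADsPath) Then
         ' Already a direct member: calling Add again would raise an error
         intSkipped = intSkipped + 1
      Else
         If Not DRY_RUN Then objGroup.Add objUser.ADsPath
         objLog.WriteLine Now & vbTab & strAction & vbTab & _
            objGroup.ADsPath & vbTab & objUser.ADsPath
         intAdded = intAdded + 1
      End If
   End If
Next
objLog.Close

WScript.Echo strAction & ": " & intAdded & vbCrLf & _
   "Already members (skipped): " & intSkipped & vbCrLf & "Log: " & LOG_FILE
```

Each ADDED line in the log pairs a group path with a member path, which is what objGroup.Remove needs to reverse that change.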