Add existing Ad user to existing AD group

  • Tuesday, April 24, 2012 3:11 PM

    I have modified the following script for my own purposes. It works great.

    http://blogs.msdn.com/b/aaronsaikovski/archive/2009/06/24/powershell-script-to-create-ad-groups-from-a-csv-file.aspx

    I need to very simply (ha!) add an existing user to the group(s) that are created. So while my CSV file contains the list of groups that will be created, as each is created I want to add an existing statically named user to that group.

    I've already tried several variations on group.add but am something of a newbie here. I understand there are resources out there and I am looking around, Googling. It's a bit bewildering as there seems to be such a multitude of methods, means and ways to run, write and execute PS scripts, as well as versions and styles.

    I'm really hoping for something quite straightforward. I know the user name, I know the user's domain. The group creation does work (I tested it with one group).

    Thanks...

All Replies

  • Tuesday, April 24, 2012 3:40 PM
    Write-Host -ForegroundColor green "Adding ADGroup - $ADGroupName"
    #Create the AD Group
    $objGroup = $objOU.Create("group", "CN=" + $ADGroupName)
    $objGroup.Put("sAMAccountName", $ADGroupName)
    $objGroup.SetInfo()
    #Add the member once the group exists in the directory
    $objGroup.Add("CN=Grant,CN=Users,DC=contoso,DC=local")

    You can add the user after the group is created.


    Grant Ward, a.k.a. Bigteddy

    What's new in Powershell 3.0 (Technet Wiki)

  • Tuesday, April 24, 2012 3:54 PM

    It appears to be expecting an additional argument?

    Exception calling "Add" with "1" argument(s): "Exception from HRESULT: 0x80005000" At K:\Transfer\sschro\ew-adgroup.ps1:43 char:30

  • Tuesday, April 24, 2012 4:17 PM

    The Add method of the group requires the ADsPath of the new member, not the distinguishedName. Add "LDAP://" to the distinguished name. For example:

    $objGroup.Add("LDAP://CN=Grant,CN=Users,DC=contoso,DC=local")

    I like to bind to an object reference to the user, then use the ADsPath property. I also use the IsMember method if there is a possibility that the user is already a member of the group. For example, I have used the following:

    $Group = [ADSI]"LDAP://cn=Test Group,ou=West,dc=MyDomain,dc=com"
    $User = [ADSI]"LDAP://cn=Jim Smith,ou=East,dc=MyDomain,dc=com"

    If ($Group.IsMember($User.ADsPath) -eq $False)
    {
        $Group.Add($User.ADsPath)
    }

    -----



    Richard Mueller - MVP Directory Services


  • Tuesday, April 24, 2012 4:18 PM

    Correction to my last code (I left out the "LDAP://") ...

    $objOU = [ADSI]"LDAP://localhost:389/cn=users,DC=contoso,DC=local"
    Write-Host -ForegroundColor green "Adding ADGroup - $ADGroupName"
    #Create the AD Group
    $objGroup = $objOU.Create("group", "CN=Test2")
    $objGroup.Put("sAMAccountName", "Test2")
    $objGroup.SetInfo()
    #Add() takes the ADsPath (LDAP:// prefix), not the bare distinguishedName
    $objGroup.Add("LDAP://CN=Grant,CN=Users,DC=contoso,DC=local")


    Grant Ward, a.k.a. Bigteddy

    What's new in Powershell 3.0 (Technet Wiki)

  • Tuesday, April 24, 2012 4:19 PM

    Yup, just figured that out myself by trial and error...and error and error...

    Thanks BigTeddy, you da Man!


    Also...my first instinct was to use the user's login name, which apparently is wrong as the DN uses their full name. Odd.
    • Edited by ITMn0403 Tuesday, April 24, 2012 4:20 PM
  • Tuesday, April 24, 2012 4:40 PM

    What you call the user's login name is probably the value of the sAMAccountName attribute. This is also the "pre-Windows 2000 logon" name. It would be nice if that worked, since it uniquely identifies the object in the domain, but it does not uniquely identify the object in the forest. The DN (distinguishedName) does, but it uses the Common Name of the object (the value of the cn attribute). Unfortunately, when you create a user in ADUC, the GUI refers to this as the "Full name". There really is no such thing as "Full name". The value in the GUI is assigned to both the displayName and cn attributes of the new user object. The displayName is optional and can really be anything. The cn attribute is mandatory and must be unique in the OU/container. Unfortunately, it is not unique in the domain, so by itself it cannot be used to identify the object. There can be many objects in the domain with the same Common Name. It is the Relative Distinguished Name (RDN) of the object, meaning its name in the parent OU/Container. This is a source of much confusion: the "Name" of the user cannot be used to identify the user object. However, the full DN is unique in the domain and the forest.


    Richard Mueller - MVP Directory Services
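    Putting the two answers above together (Add() needs the ADsPath, and the logon name you know is the sAMAccountName, not the cn in the DN), here is an added example script that is not from this thread or any of its posters. It reads the group names from a CSV, creates each group with ADSI as the original script does, resolves the fixed user by sAMAccountName with a DirectorySearcher so the DN never has to be typed by hand, and uses IsMember so re-runs do not error. The CSV column name, the OU, the domain root and the user logon name are assumed placeholders.

```powershell
# Added example (not the thread's code). Assumed placeholders: a CSV with a
# GroupName column, the OU and domain below, and an existing user "jsmith".
Add-Type -AssemblyName System.DirectoryServices

$csvPath       = 'C:\scripts\groups.csv'           # assumed
$domainRoot    = 'LDAP://DC=contoso,DC=local'       # assumed
$containerPath = 'OU=Groups,DC=contoso,DC=local'    # assumed; groups are created here
$userLogon     = 'jsmith'                            # sAMAccountName (pre-Windows 2000 name), assumed

# sAMAccountName is unique within a domain, so a search from the domain root
# yields at most one user. Fail closed on anything other than exactly one hit.
$filter   = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$userLogon))"
$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$domainRoot, $filter)
$searcher.PropertiesToLoad.Add('distinguishedName') | Out-Null
$results  = $searcher.FindAll()
if ($results.Count -ne 1) {
    throw "Expected exactly one user with sAMAccountName '$userLogon', found $($results.Count)"
}
$user = $results[0].GetDirectoryEntry()   # DirectoryEntry; .Path is the ADsPath (LDAP://CN=...)
$results.Dispose()

$objOU = [ADSI]"LDAP://$containerPath"
foreach ($row in Import-Csv -Path $csvPath) {
    $name = "$($row.GroupName)".Trim()
    if (-not $name) { continue }          # skip blank rows in the CSV
    # Note: names containing RDN special characters (e.g. commas) would need escaping.
    $groupPath = "LDAP://CN=$name,$containerPath"

    # Bind to the group if it already exists; otherwise create it as in the original script.
    if ([System.DirectoryServices.DirectoryEntry]::Exists($groupPath)) {
        $objGroup = [ADSI]$groupPath
    } else {
        Write-Host -ForegroundColor Green "Adding ADGroup - $name"
        $objGroup = $objOU.Create('group', "CN=$name")
        $objGroup.Put('sAMAccountName', $name)
        $objGroup.Put('groupType', -2147483646)   # global security group (0x80000002)
        $objGroup.SetInfo()
    }

    # Add() wants the ADsPath, not the bare DN (the HRESULT 0x80005000 seen in the thread);
    # IsMember keeps the script idempotent when the user is already in the group.
    if (-not $objGroup.IsMember($user.Path)) {
        $objGroup.Add($user.Path)
        Write-Host "  Added $userLogon to $name"
    }
}
```

    The account running the script needs rights to create groups in the target OU and to modify the member attribute of each group; nothing else is assumed.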

  • Tuesday, April 24, 2012 8:03 PM
    Thank you Richard for clarifying (I think!).