Set primary group in AD using PowerShell

  • Question

  • Dear All!

    I need a hint :)


    I am creating a script that creates AD users, creates home folders with special security settings, sets their groups and creates a mailbox (Exchange).

    For users from different countries I need to use different Domain Controllers. This works, except for setting the primary group.

    If I create the user on the logonserver of the server from which the script is executed it works, but not on others.

    The part of the script I use for setting the primary group is:

    "

    $userP = Get-QADuser $login
    $groupP = Get-QADGroup $mainGroupSec
    $groupP | Add-QADGroupMember -Member $login
    $userP | Set-QADUser -ObjectAttributes @{PrimaryGroupID=$groupP.PrimaryGroupToken} | Remove-QADGroupMember

    "

    Is there any way to set the server where to do this? Like, e.g., Set-ADUser -Server $DCServer?

    Or is there a way to do this without using the Quest.ActiveRoles.ADManagement snapin?

    Thanks for any suggestion.

    Best Regards,

    Daniel


    Monday, February 17, 2014 1:11 PM

Answers

  • Thanks one more time for any answer. After many hours of testing I found a way to achieve exactly what I need:

    # Set primary Group

    # PrimaryGroupToken of the group

    $TokenPart1 = Get-ADGroup -Identity $mainGroupSec -Properties primarygrouptoken | select primarygrouptoken
    $Token = $TokenPart1 | Select -ExpandProperty primarygrouptoken

    # DistinguishedName
    $DNName = "CN=" + $DisplayName2 + "," + $ProfilePath

    #Replace variable

    $Replace = @{"PrimaryGroupID"="$Token"}

    # replace default PrimaryGroup
    Set-ADObject $DNName -Server $server -Replace $Replace

    I know it isn't an elegant way, but it works :)

    Thank You!

    • Marked as answer by StefkoDan Tuesday, February 18, 2014 3:33 PM
    Tuesday, February 18, 2014 3:32 PM

All replies

  • What domain?  Windows 2003?

    Users are not on different DCs by country.  Do you mean they are on a different domain?  If you set the domain it will stick.

    The following line makes no sense:

    $userP | Set-QADUser -ObjectAttributes @{PrimaryGroupID=$groupP.PrimaryGroupToken} | Remove-QADGroupMember

    Get-QADUser does not create a user; it gets an existing user. All users in a domain exist on ALL domain controllers in the domain.


    ¯\_(ツ)_/¯

    Monday, February 17, 2014 2:29 PM
  • Thank You for Your answer.

    I know the facts You have written.

    I create the user by:

    New-ADUser -Server $Server -SamAccountName $login -Path $ProfilePath `
        -Surname $SurName -GivenName $Name -Name $DisplayName2 -Type $ObjType `
        -DisplayName $DisplayName2 -AccountPassword $SecurePassword `
        -City $City -Company $Firma -PostalCode $psc -Country $Country `
        -Description $Function -StreetAddress $Street -Office $Departement `
        -Fax $Fax -MobilePhone $Handy -HomePhone $Phone -EmailAddress $Email `
        -Enabled $true

    The commands I send before are used to set the primary group.

    As You can see there is the -Server attribute when using New-ADUser

    Here I can specify on which Domain Controller the user should be created.

    And I need to specify this attribute for the Set-QADUser.

    It's a 2008 domain.

    The script works if I set only one Domain Controller, but I need to use 4 different ones.

    Any Idea how?

    Monday, February 17, 2014 2:48 PM
  • Hi,

    I can't vouch for this, but here's one of the first results I got back when I searched for 'powershell set primary group':

    http://www.indented.co.uk/2010/01/22/changing-the-primary-group-with-powershell/


    Don't retire TechNet! - (Don't give up yet - 12,575+ strong and growing)

    Monday, February 17, 2014 2:51 PM
  • Normally we do not use primary group.  Primary Group is legacy for Windows NT 4 and for Mac clients.  If these are not Mac clients the group is never used.

    The command I posted is impossible. It attempts to set a group and remove a member at the same time.

    If you are not on Windows 2003 AD then you should not be using QAD CmdLets.

    There is no need to choose a domain controller. All users exist on all Domain Controllers. You do not choose a domain when you are using a user object returned with Get-QADUser.


    ¯\_(ツ)_/¯

    Monday, February 17, 2014 3:12 PM
  • Why do you need to change the primary group? This is not recommended.

    Bill

    Tuesday, February 18, 2014 3:47 PM
  • My two cents for a more elegant way:

    # Change these variables
    $username = "abcd"
    $NewGroup = "Some Group"
    
    # No change after this
    # Add the user to the new group, just in case
    Add-ADGroupMember -Identity $NewGroup -Members $username
    
    $NewPrimaryGroupToken = (Get-ADGroup $NewGroup -Properties primaryGroupToken).primaryGroupToken
    Set-ADUser -Identity $username -Replace @{primaryGroupID=$NewPrimaryGroupToken}

    Hope this helps
    Monday, June 18, 2018 5:35 PM
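As an added example (not code from any post in this thread), the two answers combined into a function that does the change against one chosen DC, with the membership precondition and a read-back check, plus an audit function for the point Bill raises: because a user's primary group is not shown in memberOf, users whose primaryGroupID differs from the default Domain Users RID (513) are easy to overlook and worth listing. Function names, parameters and the DC name are assumptions; it requires the ActiveDirectory module.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Set-PrimaryGroupOnServer {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $GroupName,
        [Parameter(Mandatory)] [string] $Server   # the DC the user was created on
    )
    # Read user and group from the same DC so token and membership are consistent
    # (a freshly created user may not have replicated to other DCs yet).
    $user  = Get-ADUser  -Identity $SamAccountName -Server $Server -Properties primaryGroupID
    $group = Get-ADGroup -Identity $GroupName -Server $Server -Properties primaryGroupToken, member

    # AD only accepts a primaryGroupID that refers to a group the user already belongs to,
    # so ensure membership first (skip the add if it is already there).
    if ($group.member -notcontains $user.DistinguishedName) {
        Add-ADGroupMember -Identity $group -Members $user -Server $Server
    }
    Set-ADUser -Identity $user -Server $Server -Replace @{ primaryGroupID = $group.primaryGroupToken }

    # Re-read from the same DC and confirm; other DCs show the old value until replication.
    $after = Get-ADUser -Identity $SamAccountName -Server $Server -Properties primaryGroupID
    if ($after.primaryGroupID -ne $group.primaryGroupToken) {
        throw "primaryGroupID on $Server is $($after.primaryGroupID), expected $($group.primaryGroupToken)"
    }
    return $after.primaryGroupID
}

function Get-NonDefaultPrimaryGroupUsers {
    param([string] $Server, [int] $DefaultRid = 513)  # 513 = Domain Users
    # primaryGroupID stores a RID, not a DN, and the primary group is absent from
    # memberOf; resolve RID -> group SID -> group name for a readable report.
    $domainSid = (Get-ADDomain -Server $Server).DomainSID.Value
    Get-ADUser -Filter "primaryGroupID -ne $DefaultRid" -Server $Server -Properties primaryGroupID |
        ForEach-Object {
            $groupSid = "$domainSid-$($_.primaryGroupID)"
            [pscustomobject]@{
                User         = $_.SamAccountName
                PrimaryGroup = (Get-ADGroup -Identity $groupSid -Server $Server).Name
            }
        }
}

# Usage (assumed names):
# Set-PrimaryGroupOnServer -SamAccountName 'abcd' -GroupName 'Some Group' -Server 'dc01.example.local'
# Get-NonDefaultPrimaryGroupUsers -Server 'dc01.example.local' | Format-Table
```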