Script Help - Adding Users from AD Group to Computer Object Attribute

Computer objects have the following name convention: USERNAME-INV#-PC. An example is TEST1-54321-D. There is a GPO in place that adds any user populated under the managedBy attribute of a computer object to the Administrators group for that computer.
Create a "Local PC Admin" group.
When user TEST1 gets added to the "Local PC Admin" group, a PowerShell script that runs as an hourly scheduled task goes out and finds any computer object (that is not a server) that has TEST1 in its name, for example TEST1-54321-D for a desktop and TEST1-98765-L for a laptop.
It then adds the user to the managedBy attribute of the computer object and appends the text "added as local admin on <currentdate>" to the computer object's description.
If TEST2 is added to the group later, the script should see that TEST1 has already been added and only add TEST2 to the managedBy attribute of the appropriate computer, as well as the "added as local admin on <currentdate>" text.
Still thinking about how this can be automated when a user is removed from the "Local PC Admin" group.
Can somebody please find holes in this scenario or suggest a better method to approach this?

Security nightmare? How so? Regular domain users cannot modify the "managedBy" computer object attribute.
The "Local PC Admin" group would be an ADUC security group. The Help Desk and Network Admins would be the only ones that can either add users to the group or directly modify the "managedBy" computer object attribute.
The Group Policy that runs against the desktops/laptops looks to see if the managedBy attribute of the computer object is populated. If so, it adds that user as a local admin on their workstation/laptop and removes any other user/group not specified and given local admin rights. This would only be done for a handful of users (those in the Local PC Admin group) that need admin access; in other words, the attribute would only be populated for a few computer objects and not the entire organization. If it is not populated, it does nothing and leaves the default admins on it.
More info on how the GPO works here:
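The hourly task described above, written here as an added example rather than the poster's own script. It assumes the group is named 'Local PC Admin', that workstation names follow USERNAME-INV#-PC, that the description marker is the "added as local admin on <date>" text from the post, and that the scheduled-task account may write managedBy and description on workstation objects. It also covers the removal case the post leaves open, by clearing managedBy only on computers this script itself tagged.

```powershell
# Added example of the hourly task described above; not the poster's script.
# Assumptions: the group is named 'Local PC Admin', workstations follow
# USERNAME-INV#-PC, the description marker is "added as local admin on <date>",
# and the task account may write managedBy/description on workstation objects.
Import-Module ActiveDirectory

$AdminGroup = 'Local PC Admin'
$Marker     = 'added as local admin on'
$Today      = Get-Date -Format 'yyyy-MM-dd'

# Members of the group that are user objects (nested groups flattened).
$admins = @(Get-ADGroupMember -Identity $AdminGroup -Recursive |
            Where-Object { $_.objectClass -eq 'user' })

foreach ($user in $admins) {
    $sam = $user.SamAccountName

    # The name goes into an LDAP filter string: reject anything outside the
    # characters the naming convention allows instead of trying to escape it.
    if ($sam -notmatch '^[A-Za-z0-9._-]+$') {
        Write-Warning "Skipping '$sam': unexpected characters in account name"
        continue
    }

    # 'TEST1-*' matches TEST1-54321-D and TEST1-98765-L but not TEST10-...;
    # the OperatingSystem test keeps servers out of scope.
    $filter    = "Name -like '$sam-*' -and OperatingSystem -notlike '*Server*'"
    $computers = Get-ADComputer -Filter $filter -Properties managedBy, Description

    foreach ($pc in $computers) {
        if ($pc.managedBy -eq $user.DistinguishedName) { continue }  # done on an earlier run

        if ($pc.managedBy) {
            # managedBy holds one DN; never overwrite another manager silently.
            Write-Warning "$($pc.Name) already managed by $($pc.managedBy); skipping"
            continue
        }

        $desc = "$($pc.Description) $Marker $Today".Trim()
        Set-ADComputer -Identity $pc.DistinguishedName -ManagedBy $user.DistinguishedName -Description $desc
        Write-Output "$($pc.Name): managedBy set to $sam"
    }
}

# Removal case the post leaves open: clear managedBy on workstations this
# script tagged whose manager is no longer in the group, so the GPO falls
# back to the default local admins on the next refresh.
$adminDNs = @($admins | ForEach-Object { $_.DistinguishedName })
$tagged   = Get-ADComputer -Filter "Description -like '*$Marker*' -and OperatingSystem -notlike '*Server*'" -Properties managedBy, Description

foreach ($pc in $tagged) {
    if ($pc.managedBy -and ($adminDNs -notcontains $pc.managedBy)) {
        $desc = ($pc.Description -replace "\s*$Marker \d{4}-\d{2}-\d{2}", '').Trim()
        if ($desc) {
            Set-ADComputer -Identity $pc.DistinguishedName -Clear managedBy -Description $desc
        } else {
            Set-ADComputer -Identity $pc.DistinguishedName -Clear managedBy, description
        }
        Write-Output "$($pc.Name): managedBy cleared (manager no longer in $AdminGroup)"
    }
}
```

Two points worth keeping in mind when running something like this: managedBy is single-valued, so the script refuses to overwrite a manager it did not set, and the account name is validated before it is interpolated into the -Filter string, since the task runs with rights to change who is a local admin.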

Similar Messages

  • I have a requirement where I have to give the list of users who can access a specific computer. I am new with PS. Do you have a script to list users that can access a computer object of AD ?

    I have a requirement where I have to give the list of users who can access a specific computer defined in AD.
    I am new with PS.
    Do you have a script to list users that can access a computer object in AD?
    I have executed the following script, but it does not give me the access rights of who can access the computer 'computername'.
    How can I get this information? Please help.
    Import-Module ActiveDirectory
    # Read the computer object together with its security descriptor (DACL)
    $computer = Get-ADComputer "computername" -Properties ntSecurityDescriptor
    # List each trustee that holds an ACE on the object
    $computer.ntSecurityDescriptor.Access | Select-Object -ExpandProperty IdentityReference | Sort-Object -Unique

    I would say that, since the OP has so little info, there are no policies in use. If there were, then this question would never be asked the way it is being asked.
    I had a client call with a letter from their insurance company; an accountant with malpractice insurance. They asked the same question in much the same way: "What computers can your users access?" The question should be more like "Do you have a policy that restricts access to computers and do you audit for compliance?"
    I have had other clients whose insurance asked the question in that way. It produces a better view of what should be happening and how to show compliance.
    I recommend that companies being asked these questions by their legal departments or insurance companies should contract with a good computer security consultant to assist with answering these very tricky questions. Of course, if it is just your boss's curiosity then you may need to discuss his requirements with him in more depth.
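    An added example, not the poster's script nor the replier's, that takes the posted one-liner a step further. The ACL on the AD computer object only says who may read or modify the object in the directory; who can actually sign in to the machine is decided on the host (for example by its local Administrators group). The two functions below report each side separately. 'computername' is a placeholder, and the second function assumes WinRM is enabled on the target and that it has PowerShell 5.1 or later.

```powershell
# Added example (not the poster's or the replier's code).
# Get-ComputerObjectAccess: who holds which rights on the AD computer object.
# Get-LocalAdminMembers: who is in the machine's local Administrators group.
Import-Module ActiveDirectory

function Get-ComputerObjectAccess {
    param([Parameter(Mandatory)][string]$ComputerName)
    $computer = Get-ADComputer -Identity $ComputerName -Properties ntSecurityDescriptor
    # Each ACE: trustee, the directory rights granted/denied, and whether it was inherited
    $computer.ntSecurityDescriptor.Access |
        Select-Object @{ n = 'Trustee'; e = { $_.IdentityReference } },
                      @{ n = 'Rights';  e = { $_.ActiveDirectoryRights } },
                      AccessControlType, IsInherited |
        Sort-Object Trustee, Rights -Unique
}

function Get-LocalAdminMembers {
    param([Parameter(Mandatory)][string]$ComputerName)
    # Assumes WinRM on the target; Get-LocalGroupMember needs PowerShell 5.1+ there.
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Get-LocalGroupMember -Group 'Administrators' |
            Select-Object Name, ObjectClass, PrincipalSource
    }
}

# 'computername' is a placeholder for the computer in the question
Get-ComputerObjectAccess -ComputerName 'computername' | Format-Table -AutoSize
Get-LocalAdminMembers    -ComputerName 'computername' | Format-Table -AutoSize
```

    Reading the two outputs side by side usually answers the question behind the question: directory rights on the object (first table) and sign-in rights on the box (second table) are managed in different places and audited differently.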

  • Script to logout users from a specific group, when queries are long

    I have a requirement that users from a specific group need to be logged out, when they are running queries for more than say 20 mins.
    I could get the list of users from that group and could get the list of active sessions on the application, but I get too many info there like connection IP request state etc. and if I spool it to a file, output is not very easy to format to select what's required, rather I have to write lot of shell scripting to format the file.
    So my question here is to know if there's a MAXL script or any other method through which I can just get only couple of columns from the "display session on application <app name>" that I require for my work like username, session ID, DB connect time, and request time.

    There are a number of ways to accomplish this, but AFAIK none of them is straightforward like writing a script to accomplish the task.
    This could be accomplished quite readily with the Essbase API.
    Unfortunately, when Maxl outputs tabular data such as what comes out after DISPLAY SESSION ALL; - it comes out as all one big string with lots of spaces.
    So to parse that output you would need to use a language that can tokenize the text into a collection and parse that for the users.
    Then you need to do the same sort of thing after running DISPLAY USER IN GROUP ALL; (or instead of all, use a specific group name);
    Then run ALTER SYSTEM LOGOUT SESSION BY USER <parsed_username>;
    What would be ideal (hello Oracle... <wink> ) is a MAXL command ALTER SYSTEM LOGOUT SESSION BY GROUP <GroupName>;
    The way I would approach this would be to write a little utility that does exactly what you seek:
    - Scan the current sessions periodically (say, once every 5 mins)
    - for each user that belongs to group(s) <group>(<group>...)
    - if the user has an open query running longer than n minutes, kill the user request.
    This way you're not kicking people, you're just taking back resources. Of course you can be more aggressive and code it to kick the user by forcefully ending (invalidating) his session too.
    I can give you a hand with this offline if you want.

  • Remove user from multiple groups

    Hello everyone, first time posting here with a question and I apologize if I'm asking in the wrong location.
    To give an idea of what I'm attempting to do, I've recently been developing a vbscript that will take a nightly csv export from my student information system and either create or deactivate student accounts based upon their enrollment status.  I have
    this function working great now, another function I've been developing is to have accounts moved between OU's based upon the school building code assigned to students which I have working as well.  The problem I'm running into right now is having students
    removed from existing active directory groups when they move between OU's.  Essentially what I would like to do is have the script load the users group membership into an array and then remove any groups that end with STUDENTS, below is the code I have
    been working on to accomplish this but have literally hit a brick wall.  If it helps all my student groups for each location runs in this fashion.
    Any suggestions would be greatly appreciated.
    ' Student changing OU, so update their account to reflect the appropriate group memberships.
    Const ADS_PROPERTY_APPEND = 3   ' ADSI PutEx control codes; not predefined in a .vbs file
    Const ADS_PROPERTY_DELETE = 4
    Set UserObj = GetObject("WinNT://" & ADusrname) ' This must be hardcoded to a domain controller (not used below)
    strUserDN = DN                  ' Distinguished name of the student's user object
    ' strUserCN = (value not shown in the post)
    strGroupDN = varSchoolGroup     ' Distinguished name of the school group to check membership against
    ' Bind to the user object; memberOf is multi-valued, so read it with GetEx.
    Set objADObject = GetObject("LDAP://" & strUserDN)
    If Not funIsMember(objADObject, varSchoolGroup) Then
        objmemberOf = objADObject.GetEx("memberOf")
        For Each strMemberDN In objmemberOf
            ' Take the CN (first RDN, minus the "CN=" prefix) and test whether it ends with STUDENTS
            strCN = Mid(Split(strMemberDN, ",")(0), 4)
            If UCase(Right(strCN, 8)) = "STUDENTS" Then
                Set objGroupDelete = GetObject("LDAP://" & strMemberDN)
                objGroupDelete.PutEx ADS_PROPERTY_DELETE, "member", Array(strUserDN)
                objGroupDelete.SetInfo   ' PutEx only stages the change; SetInfo writes it to AD
                subUpdateLogFile studentcounter & " - Removed from student group " & strMemberDN, student_guid, student_username, student_fullname, "removed group"
            End If
        Next
        ' Add user to the new school group
        Set objGroup = GetObject(varSchoolGroup)
        objGroup.PutEx ADS_PROPERTY_APPEND, "member", Array(strUserDN)
        objGroup.SetInfo
        subUpdateLogFile studentcounter & " - Updated school group to " & student_schoolgroup_ldap, student_guid, student_username, student_fullname, "school group"
        updated = "yes"
    End If
    Any suggestions would be greatly appreciated.

    With Bill. This can be done with AD and PowerShell in a couple of lines for each item.
    You are taking an incorrect approach which is making this much harder than it needs to be. Your question is also hard to understand.
    Each AD user object obtained via ADSI will have a list of groups the account is a member of. You use this to remove the user from the group. How you choose this is up to you. You can use an array or a file. You can also just use OU-associated groups. A user then is added to all or some groups associated with the OU and removed from the groups associated with the OU by just returning the OU-associated group list from the OUs.
    Designing AD systems is a specialty. Once you fully understand the features and capabilities of AD these things are usually simple and painless. If the design is not done well they are painful and faulty.
    We can answer specific questions. Understanding the design and capabilities of AD is mostly up to you.
    Start with a tool that is designed to work well with AD like PowerShell. VBScript is only useful to those who are skilled with AD and scripting in VBScript. From your script we can see you are a beginner at both. Do yourself a favor and switch to PowerShell.
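    The "couple of lines" version of the poster's membership update, written with the ActiveDirectory module as an added example (not the poster's VBScript and not the replier's code). It keeps the same rule: if the student is not yet in the target school group, drop every current group whose name ends with STUDENTS, then add the school group. The student is identified by sAMAccountName and the school group by name; both are assumptions about how the nightly CSV export names things, and -WhatIf lets you dry-run a row before committing.

```powershell
# Added example (not the poster's VBScript): same logic with the AD module.
# Assumes the student is identified by sAMAccountName and the school group by name.
Import-Module ActiveDirectory

function Update-StudentGroups {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$SchoolGroup,
        [switch]$WhatIf
    )
    $user   = Get-ADUser  -Identity $SamAccountName -Properties memberOf
    $target = Get-ADGroup -Identity $SchoolGroup

    # Already in the right school group: nothing to change (mirrors the funIsMember check).
    if ($user.memberOf -contains $target.DistinguishedName) {
        Write-Verbose "$SamAccountName is already a member of $($target.Name)"
        return
    }

    # Current groups whose name ends with STUDENTS (case-insensitive match).
    $studentGroups = foreach ($dn in $user.memberOf) {
        $g = Get-ADGroup -Identity $dn
        if ($g.Name -match 'STUDENTS$') { $g }
    }

    foreach ($g in $studentGroups) {
        Remove-ADGroupMember -Identity $g -Members $user -Confirm:$false -WhatIf:$WhatIf
        Write-Output "Removed $SamAccountName from $($g.Name)"
    }

    Add-ADGroupMember -Identity $target -Members $user -WhatIf:$WhatIf
    Write-Output "Added $SamAccountName to $($target.Name)"
}

# Dry run for one student; drop -WhatIf to apply. Names are placeholders.
Update-StudentGroups -SamAccountName 'jdoe' -SchoolGroup 'NORTHSTUDENTS' -WhatIf
```

    Driving this from the nightly CSV is one Import-Csv piped into the function per row; the -WhatIf switch is worth leaving on for the first run, since the remove step touches every group matching the name rule.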

  • Bulk move users from one group to another in XI 3.1

    Hi all,
    I have a group that contains approximately 20,000 users. I now need to move around 7,500 of these users into a different group.
    How can I do this programmatically in bulk, as I don't want to go through and manually change the groups of 7,500 users?

    Hi Christian,
    Assuming you would need to move users from one group to another and remove them from the previous group, you could use the attached Java code.
    To run the code, you would need to save it as a .jsp file and paste it inside the AdminTools application context.
    The pre-requisite to run this code is to create a text file with all the 7500 user names in it. The text file should contain one user per line.
    You can get this information from Query Builder by running the below query:
    Select top 20000 si_name from ci_systemobjects where si_kind='user'
    Initially do it for 2-3 users to test the results.
    You would need to edit the jsp and modify these three lines:
    * Assign user to a group
    //Query for the group ID
    boQuery = "Select SI_ID From CI_SYSTEMOBJECTS Where SI_KIND='UserGroup' And SI_Name='UserGroup name'";
    Above, in SI_NAME, you would need to provide the user group name you want your users to be added to.
    if (boUserInfoObject.getGroups().remove(Group Id from which it has to be removed)) {
        out.print("User removed from group successfully. ");
    Above you would need to provide the ID of the group you want the users to be removed from (i.e. the current group from which you want them to be moved).
    * Path to file containing User names.
    final String USER_FILE_PATH = "<Path of txt file from which list of users will be imported>";
    Above you need to specify the path of the text file which contains all the user names.
    In case you require further assistance on SDKs, raise your concerns in the below space

  • Added user to SharePoint Group -- Not inheriting the groups rights

    I created a SharePoint 2013 Workflow, where a subsite is being created and after that, the workflow will create a Group with "full control" rights on the subsite. At the end, I add the workflow Initiator to the group. All is done by the REST Api
    like declared in many tutorials.
    Everything is working fine so far, I can Access the site, the group is there with correct privileges and it contains the desired user I am adding with the workflow.
    The strange thing happens when I try to surf on the site with that user from the group, because he has no rights at all. Even with "Check Permissions" under the site settings, there is no permission listed.
    Can anyone explain this to me? It feels like a bug to me, or did I forget to run something like an "update" command after adding the user?
    Many thanks in advance!

    I haven't seen this with SharePoint groups, but have seen similar behavior with AD groups. With AD groups it's a problem associated with the claims token timeouts. The solution there was to decrease the timeout for the claims token or wait 24 hours for the token to time out. I suggest waiting a day to see if the user shows up in Check Permissions tomorrow.
    Paul Stork SharePoint Server MVP
    Principal Architect: Blue Chip Consulting Group
    Twitter: Follow @pstork
    Please remember to mark your question as "answered" if this solves your problem.

  • Getting error while removing user from AD group

    In the AD User process definition, there is a default task called "Remove user from Group". This task runs after another task called "Organization Name Update". Whenever a user is moved from one org to another org, his organization gets updated in the AD user form and this task "Remove user from Group" runs. The work of this task is to remove the user from old groups. But the task is getting rejected and I see the below error in the log files.
    11/07/04 00:24:17 Data AccessException:
    11/07/04 00:24:17 com.thortech.xl.orb.dataaccess.tcDataAccessException: DB_READ_FAILEDDetail: SQL: select UD_ADUSRC_GROUPNAME from UD_ADUSRC where UD_ADUSRC_KEY = Description: ORA-00936: missing expression
    SQL State: 42000Vendor Code: 936Additional Debug Info:com.thortech.xl.orb.dataaccess.tcDataAccessException
    at com.thortech.xl.dataaccess.tcDataAccessExceptionUtil.createException(Unknown Source)
    at com.thortech.xl.dataaccess.tcDataBase.createException(Unknown Source)
    at com.thortech.xl.dataaccess.tcDataBase.readPartialStatement(Unknown Source)
    at com.thortech.xl.dataobj.tcDataBase.readPartialStatement(Unknown Source)
    at com.thortech.xl.dataaccess.tcDataSet.executeQuery(Unknown Source)
    at com.thortech.xl.dataobj.tcDataSet.executeQuery(Unknown Source)
    at com.thortech.xl.dataaccess.tcDataSet.executeQuery(Unknown Source)
    at com.thortech.xl.dataobj.tcDataSet.executeQuery(Unknown Source)
    at Source)
    at Source)
    at Source)
    at com.thortech.xl.adapterGlue.ScheduleItemEvents.adpADREMOVEUSERFROMGROUP.implementation(
    If anybody knows the solution for this then plz let me know.

    I think the mappings and all would be correct. Here is what Kevin meant:
    - Let's assume the AD user account is a part of GroupA, GroupB and GroupC
    - Now on Change Organization completion if you invoke Remove user from Group then the adapter/process task has no way to know that which 3 of those groups has to be removed (or all 3 for your case)
    - Alternatively if you use API's to remove the group then this task would be invoked by the original OIM process/triggers and so the actual value would be known to adapter/process task.

  • Adding Users from sharepoint into Active Directory Groups

    I have a requirement for an Approval Workflow where the approved user gets added to an AD group directly; I think 2-way sync is possible. plz help

    Out of the box, I really doubt that this is possible BUT it can more than likely be achieved via the Object Model.  A good discussion and some attached code can be seen here.
    Steven Andrews
    SharePoint Business Analyst: LiveNation Entertainment
    Twitter: Follow @backpackerd00d
    My Wiki Articles:
    CodePlex Corner Series
    Please remember to mark your question as "answered" if this solves (or helps) your problem.

  • Remove user from multiple Group

    Hi All,
    Can anyone help me on this?
    We have around 100 different SSLVPN AD security groups. Need a script or command to remove 790 users from all these groups.
    We have the list of users in an Excel sheet; we want to remove them from the groups only.
    Regards, Triyambak

    Just checking in to see if the suggestion was helpful. Please let us know if you would like further assistance.
    TechNet Subscriber Support
    If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback.
    Regards, Yan Li

  • Moving users from One Group to another

    Hi Guys,
    I am looking for a script which will allow me to move users from one AD group to another AD group. I have checked the scripts which are currently present. However, none of them is fixing my issue.
    I have different locations and users move from one location to another location, and the same thing happens as they get moved from one tower to another tower (like from Tower A to Tower B). Also users get promoted, and most of the time they are in bulk. We also have 2 domains, one is the parent and another is the child domain.
    So, I hope the above information is making sense. I am also completely new to PS, so after going through a lot of scripts I am asking for help on this. I hope I can get this sorted out as soon as possible as my work is piling up.

    You are asking a lot of questions about AD. Do you know how to do this in AD with AD tools?
    There is no magic way to guess at what you need. I recommend that you start by learning AD and PowerShell.  There are good resources here:

  • SP 2010-After adding user from IIS is not found in central admin

    Hi Experts,
    I am trying to configure my SP 2010 with Form Based Authentication.
    After configuring the website, STS and Central Admin, I added the user from IIS, but I am not able to find it from Central Admin in Forms Authentication.
    I checked in the database and the user is added.
    I followed the below blog.
    Can the experts help me with how to get the added user into Central Admin?

    I was finally able to get the FBA working. After many failed attempts, I knew there was a configuration issue which was causing the error.
    I provided connection string and provider details at 4 places, instead of the 3 mentioned  in various blogs around ->
    1. Sharepoint Central Admin
    2. Sharepoint Web Services
    3. SecurityTokenServiceApplication
    4. And finally the web application itself.
    The connection string for 2nd and 3rd will remain same however, provider details need to be added.
    After completing this step, I was able to login using Form Based Authentication without an issue.

  • Deleting user from Everyone group

    Has anyone done this?
    We have a business need to delete a user from the "Portal Everyone" group and I am not able to do it.
    I have tried to pull up the Everyone group to list the users in the said group, and the "Group" iView times out; also the number of users maxes out the cache.
    Further, the users in this could roughly total 40,000+.
    Thoughts I have range from the following:
    Is there any tweak I can make to the server's cache settings to handle that high a volume of users? What/where would I be doing something like that?
    Should I be doing this programmatically perhaps?
    Any light on the matter would be greatly appreciated.
    Lastly, is there an easier solution I am missing?

    Hi Ray,
    > Should I be doing this programatically perhaps?
    This maybe would be the fastest solution. Should be something about a five-liner. Use management engine - version 4.0/com/sap/security/api/igroup.html#removeusermember(java.lang.String) and save/commit.
    Hope it helps
    PS: Please consider rewarding points for helpful answers on SDN. Thanks in advance!

  • Unable to remove user from SharePoint Group using PowerShell

    I am trying to remove a user from a SharePoint Group using PowerShell.
    I can see the user in the Site Collection as part of the SharePoint Group, however, when I attempt to run the script, I get an error message stating "Can not find the user with ID: 10"
    Below is the PowerShell script that I am using:
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
    $url = ""   # site collection URL (left blank in the post)
    $userName = "spfarm\sp2013_svc"
    #$userName = "spfarm\spprofileimport"
    $site = New-Object Microsoft.SharePoint.SPSite($url)
    $web = $site.OpenWeb()
    $siteGroups = $web.SiteGroups
    $mySiteGroups = @()
    foreach ($group in $siteGroups) {
        Write-Host $group
        $mySiteGroups += $group
    }
    # Index the collection by group name; positions 0-2 assume the Members/Owners/Visitors order printed above
    $members  = $web.SiteGroups[$mySiteGroups[0].Name]
    $owners   = $web.SiteGroups[$mySiteGroups[1].Name]
    $visitors = $web.SiteGroups[$mySiteGroups[2].Name]
    #Remove the user from the specified SharePoint Group
    $spUser = Get-SPUser -Identity $userName -Web $url
    Write-Host $spUser.ID
    Remove-SPUser -Identity $spUser -Web $url -Group $owners
    Write-Host "User " $userName "removed from " $owners
    $web.Dispose()
    $site.Dispose()
    Please advise.

    I had to update the code to the following because Get-SPUser was not working properly:
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
    $url = ""   # site collection URL (left blank in the post)
    $userName = "spfarm\spprofileimport"
    $site = New-Object Microsoft.SharePoint.SPSite($url)
    $web = $site.OpenWeb()
    $siteGroups = $web.Groups
    $mySiteGroups = @()
    foreach ($group in $siteGroups) {
        Write-Host $group
        $mySiteGroups += $group
    }
    # Index the collection by group name; positions 0-2 assume the Members/Owners/Visitors order printed above
    $members  = $web.Groups[$mySiteGroups[0].Name]
    $owners   = $web.Groups[$mySiteGroups[1].Name]
    $visitors = $web.Groups[$mySiteGroups[2].Name]
    #Convert the user name to an SPUser account (adds it to the site collection if it is not there yet)
    $spUser = $web.Site.RootWeb.EnsureUser($userName)
    Write-Host $spUser.ID
    Remove-SPUser -Identity $spUser -Web $url -Group $owners
    Write-Host "User " $userName "removed from " $owners
    $web.Dispose()
    $site.Dispose()
    Was I not using Get-SPUser correctly?

  • Scheduling users from work group manager

    I am curious how much control you can have in scheduling users or groups as to when they can log on to a machine. I have a biology lab and I am wanting to implement group policies that would allow/disallow login based on user ID or group ID. Is anyone doing this with success? What I am thinking of doing in the future is to create users based on a text file, and then they will only be allowed to log in if they are in a certain section's hours. I think I could group the users into section groups and apply the schedule to the group.

    Hi RGrimmes,
    Based on your description, I understand that you want to deploy printers via Workgroup Manager. Please refer to the following articles and check if they can help you.
    Managed Client: How to manage printer options
    Managing printers via Workgroup Manager and MCX
    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this
    However, for Workgroup Manager software, I suggest that you should contact Apple Support or post the question in
    Apple Support Communities.
    Hope this helps.
    Best regards,
    Justin Gu
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

  • How to stop users not in any group and users from other groups accessing sites they have no permission to access on top link bar?

    Hello Community
    Using SharePoint 2010 Server and UI, a web application was created with subsites.
    The subsites have unique permissions and Owner, Member and Visitor groups.
    The problem is however even if a user does not exist in a group that user can access the top link bar/navigation bar and its sub sites.
    Also any user in any group can access any top link bar/navigation bar and its subsites.
    How do you enforce that if a user is not in a group they are denied access to the top link bar/navigation bar and its
    Thank you

    If you are using the built in SharePoint navigation links, SharePoint will automatically hide links to sites that a given user doesn't have access to.
    The problem is, it sounds to me like you have a fixed top link bar that lists the content and if a user doesn't have access, the link still shows up.
    You may want to look at how the top link bar was encapsulated in the design of the page.  If it isn't wrapped in the permissions provider code, that could be the problem.
    I trust that answers your question...
