Scripting Group membership

I have an ODM that has just been added to AD. I have OD groups that I now need to add AD members to, to push MCX down to my clients. The problem is that if I do it from WGM I'm only able to do one member at a time. This is not so bad when I have to do it to groups with about ten members, but it gets REALLY boring when I have groups with a large number of users. Seems this would be a great task to do from a script; has anyone done this, or could anyone lead me to some info on how to do it?

Thanks for the reply.
Will dseditgroup work with AD? After reading the man page for it I tried,
dseditgroup -o read -n /Active\ Directory/All\ Domains/ testgroup
*testgroup= Group we created in AD with about five users in it.
After I hit enter the shell returns with nothing, not even an error. Do I have the syntax wrong, or can I not use dseditgroup to read group membership from an AD group?

Similar Messages

  • Report of Groups owned along with group memberships for each group, all in a single .csv file

    Hello all,
    What I'm trying to do is generate a report of all groups owned by a specific user, along with the group memberships, and output it all to a single .csv file. In the .csv file, I would like to have the group names as the column headers, and underneath the group name, list all the members of the group down through the column. So for example, if User1 owns 3 groups, the output would look like:
    What I'm having trouble with is outputting the objects to the .csv using New-Object psobject, and I'm starting to wonder if there is an easier way to do this and my brain is just fried.
    Any ideas?

    OK so I can try and give some code here, but I'm asking more of a concept question about how PowerShell builds objects so I'm not sure it will help....
    $User = "User1"
    get-adgroup -filter {managedby -eq $user} -pr member | %{
        $_.name     # group name
        $_.member   # member DNs, one per line
    }
    OK so this is a simple script that outputs a group name followed by the membership, all in a single column. What I would like is for the group names to each be the header of a column, and have the membership listed underneath. For example:
    Is this possible in PowerShell?
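The column-per-group layout asked for above can be built by collecting each group's members into a list and then emitting one row per index. This is an added example, not the poster's script; it assumes the ActiveDirectory module and that managedBy holds the manager's distinguishedName, so the user is resolved to a DN before filtering.

```powershell
# Added example: pivot group membership into a CSV where every group managed by a
# user is a column and its members run down that column.
Import-Module ActiveDirectory

function Get-ManagedGroupMembershipTable {
    param(
        [Parameter(Mandatory)][string]$ManagerSamAccountName
    )
    # managedBy stores a DN, so resolve the user first rather than filtering on the name.
    $managerDn = (Get-ADUser -Identity $ManagerSamAccountName).DistinguishedName
    $groups = Get-ADGroup -Filter "managedBy -eq '$managerDn'"

    # Ordered hashtable: group name -> array of member sAMAccountNames (direct members only).
    $columns = [ordered]@{}
    foreach ($g in $groups) {
        $members = @(Get-ADGroupMember -Identity $g |
                     Select-Object -ExpandProperty SamAccountName |
                     Sort-Object)
        $columns[$g.Name] = $members
    }
    if ($columns.Count -eq 0) { return @() }

    # The longest member list decides how many rows the table needs.
    $rowCount = 0
    foreach ($list in $columns.Values) {
        if ($list.Count -gt $rowCount) { $rowCount = $list.Count }
    }

    # One object per row; a group with fewer members gets an empty cell in that row.
    for ($i = 0; $i -lt $rowCount; $i++) {
        $row = [ordered]@{}
        foreach ($name in $columns.Keys) {
            $row[$name] = if ($i -lt $columns[$name].Count) { $columns[$name][$i] } else { '' }
        }
        [pscustomobject]$row
    }
}

# Group names become the CSV header row; members fill the columns beneath them.
Get-ManagedGroupMembershipTable -ManagerSamAccountName 'User1' |
    Export-Csv -Path .\User1-groups.csv -NoTypeInformation
```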

  • Unable to edit Distribution Group membership via Outlook (works via ECP).

    SITUATION: I am attempting to enable the ability for specified users to edit the membership of Exchange 2010 distribution groups via Outlook 2010. I have configured permissions via RBAC for them to be able to do this by following the instructions and running the script found here:
    http://msexchangeteam.com/archive/2009/11/18/453251.aspx
    After running the script, users specified as group managers are able to edit group membership through the ECP. But when they attempt to do so via Outlook, they receive the same message that they would see if the permission to edit group membership was not enabled:
    "Changes to the public group membership cannot be saved.  You do not have sufficient permission to perform this operation on this object."
    QUESTION: Does anyone have any idea as to why we are still unable to edit group membership via Outlook, when all the permissions appear to be enabled for doing so?

    Click Start, point to All Programs, point to Exchange Server 2010, and then click Exchange Management Shell.
    At the command prompt, run the following cmdlet:
    New-RoleGroup DistributionGroupManagement -Roles "Distribution Groups"
    At the command prompt, run the following cmdlet:
    Add-RoleGroupMember DistributionGroupManagement -Member <UserName>
    Open Outlook and try to remove from your distribution list those members that you could not remove before.

  • Mapping shares based on ADS Group membership

    Hello,
    I am a pc person and do not know much about Macs. I have been charged to find a way to attach all of our new macs to our Active Directory. I have been able to bind a test machine to the directory and get the home share. Now the "higher ups" want the macs to mimic a pc in logon. They want the mac to map all the shares based on group membership at login. Some of these people connect to 4 to 5 different shares depending on their job duties.
    I have looked online and all the questions/answers like this seem to end at binding to the ADS and getting a home share. I need to go one step further. Any help would be greatly appreciated.

    Logon scripts, not Active Directory, are typically used to map drives to Windows computers at login. You assign a script to a user via Active Directory.
    Macs can't be administered from Active Directory and therefore can't use the logon scripts from Active Directory, so you'll need a different solution. The Workgroup Manager from Mac OS X Server used with Active Directory in a Golden Triangle is a common solution. It does require a Mac OS X Server.
    You won't find many other options, if any.
    Hope this helps! bill
    1 GHz Powerbook G4   Mac OS X (10.4.8)  

  • Read group membership for a user object and populate every group with matching user from another domain

    I have LON\JSmith in LON domain and DEL\JimSmith in DEL domain
    I would like to extract group memberships of LON\JSmith in LON domain and append matching by email (i.e. DEL\JimSmith) user object in every group in LON domain.
    for instance
    LON\JSmith and DEL\JimSmith is the same person and has same email address [email protected]
    LON\JSmith belongs to 3 groups - LON\localadmingroup;LON\univdesktop;LON\globalsurvey
    The outcome of the script should be
    LON\JSmith; DEL\JimSmith    should be in 3 groups - LON\localadmingroup;LON\univdesktop;LON\globalsurvey.
    How can I do it?
    Navgup

    Hi Navgup,
    Please refer to the script below, to query users in other domain by specifying the parameter "-Server" in the cmdlet "get-aduser", and also note I haven't tested the script below:
    import-module activedirectory
    get-adgroupmember "group"|foreach{
    $email=(get-aduser $_.samaccountname -properties *).EmailAddress#get the user email
    Get-ADUser -filter {EmailAddress -eq $email} -properties * -server DomainB.company.com|select samaccountname, memberof}#filter user name and group with the email in other domain
    To get users across domain, please also refer this blog:
    Adding/removing members from another forest or domain to groups in Active Directory:
    http://blogs.msdn.com/b/adpowershell/archive/2010/01/20/adding-removing-members-from-another-forest-or-domain-to-groups-in-active-directory.aspx?Redirected=true
    I hope this helps.
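Carrying the reply's idea through to the actual membership copy, here is an added example (not the replier's untested script) that reads LON\JSmith's groups, finds the DEL account with the same e-mail address via -Server, and adds it to each group. Domain controllers lon.example.com and del.example.com are placeholder names; it assumes the ActiveDirectory module and a trust between the domains.

```powershell
# Added example: copy one user's group memberships to the matching user in another domain.
Import-Module ActiveDirectory

function Copy-GroupMembershipToForeignUser {
    param(
        [Parameter(Mandatory)][string]$SourceSam,      # e.g. 'JSmith'
        [Parameter(Mandatory)][string]$SourceDomain,   # e.g. 'lon.example.com' (placeholder)
        [Parameter(Mandatory)][string]$TargetDomain,   # e.g. 'del.example.com' (placeholder)
        [switch]$Apply                                 # without -Apply only a report is produced
    )
    $src = Get-ADUser -Identity $SourceSam -Server $SourceDomain -Properties EmailAddress, MemberOf
    if (-not $src.EmailAddress) { throw "$SourceSam has no e-mail address to match on" }

    # Locate the matching account in the other domain by e-mail and insist on exactly one hit,
    # so a duplicated address cannot silently grant groups to the wrong account.
    $mail = $src.EmailAddress
    $candidates = @(Get-ADUser -Filter "EmailAddress -eq '$mail'" -Server $TargetDomain)
    if ($candidates.Count -ne 1) {
        throw "Expected exactly one $TargetDomain user with $mail, found $($candidates.Count)"
    }
    $target = $candidates[0]

    foreach ($groupDn in $src.MemberOf) {
        $group = Get-ADGroup -Identity $groupDn -Server $SourceDomain -Properties Members
        # Only domain-local and universal groups may hold members from another domain.
        if ($group.GroupScope -eq 'Global') {
            Write-Warning "Skipping $($group.Name): global groups cannot contain $TargetDomain members"
            continue
        }
        if ($group.Members -contains $target.DistinguishedName) {
            Write-Verbose "$($target.SamAccountName) is already in $($group.Name)"
            continue
        }
        [pscustomobject]@{
            Group  = $group.Name
            Scope  = $group.GroupScope
            Member = "$TargetDomain\$($target.SamAccountName)"
        }
        if ($Apply) {
            # Pass the ADUser object rather than a name string so the cmdlet can resolve the
            # foreign principal; the write goes to a DC of the group's own domain.
            Add-ADGroupMember -Identity $group -Members $target -Server $SourceDomain
        }
    }
}

# Dry run first; add -Apply once the report shows only the expected groups.
Copy-GroupMembershipToForeignUser -SourceSam 'JSmith' `
    -SourceDomain 'lon.example.com' -TargetDomain 'del.example.com'
```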

  • Extracting user group membership to a spreadsheet - tip?

    Hello,
    This is a tip that works for me.
    Sometimes I need to extract the Group Membership names for a user or users.
    What I do is have PTSpy running when I find their name from an administrative search. Clicking on the user name opens up the EDIT USER page where you can see the users groups.
    At this point look in PTSpy for the line:
    Create query: '/* QUERY_DYNAMIC_USERGROUPS:ANSI */ SELECT DISTINCT(a.ObjectID), a.Name, a.IsLocalized      FROM PTUSERGROUPS a, PTUSERLINKS b      WHERE a.ObjectID=b.GroupID           AND b.UserID=?           AND (b.ISSTATIC=? AND b.ISDYNAMIC=?) ORDER BY a.ObjectID DESC'
    followed by 3 lines:
    setInt, index: 0, value: 0001. <--user ID
    setInt, index: 0, value: 1. <--Static Group Membership
    setInt, index: 0, value: 0. <--Dynamic
    Copy and drop that into SQL Query Analyser, plug in the value provided and save it to a spreadsheet or just copy and paste it.
    If you want to find dynamic groups, there is a similar query in the PTSpy log: look for /*QUERY_DYNAMIC_USERGROUPS:ANSI in the PTSpy log.
    If anyone has anything else to add - please do!
    Thanks,
    V
    Computers are like Old Testament gods; lots of rules and no mercy. ~Joseph Campbell

    Hi,
    To identify members of a local group by using a command line, refer to:
    1. Open Command Prompt.
    2. To list members of a group, type: net localgroup "groupname"
    Note: You must include the quotation marks.
    For example, export the members of the local group Administrators to a text file named group.txt, refer to:
    net localgroup "Administrators" > C:\group.txt
    You can also write a script as you want.
    Best Regards,
    Nina Liu
    TechNet Subscriber Support in forum

    Thanks, this does seem to work. It does seem that just copying the command does not work because of the quotes, and that you have to manually type the quotation marks into the command prompt; I'm thinking they are picked up as a different character when you copy and paste from an HTML page or other document.

  • PowerShell: AD Group Membership

    Is it possible to generate group membership for all groups in AD, b member of that group?
    Thanks
    *alex

    One good thing about using DirectoryServices.DirectorySearcher in PowerShell is that the syntax is so similar to similar VBScript programs using ADODB. The first program in VBScript would be as follows:
    Option Explicit
    Dim adoCommand, adoConnection, strBase, strFilter, strAttributes
    Dim objRootDSE, strDNSDomain, strQuery, adoRecordset, strName, strDN
    Dim strLine, arrMembers, strMember
    ' Setup ADO objects.
    Set adoCommand = CreateObject("ADODB.Command")
    Set adoConnection = CreateObject("ADODB.Connection")
    adoConnection.Provider = "ADsDSOObject"
    adoConnection.Open "Active Directory Provider"
    Set adoCommand.ActiveConnection = adoConnection
    ' Search entire Active Directory domain.
    Set objRootDSE = GetObject("LDAP://RootDSE")
    strDNSDomain = objRootDSE.Get("defaultNamingContext")
    strBase = "<LDAP://" & strDNSDomain & ">"
    ' Filter on group objects.
    strFilter = "(objectCategory=group)"
    ' Comma delimited list of attribute values to retrieve.
    strAttributes = "distinguishedName,sAMAccountName,member"
    ' Construct the LDAP syntax query.
    strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
    adoCommand.CommandText = strQuery
    adoCommand.Properties("Page Size") = 200
    adoCommand.Properties("Timeout") = 30
    adoCommand.Properties("Cache Results") = False
    ' Run the query.
    Set adoRecordset = adoCommand.Execute
    ' Enumerate the resulting recordset.
    Do Until adoRecordset.EOF
        ' Retrieve values and display.
        strDN = adoRecordset.Fields("distinguishedName").Value
        strName = adoRecordset.Fields("sAMAccountName").Value
        strLine = """" & strDN & """,""" & strName & """"
        arrMembers = adoRecordset.Fields("member").Value
        If Not IsNull(arrMembers) Then
            For Each strMember In arrMembers
                strLine = strLine & ",""" & strMember & """"
            Next
        End If
        Wscript.Echo strLine
        ' Move to the next record in the recordset.
        adoRecordset.MoveNext
    Loop
    ' Clean up.
    adoRecordset.Close
    adoConnection.Close
    The second program, where sAMAccountName's are substituted for member DN's, would be as follows:
    Option Explicit
    Dim adoCommand, adoConnection, strBase, strFilter, strAttributes
    Dim objRootDSE, strDNSDomain, strQuery, adoRecordset, strName, strDN
    Dim strLine, arrMembers, strMember, objMemberList
    ' Setup ADO objects.
    Set adoCommand = CreateObject("ADODB.Command")
    Set adoConnection = CreateObject("ADODB.Connection")
    adoConnection.Provider = "ADsDSOObject"
    adoConnection.Open "Active Directory Provider"
    Set adoCommand.ActiveConnection = adoConnection
    ' Search entire Active Directory domain.
    Set objRootDSE = GetObject("LDAP://RootDSE")
    strDNSDomain = objRootDSE.Get("defaultNamingContext")
    strBase = "<LDAP://" & strDNSDomain & ">"
    ' Retrieve all users, groups, and computers.
    strFilter = "(|(objectCategory=user)(objectCategory=group)(objectCategory=computer))"
    ' Comma delimited list of attribute values to retrieve.
    strAttributes = "distinguishedName,sAMAccountName"
    ' Dictionary object (hash table).
    Set objMemberList = CreateObject("Scripting.Dictionary")
    objMemberList.CompareMode = vbTextCompare
    ' Construct the LDAP syntax query.
    strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
    adoCommand.CommandText = strQuery
    adoCommand.Properties("Page Size") = 200
    adoCommand.Properties("Timeout") = 30
    adoCommand.Properties("Cache Results") = False
    ' Run the query.
    Set adoRecordset = adoCommand.Execute
    ' Enumerate the recordset.
    Do Until adoRecordset.EOF
        ' Retrieve values and display.
        strDN = adoRecordset.Fields("distinguishedName").Value
        strName = adoRecordset.Fields("sAMAccountName").Value
        ' Skip contacts.
        If (strName <> "") Then
            objMemberList.Add strDN, strName
        End If
        ' Move to the next record in the recordset.
        adoRecordset.MoveNext
    Loop
    ' Recordset must be closed before it can be opened again.
    adoRecordset.Close
    ' Filter on all group objects.
    strFilter = "(objectCategory=group)"
    ' Comma delimited list of attribute values to retrieve.
    strAttributes = "distinguishedName,sAMAccountName,member"
    ' Construct the LDAP syntax query.
    strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
    adoCommand.CommandText = strQuery
    ' Run the query.
    Set adoRecordset = adoCommand.Execute
    ' Enumerate the resulting recordset.
    Do Until adoRecordset.EOF
        ' Retrieve values and display.
        strDN = adoRecordset.Fields("distinguishedName").Value
        strName = adoRecordset.Fields("sAMAccountName").Value
        strLine = """" & strDN & """,""" & strName & """"
        arrMembers = adoRecordset.Fields("member").Value
        If Not IsNull(arrMembers) Then
            For Each strMember In arrMembers
                If (objMemberList.Exists(strMember) = True) Then
                    ' Substitute the sAMAccountname from dictionary object.
                    strLine = strLine & ",""" & objMemberList(strMember) & """"
                Else
                    ' Use the Distinguished Name.
                    strLine = strLine & ",""" & strMember & """"
                End If
            Next
        End If
        Wscript.Echo strLine
        ' Move to the next record in the recordset.
        adoRecordset.MoveNext
    Loop
    ' Clean up.
    adoRecordset.Close
    adoConnection.Close
    Richard Mueller - MVP Directory Services

  • Export Users data with group membership

    Hey Guys,
    I'm using csvde to export users data for management reports.
    I'm asked to add to the exported data the group membership of the users and I'm having problem doing that.
    My current script is:
    csvde.exe -s 192.168.xx.xx -d "ou=CS,dc=Domain,dc=com" -r objectClass=user -l "Company,DisplayName,sAMAccountName,title,lastlogon,pwdLastSet" -f c:\usersonly-Users.csv
    Can anyone help me add a column with the groups the user is a member of?
    Thanks
    Nir 

    Add the memberOf attribute to the list of attribute values to retrieve.
    Richard Mueller - MVP Directory Services
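With csvde the memberOf column comes out as raw group DNs. As an added example (not the thread's own command) this PowerShell equivalent of the csvde export above reduces each DN to the group's CN and joins them into one semicolon-separated column; it assumes the ActiveDirectory module and the same OU as the csvde command.

```powershell
# Added example: user export with a readable "member of" column.
Import-Module ActiveDirectory

function Export-UserReportWithGroups {
    param(
        [Parameter(Mandatory)][string]$SearchBase,
        [Parameter(Mandatory)][string]$Path
    )
    # LastLogonDate is derived from lastLogonTimestamp (replicated, up to ~14 days stale),
    # unlike the per-DC lastLogon attribute used by the csvde command.
    Get-ADUser -Filter * -SearchBase $SearchBase `
        -Properties Company, DisplayName, Title, LastLogonDate, PasswordLastSet, MemberOf |
    Select-Object Company, DisplayName, SamAccountName, Title, LastLogonDate, PasswordLastSet,
        @{ Name = 'MemberOf'; Expression = {
            # Keep only the CN of each group DN, cutting at the first unescaped comma so
            # names such as "CN=Smith\, John,OU=..." survive intact.
            ($_.MemberOf | ForEach-Object {
                ($_ -replace '^CN=', '') -replace '(?<!\\),.*$', ''
            }) -join ';'
        } } |
    Export-Csv -Path $Path -NoTypeInformation
}

# memberOf never lists the primary group (normally Domain Users); add it separately if needed.
Export-UserReportWithGroups -SearchBase 'ou=CS,dc=Domain,dc=com' -Path 'C:\usersonly-Users.csv'
```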

  • Get-Mailbox filter group membership

    I am trying to create a powershell script that reports on information for a set of mailboxes. How can I use the Get-mailbox command and filter by the group membership of the AD account connected to the mailbox? I just want a list of mailboxes from accounts that are in the VoicemailEnabled group.
    I know this isn't possible but to illustrate what I am trying to do:
    $mailboxes = Get-Mailbox -OrganizationalUnit "ou=Rooms,dc=contoso,dc=com" -Filter "Memberofgroup -eq 'VoicemailEnabled'"
    Any suggestions on how to do this?

    Unless I'm misunderstanding, this cmdlet does it for you: Get-DistributionGroupMember
    The above cmdlet doesn't have server-side filtering, because the members are actually only learned AFTER the group is returned.  So that means you'd have to do something like:
    Get-DistributionGroupMember group1 | where {$_.OrganizationalUnit -eq 'laptop.lab/Demo Users'}
    Mike Crowley | MVP

  • Local Groups Membership on All Servers in the Network

    Hi,
    I have about 150 servers running Windows Server 2008 R2. Most of them are domain members but some are standalone (workgroup). There is only one Forest and one Domain.
    I need to generate a list/report with users names and group names that are member of local "Administrators" and "Remote Desktop Users" groups on every server in the network.
    I certainly don't want to log into each server one-by-one to generate reports. I might have to do that on Standalone servers, but at least I want to generate this remotely on all domain joined servers.
    Any ideas how it can be done? Windows PowerShell (I would need the script), some other built-in tool, or third-party tool.

    You can use the net localgroup <group> command to get local group membership. To run this remotely, you can use psexec. You can create a script that gets the list of domain-joined servers from AD and then runs psexec against them for data extraction.
    Ahmed MALEK
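The same report can be gathered from one workstation without psexec by reading each server's local groups through the ADSI WinNT provider. This is an added example, not the replier's approach; it assumes the ActiveDirectory module, RPC reachability to the servers, and an account that is allowed to enumerate their local groups.

```powershell
# Added example: members of the local Administrators and Remote Desktop Users groups on
# every domain-joined server, collected remotely over the WinNT provider.
Import-Module ActiveDirectory

function Get-RemoteLocalGroupMember {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [string[]]$GroupName = @('Administrators', 'Remote Desktop Users')
    )
    foreach ($computer in $ComputerName) {
        foreach ($groupName in $GroupName) {
            try {
                $group = [ADSI]"WinNT://$computer/$groupName,group"
                # Invoke('Members') returns COM objects; read their properties via reflection.
                foreach ($m in @($group.psbase.Invoke('Members'))) {
                    $class = $m.GetType().InvokeMember('Class',   'GetProperty', $null, $m, $null)
                    $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
                    # Path shape: WinNT://DOMAIN/name for domain principals,
                    # WinNT://DOMAIN/COMPUTER/name for accounts local to the server.
                    $parts = ($path -replace '^WinNT://', '') -split '/'
                    [pscustomobject]@{
                        Server  = $computer
                        Group   = $groupName
                        Member  = ($parts -join '\')
                        Type    = $class              # User or Group (nested groups are not expanded)
                        IsLocal = ($parts.Count -gt 2)
                    }
                }
            } catch {
                # Unreachable host or access denied: keep the row so the gap is visible in the report.
                [pscustomobject]@{
                    Server = $computer; Group = $groupName
                    Member = "ERROR: $($_.Exception.Message)"; Type = 'n/a'; IsLocal = $null
                }
            }
        }
    }
}

# Domain-joined Windows servers from AD; standalone (workgroup) servers must be listed by hand.
$servers = Get-ADComputer -Filter "OperatingSystem -like '*Server*' -and Enabled -eq 'True'" |
           Select-Object -ExpandProperty Name

Get-RemoteLocalGroupMember -ComputerName $servers |
    Export-Csv -Path .\local-group-members.csv -NoTypeInformation
```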

  • ACS 5.3 Group Mapping based on AD group membership

    Hi,
    I am configuring a new ACS 5.3 system. Part of the rules is that I want to match the user's specific AD group membership, and match appropriately to an identity group.
    What I'm trying to do is say that if the user is a member of the AD Group (G-CRP-SEC-ENG) then associate them with the Identity Group SEC-ENG. Then under the access service, authorization portion, I assign shell profiles and command sets based on Identity Group.
    It seems that the ACS server will not match the AD Group for the user, and it will match the Default of the Group Mapping portion of the policy every time.
    I tried several configuration choices from: AD1:ExternalGroups contains any <string showing in AD>, AD1:memberOf <group>.
    Is there something special I need to do in the Group Mapping Policy to get it to match an Active Directory group and result in assigning the host to an Identity Group?
    Thank you,
    Sami

    Ok, my case is like this.
    I use ACS 5.3 for VPN authentication, using AD and an external RSA for token authentication (2 factor authentication)
    I didn't add all the VPN users in the ACS, because it will be troublesome, the users authentication will be managed by AD and RSA server.
    In some cases where we need to restrict a group of user to only access certain resources, downloadable ACL is used.
    Following the Cisco docs, I managed to get downloadable ACL working when the authorization profile matching criteria is username, but when I change the matching criteria to Identity group, the downloadable ACL won't work.
    I have a case with a Cisco engineer now and am still in the middle of sorting things out.
    The advice from the Cisco engineer is to have the Access Service set to Internal User instead of RSA server, but that will require us (the admins) to import all the VPN users into the ACS database.
    Wondering whether there is a fix for this.
    Thanks.

  • Weblogic 10.3.0 -  Security Violation when Group Membership Lookup enabled

    Dear Admins,
    We're running a Weblogic 10.3.0 cluster with our own software deployed.
    We're using SQL authentication (JDBC to Oracle DB) to authenticate users.
    Recently we've been tuning our WL cluster to improve performance, and have enabled Group Membership Lookup Hierarchy Caching.
    Sometimes users log into our application and get insufficient rights (or some other error). This appears to happen at random. Most of the time they can log in without problems.
    We determined it's not something to do with the cluster, although it can happen on one node and the other node will work as normal.
    In the Managed server we see this error (with test user):
    Managed7Server.out00011:java.rmi.AccessException: [EJB:010160]Security Violation: User: 'test' has insufficient permission to access EJB: type=<ejb>, application=leanapps, module=process_general.jar, ejb=LaLifeProcessController, method=create, methodInterface=Home, signature={}.
    When we disable Group Membership Lookup Hierarchy Caching, this error never occurs.
    Our settings (Security Realms -> myrealm -> Providers -> SQL Authenticator -> Performance):
    Max Group Hierarchies In Cache: 5000 (we have approx. 2000 groups)
    Group Hierarchy Cache TTL: 3600
    provider specific settings :
    Group Membership Searching: unlimited
    Max Group Membership Search Level: 0
    Also in Myrealm -> Performance we have set :
    Enable WebLogic Principal Validator Cache
    Max WebLogic Principals In Cache: 5000
    If we put the TTL really low (default 60 seconds), the error hardly ever occurs. But we want to have a cache that lasts longer than one minute.
    This might be a bug, as we have other clusters running on WL 10.3.5, 12c where we use the same cache settings. This issue does not occur there.
    I'm more than willing to provide more info or config files.
    Edited by: user5974192 on 21-nov-2012 5:17

    This is fixed now. Someone had defined a Servlet for the web service in web.xml that was preventing the EJB container to kick in.
    Edited by: user572625 on Aug 25, 2011 11:54 PM

  • OIM: What is the purpose of "Update" while editing group memberships

    Hi,
    This is when you lookup a user's Resource Profile and go to "Edit" link. The process form shows up along with a drop down to edit the group memberships. When we select one of the choices such as "Groups" another window pops up where we could add more entires into the child form. In this form there is an "Update" column with a radio button besides a "Remove" column. What is the purpose of this "Update" column? We can add or delete child entries but what does update do? Is there a way to remove this selection altogether?
    Thanks in advance

    Update I can see used for cases where you have multiple columns on a child table entry and want to change one of them. Strictly speaking, you can update a single-column child table rather than delete and insert also. Access policies always do insert and delete actions, but you will want to implement an update task as well if you expect anyone to be editing child tables on resources directly.

  • OIM 9.1.0.2 Group Membership Removal for Disabled Users

    Hello
    In OIM 9.1.0.2, when a user is disabled, they are removed from the groups they are a member of within 24 hours. i was wondering if this is a set time and if so, can this be extended to a specified time so membership can be left for a week before it is removed from the user. If you can let me know on this I would appreciate it.
    Thanks
    Nick

    Today, when accounts are disabled, within 24 hours all the group memberships are removed on the OIM side. I would like to change the interval for the cleanup so that when an account is disabled, all the existing group (role) memberships stay assigned to the account, then after 30 days of the account being disabled, the group (role) memberships are removed. Not sure if this would be an ORM thing or OIM, but I think it would be OIM since ORM still has the role mappings for users when they are disabled.
    Thanks
    Nick

  • How to create LDAP filter-based rule to check Group membership in OAM

    Hi folks,
    I'm having a hard time creating an authorization rule to verify LDAP group membership. I've followed the "Configure User Authorization" article from the Oracle website (http://download.oracle.com/docs/cd/E10761_01/doc/oam.1014/b32420/v2authz.htm#BABHBFEJI) and created an Authorization scheme with ldap_attribute_name as User Parameter and ruleExpression as Required Parameter. Then, inside my policy I created an Authorization Rule based on my Authz scheme with an Allow Access attribute filter-based Rule which looks like this:
    ldap://ldap_server:port/ou=People,o=Company,c=US??sub?(ldap_attribute_name=ldap_attribute_value)
    This works fine.
    Now, I've added another filter-based rule under the same Authz Rule/Allow Access:
    ldap://ldap_server:port/ou=Groups,o=Company,c=US?uniqueMember?sub?(&(objectClass=groupOfUniqueNames)(cn=ldap_group_name))
    While the query looks somewhat correct and works as a command-line argument (slightly modified format), it does not work in OAM (meaning people without the required group membership can still log in).
    Can someone steer me in the right direction as to what I need to do:
    1. Change/fix the LDAP query
    2. Create a new Authz scheme with uniqueMember userParameter; create a new Authz rule based on the new authz scheme; create a new Allow Access filter rule with the LDAP query I have
    3. Do something else
    Any help is greatly appreciated.
    Thank you, Roman

    You can create two authorization rules
    First for user with attribute
    and second for group
    and then in authorization expression you can have AND of these two.
    Regarding your query...
    First... If your requirement is to give access to all the members of a particular group then you don't require any LDAP filters.
    All you have to do is in the authorization rule -> Allow access -> Select People (here you have to select group, so click on the group tab; it's a little hard to see but it's there in light blue color on a dark blue tab) -> select the group you want to give access to.
    Second... If your requirement is such that you want to give access to a member of a group which has a certain attribute, let's say a group with status active (in this case you are not aware of the name of the group because the user can be a member of any group, but you want to give access only to the group with a specific attribute), then you have to write a custom authorization plugin.
    If the option is second let me know i can give you a solution which will work for a single domain without any effort of developing a major plugin.
    Hope this helps,
    Sagar
