Automating the Creation and Management of Groups

Creating Groups with Dsadd

The Dsadd command, introduced earlier, enables you to add objects to Active Directory. To add a group, type the command dsadd group GroupDN, where GroupDN is the DN of the group, such as "CN=SalesManagers,OU=Managers,DC=es-net,DC=co,DC=uk".

Be certain to surround the DN with quotes if the DN includes spaces. For example, to create a new global security group named Marketing in the Sales OU of the Es-net.co.uk domain, the command would be:
dsadd group "CN=Marketing,OU=Sales,DC=es-net,DC=co,DC=uk" -samid Marketing -secgrp yes -scope g

You can also provide the GroupDN parameter by one of the following ways:

  • By piping a list of DNs from another command such as Dsquery.
  • By typing each DN on the command line, separated by spaces.
  • By leaving the DN parameter empty, at which point you can type the DNs one at a time at the keyboard console of the command prompt.

When typing DNs at the console, press Enter after each DN, and press Ctrl+Z followed by Enter after the last DN. Because you can include more than one DN on the command line, separated by spaces, you can create multiple groups at once with Dsadd.

The Dsadd command can also configure group attributes of the groups you create with the following optional parameters:

  • -secgrp { yes | no } specifies the group type: security (yes) or distribution (no).
  • -scope { l | g | u } determines the group scope: domain local (l), global (g), or universal (u).
  • -samid Name specifies the sAMAccountName of the group. If not specified, the name of the group from its DN is used. It is recommended that the sAMAccountName and the group name be the same, so you do not need to include this parameter when using Dsadd.
  • -desc Description configures the group's description.
  • -members MemberDN … adds members to the group. Members are specified by their DNs in a space-separated list.
  • -memberof GroupDN … makes the new group a member of one or more existing groups. The groups are specified by their DNs in a space-separated list.

Importing Groups with CSVDE

Earlier you were introduced to CSVDE, which imports data from comma-separated values (.csv) files. It is also able to export data to a .csv file. The following example shows a .csv file that will create a group, Marketing, and populate the group with two initial members, Freda Smith and Fred Smith.
objectClass,sAMAccountName,DN,member
group,Marketing,"CN=Marketing,OU=Groups,DC=es-net,DC=co,DC=uk","CN=Freda Smith,OU=People,DC=es-net,DC=co,DC=uk;CN=Fred Smith,OU=People,DC=es-net,DC=co,DC=uk"

The objects listed in the member attribute must already exist in the directory service. Their DNs are separated by semicolons within the member column.

You can import this file into Active Directory by using the command:
csvde -i -f "Filename" [-k]

The -i parameter specifies import mode. Without it, CSVDE uses export mode. The -f parameter precedes the filename, and the -k parameter ensures that processing continues even if errors are encountered.
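As an added illustration (Python written for this lesson, not part of CSVDE or the original text), the following builds a CSVDE import file from constructed group data and reads it back. It shows why every DN must be a quoted field (DNs contain commas) and how the multi-valued member column is packed into one field with semicolons:

```python
import csv
import io

# Constructed sample data following the lesson's es-net.co.uk naming.
GROUP_DN = "CN=Marketing,OU=Groups,DC=es-net,DC=co,DC=uk"
MEMBER_DNS = [
    "CN=Freda Smith,OU=People,DC=es-net,DC=co,DC=uk",
    "CN=Fred Smith,OU=People,DC=es-net,DC=co,DC=uk",
]


def csvde_group_rows(groups):
    """Build CSVDE import text from (sAMAccountName, group DN, [member DNs]) tuples.

    Each DN contains commas, so csv.QUOTE_MINIMAL wraps it in double quotes;
    the multi-valued member attribute is ONE field whose values are joined by ';'."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_MINIMAL, lineterminator="\n")
    writer.writerow(["objectClass", "sAMAccountName", "DN", "member"])
    for samid, dn, members in groups:
        writer.writerow(["group", samid, dn, ";".join(members)])
    return buf.getvalue()


def parse_csvde(text):
    """Read the file back the way an importer would and split the member column
    into its individual DNs (empty member column -> empty list)."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["member"] = [m for m in row["member"].split(";") if m]
    return rows


if __name__ == "__main__":
    print(csvde_group_rows([("Marketing", GROUP_DN, MEMBER_DNS)]))
```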

Managing Groups with LDIFDE

LDIFDE, as you learned earlier, is a tool that imports and exports files in the Lightweight Directory Access Protocol Data Interchange Format (LDIF) format.

LDIF files are text files within which operations are specified by a block of lines separated by a blank line. Each operation begins with the DN attribute of the object that is the target of the operation.

The next line, changeType, specifies the type of operation: add, modify, or delete. The following LDIF file creates two groups, Finance and Research, in the Managers OU of the Es-net.co.uk domain:

dn: CN=Finance,OU=Managers,DC=es-net,DC=co,DC=uk
changetype: add
cn: Finance
description: Finance Users
objectClass: group
sAMAccountName: Finance

dn: CN=Research,OU=Managers,DC=es-net,DC=co,DC=uk
changetype: add
cn: Research
description: Research Users
objectClass: group
sAMAccountName: Research

Save the file with an .ldf extension, for example Groups.ldf. To import the groups into the directory, issue the Ldifde.exe command as shown here:
ldifde -i -f groups.ldf

Modifying Group Membership with LDIFDE

LDIFDE can also be used to modify existing objects in Active Directory, using LDIF operations with a changeType of modify. To add two members to the Finance group, the LDIF file would be:
dn: CN=Finance,OU=Managers,DC=es-net,DC=co,DC=uk
changetype: modify
add: member
member: CN=April Stewart,OU=Managers,DC=es-net,DC=co,DC=uk
member: CN=Mike Smith,OU=Managers,DC=es-net,DC=co,DC=uk
-

The changeType is set to modify, and then the change operation is specified: add objects to the member attribute. Each new member is then listed on a separate line that begins with the member attribute name.

The change operation is terminated with a line containing a single dash. Changing the third line to the following would remove the two specified members from the group:
delete: member
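As an added example (Python written for this lesson, not part of LDIFDE or the original text), the following generates both kinds of LDIF block described above, the add operation that creates a group and the modify operation that adds or deletes members, and checks the structural rules before the file is handed to ldifde -i: one blank line between operations and a single dash ending every modify block. The DNs are constructed in the lesson's es-net.co.uk naming:

```python
def ldif_add_group(dn, cn, description):
    """One 'add' operation creating a group: a block of attribute lines."""
    return "\n".join([
        f"dn: {dn}",
        "changetype: add",
        "objectClass: group",
        f"cn: {cn}",
        f"sAMAccountName: {cn}",
        f"description: {description}",
    ])


def ldif_modify_members(group_dn, member_dns, op="add"):
    """One 'modify' operation that adds or deletes members of a group.
    The change operation must end with a line holding a single dash."""
    if op not in ("add", "delete"):
        raise ValueError("op must be 'add' or 'delete'")
    lines = [f"dn: {group_dn}", "changetype: modify", f"{op}: member"]
    lines += [f"member: {m}" for m in member_dns]
    lines.append("-")
    return "\n".join(lines)


def ldif_file(operations):
    """Join operations; ldifde treats a blank line as the operation separator."""
    return "\n\n".join(operations) + "\n"


def check_ldif(text):
    """Structural checks to run before 'ldifde -i': each block starts with dn:,
    carries exactly one changetype line, and modify blocks end with '-'."""
    problems = []
    for i, block in enumerate(text.strip().split("\n\n")):
        lines = block.split("\n")
        if not lines[0].lower().startswith("dn: "):
            problems.append(f"block {i}: does not start with dn:")
        ct = [l for l in lines if l.lower().startswith("changetype: ")]
        if len(ct) != 1:
            problems.append(f"block {i}: expected one changetype line")
        elif ct[0].split(": ", 1)[1].lower() == "modify" and lines[-1] != "-":
            problems.append(f"block {i}: modify block not terminated by '-'")
    return problems


if __name__ == "__main__":
    finance = "CN=Finance,OU=Managers,DC=es-net,DC=co,DC=uk"
    text = ldif_file([
        ldif_add_group(finance, "Finance", "Finance Users"),
        ldif_modify_members(finance, ["CN=April Stewart,OU=Managers,DC=es-net,DC=co,DC=uk"]),
    ])
    print(text, check_ldif(text))
```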

Retrieving Group Membership with Dsget

The Dsmod and Dsget commands discussed earlier are particularly helpful for managing the membership of groups. There is no option in the Active Directory Users and Computers snap-in to list all the members of a group, including nested members. You can see only direct members of a group on the group's Members tab. Similarly, there is no way to list all the groups to which a user or computer belongs, including nested groups. You can see only direct membership on the user's or computer's Member Of tab. The Dsget command enables you to retrieve a complete list of a group's membership, including nested members, with the following syntax:
dsget group "GroupDN" -members [-expand]

The expand option expands the membership of nested groups. Similarly, the Dsget command can be used to retrieve a complete list of groups to which a user or computer belongs, again by using the expand option in the following commands:
dsget user "UserDN" -memberof [-expand]
dsget computer "ComputerDN" -memberof [-expand]
The memberof option returns the value of the user's or computer's memberOf attribute, showing the groups to which the object directly belongs. By adding the expand option, those groups are searched recursively, producing an exhaustive list of all groups in the domain to which the user or computer belongs.
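To make the two directions of expansion concrete, here is an added Python model (written for this lesson, not part of Dsget) of -members -expand and -memberof -expand over a small constructed directory. The directory is a dictionary of group DN to direct member DNs; memberOf is derived by reversing that relation, and the walk visits each DN once so that circular nesting (Sales inside Marketing inside Sales in the sample) terminates:

```python
from collections import deque

# Constructed directory (not real data): group DN -> its direct member DNs.
# Users appear only as values. Sales and Marketing nest each other, a cycle
# that a naive recursive expansion would never finish walking.
DIRECTORY = {
    "CN=Sales,OU=Managers,DC=es-net,DC=co,DC=uk": [
        "CN=Mike Jones,OU=Managers,DC=es-net,DC=co,DC=uk",
        "CN=Marketing,OU=Managers,DC=es-net,DC=co,DC=uk",
    ],
    "CN=Marketing,OU=Managers,DC=es-net,DC=co,DC=uk": [
        "CN=Freda Smith,OU=People,DC=es-net,DC=co,DC=uk",
        "CN=Sales,OU=Managers,DC=es-net,DC=co,DC=uk",
    ],
    "CN=Finance,OU=Managers,DC=es-net,DC=co,DC=uk": [
        "CN=April Stewart,OU=Managers,DC=es-net,DC=co,DC=uk",
    ],
}


def _reachable(start, edges):
    """Breadth-first walk over edges (dn -> [dn]). Every DN is visited once,
    so circular nesting terminates and nothing is reported twice."""
    seen, out, queue = {start}, [], deque(edges.get(start, []))
    while queue:
        dn = queue.popleft()
        if dn in seen:
            continue
        seen.add(dn)
        out.append(dn)
        queue.extend(edges.get(dn, []))  # a user DN has no entry: leaf
    return out


def members(group_dn, expand=False, directory=DIRECTORY):
    """Model of 'dsget group GroupDN -members [-expand]'."""
    if not expand:
        return list(directory.get(group_dn, []))
    return _reachable(group_dn, directory)


def memberof(object_dn, expand=False, directory=DIRECTORY):
    """Model of 'dsget user/computer DN -memberof [-expand]', built by
    reversing the member relation (memberOf is the back-link of member)."""
    parents = {}
    for group, member_dns in directory.items():
        for m in member_dns:
            parents.setdefault(m, []).append(group)
    if not expand:
        return list(parents.get(object_dn, []))
    return _reachable(object_dn, parents)
```

With expand set, the nested groups themselves appear in the output alongside the users reached through them, which is what an auditor wants when checking effective membership.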

Changing Group Membership with Dsmod

The Dsmod command was applied earlier to modify the scope and type of a group. The command's basic syntax is:
dsmod group "GroupDN" [options]
You can use options such as samid and desc to modify the sAMAccountName and description attributes of the group. Most useful, however, are the options that enable you to modify a group's membership:

  • -addmbr "Member DN" adds members to the group.
  • -rmmbr "Member DN" removes members from the group.

As with all DS commands, Member DN is the distinguished name of another Active Directory object, surrounded by quotes if the DN includes spaces. Multiple Member DN entries can be included, separated by spaces. For example, to add Mike Jones to the Sales group, the Dsmod command would be:
dsmod group "CN=Sales,OU=Managers,DC=es-net,DC=co,DC=uk" -addmbr "CN=Mike Jones,OU=Managers,DC=es-net,DC=co,DC=uk"

You can use Dsget in combination with Dsmod to copy group membership. In the following example, the Dsget command is used to get the DNs of all the members of the Sales group and then, by piping that list to Dsmod, to add those users to the Marketing group:
dsget group "CN=Sales,OU=Managers,DC=es-net,DC=co,DC=uk" -members | dsmod group "CN=Marketing,OU=Managers,DC=es-net,DC=co,DC=uk" -addmbr

Moving and Renaming Groups with Dsmove

The Dsmove command enables you to move or rename an object within a domain. You cannot use it to move objects between domains. Its basic syntax is:
dsmove ObjectDN [-newname NewName] [-newparent TargetOUDN]
The object is specified by using its distinguished name in the ObjectDN parameter. To rename the object, specify its new common name as the value of the newname parameter. To move an object to a new location, specify the distinguished name of the target container as the value of the newparent parameter. For example, to change the name of the Marketing group to Public Relations, type:

dsmove "CN=Marketing,OU=Managers,DC=es-net,DC=co,DC=uk" -newname "Public Relations"
To then move that group to the Marketing OU, type:
dsmove "CN=Public Relations,OU=Managers,DC=es-net,DC=co,DC=uk" -newparent "OU=Marketing,DC=es-net,DC=co,DC=uk"

You can also move or rename a group in the Active Directory Users And Computers snap-in by right-clicking the group and choosing Move or Rename from the context menu.

Deleting Groups with Dsrm

Dsrm can be used to delete a group or any other Active Directory object. The basic syntax of Dsrm is:
dsrm ObjectDN … [-subtree [-exclude]] [-noprompt] [-c]
The object is specified by its distinguished name in the ObjectDN parameter. You will be prompted to confirm the deletion of each object unless you specify the noprompt option. The -c switch puts Dsrm into continuous operation mode, in which errors are reported, but the command keeps processing additional objects. Without the -c switch, processing halts on the first error.
To delete the Public Relations group, type:

dsrm "CN=Public Relations,OU=Marketing,DC=es-net,DC=co,DC=uk"
You can also delete a group in the Active Directory Users And Computers snap-in by right-clicking the group and choosing the Delete command.

Managing Group Membership with Windows PowerShell and VBScript

In both VBScript and Windows PowerShell, there are several ways to manipulate group membership—a group’s member attribute—but the most common and effective involve these steps:

  1. Determine the ADsPath of the member. The ADsPath takes the form LDAP://<DN of member>.
  2. Connect to the group.
  3. Use the Add or Remove method of the group object, specifying the ADsPath of the member.

A Windows PowerShell script that adds Mike Jones to the Research group would, therefore, be:
# ADsPath of the member to add
$MemberADSPath = "LDAP://CN=Mike Jones,OU=People,DC=es-net,DC=co,DC=uk"
# Bind to the group object through the [ADSI] type accelerator
$objGroup = [ADSI]"LDAP://CN=Research,OU=Groups,DC=es-net,DC=co,DC=uk"
# Add takes the member's ADsPath (no space between the method name and the parenthesis)
$objGroup.Add($MemberADSPath)

In VBScript, the script would be:
' ADsPath of the member to add
MemberADSPath = "LDAP://CN=Mike Jones,OU=People,DC=es-net,DC=co,DC=uk"
' Bind to the group object
Set objGroup = GetObject("LDAP://CN=Research,OU=Groups,DC=es-net,DC=co,DC=uk")
objGroup.Add MemberADSPath

To remove members, use the Remove method instead of the Add method. The remainder of each script remains the same.