Active Directory Security Group membership based on specific attribute


I'm trying to figure out if there's a way to create an AD security group and populate its members with user objects that have a specific attribute.

Example:

abc security group

User xyz has the attribute countrycode = 0

User cde has the attribute countrycode = 1

User fgh has the attribute countrycode = 1

I want to populate the abc security group with the users that have the attribute countrycode = 1, automatically.

The idea is that I've got thousands of users with countrycode = 1, and I don't want to have to add them, or remove them, manually. I'd like it so that if countrycode ever changes from 0 to 1 or from 1 to 0, they are automatically added to or removed from the abc security group.


Thanks,

Daniel



There is no way to do this automatically in Active Directory. As noted, you need to periodically run a script to enforce the group membership. The following example PowerShell script uses the AD cmdlets.

```powershell
# PowerShell script to put users in groups based on the value of the countryCode attribute.
Import-Module ActiveDirectory

# Specify the domain controller, so removes and adds are done on the same DC.
# This should be the DNS name of a DC in the domain.
$server = "dc001.mydomain.com"

# Hash table of countryCode values and group distinguished names.
$codes = @{
    "1" = "cn=group1,ou=west,dc=mydomain,dc=com";
    "2" = "cn=group2,ou=west,dc=mydomain,dc=com";
    "3" = "cn=group3,ou=west,dc=mydomain,dc=com";
    "4" = "cn=group4,ou=west,dc=mydomain,dc=com";
    "5" = "cn=group5,ou=west,dc=mydomain,dc=com";
}

# Loop through the countryCodes.
foreach ($country in $codes.Keys) {
    # Retrieve the corresponding group DN.
    $group = $codes[$country]

    # Find members of the group that no longer have the countryCode.
    # The query goes to the same DC as the writes, so results are not stale.
    $users = Get-ADUser -LDAPFilter "(&(!(countryCode=$country))(memberOf=$group))" -Server $server
    if ($users) {
        # Create an array of the DNs of the users to be removed from the group.
        $removeUsers = @()
        foreach ($user in $users) {
            $removeUsers += $user.DistinguishedName
        }
        # Remove the members of the group that no longer have the countryCode.
        Remove-ADGroupMember -Identity $group -Members $removeUsers `
            -Server $server -Confirm:$false
    }

    # Find users with the countryCode that are not yet members of the group.
    $users = Get-ADUser -LDAPFilter "(&(countryCode=$country)(!(memberOf=$group)))" -Server $server
    if ($users) {
        # Create an array of the DNs of the users to be added to the group.
        $addUsers = @()
        foreach ($user in $users) {
            $addUsers += $user.DistinguishedName
        }
        # Add these users to the group.
        Add-ADGroupMember -Identity $group -Members $addUsers -Server $server
    }
}
```


Richard Mueller - MVP Directory Services
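The same reconciliation written as a set-based function, added here as an example (not Richard's script): it computes the desired membership from the attribute query, the actual membership from the group, and applies only the difference, with -WhatIf for a dry run before a scheduled run. The group DN, countryCode value and DC name are assumed parameters; it also treats DN comparison as case-insensitive, which matters when membership and search results come back with different DN casing.

```powershell
# Added example: reconcile one group with the users whose countryCode matches.
# Assumes the ActiveDirectory module; group DN, code and DC are hypothetical parameters.
Import-Module ActiveDirectory

function Sync-CountryCodeGroup {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $GroupDN,
        [Parameter(Mandatory)] [int]    $CountryCode,
        [Parameter(Mandatory)] [string] $Server
    )

    # Desired members: every user object whose countryCode equals the value for this group.
    $desired = @(Get-ADUser -LDAPFilter "(countryCode=$CountryCode)" -Server $Server |
                 Select-Object -ExpandProperty DistinguishedName)

    # Actual members: direct user members only (nested groups and computers are left alone).
    $actual = @(Get-ADGroupMember -Identity $GroupDN -Server $Server |
                Where-Object { $_.objectClass -eq 'user' } |
                Select-Object -ExpandProperty distinguishedName)

    # Case-insensitive sets so "CN=x,OU=y" and "cn=x,ou=y" are the same DN.
    $cmp = [System.StringComparer]::OrdinalIgnoreCase
    $desiredSet = [System.Collections.Generic.HashSet[string]]::new([string[]]$desired, $cmp)
    $actualSet  = [System.Collections.Generic.HashSet[string]]::new([string[]]$actual,  $cmp)

    $toAdd    = @($desired | Where-Object { -not $actualSet.Contains($_) })
    $toRemove = @($actual  | Where-Object { -not $desiredSet.Contains($_) })

    # ShouldProcess honours -WhatIf/-Confirm, so the run can be rehearsed before it changes anything.
    if ($toRemove.Count -gt 0 -and
        $PSCmdlet.ShouldProcess($GroupDN, "Remove $($toRemove.Count) member(s)")) {
        Remove-ADGroupMember -Identity $GroupDN -Members $toRemove -Server $Server -Confirm:$false
    }
    if ($toAdd.Count -gt 0 -and
        $PSCmdlet.ShouldProcess($GroupDN, "Add $($toAdd.Count) member(s)")) {
        Add-ADGroupMember -Identity $GroupDN -Members $toAdd -Server $Server
    }

    # Summary object for the scheduled task's log.
    [pscustomobject]@{
        Group = $GroupDN; CountryCode = $CountryCode
        Added = $toAdd.Count; Removed = $toRemove.Count
    }
}

# Dry run with the thread's example group (hypothetical DN and DC), then drop -WhatIf to apply.
Sync-CountryCodeGroup -GroupDN 'CN=abc,OU=Groups,DC=mydomain,DC=com' -CountryCode 1 `
    -Server 'dc001.mydomain.com' -WhatIf
```

Run it once per managed group from the scheduled task; the returned Added/Removed counts make an unexpected bulk change easy to spot in the log.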





Windows Server  >  Directory Services


