New Users --> specific group

Thread starter: Starbuck
When a new user is created, they are automatically added to
the "Domain Users" group. I would like to create (or modify) some
kind of a Group policy that also adds them to another group as
well, automatically.

Is this do-able?
If so, can someone point me in the right direction?

Thanks much,

*$

aa#2290
 
Re: New Users --> specific group

Copy another user or create a template to copy from.

- Bjarne



"Starbuck" <Starbuck@BogusDomain.com> wrote in message
news:eacra4l316hf2htvqvglk4l6ridtj53scn@4ax.com...
> When a new user is created, they are automatically added to
> the "Domain Users" group. I would like to create(or modify) some
> kind of a Group policy that also adds them to another group as
> well, automatically.
>
> Is this do-able?
> If so, can someone point me in the right direction?
>
> Thanks much,
>
> *$
>
> aa#2290
 
Re: New Users --> specific group

I think you mean OU, not group. You can specify the OU when creating a user
with dsadd:
dsadd user "cn=gstigers, ou=BigCoUsers, dc=BigCo, dc=com"
That is just a UserDN. There are quite a few other arguments you will want
and need to provide when creating a new user. See "dsadd user" at
http://technet.microsoft.com/en-us/library/cc731279.aspx.

You can also use CSVDE or LDIFDE.
______
Greg Stigers, MCSE
remember to vote for the answers you like
 
Re: New Users --> specific group

On Thu, 21 Aug 2008 16:17:09 -0400, "Greg Stigers"
<gregstigers+msnews@spamcop.net> wrote:

>I think you mean OU, not group. You can specify the OU when creating a user
>with dsadd:
>dsadd user "cn=gstigers, ou=BigCoUsers, dc=BigCo, dc=com"
>That is just a UserDN. There are quite a few other arguments you will want
>and need to provide when creating a new user. See "dsadd user" at
>http://technet.microsoft.com/en-us/library/cc731279.aspx.
>
>You can also use CSVDE or LDIFDE.
>______
>Greg Stigers, MCSE
>remember to vote for the answers you like
>


No, I do mean groups.

If I create a new user account, they are automatically added to the
"Domain Users" group by simply hitting the Add button.

But I also want them added to *another* group at the same time.
Without having to manually add them.


*$

aa#2290
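The following is an added example, not code from Starbuck, Greg or anyone else in the thread. It takes the LDIFDE route Greg mentions and turns the two manual steps (create the account, then add it to the extra group) into one generated import file, so the membership is applied in the same ldifde run as the creation and nobody has to remember it. The domain example.com, the OU paths, the "All Employees" group DN and the helper names are assumptions for illustration; the RDN escaping and the sAMAccountName check are there because the display name and logon name come from whoever fills in the form.

```python
"""Emit one LDIFDE import file that creates a user and adds it to a second
group in the same run.

Added example, not code from the thread. Domain, OU paths and the group DN
are assumptions for illustration. Import with:  ldifde -i -k -f newuser.ldf
"""
import base64
import re

# RFC 2849 safe-string: printable ASCII, not starting with space, ':' or '<'.
SAFE_LDIF = re.compile(r"^[\x21-\x39\x3b\x3d-\x7e][\x20-\x7e]*$")

# Characters AD rejects in sAMAccountName; user logon names are capped at 20.
SAM_FORBIDDEN = set('"/\\[]:;|=,+*?<>')


def ldif_line(attr, value):
    """Render 'attr: value', or 'attr:: <base64>' when the value is not an
    LDIF safe-string (leading space, non-ASCII, control characters, ...)."""
    if SAFE_LDIF.match(value) and not value.endswith(" "):
        return "%s: %s" % (attr, value)
    encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return "%s:: %s" % (attr, encoded)


def escape_rdn_value(value):
    """RFC 4514 escaping for an RDN value, so a display name such as
    'Doe, Jane' or 'x=y' cannot alter the DN it is embedded in."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;=' or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        elif ord(ch) < 0x20:
            out.append("\\%02X" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def valid_sam_account(name):
    """True if name is usable as a pre-Windows 2000 logon name for a user."""
    return 0 < len(name) <= 20 and not (set(name) & SAM_FORBIDDEN) and name.isprintable()


def new_user_ldif(display_name, sam_account, users_ou, group_dn, upn_suffix):
    """Return LDIF text: an 'add' record for the user followed by a 'modify'
    record that appends the new DN to group_dn's member attribute."""
    if not valid_sam_account(sam_account):
        raise ValueError("invalid sAMAccountName: %r" % sam_account)
    user_dn = "CN=%s,%s" % (escape_rdn_value(display_name), users_ou)
    user_record = [
        ldif_line("dn", user_dn),
        "changetype: add",
        "objectClass: user",
        ldif_line("sAMAccountName", sam_account),
        ldif_line("userPrincipalName", "%s@%s" % (sam_account, upn_suffix)),
        ldif_line("displayName", display_name),
        # 514 = NORMAL_ACCOUNT | ACCOUNTDISABLE. LDIFDE cannot set unicodePwd
        # over plain LDAP, so the account stays disabled until a password is set.
        "userAccountControl: 514",
    ]
    group_record = [
        ldif_line("dn", group_dn),
        "changetype: modify",
        "add: member",
        ldif_line("member", user_dn),
        "-",
    ]
    return "\n".join(user_record) + "\n\n" + "\n".join(group_record) + "\n"


if __name__ == "__main__":
    print(new_user_ldif("Doe, Jane", "jdoe",
                        "OU=Users,DC=example,DC=com",
                        "CN=All Employees,OU=Groups,DC=example,DC=com",
                        "example.com"))
```

Because the group change is a separate record in the same file, a failed user add leaves the group untouched; run ldifde with -k only if you want it to continue past errors, and check its log afterwards. The account is created disabled on purpose: the password has to be set by a separate, authenticated step.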
 
Re: New Users --> specific group

The idea to copy a template user (that is a member of your other group) is
the only solution I know of. However, you could make the Domain Users group
a member of your other group, which gives all users all of the permissions
granted to the other group (if that is the purpose).

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--

"Bjarne Duelund" <duelund (at) danbbs.dk> wrote in message
news:uFu6AW8AJHA.756@TK2MSFTNGP02.phx.gbl...
> Copy another user or create a template to copy from.
>
> - Bjarne
 
Re: New Users --> specific group

On Thu, 21 Aug 2008 14:00:30 -0700, Starbuck
<Starbuck@BogusDomain.com> wrote:

>On Thu, 21 Aug 2008 16:17:09 -0400, "Greg Stigers"
><gregstigers+msnews@spamcop.net> wrote:
>
>>I think you mean OU, not group. You can specify the OU when creating a user
>>with dsadd:
>>dsadd user "cn=gstigers, ou=BigCoUsers, dc=BigCo, dc=com"
>>That is just a UserDN. There are quite a few other arguments you will want
>>and need to provide when creating a new user. See "dsadd user" at
>>http://technet.microsoft.com/en-us/library/cc731279.aspx.
>>
>>You can also use CSVDE or LDIFDE.
>>______
>>Greg Stigers, MCSE
>>remember to vote for the answers you like
>>

>
>No, I do mean groups.
>
>If I create a new user account, they are automatically added to the
>"Domain Users" group by simply hitting the Add button.
>
>But I also want them added to *another* group at the same time.
>Without having to manually add them.
>
>
>*$
>
>aa#2290


Maybe I should back up here and explain myself. My issue
is actually more LDAP related and it sounds like you are
brushed up on the subject. My apologies if this is a bit long.

If you look at this article here:
http://support.microsoft.com/kb/275523

"When you view Active Directory with a Lightweight Directory Access
Protocol (LDAP) utility such as Ldp.exe, the Members attribute is not
populated with the Primary group."

Further:
"The memberof attribute of the user object is not populated with the
group name. This can cause problems if programs do not query Active
Directory for the PrimaryGroupID attribute, and only for the Members
attribute of the group. "


Now for reasons which have not been explained to me, our programmers
are unable (or perhaps unwilling) to query the PrimaryGroupID. They
expect to query the Members Attribute and determine if the user is
an employee or not.

So, my thought was to create a NEW group, call it something like
"All Employees" and then add all employees to the group. (Basically,
a copy of "domain users".) The advantage here is that this new group
would appear in the members attribute when querying LDAP, so long
as it isn't the primary group.

But we've got a couple junior admins here who are going to forget to
add new employees to the "All employees" group at the time the account
is created. And it's kind of a pain to have to remember...

So wouldn't it be nice if I could create a new user account and have
this new user automatically added to the "All employees" group at the
time of creation?

I hope this is a little more clear to you.
And thanks very much for your input.


*$

aa#2290
 
Re: New Users --> specific group


"Starbuck" <Starbuck@BogusDomain.com> wrote in message
news:1hmra4ldlnk9t1pednrcrt2q31652m2qod@4ax.com...
> Maybe I should back up here and explain myself. My issue
> is actually more LDAP related and it sounds like you are
> brushed up on the subject. My apologies if this is a bit long.
>
> If you look at this article here:
> http://support.microsoft.com/kb/275523
>
> "When you view Active Directory with a Lightweight Directory Access
> Protocol (LDAP) utility such as Ldp.exe, the Members attribute is not
> populated with the Primary group."
>
> Further:
> "The memberof attribute of the user object is not populated with the
> group name. This can cause problems if programs do not query Active
> Directory for the PrimaryGroupID attribute, and only for the Members
> attribute of the group. "
>
>
> Now for reasons which have not been explained to me, our programmers
> are unable (or perhaps unwilling) to query the PrimaryGroupID. They
> expect to query the Members Attribute and determine if the user is
> an employee or not.
>
> So, my thought was to create a NEW group, call it something like
> "All Employees" and then add all employees to the group. (Basically,
> a copy of "domain users".) The advantage here is that this new group
> would appear in the members attribute when querying LDAP, so long
> as it isn't the primary group.
>
> But we've got a couple junior admins here who are going to forget to
> add new employees to the "All employees" group at the time the account
> is created. And it's kind of a pain to have to remember...
>
> So wouldn't it be nice if I could create a new user account and have
> this new user automatically added to the "All employees" group at the
> time of creation?
>
> I hope this is a little more clear to you.
> And thanks very much for your input.
>
>
> *$
>
> aa#2290


You have the DN of a user, but don't know if the user is a member of Domain
Users. If every user is a member of Domain Users, then the fact that a user
has a DN implies they must be a member of the group. Or perhaps you have a
candidate DN and you aren't sure it is valid. Then attempt to bind to the
user object and trap the error if it fails. If the bind is successful, the
user is a member of Domain Users. If the bind fails, the user is not a
member. If you have a "pre-Windows 2000 logon name" (sAMAccountName) you can
use the NameTranslate object to convert to the DN. Again you trap the
possible error, because if there is no such user in the domain an error is
raised. If you retrieve a DN, then the user exists in the domain and is a
member of Domain Users. This assumes you never alter the primary group of
users (there is no reason to). For more on using NameTranslate see this
link:

http://www.rlmueller.net/NameTranslateFAQ.htm

Regarding the primaryGroupID. You can only determine this if you can bind to
the user object. If you bind to the user object, and find that the value of
primaryGroupID is 513, then you know the user is a member of Domain Users,
because that is always the value of the primaryGroupToken attribute of the
group Domain Users. There is no need to search for the group with this
value. There should be no problem retrieving primaryGroupID if you can bind
to the object, as it is single valued, indexed, replicated, not operational,
and in the GC. The primaryGroupToken attribute of groups is operational so
you need to know how to retrieve the value.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--
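As an added example (not code from the thread, from Microsoft or from Richard's site), the following models the behaviour Starbuck quotes from KB 275523 and that Richard's reply relies on: the primary group (primaryGroupID 513 for Domain Users) is never listed in the group's member attribute or the user's memberOf, and a group's primaryGroupToken is simply the RID of its objectSid, so the two can be matched without searching. It also shows why Richard's nesting idea (Domain Users inside another group) does not help an application that reads member alone, while a resolver that adds the primary group and expands nesting gets it right. The domain SID, the DNs, the objects and the function names are constructed sample data and assumptions, not LDAP results.

```python
"""Resolve a user's effective AD group membership, primary group included.

Added example, not from the thread. All objects below are constructed sample
data; the domain SID S-1-5-21-... is assumed.
"""
import struct


def make_sid(subauthorities):
    """Binary SID (revision 1, NT authority 5) in the layout objectSid uses."""
    subs = list(subauthorities)
    return (bytes([1, len(subs)]) + (5).to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def sid_to_string(sid):
    """objectSid bytes -> 'S-1-5-21-...' string form."""
    revision, count = sid[0], sid[1]
    authority = int.from_bytes(sid[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, sid, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def rid(sid):
    """Relative identifier (last sub-authority). For a group this equals the
    operational attribute primaryGroupToken."""
    return struct.unpack_from("<I", sid, 8 + 4 * (sid[1] - 1))[0]


# Constructed domain and objects.
DOMAIN = (21, 3623811015, 3361044348, 30300820)
JANE = "CN=Jane Doe,OU=Users,DC=example,DC=com"
SVC = "CN=svc-build,OU=Service,DC=example,DC=com"
DOMAIN_USERS = "CN=Domain Users,CN=Users,DC=example,DC=com"
ALL_EMPLOYEES = "CN=All Employees,OU=Groups,DC=example,DC=com"
VPN_USERS = "CN=VPN Users,OU=Groups,DC=example,DC=com"

USERS = {
    JANE: {"objectSid": make_sid(DOMAIN + (1105,)), "primaryGroupID": 513},
    SVC: {"objectSid": make_sid(DOMAIN + (1106,)), "primaryGroupID": 513},
}
GROUPS = {
    # As in AD: nobody is listed in Domain Users' member attribute.
    DOMAIN_USERS: {"objectSid": make_sid(DOMAIN + (513,)), "member": []},
    # The thread's workaround: an explicit group that does list employees.
    ALL_EMPLOYEES: {"objectSid": make_sid(DOMAIN + (1201,)), "member": [JANE]},
    # Richard's alternative: Domain Users nested inside another group.
    VPN_USERS: {"objectSid": make_sid(DOMAIN + (1202,)), "member": [DOMAIN_USERS]},
}


def is_member_naive(user_dn, group_dn):
    """What the application in the thread does: read `member` and nothing else."""
    return user_dn in GROUPS[group_dn]["member"]


def primary_group_sid(user_dn):
    """Primary group SID: the user's SID with its RID replaced by primaryGroupID."""
    sid = USERS[user_dn]["objectSid"]
    subs = list(struct.unpack_from("<%dI" % sid[1], sid, 8))
    subs[-1] = USERS[user_dn]["primaryGroupID"]
    return sid_to_string(make_sid(subs))


def primary_group_dn(user_dn):
    """The group whose primaryGroupToken (RID) equals the user's primaryGroupID."""
    token = USERS[user_dn]["primaryGroupID"]
    for dn, group in GROUPS.items():
        if rid(group["objectSid"]) == token:
            return dn
    return None


def effective_groups(user_dn):
    """Direct `member` entries plus the primary group, expanded through nesting."""
    found = set()
    queue = [dn for dn, g in GROUPS.items() if user_dn in g["member"]]
    primary = primary_group_dn(user_dn)
    if primary is not None:
        queue.append(primary)
    while queue:
        dn = queue.pop()
        if dn in found:
            continue
        found.add(dn)
        queue.extend(parent for parent, g in GROUPS.items() if dn in g["member"])
    return found


def is_member(user_dn, group_dn):
    """Membership check that misses neither the primary group nor nested groups."""
    return group_dn in effective_groups(user_dn)
```

Against a live domain controller the same logic applies to the objectSid, primaryGroupID and member values an LDAP search returns; primaryGroupToken is a constructed attribute and has to be requested by name, or, as here, derived from the group's objectSid. A resolver like effective_groups is what a membership check should do before any authorization decision; reading member alone silently denies every user whose only link to the group is the primary group.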
 