Ravindra Kulkarni
Problem
You want to copy one user’s group membership to another user.
Solution
Using a graphical user interface
- Open the ADUC snap-in.
- In the left pane, right-click on the domain and select Find.
- Select the appropriate domain beside In.
- Beside Name, type the name of the user you want to transfer groups from and click Find Now.
- In the Search Results window, double-click on the user.
- Click the Member Of tab.
- For each group you want to add another user in, do the following:
- Double-click on the group.
- Click the Members tab.
- Click the Add button.
- d. Find the user you want to add in the object picker and click OK.
- e. Click OK.
Using a command-line interface
The following command line will add <NewUserDN> to all of the groups that <CurrentUserDN> is a member of:
> for /F "usebackq delims=""" %i in ('dsget user
"<CurrentUserDN>" -memberof') do dsmod group %i -addmbr "<NewUserDN>"
If you want to get fancy and remove <CurrentUserDN> from each of the groups in the same operation, simply add an -rmmbr option on the end:
> for /F "usebackq delims=""" %i in ('dsget user
"<CurrentUserDN>" -memberof') do dsmod group %i -addmbr "<NewUserDN>"
-rmmbr "<CurrentUserDN>"
Using VBScript
' This code adds the "new" user to the groups the "current"
' user is a member of
' ------ SCRIPT CONFIGURATION -----
strCurrentUserDN = "<CurrentUserDN>"
' e.g. cn=jsmith,ou=Sales,dc=rallencorp,dc=com
strNewUserDN = "<NewUserDN>"
' ------ SCRIPT CONFIGURATION ------
Const ADS_PROPERTY_APPEND = 3
set
objCurrentUser = GetObject("LDAP://" &
strCurrentUserDN )
set objNewUser = GetObject("LDAP://" & strNewUserDN )
on error resume next
WScript.Echo "Transfering groups from " & strCurrentUserDN & " to " & strNewUserDN
for each strGroupDN in objCurrentUser.GetEx("memberOf")
set objGroup = GetObject("LDAP://" & strGroupDN)
objGroup.PutEx ADS_PROPERTY_APPEND, "member", Array( strNewUserDN )
objGroup.SetInfo
if Err then
WScript.Echo "Error adding user to group: " & strGroupDN
else
WScript.Echo "Added user to group: " & strGroupDN
end if
next
Discussion
Employees come and go; people take on new responsibilities and move on to new jobs. It is common to have movement within an organization. When this happens, typically someone is replacing the person that is moving on. The new person needs to get up to speed as quickly as possible, including getting accounts set up and access to any necessary resources. A big part of this includes getting added to the correct groups. You can help facilitate this by using one of the processes outlined in the Solution section to help the user gain access to the exact same groups that the former employee was a member of.
One important issue to point out is that the memberOf attribute, which was used in the Solution section to determine a user’s group membership, contains only the groups that are visible to the DC that’s being queried; this can vary depending on whether the DC in question is a Global Catalog and whether the user belongs to any universal groups. Any groups the user is a member of outside of the user’s domain will not be transferred. To transfer universal group membership outside of a domain, you will need to perform a query against the global catalog for all group objects that have a member attribute that contains the DN of the user. You can also search the Global Catalog for the memberOf attribute for a given user to determine a user’s universal group memberships.
IgNiTeD SoUL 