
New Users --> specific group



Guest Starbuck
Posted

When a new user is created, they are automatically added to

the "Domain Users" group. I would like to create (or modify) some

kind of a Group policy that also adds them to another group as

well, automatically.

 

Is this do-able?

If so, can someone point me in the right direction?

 

Thanks much,

 

*$

 

aa#2290


Guest Bjarne Duelund
Posted

Re: New Users --> specific group

 

Copy another user or create a template to copy from.

 

- Bjarne

 

 

 

"Starbuck" <Starbuck@BogusDomain.com> wrote in message

news:eacra4l316hf2htvqvglk4l6ridtj53scn@4ax.com...

> When a new user is created, they are automatically added to

> the "Domain Users" group. I would like to create (or modify) some

> kind of a Group policy that also adds them to another group as

> well, automatically.

>

> Is this do-able?

> If so, can someone point me in the right direction?

>

> Thanks much,

>

> *$

>

> aa#2290

Guest Greg Stigers
Posted

Re: New Users --> specific group

 

I think you mean OU, not group. You can specify the OU when creating a user

with dsadd:

dsadd user "cn=gstigers, ou=BigCoUsers, dc=BigCo, dc=com"

That is just a UserDN. There are quite a few other arguments you will want

and need to provide when creating a new user. See "dsadd user" at

http://technet.microsoft.com/en-us/library/cc731279.aspx.

 

You can also use CSVDE or LDIFDE.

______

Greg Stigers, MCSE

remember to vote for the answers you like

Guest Starbuck
Posted

Re: New Users --> specific group

 

On Thu, 21 Aug 2008 16:17:09 -0400, "Greg Stigers"

<gregstigers+msnews@spamcop.net> wrote:

>I think you mean OU, not group. You can specify the OU when creating a user

>with dsadd:

>dsadd user "cn=gstigers, ou=BigCoUsers, dc=BigCo, dc=com"

>That is just a UserDN. There are quite a few other arguments you will want

>and need to provide when creating a new user. See "dsadd user" at

>http://technet.microsoft.com/en-us/library/cc731279.aspx.

>

>You can also use CSVDE or LDIFDE.

>______

>Greg Stigers, MCSE

>remember to vote for the answers you like

>

 

No, I do mean groups.

 

If I create a new user account, they are automatically added to the

"Domain Users" group by simply hitting the Add button.

 

But I also want them added to *another* group at the same time.

Without having to manually add them.

 

 

*$

 

aa#2290

Guest Richard Mueller [MVP]
Posted

Re: New Users --> specific group

 

The idea to copy a template user (that is a member of your other group) is

the only solution I know of. However, you could make the Domain Users group

a member of your other group, which gives all users all of the permissions

granted to the other group (if that is the purpose).

 

--

Richard Mueller

MVP Directory Services

Hilltop Lab - http://www.rlmueller.net

--

 

"Bjarne Duelund" <duelund (at) danbbs.dk> wrote in message

news:uFu6AW8AJHA.756@TK2MSFTNGP02.phx.gbl...

> Copy another user or create a template to copy from.

>

> - Bjarne

>

>

>

> "Starbuck" <Starbuck@BogusDomain.com> wrote in message

> news:eacra4l316hf2htvqvglk4l6ridtj53scn@4ax.com...

>> When a new user is created, they are automatically added to

>> the "Domain Users" group. I would like to create (or modify) some

>> kind of a Group policy that also adds them to another group as

>> well, automatically.

>>

>> Is this do-able?

>> If so, can someone point me in the right direction?

>>

>> Thanks much,

>>

>> *$

>>

>> aa#2290

>

Guest Starbuck
Posted

Re: New Users --> specific group

 

On Thu, 21 Aug 2008 14:00:30 -0700, Starbuck

<Starbuck@BogusDomain.com> wrote:

>On Thu, 21 Aug 2008 16:17:09 -0400, "Greg Stigers"

><gregstigers+msnews@spamcop.net> wrote:

>

>>I think you mean OU, not group. You can specify the OU when creating a user

>>with dsadd:

>>dsadd user "cn=gstigers, ou=BigCoUsers, dc=BigCo, dc=com"

>>That is just a UserDN. There are quite a few other arguments you will want

>>and need to provide when creating a new user. See "dsadd user" at

>>http://technet.microsoft.com/en-us/library/cc731279.aspx.

>>

>>You can also use CSVDE or LDIFDE.

>>______

>>Greg Stigers, MCSE

>>remember to vote for the answers you like

>>

>

>No, I do mean groups.

>

>If I create a new user account, they are automatically added to the

>"Domain Users" group by simply hitting the Add button.

>

>But I also want them added to *another* group at the same time.

>Without having to manually add them.

>

>

>*$

>

>aa#2290

 

Maybe I should back up here and explain myself. My issue

is actually more LDAP related and it sounds like you are

brushed up on the subject. My apologies if this is a bit long.

 

If you look at this article here:

http://support.microsoft.com/kb/275523

 

"When you view Active Directory with a Lightweight Directory Access

Protocol (LDAP) utility such as Ldp.exe, the Members attribute is not

populated with the Primary group."

 

Further:

"The memberof attribute of the user object is not populated with the

group name. This can cause problems if programs do not query Active

Directory for the PrimaryGroupID attribute, and only for the Members

attribute of the group. "

 

 

Now for reasons which have not been explained to me, our programmers

are unable (or perhaps unwilling) to query the PrimaryGroupID. They

expect to query the Members Attribute and determine if the user is

an employee or not.

 

So, my thought was to create a NEW group, call it something like

"All Employees" and then add all employees to the group. (Basically,

a copy of "domain users".) The advantage here is that this new group

would appear in the members attribute when querying LDAP, so long

as it isn't the primary group.

 

But we've got a couple junior admins here who are going to forget to

add new employees to the "All employees" group at the time the account

is created. And it's kind of a pain to have to remember...

 

So wouldn't it be nice if I could create a new user account and have

this new user automatically added to the "All employees" group at the

time of creation?

 

I hope this is a little more clear to you.

And thanks very much for your input.

 

 

*$

 

aa#2290

Guest Richard Mueller [MVP]
Posted

Re: New Users --> specific group

 

 

"Starbuck" <Starbuck@BogusDomain.com> wrote in message

news:1hmra4ldlnk9t1pednrcrt2q31652m2qod@4ax.com...

> On Thu, 21 Aug 2008 14:00:30 -0700, Starbuck

> <Starbuck@BogusDomain.com> wrote:

>

>>On Thu, 21 Aug 2008 16:17:09 -0400, "Greg Stigers"

>><gregstigers+msnews@spamcop.net> wrote:

>>

>>>I think you mean OU, not group. You can specify the OU when creating a

>>>user

>>>with dsadd:

>>>dsadd user "cn=gstigers, ou=BigCoUsers, dc=BigCo, dc=com"

>>>That is just a UserDN. There are quite a few other arguments you will

>>>want

>>>and need to provide when creating a new user. See "dsadd user" at

>>>http://technet.microsoft.com/en-us/library/cc731279.aspx.

>>>

>>>You can also use CSVDE or LDIFDE.

>>>______

>>>Greg Stigers, MCSE

>>>remember to vote for the answers you like

>>>

>>

>>No, I do mean groups.

>>

>>If I create a new user account, they are automatically added to the

>>"Domain Users" group by simply hitting the Add button.

>>

>>But I also want them added to *another* group at the same time.

>>Without having to manually add them.

>>

>>

>>*$

>>

>>aa#2290

>

> Maybe I should back up here and explain myself. My issue

> is actually more LDAP related and it sounds like you are

> brushed up on the subject. My apologies if this is a bit long.

>

> If you look at this article here:

> http://support.microsoft.com/kb/275523

>

> "When you view Active Directory with a Lightweight Directory Access

> Protocol (LDAP) utility such as Ldp.exe, the Members attribute is not

> populated with the Primary group."

>

> Further:

> "The memberof attribute of the user object is not populated with the

> group name. This can cause problems if programs do not query Active

> Directory for the PrimaryGroupID attribute, and only for the Members

> attribute of the group. "

>

>

> Now for reasons which have not been explained to me, our programmers

> are unable (or perhaps unwilling) to query the PrimaryGroupID. They

> expect to query the Members Attribute and determine if the user is

> an employee or not.

>

> So, my thought was to create a NEW group, call it something like

> "All Employees" and then add all employees to the group. (Basically,

> a copy of "domain users".) The advantage here is that this new group

> would appear in the members attribute when querying LDAP, so long

> as it isn't the primary group.

>

> But we've got a couple junior admins here who are going to forget to

> add new employees to the "All employees" group at the time the account

> is created. And it's kind of a pain to have to remember...

>

> So wouldn't it be nice if I could create a new user account and have

> this new user automatically added to the "All employees" group at the

> time of creation?

>

> I hope this is a little more clear to you.

> And thanks very much for your input.

>

>

> *$

>

> aa#2290

 

You have the DN of a user, but don't know if the user is a member of Domain

Users. If every user is a member of Domain Users, then the fact that a user

has a DN implies they must be a member of the group. Or perhaps you have a

candidate DN and you aren't sure it is valid. Then attempt to bind to the

user object and trap the error if it fails. If the bind is successful, the

user is a member of Domain Users. If the bind fails, the user is not a

member. If you have a "pre-Windows 2000 logon name" (sAMAccountName) you can

use the NameTranslate object to convert to the DN. Again you trap the

possible error, because if there is no such user in the domain an error is

raised. If you retrieve a DN, then the user exists in the domain and is a

member of Domain Users. This assumes you never alter the primary group of

users (there is no reason to). For more on using NameTranslate see this

link:

 

http://www.rlmueller.net/NameTranslateFAQ.htm

 

Regarding the primaryGroupID. You can only determine this if you can bind to

the user object. If you bind to the user object, and find that the value of

primaryGroupID is 513, then you know the user is a member of Domain Users,

because that is always the value of the primaryGroupToken attribute of the

group Domain Users. There is no need to search for the group with this

value. There should be no problem retrieving primaryGroupID if you can bind

to the object, as it is single valued, indexed, replicated, not operational,

and in the GC. The primaryGroupToken attribute of groups is operational so

you need to know how to retrieve the value.

 

--

Richard Mueller

MVP Directory Services

Hilltop Lab - http://www.rlmueller.net

--
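
Added example, not part of the original thread or any poster's code: a membership check that treats the primary group as membership (primaryGroupID compared with the RID of the group's objectSid, the value AD exposes as primaryGroupToken), next to the member-only check described in the thread, plus an audit for accounts missing from "All Employees". The directory snapshot, the user "newhire", the domain identifier and RID 1601 are constructed sample data; only direct membership is considered, not nested groups.

```python
import struct

def make_sid(*subauths):
    """Build a binary objectSid (helper for the constructed sample data)."""
    head = bytes([1, len(subauths)]) + (5).to_bytes(6, "big")
    return head + b"".join(struct.pack("<I", s) for s in subauths)

def sid_rid(sid):
    """Return the RID: the last 32-bit little-endian sub-authority of a SID."""
    count = sid[1]
    if sid[0] != 1 or count == 0 or len(sid) != 8 + 4 * count:
        raise ValueError("malformed objectSid")
    return struct.unpack_from("<I", sid, 4 + 4 * count)[0]

# Constructed directory snapshot; DNs reuse the thread's BigCo example names.
DOM = (21, 1111, 2222, 3333)
DU = "CN=Domain Users,CN=Users,DC=BigCo,DC=com"
AE = "CN=All Employees,OU=BigCoUsers,DC=BigCo,DC=com"
U1 = "CN=gstigers,OU=BigCoUsers,DC=BigCo,DC=com"
U2 = "CN=newhire,OU=BigCoUsers,DC=BigCo,DC=com"  # hypothetical forgotten account
GROUPS = {
    # member is empty for Domain Users: primary-group members are not listed.
    DU: {"objectSid": make_sid(*DOM, 513), "member": []},
    AE: {"objectSid": make_sid(*DOM, 1601), "member": [U1]},
}
USERS = {U1: {"primaryGroupID": 513}, U2: {"primaryGroupID": 513}}

def member_attr_check(user_dn, group_dn):
    """The member-only query from the thread: misses the primary group."""
    return user_dn in GROUPS[group_dn]["member"]

def is_direct_member(user_dn, group_dn):
    """True if listed in member OR the group is the user's primary group."""
    group = GROUPS[group_dn]
    return (user_dn in group["member"]
            or USERS[user_dn]["primaryGroupID"] == sid_rid(group["objectSid"]))

def missing_from(mirror_dn, primary_dn=DU):
    """Users whose primary group is primary_dn but who are absent from mirror_dn."""
    return sorted(u for u in USERS
                  if is_direct_member(u, primary_dn)
                  and not member_attr_check(u, mirror_dn))

if __name__ == "__main__":
    print("member-only check, gstigers in Domain Users:", member_attr_check(U1, DU))
    print("primary-group-aware check:", is_direct_member(U1, DU))
    print("not yet in All Employees:", missing_from(AE))
```
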

