To start, VBScript or Powershell will do. I am looking at the Qwest cmdlets for AD but I have similar results as with Vbscript.
I need to change the "Member of" tab group memberships on a couple thousand servers, not necassarily all at once, but you see the need for an automated solution. Every solution I have found is to work with the group and add/delete the server from there. I do not prefer this method as there could be thousands of other servers in that group and to edit its membership, well worries me, to say the least. I know with a solid solution it would work just fine in this manner, but making a mistake of that caliber is a job delimiting decision.
Every attempt to script this task results in the following error in both VBScript and PS:
The server is unwilling to process the request.
Using Qwests AD cmdlets, here is the syntax I have worked up:
> To start, VBScript or Powershell will do. I am looking at the Qwest > cmdlets for AD but I have similar results as with Vbscript.
> I need to change the "Member of" tab group memberships on a couple > thousand servers, not necassarily all at once, but you see the need > for an automated solution. Every solution I have found is to work with > the group and add/delete the server from there. I do not prefer this > method as there could be thousands of other servers in that group and > to edit its membership, well worries me, to say the least. I know with > a solid solution it would work just fine in this manner, but making a > mistake of that caliber is a job delimiting decision.
> Every attempt to script this task results in the following error in > both VBScript and PS:
> The server is unwilling to process the request.
> Using Qwests AD cmdlets, here is the syntax I have worked up:
The member attribute of group objects and the memberOf attribute of user objects are linked. Member is the forward link attribute and memberOf is the back link attribute. You cannot modify back link attributes directly. The value of back link attributes are not actually saved with the object, but instead refer to the forward link attribute. See this link:
Also, quoting from this link: http://technet.microsoft.com/en-us/library/cc773309(WS.10).aspx ----------- As an option, a back link can be defined on a target object (for example, the memberOf attribute on the user object). A back-link attribute should be created as a multi-valued attribute, and it cannot exist without a corresponding forward link. The back-link attribute cannot be updated directly. Instead, it is automatically calculated when it is queried, based on the corresponding forward link. A back-link value on any instance of an object consists of the distinguished names of all source objects that have the target object's distinguished name in their corresponding forward link. ------------ I don't understand your concern with modifying the member attribute of the group.
In VBScript I would bind to the group object, then use the IsMember method to check if the prospective member is already a member, then if not use the Add method to add the new member. I don't like dealing with the member/memberOf attributes directly when modifying membership, but instead rely on the methods of the group object designed for this purpose. I like to bind to the prospective member object to make sure it exists, then use the ADsPath property of the object in the IsMember and Add methods. For example: ============= Option Explicit Dim objGroup, objMember, strMemberDN
' Bind to group object. Set objGroup = GetObject("LDAP://cn=My Group,ou=West,dc=MyDomain,dc=com")
' Specify Distinguishd Name of prospective member. strMemberDN = "cn=MyObject,ou=East,dc=MyDomain,dc=com"
' Bind to prospective member object. Trap error if it does not exist. On Error Resume Next Set objMember = GetObject("LDAP://" & strMemberDN) If (Err.Number <> 0) Then Wscript.Echo "Error #: " & Err.Number Wscript.Echo "Description: " & Err.Description Wscript.Quit End If On Error GoTo 0
' Check for membership. If (objGroup.IsMember(objMember.ADsPath) = False) Then ' Add new member. objGroup.Add(objMember.ADsPath) Wscript.Echo objMember.Name & " added to group " & objGroup.Name Else Wscript.Echo objMember.Name & " already a member of group " & objGroup.Name End If ======== Code can be designed to do this in bulk, perhaps reading prospective member names from a text file or spreadsheet. You can also read NetBIOS names of servers from the text file or spreadsheet, and use the NameTranslate object to convert to the Distinguished Name.
Richard, you are the man I have been wanting to hear from the entire time that I have been researching this. If I ever need anything related to scripting and Active Directory I look to your wisdom. So, on that note, thank you!
My concern is pretty pointless in some senses because a solid solution would negate those same concerns all together. We just have several people who are a little iffy about modifying our group memberships automagically. The main concern we have is attaching to a group with thousands of members and removing only specific ones while leaving the group in tact. Without getting to much into detail we use group memberships as the "link"/security filtering to a GPO then attach this to a server.
So, in your opinion, this is going to be my best option? I can do the other portions you describe with making it able to take bulk member names and most likely implement the name translation (love that feature!) you mentioned. I have about 1000 servers left that I need to change their group memberships. While several other groups will be doing the same thing to a few thousand other servers leaving probably several hundred to another thousand servers in the groups to be modified (yes, we have that many servers as a member of at least one of these groups). I am on the hook for creating a solid solution to this effort.
I have used your code in the past to do this type of work on various objects and have learned greatly from your experience and knowledge. Again, I really appreciate you taking the time to look at this post.
Nick H.
On Oct 28, 8:57 am, "Richard Mueller [MVP]" <rlmueller-
> > To start, VBScript or Powershell will do. I am looking at the Qwest > > cmdlets for AD but I have similar results as with Vbscript.
> > I need to change the "Member of" tab group memberships on a couple > > thousand servers, not necassarily all at once, but you see the need > > for an automated solution. Every solution I have found is to work with > > the group and add/delete the server from there. I do not prefer this > > method as there could be thousands of other servers in that group and > > to edit its membership, well worries me, to say the least. I know with > > a solid solution it would work just fine in this manner, but making a > > mistake of that caliber is a job delimiting decision.
> > Every attempt to script this task results in the following error in > > both VBScript and PS:
> > The server is unwilling to process the request.
> > Using Qwests AD cmdlets, here is the syntax I have worked up:
> The member attribute of group objects and the memberOf attribute of user > objects are linked. Member is the forward link attribute and memberOf is the > back link attribute. You cannot modify back link attributes directly. The > value of back link attributes are not actually saved with the object, but > instead refer to the forward link attribute. See this link:
> Also, quoting from this link:http://technet.microsoft.com/en-us/library/cc773309(WS.10).aspx > ----------- > As an option, a back link can be defined on a target object (for example, > the memberOf attribute on the user object). A back-link attribute should be > created as a multi-valued attribute, and it cannot exist without a > corresponding forward link. The back-link attribute cannot be updated > directly. Instead, it is automatically calculated when it is queried, based > on the corresponding forward link. A back-link value on any instance of an > object consists of the distinguished names of all source objects that have > the target object's distinguished name in their corresponding forward link. > ------------ > I don't understand your concern with modifying the member attribute of the > group.
> In VBScript I would bind to the group object, then use the IsMember method > to check if the prospective member is already a member, then if not use the > Add method to add the new member. I don't like dealing with the > member/memberOf attributes directly when modifying membership, but instead > rely on the methods of the group object designed for this purpose. I like to > bind to the prospective member object to make sure it exists, then use the > ADsPath property of the object in the IsMember and Add methods. For example: > ============= > Option Explicit > Dim objGroup, objMember, strMemberDN
> ' Bind to group object. > Set objGroup = GetObject("LDAP://cn=My Group,ou=West,dc=MyDomain,dc=com")
> ' Specify Distinguishd Name of prospective member. > strMemberDN = "cn=MyObject,ou=East,dc=MyDomain,dc=com"
> ' Bind to prospective member object. Trap error if it does not exist. > On Error Resume Next > Set objMember = GetObject("LDAP://" & strMemberDN) > If (Err.Number <> 0) Then > Wscript.Echo "Error #: " & Err.Number > Wscript.Echo "Description: " & Err.Description > Wscript.Quit > End If > On Error GoTo 0
> ' Check for membership. > If (objGroup.IsMember(objMember.ADsPath) = False) Then > ' Add new member. > objGroup.Add(objMember.ADsPath) > Wscript.Echo objMember.Name & " added to group " & objGroup.Name > Else > Wscript.Echo objMember.Name & " already a member of group " & > objGroup.Name > End If > ======== > Code can be designed to do this in bulk, perhaps reading prospective member > names from a text file or spreadsheet. You can also read NetBIOS names of > servers from the text file or spreadsheet, and use the NameTranslate object > to convert to the Distinguished Name.
|
