Adding users to a group

Massimo

Why isn't there any way to do such a simple thing via group policy?
I'd like to have a GPO setting to say "every user inside this OU should be
member of this domain group". But I don't have any way to do this. Why?
Nobody ever needed something like this?

Massimo

P.S.
I'm managing a full Windows 2003 domain.
 
Philip Nunn

Are you trying to add your domain users or a domain group to a local
computer group?

Philip Nunn
 
Marin Marinov

> Why isn't there any way to do such a simple thing via group policy?
> I'd like to have a GPO setting to say "every user inside this OU should be
> member of this domain group". But I don't have any way to do this. Why?
> Nobody ever needed something like this?
>
> Massimo
>
> P.S.
> I'm managing a full Windows 2003 domain.

Maybe because it's an extremely rare case that you would need this :) OU
design and group strategies don't overlap much. I see that there are
cases that you would need this (e.g., location-based OUs and a group at
each location that's given permissions to a shared printer) but,
honestly, I haven't seen such a need at a single corporate client (no
offence, please). Many times a feature is not implemented because
Microsoft considers it not to be justified from a business (and/or logic)
perspective.

Anyway, to give you some ideas for your problem. I'd go for scripting:
1) Dsadd, you can even put it as a scheduled task to run every hour or
so and add users to the group.
2) ADSI - VBScript from ADSIScriptomatic or TechNet ScriptCenter that
does the same as above

Of course, you can always multiselect a bunch of users and add them to
the group but I'm sure you got tired of this ;)

HTH, Massimo

--
Cheers,
Marin Marinov
MCT, MCSE 2003, MCSE:Security 2003
-
This posting is provided "AS IS" with no warranties, and confers no
rights.
 
Richard

You could use GPOs to run a logon script that will add the user to the
group. I too wish it were a GPO item but until MSFT does this scripting
will be your best bet.

Create a script that adds current user to group X where X is defined by a
variable passed to the script.
Apply GPO to OU-RemoteUsers, which calls the logon script with the variable
of OU-RemoteUsers.

Richard
 
Massimo

> Are you trying to add your domain users or a domain group to a local
> computer group?

A domain group.
I already used restricted groups to add them to local groups (f.e. Power
Users), but this still isn't what I need: I don't need to say "every
computer of this OU should have these users in these groups", but "every
user of this OU should be member of these groups".

Massimo
 
Massimo

> You could use GPOs to run a logon script that will add the user to the
> group. I too wish it were a GPO item but until MSFT does this scripting
> will be your best bet.
>
> Create a script that adds current user to group X where X is defined by a
> variable passed to the script.
> Apply GPO to OU-RemoteUsers, which calls the logon script with the
> variable of OU-RemoteUsers.

Thanks for the suggestions, I already thought about scripting, but I'd
really prefer a simpler way. Unfortunately, there isn't any... :-/

Massimo
 
Marin Marinov

> You could use GPOs to run a logon script that will add the user to the
> group. I too wish it were a GPO item but until MSFT does this scripting
> will be your best bet.
>
> Create a script that adds current user to group X where X is defined by a
> variable passed to the script.
> Apply GPO to OU-RemoteUsers, which calls the logon script with the variable
> of OU-RemoteUsers.
>
> Richard
> <snip>

Just to add: you'll have to logoff the user in order for the membership
to take effect. You could check in the script if the user is a member
and if not add him and log him off (and at this point the user is
stumped at what happened and calls the admin ;)). All are clumsy
solutions, though.

--
Cheers,
Marin Marinov
MCT, MCSE 2003, MCSE:Security 2003
-
This posting is provided "AS IS" with no warranties, and confers no
rights.
 
Eric Voskuil

I think Philip is on the right track here. This isn't something you would
do in a GPO. Adding domain users to domain groups is purely a function of
performing some configuration while sitting on one of your servers. There
isn't any point in running this through Group Policy. Sometimes the name
"*Group* Policy" throws people off, but this isn't what GP is for.

Regards,

Eric Voskuil
Policy Maker
http://www.autoprof.com/policy
 
Massimo

> I think Philip is on the right track here. This isn't something you would
> do in a GPO. Adding domain users to domain groups is purely a function of
> performing some configuration while sitting on one of your servers. There
> isn't any point in running this through Group Policy. Sometimes the name
> "*Group* Policy" throws people off, but this isn't what GP is for.

I understand your point, but in this case (role-based OUs) it would be of
great help if, when a user is created inside a specific OU, I could say
"this user should automatically be member of these groups". Without this, I
need to manually add any new user to the right groups, and this is
error-prone.

Massimo
 
Andy Cadley

> I understand your point, but in this case (role-based OUs) it would be of
> great help if, when a user is created inside a specific OU, I could say
> "this user should automatically be member of these groups". Without this, I
> need to manually add any new user to the right groups, and this is
> error-prone.

That sounds like the sort of problem that's best suited to a custom
scripting solution. It should be fairly trivial to write a script that scans
an OU and configures the group membership of any user accounts in there. You
could then have this run periodically on your DC and the process would be
almost as you want.

AndyC
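The periodic OU-scan script Andy describes, as an added example (not code from any poster in this thread): a PowerShell script intended for a scheduled task on one DC. It assumes the ActiveDirectory module (RSAT) is installed and uses placeholder OU and group names; because it runs under the task's own account rather than the logged-on user's, no end user needs write access to the group, unlike a logon-script approach.

```powershell
<#
  Added example, not code from the thread. Reconciles a domain group so that
  every enabled user located in an OU is a member. Run it as a scheduled task
  on a single DC under an account allowed to modify the group.
  OU and group names are placeholders.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory)] [string] $OuDn,       # e.g. 'OU=RemoteUsers,DC=example,DC=com' (placeholder)
    [Parameter(Mandatory)] [string] $GroupName,  # e.g. 'RemoteUsers-Access' (placeholder)
    [switch] $IncludeChildOus                    # scan child OUs as well
)
Import-Module ActiveDirectory -ErrorAction Stop

$scope = if ($IncludeChildOus) { 'Subtree' } else { 'OneLevel' }

# Enabled users located in the OU; disabled accounts are deliberately left alone.
$ouUsers = Get-ADUser -SearchBase $OuDn -SearchScope $scope -Filter 'Enabled -eq $true'

# Read the group's member attribute directly: unlike Get-ADGroupMember it has
# no 5000-member result cap and yields distinguished names we can compare on.
$group   = Get-ADGroup -Identity $GroupName -Properties member
$members = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
foreach ($dn in $group.member) { [void]$members.Add($dn) }

$missing = $ouUsers | Where-Object { -not $members.Contains($_.DistinguishedName) }

if (-not $missing) {
    Write-Verbose "All $($ouUsers.Count) user(s) in $OuDn are already members of $GroupName."
    return
}

# One directory write for the whole batch; -WhatIf is honoured via CmdletBinding.
if ($PSCmdlet.ShouldProcess($GroupName, "add $($missing.Count) user(s) from $OuDn")) {
    Add-ADGroupMember -Identity $group -Members $missing
}

# Emit one record per change so the task's transcript or SIEM can audit additions.
# The new membership only shows up in a user's access token at their next logon.
foreach ($u in $missing) {
    [pscustomobject]@{ Time = Get-Date; Group = $GroupName; User = $u.SamAccountName; Action = 'Added' }
}
```

Run it once with `-WhatIf` to see which accounts would be added before scheduling it.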
 
Eric Voskuil

Massimo,

The question is really what is the appropriate model to initiate such an
automated process, not whether it would be useful. Group Policy only runs
in policy refresh on client computers (which of course could be servers).
Therefore, to which computers would you apply this policy? Would you apply
it to users (on any computer they logged onto)? And once you've answered
those questions, make sure you've considered that the client-side extension
has only the end-user's or the local computer's security context.

My thinking is that the only security context that would work would come
from applying policy to the domain controllers, but you would really only
want this to run on one DC. Seems like a waste to do this in GP, since it's
not a distributed management problem. There are products that manage
role-based AD configuration. ActiveRoles from Quest comes to mind, and
there are probably others.

Regards,

Eric Voskuil
Policy Maker
http://www.autoprof.com/policy