Import users with "memberOf" set

Fang

Hi, all,

I would like to create > 1000 users into MSAD and put all of them into one
group. I had generated the LDIF file and set the attribute "memberOf" to
point to the group. The import with ldifde failed with the error "The server
side error is 'Access to the attribute is not permitted because the
attribute is owned by the Security Accounts Manager (SAM).'". Microsoft
support had an article Q276382 at
http://support.microsoft.com/default.aspx?scid=kb;[LN];276382
How can I do this membership assignment without manually changing all the
user entries after the import? Or is there any way I can programmatically
assign the attribute after the import?

Thanks
 
Chriss3

Hello

Yes, there is a way to do it programmatically, but in fact it's so easy to do
in Active Directory Users and Computers.

Right-click the domain node and click Find. There you select the
location in the directory service where you have the accounts you want to
add. Select the object type and then click Find; now you have a list of all
users. Just select them all by selecting the first one, holding down the Shift
key, and selecting the last one. Now right-click and click Add to Group. That's
how easy it is.

If you prefer to do it programmatically, you can use the script below.


' ADSI constant: append values to a multi-valued attribute
Const ADS_PROPERTY_APPEND = 3

Set objRootDSE = GetObject("LDAP://rootDSE")
strDomainDN = objRootDSE.Get("defaultNamingContext")
Set objContainer = GetObject("LDAP://cn=Users," & strDomainDN)

' Create the group in the Users container
Set objGroup = objContainer.Create("Group", "cn=Group1")
objGroup.Put "sAMAccountName", "Group1"
objGroup.SetInfo

' Add the users cn=UserNo1 ... cn=UserNo1000 (which must already exist in
' cn=Users) by appending their DNs to the group's "member" attribute
strDN = ",cn=Users," & strDomainDN
For i = 1 To 1000
    objGroup.PutEx ADS_PROPERTY_APPEND, "member", _
        Array("cn=UserNo" & i & strDN)
    objGroup.SetInfo
Next

WScript.Echo "Group1 created and 1000 Users added to the group."

This script is a sample from TechNet Script Center. I strongly
recommend TechNet Script Center if you work with scripts.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/scriptcenter/default.asp
 
Guest

Hi
Programmatically you can use ADSI to do this. Take a look at those pages

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/ScriptCenter/user/ScrUG158.as
http://www.microsoft.com/technet/tr...prodtechnol/windows2000serv/deploy/w2kadsi.as

Regards
Jan Gustavsso


 
Rick Magoon

You may be attempting an import with all attributes, which won't work.
Some attributes (like password hashes) will be owned by the SAM
(separate from Active Directory and stored on the PDC emulator). Try
importing only required user object attributes. You can gather a list
of mandatory attributes from adsiedit and selecting properties on a
user object.

You may consider using csvde and modifying the memberOf column in
Excel to your new value. You can also export an existing user that is
a member of your new group then add additional users in Excel.

More information for csvde at:

http://www.microsoft.com/technet/tr...indowsserver2003/proddocs/entserver/CSVDE.asp

Rick Magoon
 
Cary Shultz [A.D. MVP]

Fang,

You are attempting this from the incorrect perspective. No worries! I
think that we all do this in the beginning of our attempts to make use of
LDIFDE. I really like this tool!!!!!! It is really wonderful.

You can not edit the 'memberOf:' attribute for the user account. What you
can do, however, is edit the 'member:' attribute of the group in question.
It does get a little hairy as you will need to add the DN of each and every
user that you would want to be a member of this group.

I might follow some of the other suggestions. Chriss has a good point in
that you can very easily use the Active Directory Users and Computers MMC
( ADUC ) to do this rather quickly. But, you have more than 1000 user
accounts? That might not be so 'rather quickly'! Depends on how many OUs
you have....

Also, please keep in mind that there is a tool called ADModify that two
Microsoft employees wrote. While it can not necessarily do what you are
trying to do it is a really great tool as well.

HTH,

Cary
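
The approach described in the reply above (write the group's "member" attribute instead of each user's "memberOf") can be applied to an LDIF file that has already been generated. The following Python is an added example, not part of the thread: it drops the memberOf lines from a user import and builds one modify record for the group; the example.com DNs and the sample records are constructed.

```python
import base64

def unfold(ldif_text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def split_membership(user_ldif):
    """Drop memberOf lines from a user import; return (cleaned LDIF, user DNs)."""
    kept, dns = [], []
    for line in unfold(user_ldif):  # unfold first so folded memberOf values go too
        name, _, rest = line.partition(":")
        if name.strip().lower() == "memberof":
            continue  # the attribute whose write caused the import error in the thread
        if name.strip().lower() == "dn":
            if rest.startswith(":"):  # "dn::" marks a base64-encoded UTF-8 value
                dns.append(base64.b64decode(rest[1:].strip()).decode("utf-8"))
            else:
                dns.append(rest.strip())
        kept.append(line)
    return "\n".join(kept) + "\n", dns

def attr_line(name, value):
    """Emit 'name: value', or base64 'name:: ...' when the value is not plain ASCII."""
    if value.isascii():
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"

def group_modify_ldif(group_dn, user_dns):
    """Build one modify record adding every user DN to the group's member attribute."""
    out = [attr_line("dn", group_dn), "changetype: modify", "add: member"]
    out += [attr_line("member", dn) for dn in user_dns] + ["-", ""]
    return "\n".join(out) + "\n"

GROUP = "CN=Group1,CN=Users,DC=example,DC=com"  # constructed sample values from here on
JOERG = "CN=Jörg,CN=Users,DC=example,DC=com"
SAMPLE_USERS = (
    "dn: CN=UserNo1,CN=Users,DC=example,DC=com\nchangetype: add\n"
    "objectClass: user\nsAMAccountName: UserNo1\nmemberOf: " + GROUP + "\n\n"
    "dn:: " + base64.b64encode(JOERG.encode("utf-8")).decode("ascii") + "\n"
    "changetype: add\nobjectClass: user\nsAMAccountName: Joerg\n"
    "memberOf: CN=Group1,CN=Users,\n DC=example,DC=com\n"
)

if __name__ == "__main__":
    print(group_modify_ldif(GROUP, split_membership(SAMPLE_USERS)[1]), end="")
```

Import the cleaned user file first and the group record second, because every DN listed under "member" must already exist in the directory.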
 
