Sign in with
Sign up | Sign in
Your question

Adding users to a group

Tags:
  • Policy
  • Domain
  • Microsoft
  • Windows
Last response: in Windows 2000/NT
Share
Anonymous
April 15, 2004 12:50:03 AM

Archived from groups: microsoft.public.win2000.group_policy,microsoft.public.windows.group_policy (More info?)

Why there isn't any way to do such a simple thing via group policy?
I'd like to have a GPO setting to say "every user inside this OU should be
member of this domain group". But I don't have any way to do this. Why?
Nobody ever needed something like this?

Massimo

P.S.
I'm managing a full Windows 2003 domain.

More about : adding users group

Anonymous
April 15, 2004 12:50:04 AM

Archived from groups: microsoft.public.win2000.group_policy,microsoft.public.windows.group_policy (More info?)

Are you trying to add your domain users or a domain group to a local
computer group?

Philip Nunn

"Massimo" <barone@mclink.it> wrote in message
news:%23J2bNFlIEHA.3508@TK2MSFTNGP09.phx.gbl...
> Why there isn't any way to do such a simple thing via group policy?
> I'd like to have a GPO setting to say "every user inside this OU should be
> member of this domain group". But I don't have any way to do this. Why?
> Nobody ever needed something like this?
>
> Massimo
>
> P.S.
> I'm managing a full Windows 2003 domain.
>
Anonymous
April 15, 2004 12:50:04 AM

Archived from groups: microsoft.public.win2000.group_policy,microsoft.public.windows.group_policy (More info?)

In article <#J2bNFlIEHA.3508@TK2MSFTNGP09.phx.gbl>, barone@mclink.it
says...
> Why there isn't any way to do such a simple thing via group policy?
> I'd like to have a GPO setting to say "every user inside this OU should be
> member of this domain group". But I don't have any way to do this. Why?
> Nobody ever needed something like this?
>
> Massimo
>
> P.S.
> I'm managing a full Windows 2003 domain.
Maybe because it's an extremely rare case that you would need this :)  OU
design and group strategies don't overlap much. I see that there are
cases that you would need this (e.g.,location-based OUs and a group at
each location that's given permissions to a shared printer) but,
honestly, I haven't seen such a need at a single corporate client (no
offence,please). Many times a feature is not implemented because
Microsoft consider it not to be justified from a business (and/or logic)
perspective.

Anyway, to give you some ideas for your problem. I'd go for scripting:
1) Dsadd, you can even put it as a scheduled task to run every hour or
so and add users to the group.
2) ADSI - VBScript from ADSIScriptomatic or TechNet ScriptCenter that
does the same as above

Of course, you can always multiselect a bunch of users and add them to
the group but I'm sure you got tired of this ;) 

HTH, Massimo

--
Cheers,
Marin Marinov
MCT,MCSE 2003,MCSE:Security 2003
-
This posting is provided "AS IS" with no warranties, and confers no
rights.
Related resources
April 15, 2004 12:50:05 AM

Archived from groups: microsoft.public.win2000.group_policy,microsoft.public.windows.group_policy (More info?)

You could use GPOs to run a logon script that will add the user to the
group. I too wish it were a GPO item but until MSFT does this scripting
will be your best bet.

Create a script that adds current user to group X where X is defined by a
variable passed to the script.
Apply GPO to OU-RemoteUsers , which calls the logon script with the variable
of OU-RemoteUsers.


Richard



"Marin Marinov" <mlmarinov@askme.ca> wrote in message
news:MPG.1ae760dce98faafc989696@msnews.microsoft.com...
> In article <#J2bNFlIEHA.3508@TK2MSFTNGP09.phx.gbl>, barone@mclink.it
> says...
> > Why there isn't any way to do such a simple thing via group policy?
> > I'd like to have a GPO setting to say "every user inside this OU should
be
> > member of this domain group". But I don't have any way to do this. Why?
> > Nobody ever needed something like this?
> >
> > Massimo
> >
> > P.S.
> > I'm managing a full Windows 2003 domain.
> Maybe because it's an extremely rare case that you would need this :)  OU
> design and group strategies don't overlap much. I see that there are
> cases that you would need this (e.g.,location-based OUs and a group at
> each location that's given permissions to a shared printer) but,
> honestly, I haven't seen such a need at a single corporate client (no
> offence,please). Many times a feature is not implemented because
> Microsoft consider it not to be justified from a business (and/or logic)
> perspective.
>
> Anyway, to give you some ideas for your problem. I'd go for scripting:
> 1) Dsadd, you can even put it as a scheduled task to run every hour or
> so and add users to the group.
> 2) ADSI - VBScript from ADSIScriptomatic or TechNet ScriptCenter that
> does the same as above
>
> Of course, you can always multiselect a bunch of users and add them to
> the group but I'm sure you got tired of this ;) 
>
> HTH, Massimo
>
> --
> Cheers,
> Marin Marinov
> MCT,MCSE 2003,MCSE:Security 2003
> -
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
Anonymous
April 15, 2004 5:13:10 AM

Archived from groups: microsoft.public.win2000.group_policy,microsoft.public.windows.group_policy (More info?)

"Philip Nunn" <bigphil@newsgroups.nospam> ha scritto nel messaggio
news:uEoW8glIEHA.3440@TK2MSFTNGP09.phx.gbl

> Are you trying to add your domain users or a domain group to a local
> computer group?

A domain group.
I already used restricted groups to add them to local groups (f.e. Power
Users), but this still isn't what I need: I don't need to say "every
computer of this OU should have these users in these groups", but "every
user of this OU should be member of these groups".

Massimo
Anonymous
April 15, 2004 5:17:43 AM

Archived from groups: microsoft.public.win2000.group_policy,microsoft.public.windows.group_policy (More info?)

"Richard" <NoSpam@NoSpam.net> ha scritto nel messaggio
news:%23r8mHtlIEHA.1944@TK2MSFTNGP11.phx.gbl

> You could use GPOs to run a logon script that will add the user to the
> group. I too wish it were a GPO item but until MSFT does this scripting
> will be your best bet.
>
> Create a script that adds current user to group X where X is defined by a
> variable passed to the script.
> Apply GPO to OU-RemoteUsers , which calls the logon script with the
> variable of OU-RemoteUsers.

Thanks for the suggestions, I already thought about scripting, but I'd
really prefer a simpler way. Unfortunately, there isn't any... :-/

Massimo
Anonymous
April 15, 2004 1:09:15 PM

Archived from groups: microsoft.public.win2000.group_policy,microsoft.public.windows.group_policy (More info?)

In article <#r8mHtlIEHA.1944@TK2MSFTNGP11.phx.gbl>, NoSpam@NoSpam.net
says...
> You could use GPOs to run a logon script that will add the user to the
> group. I too wish it were a GPO item but until MSFT does this scripting
> will be your best bet.
>
> Create a script that adds current user to group X where X is defined by a
> variable passed to the script.
> Apply GPO to OU-RemoteUsers , which calls the logon script with the variable
> of OU-RemoteUsers.
>
>
> Richard
<snip>
Just to add: you'll have to logoff the user in order for the membership
to take effect. You could check in the script if the user is a member
and if not add him and log him off (and at this point the user is
stumped at what happened and calls the admin ;) ). All are clumsy
solutions, though.

--
Cheers,
Marin Marinov
MCT,MCSE 2003,MCSE:Security 2003
-
This posting is provided "AS IS" with no warranties, and confers no
rights.
Anonymous
April 19, 2004 7:12:54 PM

Archived from groups: microsoft.public.win2000.group_policy,microsoft.public.windows.group_policy (More info?)

I think Philip is on the right track here. This isn't something you would
do in a GPO. Adding domain users to domain groups is purely a function of
performing some configuration while sitting on one of your servers. There
isn't any point in running this through Group Policy. Sometimes the name
"*Group* Policy" throws people off, but this isn't what GP is for.

Regards,

Eric Voskuil
Policy Maker
http://www.autoprof.com/policy


"Massimo" <barone@mclink.it> wrote in message
news:o KHjOYnIEHA.1220@tk2msftngp13.phx.gbl...
> "Philip Nunn" <bigphil@newsgroups.nospam> ha scritto nel messaggio
> news:uEoW8glIEHA.3440@TK2MSFTNGP09.phx.gbl
>
> > Are you trying to add your domain users or a domain group to a local
> > computer group?
>
> A domain group.
> I already used restricted groups to add them to local groups (f.e. Power
> Users), but this still isn't what I need: I don't need to say "every
> computer of this OU should have these users in these groups", but "every
> user of this OU should be member of these groups".
>
> Massimo
>
Anonymous
April 20, 2004 2:30:52 PM

Archived from groups: microsoft.public.win2000.group_policy,microsoft.public.windows.group_policy (More info?)

"Eric Voskuil" <voskuilATautoprof.com> ha scritto nel messaggio
news:uW%23rFIkJEHA.3380@TK2MSFTNGP09.phx.gbl

> I think Philip is on the right track here. This isn't something you would
> do in a GPO. Adding domain users to domain groups is purely a function of
> performing some configuration while sitting on one of your servers. There
> isn't any point in running this through Group Policy. Sometimes the name
> "*Group* Policy" throws people off, but this isn't what GP is for.

I understand your point, but in this case (role-based OUs) it would be of
great help if, when an user is created inside a specific OU, I could say
"this user should automatically be member of these groups". Without this, I
need to manually add any new user to the right groups, and this is
error-prone.

Massimo
Anonymous
April 20, 2004 4:40:31 PM

Archived from groups: microsoft.public.win2000.group_policy,microsoft.public.windows.group_policy (More info?)

"Massimo" <barone@mclink.it> wrote in message
news:o a8eMHrJEHA.3596@tk2msftngp13.phx.gbl...

> I understand your point, but in this case (role-based OUs) it would be of
> great help if, when an user is created inside a specific OU, I could say
> "this user should automatically be member of these groups". Without this,
I
> need to manually add any new user to the right groups, and this is
> error-prone.

That sounds like the sort of problem that's best suited to a custom
scripting solution. It should be fairly trivial to write a script that scans
an OU and configures the group membersip of any user accounts in there. You
could then have this run periodically on your DC and the process would be
almost as you want.

AndyC
Anonymous
April 20, 2004 5:16:38 PM

Archived from groups: microsoft.public.win2000.group_policy,microsoft.public.windows.group_policy (More info?)

Massimo,

The question is really what is the appropriate model to initiate such an
automated process, not whether it would be useful. Group Policy only runs
in policy refresh on client computers (which of course could be servers).
Therefore - to which computers would you apply this policy. Would you apply
it to users (on any computer they logged onto)? And once you've answered
those questions, make sure you've considered that the client-side extension
has only the end-user's or the local computer's security context.

My thinking is that the only security context that would work would come
from applying policy to the domain controllers, but you would really only
want this to run on one DC. Seems like a waste to do this in GP, since it's
not a distributed management problem. There are products that manage
role-based AD configuration. ActiveRoles from Quest comes to mind, and
there are probably others.

Regards,

Eric Voskuil
Policy Maker
http://www.autoprof.com/policy


"Massimo" <barone@mclink.it> wrote in message
news:o a8eMHrJEHA.3596@tk2msftngp13.phx.gbl...
> "Eric Voskuil" <voskuilATautoprof.com> ha scritto nel messaggio
> news:uW%23rFIkJEHA.3380@TK2MSFTNGP09.phx.gbl
>
> > I think Philip is on the right track here. This isn't something you
would
> > do in a GPO. Adding domain users to domain groups is purely a function
of
> > performing some configuration while sitting on one of your servers.
There
> > isn't any point in running this through Group Policy. Sometimes the
name
> > "*Group* Policy" throws people off, but this isn't what GP is for.
>
> I understand your point, but in this case (role-based OUs) it would be of
> great help if, when an user is created inside a specific OU, I could say
> "this user should automatically be member of these groups". Without this,
I
> need to manually add any new user to the right groups, and this is
> error-prone.
>
> Massimo
>
Anonymous
April 20, 2004 11:57:26 PM

Archived from groups: microsoft.public.win2000.group_policy,microsoft.public.windows.group_policy (More info?)

"Andy Cadley" <ac@uea.ac.uk> ha scritto nel messaggio
news:o gTwpvsJEHA.1132@TK2MSFTNGP12.phx.gbl

>> I understand your point, but in this case (role-based OUs) it would be of
>> great help if, when an user is created inside a specific OU, I could say
>> "this user should automatically be member of these groups". Without
>> this, I need to manually add any new user to the right groups, and this
>> is error-prone.
>
> That sounds like the sort of problem that's best suited to a custom
> scripting solution. It should be fairly trivial to write a script that
> scans an OU and configures the group membersip of any user accounts in
> there. You could then have this run periodically on your DC and the
> process would be almost as you want.

Of course, scripting (server-side or policy-based) was already suggested.
But I think this kind of policy could definitely be very useful, in these
kind of situations.

Massimo
!