Adding users to a group

Archived from groups: microsoft.public.win2000.group_policy,microsoft.public.windows.group_policy

Why isn't there any way to do such a simple thing via group policy?
I'd like to have a GPO setting to say "every user inside this OU should be
a member of this domain group". But I don't have any way to do this. Why?
Nobody ever needed something like this?

Massimo

P.S.
I'm managing a full Windows 2003 domain.

  1. Archived from groups: microsoft.public.win2000.group_policy,microsoft.public.windows.group_policy

    Are you trying to add your domain users or a domain group to a local
    computer group?

    Philip Nunn

    "Massimo" <barone@mclink.it> wrote in message
    news:%23J2bNFlIEHA.3508@TK2MSFTNGP09.phx.gbl...
    > Why isn't there any way to do such a simple thing via group policy?
    > I'd like to have a GPO setting to say "every user inside this OU should be
    > a member of this domain group". But I don't have any way to do this. Why?
    > Nobody ever needed something like this?
    >
    > Massimo
    >
    > P.S.
    > I'm managing a full Windows 2003 domain.
    >
  2. Archived from groups: microsoft.public.win2000.group_policy,microsoft.public.windows.group_policy

    In article <#J2bNFlIEHA.3508@TK2MSFTNGP09.phx.gbl>, barone@mclink.it
    says...
    > Why isn't there any way to do such a simple thing via group policy?
    > I'd like to have a GPO setting to say "every user inside this OU should be
    > a member of this domain group". But I don't have any way to do this. Why?
    > Nobody ever needed something like this?
    >
    > Massimo
    >
    > P.S.
    > I'm managing a full Windows 2003 domain.
    Maybe because it's an extremely rare case that you would need this :) OU
    design and group strategies don't overlap much. I see that there are
    cases that you would need this (e.g., location-based OUs and a group at
    each location that's given permissions to a shared printer) but,
    honestly, I haven't seen such a need at a single corporate client (no
    offence, please). Many times a feature is not implemented because
    Microsoft consider it not to be justified from a business (and/or logic)
    perspective.

    Anyway, to give you some ideas for your problem. I'd go for scripting:
    1) Dsadd, you can even put it as a scheduled task to run every hour or
    so and add users to the group.
    2) ADSI - VBScript from ADSIScriptomatic or TechNet ScriptCenter that
    does the same as above

    Of course, you can always multiselect a bunch of users and add them to
    the group but I'm sure you got tired of this ;)

    HTH, Massimo

    --
    Cheers,
    Marin Marinov
    MCT,MCSE 2003,MCSE:Security 2003
    -
    This posting is provided "AS IS" with no warranties, and confers no
    rights.
  3. Archived from groups: microsoft.public.win2000.group_policy,microsoft.public.windows.group_policy

    You could use GPOs to run a logon script that will add the user to the
    group. I too wish it were a GPO item but until MSFT does this scripting
    will be your best bet.

    Create a script that adds current user to group X where X is defined by a
    variable passed to the script.
    Apply GPO to OU-RemoteUsers , which calls the logon script with the variable
    of OU-RemoteUsers.


    Richard


    "Marin Marinov" <mlmarinov@askme.ca> wrote in message
    news:MPG.1ae760dce98faafc989696@msnews.microsoft.com...
    > In article <#J2bNFlIEHA.3508@TK2MSFTNGP09.phx.gbl>, barone@mclink.it
    > says...
    > > Why isn't there any way to do such a simple thing via group policy?
    > > I'd like to have a GPO setting to say "every user inside this OU should be
    > > a member of this domain group". But I don't have any way to do this. Why?
    > > Nobody ever needed something like this?
    > >
    > > Massimo
    > >
    > > P.S.
    > > I'm managing a full Windows 2003 domain.
    > Maybe because it's an extremely rare case that you would need this :) OU
    > design and group strategies don't overlap much. I see that there are
    > cases that you would need this (e.g., location-based OUs and a group at
    > each location that's given permissions to a shared printer) but,
    > honestly, I haven't seen such a need at a single corporate client (no
    > offence, please). Many times a feature is not implemented because
    > Microsoft consider it not to be justified from a business (and/or logic)
    > perspective.
    >
    > Anyway, to give you some ideas for your problem. I'd go for scripting:
    > 1) Dsadd, you can even put it as a scheduled task to run every hour or
    > so and add users to the group.
    > 2) ADSI - VBScript from ADSIScriptomatic or TechNet ScriptCenter that
    > does the same as above
    >
    > Of course, you can always multiselect a bunch of users and add them to
    > the group but I'm sure you got tired of this ;)
    >
    > HTH, Massimo
    >
    > --
    > Cheers,
    > Marin Marinov
    > MCT,MCSE 2003,MCSE:Security 2003
    > -
    > This posting is provided "AS IS" with no warranties, and confers no
    > rights.
  4. Archived from groups: microsoft.public.win2000.group_policy,microsoft.public.windows.group_policy

    "Philip Nunn" <bigphil@newsgroups.nospam> wrote in message
    news:uEoW8glIEHA.3440@TK2MSFTNGP09.phx.gbl

    > Are you trying to add your domain users or a domain group to a local
    > computer group?

    A domain group.
    I already used restricted groups to add them to local groups (f.e. Power
    Users), but this still isn't what I need: I don't need to say "every
    computer of this OU should have these users in these groups", but "every
    user of this OU should be a member of these groups".

    Massimo
  5. Archived from groups: microsoft.public.win2000.group_policy,microsoft.public.windows.group_policy

    "Richard" <NoSpam@NoSpam.net> wrote in message
    news:%23r8mHtlIEHA.1944@TK2MSFTNGP11.phx.gbl

    > You could use GPOs to run a logon script that will add the user to the
    > group. I too wish it were a GPO item but until MSFT does this scripting
    > will be your best bet.
    >
    > Create a script that adds current user to group X where X is defined by a
    > variable passed to the script.
    > Apply GPO to OU-RemoteUsers , which calls the logon script with the
    > variable of OU-RemoteUsers.

    Thanks for the suggestions, I already thought about scripting, but I'd
    really prefer a simpler way. Unfortunately, there isn't any... :-/

    Massimo
  6. Archived from groups: microsoft.public.win2000.group_policy,microsoft.public.windows.group_policy

    In article <#r8mHtlIEHA.1944@TK2MSFTNGP11.phx.gbl>, NoSpam@NoSpam.net
    says...
    > You could use GPOs to run a logon script that will add the user to the
    > group. I too wish it were a GPO item but until MSFT does this scripting
    > will be your best bet.
    >
    > Create a script that adds current user to group X where X is defined by a
    > variable passed to the script.
    > Apply GPO to OU-RemoteUsers , which calls the logon script with the variable
    > of OU-RemoteUsers.
    >
    >
    > Richard
    <snip>
    Just to add: you'll have to logoff the user in order for the membership
    to take effect. You could check in the script if the user is a member
    and if not add him and log him off (and at this point the user is
    stumped at what happened and calls the admin ;)). All are clumsy
    solutions, though.

    --
    Cheers,
    Marin Marinov
    MCT,MCSE 2003,MCSE:Security 2003
    -
    This posting is provided "AS IS" with no warranties, and confers no
    rights.
  7. Archived from groups: microsoft.public.win2000.group_policy,microsoft.public.windows.group_policy

    I think Philip is on the right track here. This isn't something you would
    do in a GPO. Adding domain users to domain groups is purely a function of
    performing some configuration while sitting on one of your servers. There
    isn't any point in running this through Group Policy. Sometimes the name
    "*Group* Policy" throws people off, but this isn't what GP is for.

    Regards,

    Eric Voskuil
    Policy Maker
    http://www.autoprof.com/policy


    "Massimo" <barone@mclink.it> wrote in message
    news:OKHjOYnIEHA.1220@tk2msftngp13.phx.gbl...
    > "Philip Nunn" <bigphil@newsgroups.nospam> ha scritto nel messaggio
    > news:uEoW8glIEHA.3440@TK2MSFTNGP09.phx.gbl
    >
    > > Are you trying to add your domain users or a domain group to a local
    > > computer group?
    >
    > A domain group.
    > I already used restricted groups to add them to local groups (f.e. Power
    > Users), but this still isn't what I need: I don't need to say "every
    > computer of this OU should have these users in these groups", but "every
    > user of this OU should be a member of these groups".
    >
    > Massimo
    >
  8. Archived from groups: microsoft.public.win2000.group_policy,microsoft.public.windows.group_policy

    "Eric Voskuil" <voskuilATautoprof.com> wrote in message
    news:uW%23rFIkJEHA.3380@TK2MSFTNGP09.phx.gbl

    > I think Philip is on the right track here. This isn't something you would
    > do in a GPO. Adding domain users to domain groups is purely a function of
    > performing some configuration while sitting on one of your servers. There
    > isn't any point in running this through Group Policy. Sometimes the name
    > "*Group* Policy" throws people off, but this isn't what GP is for.

    I understand your point, but in this case (role-based OUs) it would be of
    great help if, when a user is created inside a specific OU, I could say
    "this user should automatically be a member of these groups". Without this, I
    need to manually add any new user to the right groups, and this is
    error-prone.

    Massimo
  9. Archived from groups: microsoft.public.win2000.group_policy,microsoft.public.windows.group_policy

    "Massimo" <barone@mclink.it> wrote in message
    news:Oa8eMHrJEHA.3596@tk2msftngp13.phx.gbl...

    > I understand your point, but in this case (role-based OUs) it would be of
    > great help if, when a user is created inside a specific OU, I could say
    > "this user should automatically be a member of these groups". Without this,
    > I need to manually add any new user to the right groups, and this is
    > error-prone.

    That sounds like the sort of problem that's best suited to a custom
    scripting solution. It should be fairly trivial to write a script that scans
    an OU and configures the group membership of any user accounts in there. You
    could then have this run periodically on your DC and the process would be
    almost as you want.

    AndyC
  10. Archived from groups: microsoft.public.win2000.group_policy,microsoft.public.windows.group_policy

    Massimo,

    The question is really what is the appropriate model to initiate such an
    automated process, not whether it would be useful. Group Policy only runs
    in policy refresh on client computers (which of course could be servers).
    Therefore, to which computers would you apply this policy? Would you apply
    it to users (on any computer they logged onto)? And once you've answered
    those questions, make sure you've considered that the client-side extension
    has only the end-user's or the local computer's security context.

    My thinking is that the only security context that would work would come
    from applying policy to the domain controllers, but you would really only
    want this to run on one DC. Seems like a waste to do this in GP, since it's
    not a distributed management problem. There are products that manage
    role-based AD configuration. ActiveRoles from Quest comes to mind, and
    there are probably others.

    Regards,

    Eric Voskuil
    Policy Maker
    http://www.autoprof.com/policy


    "Massimo" <barone@mclink.it> wrote in message
    news:Oa8eMHrJEHA.3596@tk2msftngp13.phx.gbl...
    > "Eric Voskuil" <voskuilATautoprof.com> wrote in message
    > news:uW%23rFIkJEHA.3380@TK2MSFTNGP09.phx.gbl
    >
    > > I think Philip is on the right track here. This isn't something you would
    > > do in a GPO. Adding domain users to domain groups is purely a function of
    > > performing some configuration while sitting on one of your servers. There
    > > isn't any point in running this through Group Policy. Sometimes the name
    > > "*Group* Policy" throws people off, but this isn't what GP is for.
    >
    > I understand your point, but in this case (role-based OUs) it would be of
    > great help if, when a user is created inside a specific OU, I could say
    > "this user should automatically be a member of these groups". Without this,
    > I need to manually add any new user to the right groups, and this is
    > error-prone.
    >
    > Massimo
    >
  11. Archived from groups: microsoft.public.win2000.group_policy,microsoft.public.windows.group_policy

    "Andy Cadley" <ac@uea.ac.uk> wrote in message
    news:OgTwpvsJEHA.1132@TK2MSFTNGP12.phx.gbl

    >> I understand your point, but in this case (role-based OUs) it would be of
    >> great help if, when a user is created inside a specific OU, I could say
    >> "this user should automatically be a member of these groups". Without
    >> this, I need to manually add any new user to the right groups, and this
    >> is error-prone.
    >
    > That sounds like the sort of problem that's best suited to a custom
    > scripting solution. It should be fairly trivial to write a script that
    > scans an OU and configures the group membership of any user accounts in
    > there. You could then have this run periodically on your DC and the
    > process would be almost as you want.

    Of course, scripting (server-side or policy-based) was already suggested.
    But I think this kind of policy could definitely be very useful, in these
    kinds of situations.

    Massimo
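
The server-side approach suggested in the thread (a script that scans an OU and sets group membership, run periodically) is shown here as an added example that is not part of any post. It assumes the ActiveDirectory PowerShell module, which postdates the Windows 2003 tools named above; the OU and group DNs are constructed placeholders.

```powershell
#Requires -Modules ActiveDirectory
# Added example: reconcile one domain group against the user objects in one OU.
# The DNs below are constructed placeholders, not values from the thread.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$OuDn    = 'OU=RemoteUsers,DC=example,DC=com',
    [string]$GroupDn = 'CN=RemoteUsers-Role,OU=Groups,DC=example,DC=com',
    [switch]$RemoveStale   # also drop direct user members that are not in the OU
)

# Users that sit directly in the OU (use -SearchScope Subtree for nested OUs).
$wanted = @(Get-ADUser -Filter * -SearchBase $OuDn -SearchScope OneLevel |
    Select-Object -ExpandProperty DistinguishedName)

# Current direct user members; nested groups and computers are left alone.
$current = @(Get-ADGroupMember -Identity $GroupDn |
    Where-Object { $_.objectClass -eq 'user' } |
    Select-Object -ExpandProperty distinguishedName)

$toAdd   = @($wanted  | Where-Object { $current -notcontains $_ })
$outside = @($current | Where-Object { $wanted  -notcontains $_ })

foreach ($dn in $toAdd) {
    if ($PSCmdlet.ShouldProcess($dn, "Add to $GroupDn")) {
        Add-ADGroupMember -Identity $GroupDn -Members $dn
    }
}

foreach ($dn in $outside) {
    if (-not $RemoveStale) {
        # Report only: a member from outside the OU may be intentional.
        Write-Warning "Member is not in ${OuDn}: $dn"
    }
    elseif ($PSCmdlet.ShouldProcess($dn, "Remove from $GroupDn")) {
        Remove-ADGroupMember -Identity $GroupDn -Members $dn -Confirm:$false
    }
}

# One summary object per run, for the scheduled task's log.
[pscustomobject]@{
    Time    = Get-Date
    Ou      = $OuDn
    Group   = $GroupDn
    ToAdd   = $toAdd.Count
    Outside = $outside.Count
}
```

Running it with `-WhatIf` lists the pending changes without writing to the directory. For the scheduled task, an account delegated write access to only this group's membership is sufficient, so the job does not need to run as a domain administrator.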