How Can I Temporarily Add a Group to Another Active Directory Group?

ScriptingGuy1


Hey, Scripting Guy! I’d like to add an Active Directory group to a second group, but only for an hour; after an hour, I’d like to remove that group from the second group. Can I do that with a script?

— JW


Hey, JW. Well, this is definitely one of the more interesting questions we’ve received. As far as we know, there’s no way to put a time limit on group membership; in other words, there’s no Active Directory property that says, “Yes, you can be a member of this group, but only for so long.” Consequently, we had to look for a workaround.

This is what we came up with. The following script will add a group (Accountants) to a second group (Finance Managers). The script will pause for one hour and then remove the Accountants group from the Finance Managers group. Here’s what the code looks like:

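' Bind to the group that will temporarily gain a member
Set objGroup = GetObject("LDAP://cn=Finance Managers, ou=Finance, dc=fabrikam, dc=com")
' Bind to the group being added
Set objTempGroup = GetObject("LDAP://cn=Accountants, ou=Finance, dc=fabrikam, dc=com")

' Add Accountants to Finance Managers
objGroup.Add(objTempGroup.ADsPath)

' Pause for one hour (3,600,000 milliseconds)
Wscript.Sleep 3600000

' Remove Accountants from Finance Managers
objGroup.Remove(objTempGroup.ADsPath)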

And here’s how the thing works. We begin by binding to the Finance Managers group in Active Directory and assigning that group to an object reference named objGroup. We then create a second object reference (objTempGroup) and bind to the Accountants group. After we’ve made these two connections we can then add the Accountants group to the Finance Managers group using this line of code:

objGroup.Add(objTempGroup.ADsPath)

Got all that? We just call the Add method and pass that method the ADsPath of the member being added (in this case, the Accountants group).

At this point the Accountants group is now a member of the Finance Managers group. Now all we have to do is wait an hour and then remove the group.

That, of course, is the tricky part. What we decided to do was simply pause the script for an hour; we can do that using this line of code, which calls the Wscript.Sleep method and instructs the script to wait 3,600,000 milliseconds before resuming:

Wscript.Sleep 3600000

If you’re wondering, “Why 3,600,000 milliseconds?” well, Wscript.Sleep accepts values in millisecond increments. One second equals 1,000 milliseconds. One minute thus equals 60,000 milliseconds (60 x 1,000), and one hour equals 3,600,000 milliseconds (60 x 60,000).

After the hour has passed, the script resumes with the next line of code, a line which removes the Accountants group from the Finance Managers group:

objGroup.Remove(objTempGroup.ADsPath)

This script works just fine; the only problem is that the script has to run – without interruption – for an hour. Should the script end prematurely (because someone terminates the process, or someone closes the command window the script is running in, or someone reboots the computer, or …) the Accountants group will never be removed from the Finance Managers group. Because of that, a better approach might be to use two scripts – one that adds the group and another that removes the group – and run them both as scheduled tasks. That way you have more assurance that everything will go off as planned.

In case you’re wondering, a script that’s paused like this uses no CPU time; it just sits there patiently and waits for the alarm to ring and tell it to get back to work. And you don’t have to worry about the script “forgetting” to wake up. Just for the heck of it, we ran a script that included a 15-hour pause. Fifteen hours later the script resumed as expected. In other words, this approach works just fine, provided, of course, that there’s no interference from outside factors (such as the computer rebooting).
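The scheduled-task approach suggested above, sketched in PowerShell as an added example (not code from the original column). It registers the removal before granting the membership, so a failure to schedule the cleanup never leaves the Accountants group sitting in Finance Managers. The task name is hypothetical, and the sketch assumes the ActiveDirectory and ScheduledTasks modules plus an account with rights to modify the group.

```powershell
# Added example, not from the original article.
# Assumes the ActiveDirectory (RSAT) and ScheduledTasks modules are available.
Import-Module ActiveDirectory

$parentDn = 'CN=Finance Managers,OU=Finance,DC=fabrikam,DC=com'   # from the article
$memberDn = 'CN=Accountants,OU=Finance,DC=fabrikam,DC=com'        # from the article
$taskName = 'Remove-Accountants-From-FinanceManagers'             # hypothetical name
$removeAt = (Get-Date).AddHours(1)

# Command the scheduled task will run; -Confirm:$false suppresses the prompt.
$removeCmd = "Import-Module ActiveDirectory; " +
    "Remove-ADGroupMember -Identity '$parentDn' -Members '$memberDn' -Confirm:`$false"

$action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -Command `"$removeCmd`""
$trigger = New-ScheduledTaskTrigger -Once -At $removeAt

# StartWhenAvailable: if the computer is off or rebooting at $removeAt, the task
# runs as soon as possible afterwards instead of being skipped.
$settings = New-ScheduledTaskSettingsSet -StartWhenAvailable

# Assumption: this account is allowed to change the Finance Managers membership.
$cred = Get-Credential -Message 'Account with rights to modify the group'

# Step 1: schedule the removal. If this fails, the script stops and the
# membership is never granted.
Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -Settings $settings -User $cred.UserName `
    -Password $cred.GetNetworkCredential().Password -ErrorAction Stop | Out-Null

# Step 2: grant the temporary membership.
try {
    Add-ADGroupMember -Identity $parentDn -Members $memberDn -ErrorAction Stop
}
catch {
    # The add failed, so there is nothing to remove later; drop the pending task.
    Unregister-ScheduledTask -TaskName $taskName -Confirm:$false
    throw
}

"Accountants added to Finance Managers; removal scheduled for $removeAt"
```

After the hour has passed, Get-ADGroupMember against the Finance Managers group confirms whether the removal actually ran.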
