{"id":63353,"date":"2008-01-04T21:22:00","date_gmt":"2008-01-04T21:22:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2008\/01\/04\/hey-scripting-guy-how-can-i-add-a-domain-group-to-a-local-group\/"},"modified":"2008-01-04T21:22:00","modified_gmt":"2008-01-04T21:22:00","slug":"hey-scripting-guy-how-can-i-add-a-domain-group-to-a-local-group","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/hey-scripting-guy-how-can-i-add-a-domain-group-to-a-local-group\/","title":{"rendered":"Hey, Scripting Guy! How Can I Add a Domain Group to a Local Group?"},"content":{"rendered":"

 <\/p>\n

\"Hey, <\/p>\n

Hey, Scripting Guy! How can I add a domain group to a local group?<\/p>\n

— DR<\/p>\n

\"Spacer\"\"Hey,\"Script<\/a> <\/p>\n

Hey, DR. Before we begin today, any chance that we could borrow $5 billion, at least until the next payday? Admittedly, it\u2019s not our habit to go around asking for money, especially an amount of money as big as that. However, we just learned this morning that the Weather channel (and its companion Web site, weather.com<\/b><\/a>) are up for sale, and the asking price is expected to be around $5 billion. The Scripting Guys have already been burned once this year; when YouTube<\/b><\/a> went up for sale we failed to make a bid on it, assuming that the YouTube folks would come to Redmond and beg for us to buy them out. We don\u2019t want to make that<\/i> mistake again.<\/p>\n

Anyway, if you could spot us that $5 billion, DR, we would really appreciate it. And don\u2019t worry, we\u2019ll pay you back; after all, how long could it take for us to make $5 billion? Furthermore, as a gesture of good faith, we\u2019ll \u2013 What\u2019s that? Pay you interest? Give you Weather Channel shares? Well, sure, those are<\/i> interesting proposals. But we had something different in mind: we were going to offer to give you, absolutely free, a script that adds a domain group to a local group. You know, a script like this one:<\/p>\n

strComputer = \"atl-ws-001\"\n\nSet objLocalGroup = GetObject(\"WinNT:\/\/\" & strComputer & \"\/TestGroup\")\nSet objADGroup = GetObject(\"WinNT:\/\/Fabrikam\/Finance\")\n\nobjLocalGroup.Add(objADGroup.ADsPath)\n<\/pre>\n
Before we begin we should note that this is a question we get asked quite a bit: How do I add a domain group to a local group? And usually we tell people, \u201cThat\u2019s easy: you use the exact same approach used to add a domain user to a local group<\/b><\/a>.\u201d For some reason, however, no one ever seems to take that advice; instead they just keep asking the same question over and over again.<\/p>\n\n<\/thead>\n\n\n
\n
Note<\/b>. Well, sure, we suppose that could<\/i> be due to the fact that it\u2019s next-to-impossible to find anything<\/i> in the Script Center these days. We\u2019d like to tell you that we are hard at work fixing that problem but let\u2019s put it this way: the two Scripting Guys have problems keeping their offices<\/i> neat and tidy; how do you expect people like that to get the entire Script Center cleaned up? Let\u2019s just say that we\u2019re aware of the problem, then pretend that that\u2019s a good enough answer for everyone.<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
<\/div>\n
With that in mind, we decided to just go ahead and answer the question, without referring people anywhere else. How do you add a domain group to a local group? Well, to begin with, you assign the name of the computer where the local group resides to a variable named strComputer; in fact, that\u2019s what we do in the very first line of code:<\/p>\n
strComputer = \"atl-ws-001\"\n<\/pre>\n
Once that\u2019s taken care of we next use the GetObject<\/b> method and the WinNT<\/b> provider to connect to that local group. In this case, that\u2019s a group named TestGroup on the computer atl-ws-001:<\/p>\n
Set objLocalGroup = GetObject(\"WinNT:\/\/\" & strComputer & \"\/TestGroup\")\n<\/pre>\n
All of that is easy; it\u2019s the next part that fouls people up. In general, any time you connect to an Active Directory object (like a group) you use the LDAP provider; for example, this command binds you to the Finance Users group in the fabrikam.com domain:<\/p>\n
Set objGroup = GetObject(\"LDAP:\/\/CN=Finance Users,OU=Finance,dc=fabrikam,dc=com\")\n<\/pre>\n
Why do you do that? Because that way you have access to the scores<\/i> of Active Directory attributes that can be assigned to the object. If you use the WinNT provider to bind to an Active Directory object (assuming that you can<\/i> use the WinNT provider to bind to an Active Directory object; not all Active directory objects are accessible through the WinNT provider) you\u2019ll only have access to a handful of attributes. For example, local user accounts feature less than 20 attributes; by contrast, Active Directory user accounts typically include 200 or more attributes.<\/p>\n
That\u2019s all fine and dandy, except for one thing: when you try to add a domain object to a local group you can\u2019t use the LDAP provider to bind to the domain object. (We\u2019ll exlain why in a second.) That\u2019s why we said that in general<\/i> you use the LDAP provider when connecting to Active Directory objects: there are<\/i> exceptions.<\/p>\n
Instead, you have to use the WinNT provider to bind to the Active Directory group. That also means that your ADsPath values must reference the computer (or domain) name followed by the user or group name. In other words, you need to use code similar to this:<\/p>\n
Set objADGroup = GetObject(\"WinNT:\/\/Fabrikam\/Finance\")\n<\/pre>\n
Don\u2019t feel bad; many people get confused by this. After all, they make the connection to the local computer just fine and then, using the LDAP provider, they make a connection to the Active Directory group as well. It\u2019s only when they try to add the Active Directory group to the local group that the script fails. Why? Because when you bind to an Active Directory account using the LDAP provider you get back an ADsPath value similar to this:<\/p>\n
CN=Finance Users,OU=Finance,dc=fabrikam,dc=com\n<\/pre>\n
Does that really matter? Yes, it does; after all, you need the ADsPath attribute in order to add a group (or user) to another group. For better or worse, however, the Security Account Manager (SAM) on the local computer has no idea what an Active Directory-style path like this means. CN=Finance Users? OU=Finance? The SAM doesn\u2019t know what any of those things are, and so the SAM simply gives up without a fight.<\/p>\n
Fortunately the workaround to this problem is simple enough: when you bind to the Active Directory group, use the WinNT provider and a Windows NT 4.0-styled path: domain\/logon name<\/i>. (The logon name is equivalent to Active Directory\u2019s sAMAccountName attribute.) In other words, you need to connect to the domain group using this line of code, where Fabrikam<\/i> is the short name of the fabrikam.com domain and Finance<\/i> is the \u201clogon\u201d name of the Finance Users group:<\/p>\n
Set objADGroup = GetObject(\"WinNT:\/\/Fabrikam\/Finance\")\n<\/pre>\n
That should do the trick. And once that\u2019s done all you have to do is call the Add <\/b>method, passing the value of the domain group\u2019s ADsPath attribute as the sole method parameter:<\/p>\n
objLocalGroup.Add(objADGroup.ADsPath)\n<\/pre>\n
And there you have it. Will that really add the domain group to the local group? Hey, have the Scripting Guys ever steered you wrong before?<\/p>\n
We mean today: have the Scripting Guys ever steered you wrong today?<\/p>\n
Well, OK, how about in the last 15 minutes? Raise your hands if the Scripting Guys have steered you wrong in the last 15 minutes.<\/p>\n
Never mind.<\/p>\n
Anyway, we hope that helps you, DR, and we hope that helps everyone else who keeps asking how to add a domain group to a local group. And you know, if everyone who has<\/i> asked us that question would send in a dollar we\u2019d be well on our way to raising that $5 billion we need to buy the Weather Channel.<\/p>\n
Wait, check that; we forgot to carry the 1 when doing our division. Change that last statement to this: if everyone who has<\/i> asked us that question would send in $267 million we\u2019d be well on our way to raising that $5 billion we need to buy the Weather Channel. Act now, and we\u2019ll name the first hurricane of 2008 after you. Guaranteed!<\/p>\n","protected":false},"excerpt":{"rendered":"
  Hey, Scripting Guy! How can I add a domain group to a local group? — DR Hey, DR. Before we begin today, any chance that we could borrow $5 billion, at least until the next payday? Admittedly, it\u2019s not our habit to go around asking for money, especially an amount of money as big […]<\/p>\n","protected":false},"author":595,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[7,44,3,5],"class_list":["post-63353","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-active-directory","tag-groups","tag-scripting-guy","tag-vbscript"],"acf":[],"blog_post_summary":"
  Hey, Scripting Guy! How can I add a domain group to a local group? — DR Hey, DR. Before we begin today, any chance that we could borrow $5 billion, at least until the next payday? Admittedly, it\u2019s not our habit to go around asking for money, especially an amount of money as big […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/63353","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/595"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=63353"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/63353\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=63353"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=63353"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=63353"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}