{"id":68123,"date":"2006-01-23T16:48:00","date_gmt":"2006-01-23T16:48:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2006\/01\/23\/how-can-i-add-a-user-to-a-group-but-only-if-that-user-is-a-member-of-the-it-department\/"},"modified":"2006-01-23T16:48:00","modified_gmt":"2006-01-23T16:48:00","slug":"how-can-i-add-a-user-to-a-group-but-only-if-that-user-is-a-member-of-the-it-department","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/how-can-i-add-a-user-to-a-group-but-only-if-that-user-is-a-member-of-the-it-department\/","title":{"rendered":"How Can I Add a User to a Group, but Only if that User is a Member of the IT Department?"},"content":{"rendered":"

\"Hey, \n

Hey, Scripting Guy! How can I add a user to a group, but only if that user is a member of the IT department?

— JV<\/P>\"Spacer\"\"Hey,\"Script<\/A> \n

Hey, JV. You know, this is your lucky day: not only are we going to show you how you can add a specified user to a group (assuming, of course, that this user is a member of the IT department), but we\u2019re also going to show you a way to automatically add all<\/I> members of the IT department to a group. Talk about a deal, huh?<\/P>\n

And, no, your thanks are enough for us. Well, that is, your thanks and our standard consulting fee of $12,343.50. We\u2019ll send you a bill.<\/P>\n

So what do you get in return for that $12,343.50? (And no, you don\u2019t have<\/I> to send us $12,343.50. Not unless you want<\/I> to \u2026.) Well, for starters, you get a script like this one, which adds the user Jack Richins to the group IT Staff \u2026 provided, of course, that Jack is a member of the IT department:<\/P>

Set objUser = GetObject(“LDAP:\/\/cn=Jack Richins,ou=canada,dc=fabrikam,dc=com”)<\/p>\n
If objUser.Department = “IT” Then\n    Set objGroup = GetObject _\n        (“LDAP:\/\/cn=IT Staff,ou=support,dc=fabrikam,dc=com”)\n    objGroup.Add(objUser.ADsPath)\nEnd If\n<\/PRE>\n
As you can see, this is a simple little script. We begin by using this line of code to bind directly to Jack Richins\u2019 user account in Active Directory:<\/P>
Set objUser = GetObject(“LDAP:\/\/cn=Jack Richins,ou=canada,dc=fabrikam,dc=com”)\n<\/PRE>\n
We then check to see whether or not Jack\u2019s Department<\/B> attribute is equal to IT:<\/P>
If objUser.Department = “IT” Then\n<\/PRE>\n
Let\u2019s assume that it is. In that case, we then create a second object reference, one that connects us to the IT Staff group account:<\/P>
Set objGroup = GetObject _\n    (“LDAP:\/\/cn=IT Staff,ou=support,dc=fabrikam,dc=com”)\n<\/PRE>\n
Once we\u2019ve made that connection we can then call the Add<\/B> method (passing the value of Jack\u2019s ADsPath<\/B> attribute as the sole parameter) and add Jack to the group. If Jack isn\u2019t<\/I> part of the IT department then we don\u2019t do anything at all.<\/P>\n
Not bad, huh? Now here\u2019s the bonus script. This script searches Active Directory and returns a list of all the users (objectCategory=’user’<\/B>) who happen to be members of the IT department (Department<\/B>=\u2019IT\u2019<\/B>). For each user meeting those criteria (that is, each user in the IT department), the script adds the user to the IT Staff group:<\/P>
On Error Resume Next<\/p>\n
Const ADS_SCOPE_SUBTREE = 2<\/p>\n
Set objConnection = CreateObject(“ADODB.Connection”)\nSet objCommand =   CreateObject(“ADODB.Command”)\nobjConnection.Provider = “ADsDSOObject”\nobjConnection.Open “Active Directory Provider”\nSet objCommand.ActiveConnection = objConnection<\/p>\n
objCommand.Properties(“Page Size”) = 1000\nobjCommand.Properties(“Searchscope”) = ADS_SCOPE_SUBTREE <\/p>\n
objCommand.CommandText = _\n    “SELECT ADsPath FROM ‘LDAP:\/\/dc=fabrikam,dc=com’ WHERE objectCategory=’user’ ” & _\n         “AND Department=’IT'”\nSet objRecordSet = objCommand.Execute<\/p>\n
objRecordSet.MoveFirst<\/p>\n
Set objGroup = GetObject _\n    (“LDAP:\/\/cn=IT Staff,ou=support,dc=fabrikam,dc=com”)<\/p>\n
Do Until objRecordSet.EOF\n    objGroup.Add(objRecordSet.Fields(“ADsPath”).Value)\n    objRecordSet.MoveNext\nLoop\n<\/PRE>\n
We\u2019re not going to talk about the bonus script in any detail; if you aren\u2019t sure how Active Directory scripts work we recommend you take a peek at the two-part Tales from the Script<\/I> series Dude, Where\u2019s My Printer?<\/B><\/A> About all we will<\/I> do is mention that the On Error Resume Next<\/B> statement is very important in this particular script. Why? Well, suppose Jack Richins is already a member of the IT Staff group and you try adding him (again) to the group. That\u2019s going to generate an error and the script will blow up. If you add the On Error Resume Next statement, however, the script won\u2019t blow up; instead, it will simply skip Jack and instead try adding the next user in the IT department.<\/P>\n\n<\/THEAD>\n\n\n
\n
Note<\/B>. If you\u2019re wondering how the Scripting Guys came up with a standard consulting fee of $12,343.50, well, it\u2019s purely coincidental that one of the Scripting Guys (with great reluctance) recently purchased a car for his son and the total bill came to $12,343.50. Like we said, purely coincidental \u2026.<\/P><\/TD><\/TR><\/TBODY><\/TABLE><\/p>\n","protected":false},"excerpt":{"rendered":"
Hey, Scripting Guy! How can I add a user to a group, but only if that user is a member of the IT department?— JV Hey, JV. You know, this is your lucky day: not only are we going to show you how you can add a specified user to a group (assuming, of course, […]<\/p>\n","protected":false},"author":595,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[7,19,3,8,5],"class_list":["post-68123","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-active-directory","tag-activex-data-objects-ado","tag-scripting-guy","tag-searching-active-directory","tag-vbscript"],"acf":[],"blog_post_summary":"
Hey, Scripting Guy! How can I add a user to a group, but only if that user is a member of the IT department?— JV Hey, JV. You know, this is your lucky day: not only are we going to show you how you can add a specified user to a group (assuming, of course, […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/68123","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/595"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=68123"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/68123\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=68123"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=68123"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=68123"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}