{"id":68743,"date":"2005-10-14T21:41:00","date_gmt":"2005-10-14T21:41:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2005\/10\/14\/how-can-i-add-a-user-to-a-group-if-that-user-belongs-to-two-other-groups\/"},"modified":"2005-10-14T21:41:00","modified_gmt":"2005-10-14T21:41:00","slug":"how-can-i-add-a-user-to-a-group-if-that-user-belongs-to-two-other-groups","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/how-can-i-add-a-user-to-a-group-if-that-user-belongs-to-two-other-groups\/","title":{"rendered":"How Can I Add a User to a Group if That User Belongs to Two Other Groups?"},"content":{"rendered":"<p><IMG class=\"nearGraphic\" title=\"Hey, Scripting Guy! Question\" border=\"0\" alt=\"Hey, Scripting Guy! Question\" align=\"left\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/q-for-powertip.jpg\" width=\"34\" height=\"34\"> \n<P>Hey, Scripting Guy! How can I check to see if a user is in both group A and group B and, if so, add that user to Group C?<BR><BR>&#8212; DH<\/P><IMG class=\"nearGraphic\" title=\"Hey, Scripting Guy! Answer\" border=\"0\" alt=\"Hey, Scripting Guy! Answer\" align=\"left\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/a-for-powertip.jpg\" width=\"34\" height=\"34\"> \n<P>Hey, DH. Good heavens, how are we supposed to know <I>that<\/I>?!? Sheesh.<\/P>\n<P>Sorry; we just always wanted to say that. 
Now that we have that out of our system, here\u2019s a sample script that checks to see if Ken Myer belongs to both the Finance Users and the Fabrikam Managers groups in Active Directory. If he <I>does<\/I> belong to both groups, then the script adds him to a third group, Finance Managers (if A and B, then C):<\/P><PRE class=\"codeSample\">On Error Resume Next\n\n' Bind to the user account in Active Directory\nSet objUser = GetObject(&quot;LDAP:\/\/cn=Ken Myer,ou=Finance,dc=fabrikam,dc=com&quot;)\n\n' Counts how many of the two target groups the user belongs to\ni = 0\n\n' memberOf returns the distinguished name of each group\nFor Each strGroup in objUser.memberOf\n    Set objGroup = GetObject(&quot;LDAP:\/\/&quot; &amp; strGroup)\n    If objGroup.CN = &quot;Finance Users&quot; Then\n        i = i + 1\n    End If\n    If objGroup.CN = &quot;Fabrikam Managers&quot; Then\n        i = i + 1\n    End If\nNext\n\n' Member of both target groups: add the user to Finance Managers\nIf i = 2 Then\n    Set objGroup = GetObject(&quot;LDAP:\/\/cn=Finance Managers,ou=Finance,dc=fabrikam,dc=com&quot;)\n    objGroup.Add(objUser.ADsPath)\nEnd If\n<\/PRE>\n<P>The script begins by creating an object reference to the Ken Myer user account in Active Directory. We then assign the value 0 to a counter variable named <I>i<\/I>; we\u2019ll use this variable to keep track of how many of our two target groups Ken belongs to.<\/P>\n<P>As it turns out, group membership in Active Directory is stored in a multi-valued attribute named <B>memberOf<\/B>. With that in mind, we use this line of code to walk through the collection of groups that Ken Myer is a member of:<\/P><PRE class=\"codeSample\">For Each strGroup in objUser.memberOf\n<\/PRE>\n<P>As it <I>further<\/I> turns out, the memberOf attribute returns the distinguished name of each group Ken Myer belongs to. That\u2019s nice, but the distinguished name looks something like this:<\/P><PRE class=\"codeSample\">cn=Finance Users,ou=Finance,dc=fabrikam,dc=com\n<\/PRE>\n<P>Needless to say, we\u2019re used to dealing with groups by name (e.g., Finance Users); most likely we have no idea where the group account is stored in Active Directory. 
Therefore, we don\u2019t even bother checking the distinguished name; instead, we use that value to connect to the group account itself. That\u2019s what we do here:<\/P><PRE class=\"codeSample\">Set objGroup = GetObject(&quot;LDAP:\/\/&quot; &amp; strGroup)\n<\/PRE>\n<P>Once we connect to the group account we can then use code like this to check the name (CN) of the group, something a bit easier and a bit more intuitive:<\/P><PRE class=\"codeSample\">If objGroup.CN = &quot;Finance Users&quot; Then\n<\/PRE>\n<P>As we loop through the groups, we\u2019re checking to see if any of those groups have a CN equal to <I>Finance Users<\/I> (one of our two target groups). What if one of those groups <I>does<\/I> have a CN equal to <I>Finance Users<\/I>? Well, in that case we increment the value of <I>i<\/I> by 1:<\/P><PRE class=\"codeSample\">i = i + 1\n<\/PRE>\n<P>Pretty fancy coding, huh?<\/P>\n<P>Meanwhile, we have a similar block of code that checks to see if the group has a CN equal to <I>Fabrikam Managers<\/I>. If it does, then we again increment the value of our counter variable by 1:<\/P><PRE class=\"codeSample\">If objGroup.CN = &quot;Fabrikam Managers&quot; Then\n    i = i + 1\nEnd If\n<\/PRE>\n<P>We then loop around and check the next group in the collection.<\/P>\n<P>Why do we increment the value of our counter variable? Well, if Ken doesn\u2019t belong to either of our target groups then i will never be changed and will thus equal 0. If Ken belongs to one group, but not the other, then i will be changed one time, and thus be equal to 1. So what does it mean if i is equal to 2? You got it: Ken must be a member of both Finance Users and Fabrikam Managers (because the value of i was incremented twice). 
Consequently, we want to add Ken to our third group, Finance Managers:<\/P><PRE class=\"codeSample\">If i = 2 Then\n    Set objGroup = GetObject(&quot;LDAP:\/\/cn=Finance Managers,ou=Finance,dc=fabrikam,dc=com&quot;)\n    objGroup.Add(objUser.ADsPath)\nEnd If\n<\/PRE>\n<P>Nothing too fancy here: we create an object reference to the Finance Managers group, then use the <B>Add<\/B> method to add Ken Myer. Note that when calling the Add method we pass the value <B>objUser.ADsPath<\/B>: that\u2019s the ADsPath to the Ken Myer user account in Active Directory.<\/P>\n<P>Two quick notes regarding this script. First, it\u2019s possible that you could have multiple groups with the same CN; if that\u2019s the case, then examining the value of the CN attribute won\u2019t do you much good. Instead, you\u2019ll need to look at the <B>sAMAccountName<\/B> attribute, which must be unique within the domain. (Of course, the sAMAccountName is going to be something along the lines of <I>fabmgrs<\/I>, another value you typically don\u2019t know off the top of your head.)<\/P>\n<P>Second, this script doesn\u2019t deal with nested groups: if Ken is a member of a group which is a member of a group which is a member of Fabrikam Managers, well, then Ken is also a member of Fabrikam Managers. However, this script doesn\u2019t deal with situations like that. Why? Because nested groups can get a bit messy, and they require a level of explanation that lies outside the scope of this column. However, you can find a sample script (and an accompanying explanation) for dealing with nested groups in this <A href=\"http:\/\/go.microsoft.com\/fwlink\/?LinkId=24419\" target=\"_blank\"><B>Scripting Guys Webcast<\/B><\/A>.<\/P><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hey, Scripting Guy! How can I check to see if a user is in both group A and group B and, if so, add that user to Group C?&#8212; DH Hey, DH. Good heavens, how are we supposed to know that?!? Sheesh. 
Sorry; we just always wanted to say that. Now that we have that [&hellip;]<\/p>\n","protected":false},"author":595,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[7,9,44,3,20,198,5],"class_list":["post-68743","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-active-directory","tag-adsi","tag-groups","tag-scripting-guy","tag-user-accounts","tag-users","tag-vbscript"],"acf":[],"blog_post_summary":"<p>Hey, Scripting Guy! How can I check to see if a user is in both group A and group B and, if so, add that user to Group C?&#8212; DH Hey, DH. Good heavens, how are we supposed to know that?!? Sheesh. Sorry; we just always wanted to say that. Now that we have that [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/68743","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/595"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=68743"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/68743\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=68743"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=68743"},{"taxonomy":"post_tag","embeddable":true,"hre
f":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=68743"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}