{"id":69053,"date":"2005-08-31T13:03:00","date_gmt":"2005-08-31T13:03:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2005\/08\/31\/how-can-i-change-a-users-primary-group\/"},"modified":"2005-08-31T13:03:00","modified_gmt":"2005-08-31T13:03:00","slug":"how-can-i-change-a-users-primary-group","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/how-can-i-change-a-users-primary-group\/","title":{"rendered":"How Can I Change a User\u2019s Primary Group?"},"content":{"rendered":"

\"Hey, \n

Hey, Scripting Guy! How can I change a user\u2019s primary group?

— AS<\/P>\"Spacer\"\"Hey,\"Script<\/A> \n

Hey, AS. You know, one of the Scripting Guys knows how to make an incredibly rich rocky road brownie, a brownie that\u2019s topped with melted marshmallows and walnuts and chunks of dark chocolate and all sorts of other good stuff. Now, some people might ask whether or not, in the interests of promoting a healthy lifestyle, this Scripting Guy should<\/I> make such a decadent dessert. But you know what? The Scripting Guys are doers, not thinkers: we\u2019ll continue making brownies, and we\u2019ll let others debate whether or not that\u2019s really what we should be doing.<\/P>\n

Hold on a second: we need to cut ourselves another brownie. Just a small one this time \u2026.<\/P>\n

The same thing is true of changing a user\u2019s primary group: we know how<\/I> to do it, but we don\u2019t know whether or not you should<\/I> do it. According to what little we know about Active Directory, the primary group is used only if you have to deal with Macintosh clients or POSIX-compliant applications; otherwise, you can just leave the primary group alone. (By default, the primary group for each user is Domain Users.) That means, for most people, you can probably file today\u2019s column under Things I Don\u2019t Need to Worry About, At Least Not Today<\/I>. Most of you will be able to lead long and happy lives without ever changing a user\u2019s primary group. (Yes, hard to believe. But true.)<\/P>\n

But suppose you do<\/I> need to change a user\u2019s primary group. In that case, here\u2019s a script that will take care of everything for you:<\/P>

Set objUser = GetObject _\n    (“LDAP:\/\/cn=Ken Myer,ou=Finance,dc=fabrikam,dc=com”)<\/p>\n
Set objGroup = GetObject _\n    (“LDAP:\/\/cn=Finance Managers,ou=Finance,dc=fabrikam,dc=com”)<\/p>\n
objGroup.GetInfoEx Array(“primaryGroupToken”), 0<\/p>\n
objUser.primaryGroupID = objGroup.primaryGroupToken\nobjUser.SetInfo\n<\/PRE>\n
The script begins by binding to the user account you want to modify; in this sample script, we bind to the Ken Myer account in the Finance OU of fabrikam.com. We then create a second object reference, this one to the group that will become the user\u2019s new primary group (Finance Managers). Note that this script assumes that the user is already a member of the group Finance Managers. If that\u2019s not<\/I> the case then you will need to add the user to the group before Finance Managers can be reassigned as the primary group.<\/P>\n
Next we use the GetInfoEx<\/B> method to explicitly retrieve the value of the primaryGroupToken<\/B> attribute for Finance Managers. The primaryGroupToken is a computed attribute used when retrieving the membership list for certain groups. Because this is a computed attribute – that is, the value is generated on-the-fly rather than being stored as-is – we use GetInfoEx to force this computation and return the value. The GetInfoEx code looks like this:<\/P>
objGroup.GetInfoEx Array(“primaryGroupToken”), 0\n<\/PRE>\n
While we\u2019re on the subject, we should point out a few quirks regarding GetInfoEx. First, GetInfoEx always retrieves data as though it was stored as an array; hence the need to specify an array consisting of a single item (primaryGroupToken). The 0 tacked on the end of the call is meaningless but required: if you leave it off or if you substitute a different value, the script will fail. <\/P>\n
To be honest, we don\u2019t know why; that\u2019s just the way it works.<\/P>\n
The rest is easy. We set the value of the primaryGroupID<\/B> to the primaryGroupTaken value we just retrieved, and then call the SetInfo<\/B> method to write those changes to the user account in Active Directory:<\/P>
objUser.primaryGroupID = objGroup.primaryGroupToken\nobjUser.SetInfo\n<\/PRE>\n
That should do the trick. As we noted, by default all users are assigned Domain Users as their primary group. If you ever want to switch Ken Myer back to this default then simply run this script, which changes the primary group back to Domain Users:<\/P>
Set objUser = GetObject _\n    (“LDAP:\/\/cn=Ken Myer,ou=Finance,dc=fabrikam,dc=com”)<\/p>\n
Set objGroup = GetObject _\n    (“LDAP:\/\/cn=Domain Users,cn=Users,dc=fabrikam,dc=com”)<\/p>\n
objGroup.GetInfoEx Array(“primaryGroupToken”), 0<\/p>\n
objUser.primaryGroupID = objGroup.primaryGroupToken\nobjUser.SetInfo\n<\/PRE>\n
That\u2019s all you need to do. As for us, we\u2019re going to cut ourselves another brownie. Just a small one this time \u2026.<\/P><\/p>\n","protected":false},"excerpt":{"rendered":"
Hey, Scripting Guy! How can I change a user\u2019s primary group?— AS Hey, AS. You know, one of the Scripting Guys knows how to make an incredibly rich rocky road brownie, a brownie that\u2019s topped with melted marshmallows and walnuts and chunks of dark chocolate and all sorts of other good stuff. Now, some people […]<\/p>\n","protected":false},"author":595,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[7,3,20,5],"class_list":["post-69053","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-active-directory","tag-scripting-guy","tag-user-accounts","tag-vbscript"],"acf":[],"blog_post_summary":"
Hey, Scripting Guy! How can I change a user\u2019s primary group?— AS Hey, AS. You know, one of the Scripting Guys knows how to make an incredibly rich rocky road brownie, a brownie that\u2019s topped with melted marshmallows and walnuts and chunks of dark chocolate and all sorts of other good stuff. Now, some people […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/69053","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/595"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=69053"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/69053\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=69053"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=69053"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=69053"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}