{"id":69943,"date":"2005-04-26T16:20:00","date_gmt":"2005-04-26T16:20:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2005\/04\/26\/how-can-i-add-all-the-users-from-an-existing-active-directory-group-to-a-new-group\/"},"modified":"2005-04-26T16:20:00","modified_gmt":"2005-04-26T16:20:00","slug":"how-can-i-add-all-the-users-from-an-existing-active-directory-group-to-a-new-group","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/how-can-i-add-all-the-users-from-an-existing-active-directory-group-to-a-new-group\/","title":{"rendered":"How Can I Add All the Users from an Existing Active Directory Group to a New Group?"},"content":{"rendered":"<p><IMG class=\"nearGraphic\" title=\"Hey, Scripting Guy! Question\" border=\"0\" alt=\"Hey, Scripting Guy! Question\" align=\"left\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/q-for-powertip.jpg\" width=\"34\" height=\"34\"> \n<P>Hey, Scripting Guy! How can I add all the users from an existing Active Directory group to a new group?<BR><BR>&#8212; TG<\/P><IMG class=\"nearGraphic\" title=\"Hey, Scripting Guy! Answer\" border=\"0\" alt=\"Hey, Scripting Guy! Answer\" align=\"left\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/a-for-powertip.jpg\" width=\"34\" height=\"34\"> \n<P>Hey, TG. So you have a group (we\u2019ll call it Group A) and you want to create an exact replica of that group (we\u2019ll call it Group B). 
If we were talking about Text File A and Text File B this would be an easy task: all you\u2019d have to do is make a copy of File A and name that copy File B. Unfortunately, that won\u2019t work with an Active Directory group. Although there <I>is<\/I> such a thing as a CopyHere method in ADSI, that method isn\u2019t supported by Active Directory; if you try using CopyHere, you\u2019ll just get back a \u201cNot implemented\u201d error message. Bummer.<\/P>\n<P>So if we can\u2019t just make a copy of Group A what <I>can<\/I> we do? Let\u2019s think about our text files for a moment. Suppose for some reason we couldn\u2019t use the file system to make a copy of File A; how else could we replicate that file? Well, one thing we could do would be to open that file, read in the contents, and then write those contents to our new file, File B. And that\u2019s pretty much the same approach we\u2019re going to use to add all the users from an existing Active Directory group to a new Active Directory group.<\/P>\n<P>Let\u2019s show you the script and then explain how it works. This script grabs a list of all the members of the Finance Managers group and then adds them to a brand-new group named Finance Department:<\/P><PRE class=\"codeSample\">Const ADS_GROUP_TYPE_GLOBAL_GROUP = &amp;H2\nConst ADS_GROUP_TYPE_SECURITY_ENABLED = &amp;H80000000\n\n' Bind to the target OU and to the group whose membership is being copied\nSet objOU = GetObject(&quot;LDAP:\/\/OU=Finance, dc=fabrikam, dc=com&quot;)\nSet objOldGroup = GetObject(&quot;LDAP:\/\/CN=Finance Managers, ou=Finance, dc=fabrikam, dc=com&quot;)\n\n' Create the new group as a global security group\nSet objNewGroup = objOU.Create(&quot;Group&quot;, &quot;CN=Finance Department&quot;)\nobjNewGroup.sAMAccountName = &quot;financedept&quot;\nobjNewGroup.groupType = ADS_GROUP_TYPE_GLOBAL_GROUP Or ADS_GROUP_TYPE_SECURITY_ENABLED\nobjNewGroup.SetInfo\n\n' Add each member of the old group, by ADsPath, to the new group\nFor Each objUser in objOldGroup.Member\n    objNewGroup.Add &quot;LDAP:\/\/&quot; &amp; objUser\nNext\n<\/PRE>\n<P>So how does this work? 
Well, we start by defining two constants: ADS_GROUP_TYPE_GLOBAL_GROUP, with the value &amp;H2, and ADS_GROUP_TYPE_SECURITY_ENABLED, with the value &amp;H80000000; we\u2019ll combine these later on to make our new group a global security group (on its own, &amp;H2 would create a global distribution group).<\/P>\n<P>Next we create object references to two different objects. Object reference <B>objOU<\/B> binds to the Finance OU in Active Directory; this is the OU that will house our new security group. Meanwhile, <B>objOldGroup<\/B> binds to the Finance Managers group in Active Directory; as we already noted, this group has the list of users we want to add to the new group.<\/P>\n<P>We then take a brief detour to create a new group named Finance Department; that\u2019s what this block of code does:<\/P><PRE class=\"codeSample\">Set objNewGroup = objOU.Create(&quot;Group&quot;, &quot;CN=Finance Department&quot;)\nobjNewGroup.sAMAccountName = &quot;financedept&quot;\nobjNewGroup.groupType = ADS_GROUP_TYPE_GLOBAL_GROUP Or ADS_GROUP_TYPE_SECURITY_ENABLED\nobjNewGroup.SetInfo\n<\/PRE>\n<P>We won\u2019t go into the details of what we\u2019re doing here and why; for more information, see <A href=\"http:\/\/null\/technet\/scriptcenter\/guide\/sas_ads_fhnx.mspx\" target=\"_blank\"><B>this section<\/B><\/A> of the Microsoft Windows 2000 Scripting Guide.<\/P>\n<P>We now have an existing group &#8211; Finance Managers &#8211; that has lots of members, and a new group &#8211; Finance Department &#8211; that doesn\u2019t have any members. But we can change that: all we have to do is grab the membership from Finance Managers and copy it to Finance Department. Believe it or not, that only takes three lines of code:<\/P><PRE class=\"codeSample\">For Each objUser in objOldGroup.Member\n    objNewGroup.Add &quot;LDAP:\/\/&quot; &amp; objUser\nNext\n<\/PRE>\n<P>As it turns out, the <B>Member<\/B> attribute of a group contains a collection of all the members of that group. We can use a simple For Each loop to loop through the value of the Member attribute and return the distinguishedName (DN) attribute for each group member. 
<\/P>\n<P><B>Note<\/B>. The distinguishedName attribute will look similar to this:<\/P><PRE class=\"codeSample\">CN=Ken Myer, ou=Finance, dc=fabrikam, dc=com\n<\/PRE>\n<P>Fortuitously enough, the only information we need in order to add a user to a group is the ADsPath for that user. The ADsPath is a combination of the ADSI provider (in this case, <B>LDAP:\/\/<\/B>) plus the user\u2019s DN. We now have both these pieces: the ADSI provider (which has to be <B>LDAP:\/\/<\/B> seeing as how we\u2019re working with Active Directory) and the user DN. In this line of code, we add the user to the new group, passing as the sole parameter to the <B>Add<\/B> method a combination of the ADSI provider and the user DN:<\/P><PRE class=\"codeSample\">objNewGroup.Add &quot;LDAP:\/\/&quot; &amp; objUser\n<\/PRE>\n<P>We then continue on our merry way, looping through all the members of the Finance Managers group, grabbing the value of their distinguishedName attribute, and using that value to add the user (or computer or group or whatever) to the Finance Department group. The net result: despite the fact that we have no Copy command we\u2019ve managed to duplicate the membership list from one group to another. Can human cloning via VBScript be far behind? (Let\u2019s put it this way: originally there was only <I>one<\/I> Scripting Guy\u2026.)<\/P><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hey, Scripting Guy! How can I add all the users from an existing Active Directory group to a new group?&#8212; TG Hey, TG. So you have a group (we\u2019ll call it Group A) and you want to create an exact replica of that group (we\u2019ll call it Group B). 
If we were talking about Text [&hellip;]<\/p>\n","protected":false},"author":595,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[7,44,3,20,5],"class_list":["post-69943","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-active-directory","tag-groups","tag-scripting-guy","tag-user-accounts","tag-vbscript"],"acf":[],"blog_post_summary":"<p>Hey, Scripting Guy! How can I add all the users from an existing Active Directory group to a new group?&#8212; TG Hey, TG. So you have a group (we\u2019ll call it Group A) and you want to create an exact replica of that group (we\u2019ll call it Group B). If we were talking about Text [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/69943","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/595"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=69943"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/69943\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=69943"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=69943"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/sc
ripting\/wp-json\/wp\/v2\/tags?post=69943"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}