{"id":70263,"date":"2005-03-10T13:12:00","date_gmt":"2005-03-10T13:12:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2005\/03\/10\/how-can-i-temporarily-add-a-group-to-another-active-directory-group\/"},"modified":"2005-03-10T13:12:00","modified_gmt":"2005-03-10T13:12:00","slug":"how-can-i-temporarily-add-a-group-to-another-active-directory-group","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/how-can-i-temporarily-add-a-group-to-another-active-directory-group\/","title":{"rendered":"How Can I Temporarily Add a Group to Another Active Directory Group?"},"content":{"rendered":"

\"Hey, \n

Hey, Scripting Guy! I\u2019d like to add an Active Directory group to a second group, but only for an hour; after an hour, I\u2019d like remove that group from the second group. Can I do that with a script?

— JW<\/P>\"Spacer\"\"Hey,\"Script<\/A> \n

Hey, JW. Well, this is definitely one of the more interesting questions we\u2019ve received. As far as we know, there\u2019s no way to put a time limit on group membership; in other words, there\u2019s no Active Directory property that says, \u201cYes, you can be a member of this group, but only for so long.\u201d Consequently, we had to look for a workaround.<\/P>\n

This is what we came up with. The following script will add a group (Accountants) to a second group (Finance Managers). The script will pause for one hour and then remove the Accountants group from the Finance Managers group. Here\u2019s what the code looks like:<\/P>

Set objGroup = GetObject(\u201cLDAP:\/\/cn=Finance Managers, ou=Finance, dc=fabrikam, dc=com\u201d)\nSet objTempGroup =  GetObject(\u201cLDAP:\/\/cn=Accountants, ou=Finance, dc=fabrikam, dc=com\u201d)<\/p>\n
objGroup.Add(objTempGroup.ADsPath)<\/p>\n
Wscript.Sleep 3600000<\/p>\n
objGroup.Remove(objTempGroup.ADsPath)\n<\/PRE>\n
And here\u2019s how the thing works. We begin by binding to the Finance Managers group in Active Directory and assigning that group to an object reference named objGroup. We then create a second object reference (objTempGroup) and bind to the Accountants group. After we\u2019ve made these two connections we can then add the Accountants group to the Finance Managers group using this line of code:<\/P>
objGroup.Add(objTempGroup.ADsPath)\n<\/PRE>\n
Got all that? We just call the Add<\/B> method and pass that method the ADsPath of the member being added (in this case, the Accountants group).<\/P>\n
At this point the Accountants group is now a member of the Finance Managers group. Now all we have to do is wait an hour and then remove the group.<\/P>\n
That, of course, is the tricky part. What we decided to do was simply pause the script for an hour; we can do that using this line of code, which calls the Wscript.Sleep method and instructs the script to wait 3,600,000 milliseconds before resuming:<\/P>
Wscript.Sleep 3600000\n<\/PRE>\n
If you\u2019re wondering, \u201cWhy 3,600,000 milliseconds?\u201d well, Wscript.Sleep accepts values in millisecond increments. One second equals 1,000 milliseconds. One minute thus equals 60,000 milliseconds (60 x 1,000), and one hour equals 3,600,000 milliseconds (60 x 60,000).<\/P>\n
After the hour has passed, the script resumes with the next line of code, a line which removes the Accountants group from the Finance Managers group:<\/P>
objGroup.Remove(objTempGroup.ADsPath)\n<\/PRE>\n
This script works just fine; the only problem is that the script has to run – without interruption – for an hour. Should the script end prematurely (because someone terminates the process, or someone closes the command window the script is running in, or someone reboots the computer, or \u2026) the Accountants group will never be removed from the Finance Managers group. Because of that, a better approach might be to use two scripts – one that adds the group and another that removes the group – and run them both as scheduled tasks. That way you have more assurance that everything will go off as planned.<\/P>\n
In case you\u2019re wondering, a script that\u2019s paused like this uses no CPU time; it just sits there patiently and waits for the alarm to ring and tell it to get back to work. And you don\u2019t have to worry about the script \u201cforgetting\u201d to wake up. Just for the heck of it, we ran a script that included a 15-hour pause. Fifteen hours later the script resumed as expected. In other words, this approach works just fine, provided, of course, that there\u2019s no interference from outside factors (such as the computer rebooting).<\/P><\/p>\n","protected":false},"excerpt":{"rendered":"
Hey, Scripting Guy! I\u2019d like to add an Active Directory group to a second group, but only for an hour; after an hour, I\u2019d like remove that group from the second group. Can I do that with a script?— JW Hey, JW. Well, this is definitely one of the more interesting questions we\u2019ve received. As […]<\/p>\n","protected":false},"author":595,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[7,9,44,3,4,5],"class_list":["post-70263","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-active-directory","tag-adsi","tag-groups","tag-scripting-guy","tag-scripting-techniques","tag-vbscript"],"acf":[],"blog_post_summary":"
Hey, Scripting Guy! I\u2019d like to add an Active Directory group to a second group, but only for an hour; after an hour, I\u2019d like remove that group from the second group. Can I do that with a script?— JW Hey, JW. Well, this is definitely one of the more interesting questions we\u2019ve received. As […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/70263","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/595"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=70263"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/70263\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=70263"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=70263"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=70263"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}