tool to move users from one group to another?

"Richard Mueller [MVP]" <rlmueller-nospam DeleteThis @ameritech.nospam.net> wrote in
message news:ubI3SXtAJHA.1016@TK2MSFTNGP03.phx.gbl...
> In general a command line tool or VBScript program can do this, but there
> are complications if the group has more than 1500 members (1000 in Windows
> 2000 AD). Most scripting methods can only retrieve or document 1500
> members. I don't know about csvde or net group, but they may have the same
> limitation.
>
> In VBScript the solution is to use ADO range limits, where you essentially
> retrieve 1000 members at a time. I have an example that enumerates all
> members of a large group linked here:
>
> http://www.rlmueller.net/DocumentLargeGroup.htm
>
> However, this program also reveals membership due to group nesting, which
> you do not want here. The program could be revised to remove the recursive
> feature and have it only enumerate direct members of the group. It could
> then be easily modified to add each member to another specified group.
>
> If making one group a member of the other does not meet your needs, and
> you want a scripting solution, reply and I'll modify the example and post
> here.
>
> --
> Richard Mueller
> MVP Directory Services
> Hilltop Lab - http://www.rlmueller.net
> --
>
>

Richard, FWIW, I've used LDIFDE and CSVDE to pump in over 4000 accounts
without problems. However, the most I've tested with using a VB test script
is 1000 users without problems, but never higher, so I can't comment on
that.

Ace

--
Regards,
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
MVP Microsoft MVP - Directory Services
Microsoft Certified Trainer

For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Infinite Diversities in Infinite Combinations

On Aug 21, 2:29 am, <dramhol... DeleteThis @yahoo.com> wrote:
> Hi All,
>
> Does anyone know of a tool that will move thousands of users from one Active
> Directory group to another?

I have a program which can copy all members of one group to another.
Contact me direct if interested.

John

'Richard Mueller [MVP Wrote:
> ;3931859']Dram wrote:
>
> >
> > Does anyone know of a tool that will move thousands of users from
> one
> > Active Directory group to another?
>
> In general a command line tool or VBScript program can do this, but
> there
> are complications if the group has more than 1500 members (1000 in
> Windows
> 2000 AD). Most scripting methods can only retrieve or document 1500
> members.
> I don't know about csvde or net group, but they may have the same
> limitation.
>
> In VBScript the solution is to use ADO range limits, where you
> essentially
> retrieve 1000 members at a time. I have an example that enumerates all
> members of a large group linked here:
>
> http://www.rlmueller.net/DocumentLargeGroup.htm
>
> However, this program also reveals membership due to group nesting,
> which
> you do not want here. The program could be revised to remove the
> recursive
> feature and have it only enumerate direct members of the group. It
> could
> then be easily modified to add each member to another specified group.
>
> If making one group a member of the other does not meet your needs, and
> you
> want a scripting solution, reply and I'll modify the example and post
> here.
>
> --
> Richard Mueller
> MVP Directory Services
> Hilltop Lab - http://www.rlmueller.net
> --


Hi, I need this urgently. Please could you send me your modified code
to move members of group tho another one.


--
h.tavakkoli
------------------------------------------------------------------------
h.tavakkoli's Profile: http://forums.techarena.in/members/104621.htm
View this thread: http://forums.techarena.in/windows-2000-active-directory/1023906.htm

http://forums.techarena.in

"h.tavakkoli" <h.tavakkoli.3tjxbb RemoveThis @DoNotSpam.com> wrote in message
news:h.tavakkoli.3tjxbb@DoNotSpam.com...
>
> 'Richard Mueller [MVP Wrote:
>> ;3931859']Dram wrote:
>>
>> >
>> > Does anyone know of a tool that will move thousands of users from
>> one
>> > Active Directory group to another?
>>
>> In general a command line tool or VBScript program can do this, but
>> there
>> are complications if the group has more than 1500 members (1000 in
>> Windows
>> 2000 AD). Most scripting methods can only retrieve or document 1500
>> members.
>> I don't know about csvde or net group, but they may have the same
>> limitation.
>>
>> In VBScript the solution is to use ADO range limits, where you
>> essentially
>> retrieve 1000 members at a time. I have an example that enumerates all
>> members of a large group linked here:
>>
>> http://www.rlmueller.net/DocumentLargeGroup.htm
>>
>> However, this program also reveals membership due to group nesting,
>> which
>> you do not want here. The program could be revised to remove the
>> recursive
>> feature and have it only enumerate direct members of the group. It
>> could
>> then be easily modified to add each member to another specified group.
>>
>> If making one group a member of the other does not meet your needs, and
>> you
>> want a scripting solution, reply and I'll modify the example and post
>> here.
>>
>> --
>> Richard Mueller
>> MVP Directory Services
>> Hilltop Lab - http://www.rlmueller.net
>> --
>
>
> Hi, I need this urgently. Please could you send me your modified code
> to move members of group tho another one.
>
>
> --
> h.tavakkoli
> ------------------------------------------------------------------------
> h.tavakkoli's Profile: http://forums.techarena.in/members/104621.htm
> View this thread:
> http://forums.techarena.in/windows-2000-active-directory/1023906.htm
>
> http://forums.techarena.in
>

Example VBScript program to copy members from one large group to another:
===========
Option Explicit

Dim objRootDSE, strDNSDomain, adoCommand
Dim adoConnection, strBase, strAttributes
Dim strFilter, strQuery, adoRecordset
Dim strDN, intCount, blnLast, intLowRange
Dim intHighRange, intRangeStep, objField
Dim strSourceGroup, strTargetGroup, objTargetGroup

' Specify DN of "source" group, the group whose members are to
' be copied into another group.
strSourceGroup = "cn=Sales1,ou=West,dc=MyDomain,dc=com"

' Specify DN of "target" group, the group that will have
' members added.
strTargetGroup = "cn=Sales2,ou=East,dc=MyDomain,dc=com"

' Bind to the "target" group.
Set objTargetGroup = GetObject("LDAP://" & strTargetGroup)

' Determine DNS domain name.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")

' Use ADO to search Active Directory.
Set adoCommand = CreateObject("ADODB.Command")
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open = "Active Directory Provider"
adoCommand.ActiveConnection = adoConnection
adoCommand.Properties("Page Size") = 100
adoCommand.Properties("Timeout") = 30
adoCommand.Properties("Cache Results") = False

' Specify base of search.
strBase = "<LDAP://" & strDNSDomain & ">"
' Specify the attribute values to retrieve.
strAttributes = "member"
' Filter on objects of class "group" and specified DN of "source" group.
strFilter = "(&(ObjectCategory=group)" _
& "(distinguishedName=" & strSourceGroup & "))"

' Enumerate direct group members.
' Use range limits to handle more than 1000/1500 members.
' Setup to retrieve 1000 members at a time.
blnLast = False
intRangeStep = 999
intLowRange = 0
IntHighRange = intLowRange + intRangeStep

Do While True

If (blnLast = True) Then
' If last query, retrieve remaining members.
strQuery = strBase & ";" & strFilter & ";" _
& strAttributes & ";range=" & intLowRange _
& "-*;subtree"
Else
' If not last query, retrieve 1000 members.
strQuery = strBase & ";" & strFilter & ";" _
& strAttributes & ";range=" & intLowRange & "-" _
& intHighRange & ";subtree"
End If
adoCommand.CommandText = strQuery
Set adoRecordset = adoCommand.Execute
intCount = 0
Do Until adoRecordset.EOF
For Each objField In adoRecordset.Fields
If (VarType(objField) = (vbArray + vbVariant)) _
Then
For Each strDN In objField.Value
' Escape any forward slash characters, "/", with the
backslash
' escape character. All other characters that should be
escaped are.
strDN = Replace(strDN, "/", "\/")
' Check if already a member of "target" group.
If (objTargetGroup.IsMember("LDAP://" & strDN) = False)
Then
' Add to "target" group.
objTargetGroup.Add("LDAP://" & strDN)
End If
intCount = intCount + 1
Next
End If
Next
adoRecordset.MoveNext
Loop
adoRecordset.Close
' If this is the last query, exit the Do While loop.
If (blnLast = True) Then
Exit Do
End If
' If the previous query returned no members, then the previous
' query for the next 1000 members failed. Perform one more
' query to retrieve remaining members (less than 1000).
If (intCount = 0) Then
blnLast = True
Else
' Setup to retrieve next 1000 members.
intLowRange = intHighRange + 1
intHighRange = intLowRange + intRangeStep
End If
Loop

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--

Thank you so much, it's worked and very useful.
But there is a little error. when i ran this VBScript code, I got this
message:

Error: the Server is unwilling to process the request.
Code: 80072035
Source: (null)

The copy of users have done partially and some users did not copied and
I have to correct it manually.


--
h.tavakkoli
------------------------------------------------------------------------
h.tavakkoli's Profile: http://forums.techarena.in/members/104621.htm
View this thread: http://forums.techarena.in/windows-2000-active-directory/1023906.htm

http://forums.techarena.in

"h.tavakkoli" <h.tavakkoli.3tvnjc.DeleteThis@DoNotSpam.com> wrote in message
news:h.tavakkoli.3tvnjc@DoNotSpam.com...
>
> Thank you so much, it's worked and very useful.
> But there is a little error. when i ran this VBScript code, I got this
> message:
>
> Error: the Server is unwilling to process the request.
> Code: 80072035
> Source: (null)
>
> The copy of users have done partially and some users did not copied and
> I have to correct it manually.
>
>
> --
> h.tavakkoli
> ------------------------------------------------------------------------
> h.tavakkoli's Profile: http://forums.techarena.in/members/104621.htm
> View this thread:
> http://forums.techarena.in/windows-2000-active-directory/1023906.htm
>
> http://forums.techarena.in
>

You don't say which line raised the error, but most likely it was the
following:

objTargetGroup.Add("LDAP://" & strDN)

The program checks if the user (or other object) represented by strDN is
already a member before attempting to add the user to the group. However, it
is possible (but not likely) the user has the group designated as their
"primary" group. The IsMember method would not reveal that the user is a
member, and the Add method would raise an error. However, I think the error
message in that case is different, something like "the object already
exists".

If the groups (source and target) are of different types, or are in
different domains, perhaps a member of the source is not permitted to be a
member of the target. For example, if the source is a domain local group and
the target is a global group, one of the members of the source could be
another domain local group, which cannot be added to the target.

Also, you could have reached the limit on the number of members allowed in a
group. I think the limit is 5000 members.

Perhaps it is possible, as the error message seems to suggest, the DC
processing the membership changes got overloaded and rejected an Add
request. Since the script is designed to do nothing if a user is already a
member of the group, it should not hurt to run the script again (assuming
everyone in your domain has the group "Domains Users" designated as their
"primary" group, so that no one's "primary" group is either the source or
the target group). I like to use error trapping only where necessary, but in
this case it could help. If you still need to complete the process, I would
suggest running the script again, but with the following modification. In
place of:

objTargetGroup.Add("LDAP://" & strDN)

use the following:

On Error Resume Next
objTargetGroup.Add("LDAP://" & strDN)
If (Err.Number <> 0) Then
Wscript.Echo "Error attempting to add " & strDN
Wscript.Echo "Error Number: " & Err.Number
Wscript.Echo "Description: " & Err.Description
Wscript.Echo "Source: " & Err.Source
End If
On Error GoTo 0

Either the script will raise an error at the same point, and you can see if
there is anything strange about the object represented by strDN, or the
script will get further, perhaps adding another few hundred users before
overloading the DC.

Finally, I think I have seen cases where the Add method fails when you pass
a value that is believed to be the correct ADsPath of the object, but the
group and member were in different domains. In any case, the safest method
is to bind to the prospective member object and use the ADsPath property of
the object. In other words, there is a slight chance that instead of this:

objTargetGroup.Add("LDAP://" & strDN)

this would work more reliably:

Set objMember = GetObject("LDAP://" & strDN)
objTargetGroup.Add(objMember.ADsPath)

I didn't code that because it would slow the script down considerably
(binding to thousands of objects in AD). And the more I think about it, I
doubt it would help. I would just run the script again with the error
trapping statements.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--