Posted in
Hosting & IIS7,
Windows Powershell,
Windows Server |
1 Comment | 9,746 views | 02/03/2010 12:19
As you know, changing Primary Group of Active Directory users is a difficult job for system administrators.
You need to set a new one, then assign that as a primary, after all you can remove old group.
But that’s easy if you know Powershell.
1
2
3
4
5
6
7
8
9
10
11
12
| $User = [ADSI] "LDAP://CN=$Username,$CustomerOU,$FQDN"
$DomainNC = ([ADSI]"LDAP://RootDSE").DefaultNamingContext
$DomainUsers = [ADSI]"LDAP://CN=Domain Users,CN=Users,$DomainNC"
$DomainUsers.GetInfoEx(@("primaryGroupToken"), 0)
$OldGroupToken = $DomainUsers.Get("primaryGroupToken")
$DomainGuests = [ADSI]"LDAP://CN=IIS_USERS,CN=Users,$DomainNC"
$DomainGuests.GetInfoEx(@("primaryGroupToken"), 0)
$NewGroupToken = $DomainGuests.Get("primaryGroupToken")
$DomainGuests.Add([String]($User.AdsPath))
$User.Put("primaryGroupId", $NewGroupToken)
$User.SetInfo()
$DomainUsers.Remove([String]($User.AdsPath)) |
$User = [ADSI] "LDAP://CN=$Username,$CustomerOU,$FQDN"
$DomainNC = ([ADSI]"LDAP://RootDSE").DefaultNamingContext
$DomainUsers = [ADSI]"LDAP://CN=Domain Users,CN=Users,$DomainNC"
$DomainUsers.GetInfoEx(@("primaryGroupToken"), 0)
$OldGroupToken = $DomainUsers.Get("primaryGroupToken")
$DomainGuests = [ADSI]"LDAP://CN=IIS_USERS,CN=Users,$DomainNC"
$DomainGuests.GetInfoEx(@("primaryGroupToken"), 0)
$NewGroupToken = $DomainGuests.Get("primaryGroupToken")
$DomainGuests.Add([String]($User.AdsPath))
$User.Put("primaryGroupId", $NewGroupToken)
$User.SetInfo()
$DomainUsers.Remove([String]($User.AdsPath))
This script simply set IIS_USERS as a primary group of Active Directory users.