Bonus question: Do you know what you call somebody who gets a dev to do
this kind of coding work?  :)

A: Boss.

Of course, the same could be said about the person that told you to set up
the groups like that. But it could be helpful to keep some perspective I
suspect.

On 1/23/07, WATSON, BEN <[EMAIL PROTECTED]> wrote:

Yeah, I agree.  I see the logic in how to get to the solution, but I just
don't have the programmatic tool knowledge yet.  I may not have the time to
hold off this project until I can figure it out myself programmatically, but
I am going to set aside my evenings at home until I learn how to do this
sort of thing myself.

Hmm, I'm almost a little scared to ask what the answer is to the bonus
question.  Does it make a difference that he is our sole software dev
employed by our IT department to do IT related work?  :)  In any case,
let's hear the answer.

~Ben

*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
*On Behalf Of *Al Mulnick
*Sent:* Tuesday, January 23, 2007 10:21 AM
*To:* ActiveDir@mail.activedir.org
*Subject:* Re: [ActiveDir] Adfind + Admod help



I believe you know how, but may not have the programmatic tool knowledge
yet.  I think this is a great oppty to learn though, if you can make the
time.

Since the HR department did this manually, it almost screams that you
could manually do this in the same fashion. That's a lot of work most likely.

Using csv or ldif is still fairly within the realm of non-code solutions.
ADMOD would also be in that realm, but as was mentioned elsewhere in the
thread, it's not a question of the code, but the logic. Which you know
already.


Bonus question: Do you know what you call somebody who gets a dev to do
this kind of coding work?  :)

-ajm

 On 1/23/07, *WATSON, BEN* <[EMAIL PROTECTED]> wrote:

We have a software developer in our group who has developed a Corporate
Directory application that acts as our internal employee directory on our
intranet.  It also includes an administrative side which  gives certain
individuals (mostly HR) the ability to create and disable user accounts when
people are hired or let go.  The need for Active Directory to house
information such as department, section, as well as other information unique
to our company was mostly done to accommodate this application.



It was this administrative portion of our Corporate Directory application
that allowed Human Resources to literally go in and do some data entry and
make the proper entries for each employee as to their correct department and
section.  So that answers the question of how the data got in there in the
first place.



As for how I'll go about this, it looks like I'll unfortunately have to go
back and bug our software dev for help on this.  I hate doing it, because
when it comes to things like this I feel like I should be able to do it but
unfortunately I just don't know how to yet apparently.



~Ben

*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
*On Behalf Of *Al Mulnick
*Sent:* Tuesday, January 23, 2007 9:05 AM
*To:* ActiveDir@mail.activedir.org
*Subject:* Re: [ActiveDir] Adfind + Admod help



What are you comfortable with for administration?
How'd the attributes get populated in the first place?

joe's tool wouldn't be the tool of choice for this problem. To clarify
that, I mean to say that it wouldn't be the only tool because there's logic
that has to occur that is specific to your situation.

The manual method (non-automated) would be to export the information into
spreadsheets and use ldif or csv (comfort level again) to create and
populate the group structures as needed.

Al

On 1/23/07, *WATSON, BEN* <[EMAIL PROTECTED]> wrote:

Thank you for the response Al.



To answer your ultimate question, which was "Does that help, or ??", then
I would have to lean more towards ?? in my case.  Not to say you didn't give
some excellent options, but unfortunately it all boils down to me simply not
being any sort of a programmer and so I currently wouldn't know how to do
any of the options you suggest.  (I'm studying the ways of VBScripting right
now).  To answer an earlier question, "Do you already have the department
names in a list? Or is that something that you have to gather first?", the
department and section information is already contained within Active
Directory through Schema Extensions.  The actual names of the
departments/sections are not important at this level, all I need to be
concerned with is the department and section numbers.



As an example…



dn:CN=Ben Watson,OU=UserAccounts,DC=appsig,DC=com
>apsgDepartment: 24
>apsgSection: 242



I am a part of Department 24, section 242.  Thus, my user account should
be a member of the (not created yet) Sec242 security group, and then the
Sec242 security group would be a member of the (not created yet) Dep24
security group.



I too was hoping I could lure Joe out to respond and see if Adfind + Admod
could meet this challenge.  I'm certainly hoping so.  :)



Thanks,

~Ben





*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
*On Behalf Of *Al Mulnick
*Sent:* Monday, January 22, 2007 5:38 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* Re: [ActiveDir] Adfind + Admod help



Do you already have the department names in a list? Or is that something
that you have to gather first?



If you have to gather, then I assume you'll have to iterate each user
object and determine the department value. Then, you'll create a group for
every single unique instance of department value. After those are created,
you'd then create the section sg's and make them members of the relevant
department sg.



Is there a clean way?  I don't think it's something that you can do on a
single command line, although I throw that out there mostly as a challenge
to joe. He likes that kind of challenge I suspect ;)



Couple of options come to mind:



You could build a table and based on that table you can create/populate.
ADMOD and ADFIND could be useful to you there.

You could build a script that uses dictionary objects and creates the
unique instances for you and correlates that information to the sections and
then creates/populates.  It's slightly complex, but...



Building the tables, you could then execute manually.  Depends on the
scope of course.



Of course, .NET is an option as well.  Same logic depending on language
though. And you will want to do this in passes most likely so you can ensure
that the department group is created when it comes time to add an object to
it.  It's helpful to do it that way...



Does that help, or ??

Al





On 1/22/07, *WATSON, BEN* <[EMAIL PROTECTED]> wrote:

Hey guys,



I'm trying to wrap my brain around how best to accomplish this and need a
little help.



I need to create a security group for each department in our company, and
then a security group for each section.  At our company sections fall
underneath departments.  So we may have a department #24, and then sections
#241, #242, #243, etc…



Right now, we have made some schema extensions to allow Active Directory
to contain relevant user data, such as what Department and Section the user
is a part of.  So the data is already in our Active Directory.  I imagine
there should be a relatively easy way to take each unique value of
Department and Section and turn that into the security groups I need.



So if it were to find Departments 24 and 25, it would turn that into two
security groups named Dept24 and Dept25.  Furthermore, if it found sections
241, 242, 251, 252, it would create four security groups named Sec241,
Sec242, Sec251, and Sec252.



It would also be "nice" if I could create the Department security groups
first, and then not only create the proper Section security groups, but make
them a member of the appropriate Department security groups as well.



Any ideas on how best to accomplish this in a relatively pain-free
fashion?  Or if there is an alternative way to do this rather than Admod,
then please suggest it.  I just figured that Admod would probably be my best
choice.



Thanks,

~Ben
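
An added example, not part of the original thread or written by any of its participants: the "do it in passes" logic discussed above, as a Python script that reads adfind-style output and writes LDIF. The Dept/Sec group names follow the first message; the group container OU, the extra sample users and the rule that a section recorded under two departments is held back for review are assumptions.

```python
from collections import defaultdict
# Constructed adfind-style records; only the first one appears in the thread.
SAMPLE = """\
dn:CN=Ben Watson,OU=UserAccounts,DC=appsig,DC=com
>apsgDepartment: 24
>apsgSection: 242
dn:CN=Example User1,OU=UserAccounts,DC=appsig,DC=com
>apsgDepartment: 24
>apsgSection: 241
dn:CN=Example User2,OU=UserAccounts,DC=appsig,DC=com
>apsgDepartment: 25
>apsgSection: 241
"""
GROUP_OU = "OU=Groups,DC=appsig,DC=com"  # assumed container, not named in the thread

def parse(text):
    """Return (dn, department, section) for each record carrying both attributes."""
    users, cur = [], None
    for line in text.splitlines():
        if line.startswith("dn:"):
            cur = {"dn": line[3:].strip()}
            users.append(cur)
        elif line.startswith(">") and cur is not None and ":" in line:
            key, value = line[1:].split(":", 1)
            cur[key.strip()] = value.strip()
    return [(u["dn"], u["apsgDepartment"], u["apsgSection"])
            for u in users if "apsgDepartment" in u and "apsgSection" in u]

def add_group(cn):  # -2147483646 = global security group
    return (f"dn: CN={cn},{GROUP_OU}\nchangetype: add\nobjectClass: group\n"
            f"sAMAccountName: {cn}\ngroupType: -2147483646\n")
def add_member(group, dn):
    return f"dn: CN={group},{GROUP_OU}\nchangetype: modify\nadd: member\nmember: {dn}\n-\n"

def plan(users):
    """Emit LDIF in passes: department groups, section groups, then memberships."""
    parents, members = defaultdict(set), defaultdict(list)
    for dn, dept, sec in users:
        parents[sec].add(dept)
        members[sec].append(dn)
    # A section recorded under two departments is held back for review, not nested.
    conflicts = sorted(s for s, d in parents.items() if len(d) > 1)
    good = sorted(s for s in parents if s not in conflicts)
    ldif = [add_group(f"Dept{d}") for d in sorted({d for _, d, _ in users})]
    ldif += [add_group(f"Sec{s}") for s in good]
    for s in good:
        ldif.append(add_member(f"Dept{min(parents[s])}", f"CN=Sec{s},{GROUP_OU}"))
        ldif += [add_member(f"Sec{s}", dn) for dn in members[s]]
    return "\n".join(ldif), conflicts
```

Calling plan(parse(text)) returns the LDIF text and the list of conflicting sections; review both before importing the file with ldifde -i -f.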






