Sorry for how long it took me to respond to the lure... :) I am completely
swamped these days. Just got back from a weeklong customer visit. It was a good
visit, and the tech people at that company are very good, but I still dislike
going on the road for anything.
 
I agree with what the folks said and Hunter's logic below. Not going to be
doing this with a single simple command line. 
 
Adfind combined with a tool that generates a unique list _could_ cover the
first couple of items. Check out this post
 
http://www.mail-archive.com/activedir@mail.activedir.org/msg31542.html
 
That unique.exe tool is still out on my website and Guido's request is still
in the list of requests for AdFind. It would still be troublesome, though, to
use that to get both the Section and Dept in an efficient way.
 
 
All that being said, that wouldn't be the way I would likely go myself as it
would require multiple queries. The way to tackle this efficiently is with a
good data structure. This would likely be challenging to do in VBScript.
Note though that if you have a massive domain (hundreds of thousands of users)
and are running the script on an underpowered machine, this may have to be
reworked for scale.
 
Most likely I would query all of the objects with dept and section populated
and then build a nice data structure that represented that layout...
Something like
 
Dept24
            Sect242
                        Member1
                        Member2
                        Member3
            Sect243
                        Member1
                        Member2
Dept69
            Sect691
                        Member1
                        Member2
                        Member3
                        Member4
            Sect692
                        Member1
etc. 
 
Then it would be a simple loop through the data structure to do the work.
Perl would be my choice for this. I would use a multilevel hash like
$hash{dept#}{sect#}{members} which will "unique" the data while building the
structure.
 
Again, the key to doing this efficiently is the data structure. This is often
the case in programming: the data structures used can make or break the
entire solution. I have seen seemingly impossible problems that have been
made possible with great ideas about how to structure the data, and I have
seen simple problems made nearly impossible because of bad data structures.
 
   joe
 
 
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
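Editor's added example (not joe's, Hunter's or Ben's code, and not AdFind/AdMod
output) showing the nested-hash approach joe describes and the four-step outline
Hunter gives below, with the creation done in passes as Al suggests so a parent
group always exists before anything is nested in it. It parses a constructed
sample in adfind's default "dn:" / ">attr: value" layout (the layout Ben's own
message shows), builds {dept: {sect: {member dn}}} so duplicates collapse while
the structure is built, and renders the plan as LDIF. Assumptions: the groups
live in OU=Groups,DC=appsig,DC=com, they are global security groups, the sample
users are made up, and LDIF/ldifde stands in for admod; admod could consume the
same ordered plan. A user with a department but no section (Hunter's "and/or"
case) is reported for review rather than guessed at, since the thread does not
say where such a user belongs.

```python
from collections import defaultdict

# Constructed sample in adfind's default output format; not real directory data.
# Ben Watson appears twice to show that the set-based structure dedups members,
# and Dave Example has a department but no section (Hunter's "and/or" case).
SAMPLE_ADFIND_OUTPUT = """\
dn:CN=Ben Watson,OU=UserAccounts,DC=appsig,DC=com
>apsgDepartment: 24
>apsgSection: 242

dn:CN=Alice Example,OU=UserAccounts,DC=appsig,DC=com
>apsgDepartment: 24
>apsgSection: 243

dn:CN=Carol Example,OU=UserAccounts,DC=appsig,DC=com
>apsgDepartment: 69
>apsgSection: 691

dn:CN=Dave Example,OU=UserAccounts,DC=appsig,DC=com
>apsgDepartment: 69

dn:CN=Ben Watson,OU=UserAccounts,DC=appsig,DC=com
>apsgDepartment: 24
>apsgSection: 242
"""

GROUPS_OU = "OU=Groups,DC=appsig,DC=com"  # assumed container for the new groups
GLOBAL_SECURITY_GROUP = -2147483646       # groupType: GLOBAL (0x2) | SECURITY_ENABLED (0x80000000)


def parse_adfind(text):
    """Return [(dn, {attr: value}), ...] from adfind-style 'dn:' / '>attr: value' blocks."""
    records, dn, attrs = [], None, {}
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("dn:"):
            if dn is not None:                           # adjacent blocks without a blank line
                records.append((dn, attrs))
            dn, attrs = line[3:].strip(), {}
        elif line.startswith(">") and dn is not None:
            name, _, value = line[1:].partition(":")
            attrs[name.strip().lower()] = value.strip()  # LDAP attribute names are case-insensitive
        elif not line and dn is not None:
            records.append((dn, attrs))
            dn, attrs = None, {}
    if dn is not None:                                   # no trailing blank line
        records.append((dn, attrs))
    return records


def build_tree(records):
    """Build {dept: {sect: {member dn, ...}}}; the nested dict/set uniques as it goes."""
    tree = defaultdict(lambda: defaultdict(set))
    unplaced = []                                        # dept without section, or section without dept
    for dn, attrs in records:
        dept, sect = attrs.get("apsgdepartment"), attrs.get("apsgsection")
        if dept and sect:
            tree[dept][sect].add(dn)
        else:
            if dept:
                tree[dept]                               # touching the key still creates the Dept group
            unplaced.append(dn)
    return tree, unplaced


def plan_operations(tree):
    """Ordered (op, ...) tuples in three passes so every parent exists before it is referenced."""
    ops = []
    for dept in sorted(tree):                            # pass 1: department groups
        ops.append(("create", f"Dept{dept}"))
    for dept in sorted(tree):                            # pass 2: section groups, nested in their dept
        for sect in sorted(tree[dept]):
            ops.append(("create", f"Sec{sect}"))
            ops.append(("nest", f"Sec{sect}", f"Dept{dept}"))
    for dept in sorted(tree):                            # pass 3: users into section groups
        for sect in sorted(tree[dept]):
            for dn in sorted(tree[dept][sect]):
                ops.append(("member", dn, f"Sec{sect}"))
    return ops


def to_ldif(ops, groups_ou=GROUPS_OU):
    """Render the plan as LDIF change records (one per op), e.g. for ldifde -i."""
    def group_dn(name):
        return f"CN={name},{groups_ou}"
    chunks = []
    for op in ops:
        if op[0] == "create":
            chunks.append(f"dn: {group_dn(op[1])}\nchangetype: add\nobjectClass: group\n"
                          f"sAMAccountName: {op[1]}\ngroupType: {GLOBAL_SECURITY_GROUP}\n")
        else:                                            # "nest" adds a group DN, "member" a user DN
            member_dn = group_dn(op[1]) if op[0] == "nest" else op[1]
            chunks.append(f"dn: {group_dn(op[2])}\nchangetype: modify\nadd: member\n"
                          f"member: {member_dn}\n-\n")
    return "\n".join(chunks)


if __name__ == "__main__":
    tree, unplaced = build_tree(parse_adfind(SAMPLE_ADFIND_OUTPUT))
    print(to_ldif(plan_operations(tree)))
    for dn in unplaced:
        print(f"# review: {dn} has a department but no section; not placed in any Sec group")
```

Against a real domain the text fed to parse_adfind would come from something
like adfind returning only objects with apsgDepartment or apsgSection set, and
the LDIF would go through ldifde -i. The three-pass order matters: the add for
Dept24 is emitted before the modify that nests Sec242 in it, which is exactly
the ordering problem Al raises. sAMAccountName must be unique in the domain, so
a pre-existing Dept24 or Sec242 group will make the corresponding add fail
rather than silently reuse the group; check for collisions before importing.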
 
 

  _____  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Tuesday, January 23, 2007 12:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adfind + Admod help


I agree with Al in that I don't see an obvious way to do this from a single
command line. The key, as he mentioned, is going to be getting a list of
unique department numbers and section numbers. I'd probably separate those
out into two distinct lists, one for departments and one for sections. Once
you have those lists, you could pipe them to admod or any other tool of your
choice to create the groups. However, since you're probably going to need
some script to generate the lists, you might as well keep the group creation
within the script as well.
 
The problem with trying to use adfind is that you are not going to be able
to construct an LDAP query that returns only unique instances of
apsgDepartment and apsgSection. No knock on adfind; you'll run into the same
thing with ldp or dsquery. You can query for and return any object that has
those attributes populated, but the returned set of those attributes will
have duplicates. That's where your script will throw the attributes into a
hash (or scripting dictionary) to eliminate the duplicates.
 
The outline of your script would look something like this:
- query AD for all user objects that have apsgDepartment and/or apsgSection
  populated
- loop through the returned set to build unique lists of Department numbers
  and Section numbers
- loop through the Department number list and create a group for each one
- loop through the Section number list and create a group for each one, and
  nest it in the corresponding Department group
 
None of that is heinously difficult to script. I'd probably lean towards
powershell or perl, since they handle hashes better than VBScript. But it's
certainly feasible in VBScript as well. Holler if you want some help going
down this road.
 
Hunter
 
 

  _____  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Tuesday, January 23, 2007 8:46 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adfind + Admod help



Thank you for the response Al.

 

To answer your ultimate question, which was "Does that help, or ??", then I
would have to lean more towards ?? in my case.  Not to say you didn't give
some excellent options, but unfortunately it all boils down to me simply not
being any sort of a programmer and so I currently wouldn't know how to do
any of the options you suggest.  (I'm studying the ways of VBScripting right
now).  To answer an earlier question, "Do you already have the department
names in a list? Or is that something that you have to gather first?", the
department and section information is already contained within Active
Directory through Schema Extensions.  The actual names of the
departments/sections are not important at this level, all I need to be
concerned with is the department and section numbers.

 

As an example.

 

dn:CN=Ben Watson,OU=UserAccounts,DC=appsig,DC=com
>apsgDepartment: 24
>apsgSection: 242

 

I am a part of Department 24, section 242.  Thus, my user account should be
a member of the (not created yet) Sec242 security group, and then the Sec242
security group would be a member of the (not created yet) Dep24 security
group.

 

I too was hoping I could lure Joe out to respond and see if Adfind + Admod
could meet this challenge.  I'm certainly hoping so.  :)

 

Thanks,

~Ben

 

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, January 22, 2007 5:38 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Adfind + Admod help

 

Do you already have the department names in a list? Or is that something
that you have to gather first? 

 

If you have to gather, then I assume you'll have to iterate each user object
and determine the department value. Then, you'll create a group for every
single unique instance of department value. After those are created, you'd
then create the section sg's and make them members of the relevant
department sg.  

 

Is there a clean way?  I don't think it's something that you can do on a
single command line, although I throw that out there mostly as a challenge
to joe. He likes that kind of challenge I suspect ;)

 

A couple of options come to mind:

 

You could build a table and based on that table you can create/populate.
ADMOD and ADFIND could be useful to you there. 

You could build a script that uses dictionary objects and creates the unique
instances for you and correlates that information to the sections and then
creates/populates.  It's slightly complex, but...

 

Building the tables, you could then execute manually.  Depends on the scope
of course. 

 

Of course, .NET is an option as well.  Same logic depending on language
though. And you will want to do this in passes most likely so you can ensure
that the department group is created when it comes time to add an object to
it.  It's helpful to do it that way... 

 

Does that help, or ??

Al



 

On 1/22/07, WATSON, BEN <[EMAIL PROTECTED]> wrote: 

Hey guys,

 

I'm trying to wrap my brain around how best to accomplish this and need a
little help.

 

I need to create a security group for each department in our company, and
then a security group for each section.  At our company sections fall
underneath departments.  So we may have a department #24, and then sections
#241, #242, #243, etc. 

 

Right now, we have made some schema extensions to allow Active Directory to
contain relevant user data, such as what Department and Section the user is
a part of.  So the data is already in our Active Directory.  I imagine there
should be a relatively easy way to take each unique value of Department and
Section and turn that into the security groups I need. 

 

So if it were to find Departments 24 and 25, it would turn that into two
security groups named Dept24 and Dept25.  Furthermore, if it found sections
241, 242, 251, 252, it would create four security groups named Sec241,
Sec242, Sec251, and Sec252.

 

It would also be "nice" if I could create the Department security groups
first, and then not only create the proper Section security groups, but make
them a member of the appropriate Department security groups as well. 

 

Any ideas on how best to accomplish this in a relatively pain-free fashion?
Or if there is an alternative way to do this rather than Admod, then please
suggest it.  I just figured that Admod would probably be my best choice. 

 

Thanks,

~Ben

 
