We have a software developer in our group who has developed a Corporate 
Directory application that acts as our internal employee directory on our 
intranet.  It also includes an administrative side which gives certain 
individuals (mostly HR) the ability to create and disable user accounts when 
people are hired or let go.  The need for Active Directory to house information 
such as department, section, as well as other information unique to our company 
was mostly done to accommodate this application.

 

It was this administrative portion of our Corporate Directory application that 
allowed Human Resources to literally go in and do some data entry and make the 
proper entries for each employee as to their correct department and section.  
So that answers the question of how the data got in there in the first place.

 

As for how I’ll go about this, it looks like I’ll unfortunately have to go back 
and bug our software dev for help on this.  I hate doing it, because when it 
comes to things like this I feel like I should be able to do it but 
unfortunately I just don’t know how to yet apparently.

 

~Ben

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Tuesday, January 23, 2007 9:05 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Adfind + Admod help

 

What are you comfortable with for administration?  
How'd the attributes get populated in the first place? 

joe's tool wouldn't be the tool of choice for this problem. To clarify that, I 
mean to say that it wouldn't be the only tool because there's logic that has to 
occur that is specific to your situation. 

The manual method (non-automated) would be to export the information into 
spreadsheets and use ldif or csv (comfort level again) to create and populate 
the group structures as needed. 

Al

On 1/23/07, WATSON, BEN <[EMAIL PROTECTED]> wrote:

Thank you for the response Al.

 

To answer your ultimate question, which was "Does that help, or ??", then I 
would have to lean more towards ?? in my case.  Not to say you didn't give some 
excellent options, but unfortunately it all boils down to me simply not being 
any sort of a programmer and so I currently wouldn't know how to do any of the 
options you suggest.  (I'm studying the ways of VBScripting right now).  To 
answer an earlier question, "Do you already have the department names in a 
list? Or is that something that you have to gather first?", the department and 
section information is already contained within Active Directory through Schema 
Extensions.  The actual names of the departments/sections are not important at 
this level, all I need to be concerned with is the department and section 
numbers.

 

As an example…

 

dn:CN=Ben Watson,OU=UserAccounts,DC=appsig,DC=com

>apsgDepartment: 24

>apsgSection: 242

 

I am a part of Department 24, section 242.  Thus, my user account should be a 
member of the (not created yet) Sec242 security group, and then the Sec242 
security group would be a member of the (not created yet) Dep24 security group.

 

I too was hoping I could lure Joe out to respond and see if Adfind + Admod 
could meet this challenge.  I'm certainly hoping so.  :) 

 

Thanks,

~Ben

 

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Monday, January 22, 2007 5:38 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Adfind + Admod help

 

Do you already have the department names in a list? Or is that something that 
you have to gather first? 

 

If you have to gather, then I assume you'll have to iterate each user object 
and determine the department value. Then, you'll create a group for every 
single unique instance of department value. After those are created, you'd then 
create the section sg's and make them members of the relevant department sg.  

 

Is there a clean way?  I don't think it's something that you can do on a single 
command line, although I throw that out there mostly as a challenge to joe. He 
likes that kind of challenge I suspect ;)

 

Couple of options come to mind: 

 

You could build a table and based on that table you can create/populate.  ADMOD 
and ADFIND could be useful to you there. 

You could build a script that uses dictionary objects and creates the unique 
instances for you and correlates that information to the sections and then 
creates/populates.  It's slightly complex, but...

 

Building the tables, you could then execute manually.  Depends on the scope of 
course. 

 

Of course, .NET is an option as well.  Same logic depending on language though. 
And you will want to do this in passes most likely so you can ensure that the 
department group is created when it comes time to add an object to it.  It's 
helpful to do it that way... 

 

Does that help, or ??

Al



 

On 1/22/07, WATSON, BEN <[EMAIL PROTECTED]> wrote: 

Hey guys,

 

I'm trying to wrap my brain around how best to accomplish this and need a 
little help.

 

I need to create a security group for each department in our company, and then 
a security group for each section.  At our company sections fall underneath 
departments.  So we may have a department #24, and then sections #241, #242, 
#243, etc… 

 

Right now, we have made some schema extensions to allow Active Directory to 
contain relevant user data, such as what Department and Section the user is a 
part of.  So the data is already in our Active Directory.  I imagine there 
should be a relatively easy way to take each unique value of Department and 
Section and turn that into the security groups I need. 

 

So if it were to find Departments 24 and 25, it would turn that into two 
security groups named Dept24 and Dept25.  Furthermore, if it found sections 
241, 242, 251, 252, it would create four security groups named Sec241, Sec242, 
Sec251, and Sec252. 

 

It would also be "nice" if I could create the Department security groups first, 
and then not only create the proper Section security groups, but make them a 
member of the appropriate Department security groups as well. 

 

Any ideas on how best to accomplish this in a relatively pain-free fashion?  Or 
if there is an alternative way to do this rather than Admod, then please 
suggest it.  I just figured that Admod would probably be my best choice. 

 

Thanks,

~Ben
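
Added example (not part of the original thread and not any poster's code): a sketch of the "export to csv, then generate ldif in passes" approach discussed above. It assumes a constructed CSV export of each user's dn, apsgDepartment and apsgSection, a hypothetical OU=Groups container, the Dept/Sec naming from the original question, and that a section number always begins with its department number; rows that break that rule are skipped for review rather than turned into group memberships.

```python
import csv
import io

# Constructed sample export (dn plus the two schema-extension attributes).
SAMPLE_CSV = '''dn,apsgDepartment,apsgSection
"CN=Ben Watson,OU=UserAccounts,DC=appsig,DC=com",24,242
"CN=Example User A,OU=UserAccounts,DC=appsig,DC=com",24,241
"CN=Example User B,OU=UserAccounts,DC=appsig,DC=com",25,251
"CN=Example User C,OU=UserAccounts,DC=appsig,DC=com",25,
'''
GROUP_OU = "OU=Groups,DC=appsig,DC=com"  # assumption: where the groups will live
GLOBAL_SECURITY = -2147483646            # groupType: global scope, security-enabled

def group_dn(name):
    return f"CN={name},{GROUP_OU}"

def group_record(name, members):
    lines = [f"dn: {group_dn(name)}", "changetype: add", "objectClass: group",
             f"sAMAccountName: {name}", f"groupType: {GLOBAL_SECURITY}"]
    lines += [f"member: {m}" for m in sorted(members)]
    return "\n".join(lines) + "\n"

def build_plan(csv_text):
    """Return (section -> user DNs, department -> section names, skipped DNs)."""
    sections, departments, skipped = {}, {}, []
    for row in csv.DictReader(io.StringIO(csv_text)):
        dept, sec = row["apsgDepartment"].strip(), row["apsgSection"].strip()
        # Skip blank or non-numeric values and sections outside their department.
        if not (dept.isdigit() and sec.isdigit() and sec.startswith(dept)):
            skipped.append(row["dn"])
            continue
        sections.setdefault(f"Sec{sec}", set()).add(row["dn"])
        departments.setdefault(f"Dept{dept}", set()).add(f"Sec{sec}")
    return sections, departments, skipped

def build_ldif(csv_text):
    sections, departments, _ = build_plan(csv_text)
    # Pass 1: empty department groups. Pass 2: section groups with their users.
    out = [group_record(d, []) for d in sorted(departments)]
    out += [group_record(s, sections[s]) for s in sorted(sections)]
    # Pass 3: nest each section group in its department group (both now exist).
    for d in sorted(departments):
        members = "".join(f"member: {group_dn(s)}\n" for s in sorted(departments[d]))
        out.append(f"dn: {group_dn(d)}\nchangetype: modify\nadd: member\n{members}-\n")
    return "\n".join(out)

if __name__ == "__main__":
    print(build_ldif(SAMPLE_CSV))
    print("# skipped for manual review:", build_plan(SAMPLE_CSV)[2])
```

The output is plain LDIF text, so it can be read over before anything is imported, and the skipped list shows which accounts need their department or section corrected first.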

 

 
