And here is a powershell script using the AD cmdlets that will search all
users in an OU, add them to a group named "testgrp1", set it as the primary
group and remove from "Domain Users"
Import-Module ActiveDirectory
$group = get-adgroup "Testgrp1"
$groupSid = $group.sid
[int]$GroupID =
$groupSid.Value.Substring($groupSid.Value.LastIndexOf("-")+1)
Foreach ($user in (Get-ADUser -SearchBase
"OU=User_Accounts,DC=Devlab,DC=Local" -Filter *)) {
Add-ADGroupMember $group $User
Set-ADUser $User -Replace @{primaryGroupID="$GroupID"}
Remove-ADGroupMember "Domain Users" $user -Confirm:$False
}
On Fri, Nov 18, 2011 at 6:13 PM, KenM <[email protected]> wrote:
> You would need to add the user to another group and set that to the
> primary group. Then remove them from "Domain Users". Here is powershell
> example to set the primary group, and you could use remove-adgroupmember to
> remove "Domain Users".
>
>
>
> http://social.technet.microsoft.com/Forums/en/winserverpowershell/thread/5f1728cb-20ce-42a7-9b51-1e723bfba031
>
>
>
> On Fri, Nov 18, 2011 at 5:29 PM, Graeme Carstairs <[email protected]>wrote:
>
>> We have a project in hand that the client is looking for someway to do
>> either of the following 2 optons for authenticating 3rd party contractors
>> who need access to the system.
>>
>> 1. An authenticaiton database and system that doesnt store the user
>> accounts in AD and uses an alternative user account system but still has
>> the capability to allow access as if it was a main AD account to file
>> shares, applications and even Exchange if requried.
>> 2. A second domain for the 3rd party contractos with a trust.
>> 3. Locked down OU, with the accounts not having domain users and was
>> mentioned but not decided as absolutely must have "authenticated user"
>> rights.
>>
>> I think 3 will be the easiest to manage on going, but the client has
>> expressed that they would like it to be systematically controlled by the
>> software and not just left to the people creating accounts in case
>> something is missed.
>>
>> Does that help :)
>>
>> Graeme
>>
>>
>> On 18 November 2011 21:51, Rankin, James R <[email protected]> wrote:
>>
>>> **
>>> I'd love to hear what you need to do that for
>>> Sent from my SR-71 Blackbird
>>> ------------------------------
>>> *From: * Graeme Carstairs <[email protected]>
>>> *Date: *Fri, 18 Nov 2011 21:28:04 +0000
>>> *To: *NT System Admin Issues<[email protected]>
>>> *ReplyTo: * "NT System Admin Issues" <
>>> [email protected]>
>>> *Subject: *Can you have all members of and OU automatically not be
>>> members of Domain users
>>>
>>> Hi There,
>>>
>>> The subject line says it all
>>>
>>> We are looking for away to systematically make and OU that if you create
>>> a user in it, it will have a group say "SecGroup1" as its primary group,
>>> and not have membership of Domain Users.
>>>
>>> The idea is for a specific OU that users created in it, will never be
>>> members of Domain Users, and even if the membership is added to the user
>>> once created will be removed, or be unable to be added.
>>>
>>> Thanks
>>>
>>> Graeme
>>>
>>>
>>>
>>>
>>>
>>>
>>> --
>>> Good news everyone, you have just received an e-mail from me!
>>>
>>> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>>> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>>>
>>> ---
>>> To manage subscriptions click here:
>>> http://lyris.sunbelt-software.com/read/my_forums/
>>> or send an email to [email protected]
>>> with the body: unsubscribe ntsysadmin
>>>
>>> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>>> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>>>
>>> ---
>>> To manage subscriptions click here:
>>> http://lyris.sunbelt-software.com/read/my_forums/
>>> or send an email to [email protected]
>>> with the body: unsubscribe ntsysadmin
>>>
>>
>>
>>
>> --
>> Good news everyone, you have just received an e-mail from me!
>>
>> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>>
>> ---
>> To manage subscriptions click here:
>> http://lyris.sunbelt-software.com/read/my_forums/
>> or send an email to [email protected]
>> with the body: unsubscribe ntsysadmin
>>
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to [email protected]
> with the body: unsubscribe ntsysadmin
>
~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected]
with the body: unsubscribe ntsysadmin
