RE: [ActiveDir] Adfind + Admod help

2007-01-28 Thread joe
Sorry for how long it took me to respond to the lure... :) I am completely
swamped anymore. Just got back from a weeklong customer visit. Good visit,
the tech people at that company are very good, still I dislike going on the
road for anything. 
 
I agree with what the folks said and Hunter's logic below. Not going to be
doing this with a single simple command line. 
 
Adfind combined with a tool that generates a unique list _could_ cover the
first couple of items. Check out this post
 
http://www.mail-archive.com/activedir@mail.activedir.org/msg31542.html
 
That unique.exe tool is still out on my website and Guido's request is still
in the list of requests for AdFind. Still be troublesome though using that
to get both the Section and Dept in an efficient way. 
 
 
All that being said, that wouldn't be the way I would likely go myself as it
would require multiple queries. The way to tackle this efficiently is with a
good data structure. VBScript would likely be challenging to do this in.
Note though if you have a massive domain (hundreds of thousands of users)
and running the script on an underpowered machine this may have to be
reworked for scale. 
 
Most likely I would query all of the objects with dept and section populated
and then build a nice data structure that represented that layout...
Something like
 
Dept24
    Sect242
        Member1
        Member2
        Member3
    Sect243
        Member1
        Member2
Dept69
    Sect691
        Member1
        Member2
        Member3
        Member4
    Sect692
        Member1
etc. 
 
Then it would be a simple loop through the data structure to do the work.
Perl would be my choice for this. I would use a multilevel hash like
$hash{dept#}{sect#}{members} which will unique the data while building the
structure.
 
Again, the key to do this efficiently is the data structure. This is often
the case in programming, the data structures used can make or break the
entire solution. I have seen seemingly impossible problems that have been
made possible with great ideas about how to structure the data and I have
seen simple problems made nearly impossible because of bad data structures. 
 
   joe
 
 
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 
 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Tuesday, January 23, 2007 12:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adfind + Admod help


I agree with Al in that I don't see an obvious way to do this from a single
command line. The key, as he mentioned, is going to be getting a list of
unique department numbers and section numbers. I'd probably separate those
out into two distinct lists, one for departments and one for sections. Once
you have those lists, you could pipe them to admod or any other tool of your
choice to create the groups. However, since you're probably going to need
some script to generate the lists, you might as well keep the group creation
within the script as well.
 
The problem with trying to use adfind is that you are not going to be able
to construct an LDAP query that returns only unique instances of
apsgDepartment and apsgSection. No knock on adfind, you'll run into the same
thing with ldp or dsquery. You can query for and return any object that has
those attributes populated, but the returned set of those attributes will
have duplicates. That's where your script will throw the attributes into a
hash (or scripting dictionary) to eliminate the duplicates.
 
The outline of your script would look something like this:
-query AD for all user objects that have apsgDepartment and/or apsgSection
populated
-loop through the returned set to build unique lists of Department numbers
and Section numbers
-loop through the Department number list and create a group for each one
-loop through the Section number list and create a group for each one, and
nest it in the corresponding Department group
 
None of that is heinously difficult to script. I'd probably lean towards
powershell or perl, since they handle hashes better than VBScript. But it's
certainly feasible in VBScript as well. Holler if you want some help going
down this road.
 
Hunter
 
 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Tuesday, January 23, 2007 8:46 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adfind + Admod help



Thank you for the response Al.

 

To answer your ultimate question, which was "Does that help, or ??", then I
would have to lean more towards ?? in my case.  Not to say you didn't give
some excellent options, but unfortunately it all boils down to me simply not
being any sort of a programmer and so I currently wouldn't know how to do
any of the options you suggest.  (I'm
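
The approach joe describes in the message above (one query, then a multilevel hash like $hash{dept#}{sect#}{members}), combined with the passes in Hunter's quoted outline, as an added example that is not part of the original thread. It parses records in the layout Ben posted, dedupes them into the nested hash, and prints LDIF in passes; the group OU, the group type, every sample user other than Ben's DN, and all function names are assumptions.

```perl
# Added example, not code from the thread: dedupe department/section values
# with a multilevel hash, then emit LDIF in passes so parents exist first.
use strict;
use warnings;

# Assumption: new groups live in this OU (hypothetical; the thread names none).
my $GROUP_OU   = 'OU=Groups,DC=appsig,DC=com';
my $GROUP_TYPE = -2147483646;    # global security group (0x80000002)

# Constructed sample in the layout Ben posted; stands in for the result of a
# single query for users with either attribute populated.
my $SAMPLE = <<'END';
dn:CN=Ben Watson,OU=UserAccounts,DC=appsig,DC=com
apsgDepartment: 24
apsgSection: 242

dn:CN=User Two,OU=UserAccounts,DC=appsig,DC=com
apsgDepartment: 24
apsgSection: 242

dn:CN=User Three,OU=UserAccounts,DC=appsig,DC=com
apsgDepartment: 24
apsgSection: 243

dn:CN=User Five,OU=UserAccounts,DC=appsig,DC=com
apsgDepartment: 25

dn:CN=User Six,OU=UserAccounts,DC=appsig,DC=com
apsgDepartment: 25
apsgSection: 25;1
END

# Returns (\%tree, \@skipped) with $tree{dept}{sect}{dn} = 1.
sub build_tree {
    my ($text) = @_;
    my (%tree, %owner, @skipped);
    for my $rec (split /\n\s*\n/, $text) {
        my ($dn)   = $rec =~ /^dn:[ \t]*(.+?)[ \t]*$/mi;
        my ($dept) = $rec =~ /^apsgDepartment:[ \t]*(\S.*?)[ \t]*$/mi;
        my ($sect) = $rec =~ /^apsgSection:[ \t]*(\S.*?)[ \t]*$/mi;
        next unless defined $dn;
        # Values become group names and DNs, so accept digits only.
        if (!defined $dept || $dept !~ /^\d+$/) {
            push @skipped, "${dn}: missing or non-numeric apsgDepartment";
            next;
        }
        $tree{$dept} //= {};    # department exists even with no sections
        if (!defined $sect || $sect !~ /^\d+$/) {
            push @skipped, "${dn}: missing or non-numeric apsgSection";
            next;
        }
        # A section seen under two departments is a data conflict; do not guess.
        if (exists $owner{$sect} && $owner{$sect} ne $dept) {
            push @skipped, "${dn}: section $sect already under $owner{$sect}";
            next;
        }
        $owner{$sect} = $dept;
        $tree{$dept}{$sect}{$dn} = 1;    # hash keys make members unique
    }
    return (\%tree, \@skipped);
}

sub group_dn { return "CN=$_[0],$GROUP_OU" }

sub ldif_add_group {
    my ($name) = @_;
    return join("\n", 'dn: ' . group_dn($name), 'changetype: add',
        'objectClass: group', "sAMAccountName: $name",
        "groupType: $GROUP_TYPE", '', '');
}

sub ldif_add_members {
    my ($name, @members) = @_;
    return join("\n", 'dn: ' . group_dn($name), 'changetype: modify',
        'add: member', (map "member: $_", @members), '-', '', '');
}

# Passes: department groups, section groups, then nesting and user members.
sub build_ldif {
    my ($tree) = @_;
    my @depts = sort { $a <=> $b } keys %$tree;
    my $out = join '', map(ldif_add_group("Dept$_"), @depts);
    for my $d (@depts) {
        $out .= ldif_add_group("Sec$_") for sort { $a <=> $b } keys %{ $tree->{$d} };
    }
    for my $d (@depts) {
        my @sects = sort { $a <=> $b } keys %{ $tree->{$d} };
        next unless @sects;
        $out .= ldif_add_members("Dept$d", map(group_dn("Sec$_"), @sects));
        for my $s (@sects) {
            $out .= ldif_add_members("Sec$s", sort keys %{ $tree->{$d}{$s} });
        }
    }
    return $out;
}

my ($tree, $skipped) = build_tree($SAMPLE);
print build_ldif($tree);
print STDERR "skipped: $_\n" for @$skipped;
```

The LDIF goes to stdout and the skipped records to stderr, so the change file can be reviewed before anything is imported.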

RE: [ActiveDir] Adfind + Admod help

2007-01-24 Thread MORB (Morten Brun)
Hi 

 

The way to do this with code is to enumerate all users, and their AD attributes 
and for each user update/check the information from your HR database. Running 
this daily nobody needs to update your AD manually with HR data.

 

/morten

 

 

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: 23. januar 2007 18:38
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adfind + Admod help

 

We have a software developer in our group who has developed a Corporate 
Directory application that acts as our internal employee directory on our 
intranet.  It also includes an administrative side which  gives certain 
individuals (mostly HR) the ability to create and disable user accounts when 
people are hired or let go.  The need for Active Directory to house information 
such as department, section, as well as other information unique to our company 
was mostly done to accommodate this application.

 

It was this administrative portion of our Corporate Directory application that 
allowed Human Resources to literally go in and do some data entry and make the 
proper entries for each employee as to their correct department and section.  
So that answers the question of how the data got in there in the first place.

 

As for how I’ll go about this, it looks like I’ll unfortunately have to go back 
and bug our software dev for help on this.  I hate doing it, because when it 
comes to things like this I feel like I should be able to do it but 
unfortunately I just don’t know how to yet apparently.

 

~Ben

 

 

 

 

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, January 23, 2007 9:05 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Adfind + Admod help

 

What are you comfortable with for administration?  
How'd the attributes get populated in the first place? 

joe's tool wouldn't be the tool of choice for this problem. To clarify that, I 
mean to say that it wouldn't be the only tool because there's logic that has to 
occur that is specific to your situation. 

The manual method (non-automated) would be to export the information into 
spreadsheets and use ldif or csv (comfort level again) to create and populate 
the group structures as needed. 

Al

On 1/23/07, WATSON, BEN [EMAIL PROTECTED] wrote:

Thank you for the response Al.

 

To answer your ultimate question, which was "Does that help, or ??", then I 
would have to lean more towards ?? in my case.  Not to say you didn't give some 
excellent options, but unfortunately it all boils down to me simply not being 
any sort of a programmer and so I currently wouldn't know how to do any of the 
options you suggest.  (I'm studying the ways of VBScripting right now).  To 
answer an earlier question, "Do you already have the department names in a 
list? Or is that something that you have to gather first?", the department and 
section information is already contained within Active Directory through Schema 
Extensions.  The actual names of the departments/sections are not important at 
this level, all I need to be concerned with is the department and section 
numbers.

 

As an example…

 

dn:CN=Ben Watson,OU=UserAccounts,DC=appsig,DC=com

apsgDepartment: 24

apsgSection: 242

 

I am a part of Department 24, section 242.  Thus, my user account should be a 
member of the (not created yet) Sec242 security group, and then the Sec242 
security group would be a member of the (not created yet) Dep24 security group.

 

I too was hoping I could lure Joe out to respond and see if Adfind + Admod 
could meet this challenge.  I'm certainly hoping so.  :)

 

Thanks,

~Ben

 

 

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] ] 
On Behalf Of Al Mulnick
Sent: Monday, January 22, 2007 5:38 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Adfind + Admod help

 

Do you already have the department names in a list? Or is that something that 
you have to gather first? 

 

If you have to gather, then I assume you'll have to iterate each user object 
and determine the department value. Then, you'll create a group for every 
single unique instance of department value. After those are created, you'd then 
create the section sg's and make them members of the relevant department sg.  

 

Is there a clean way?  I don't think it's something that you can do on a single 
command line, although I throw that out there mostly as a challenge to joe. He 
likes that kind of challenge I suspect ;)

 

Couple of options come to mind: 

 

You could build a table and based on that table you can create/populate.  ADMOD 
and ADFIND could be useful to you there. 

You could build a script that uses dictionary objects and creates the unique 
instances for you and correlates that information to the sections and then 
creates/populates.  It's slightly complex, but...

 

Building the tables, you could then execute manually.  Depends on the scope of 
course

RE: [ActiveDir] Adfind + Admod help

2007-01-23 Thread WATSON, BEN
Thank you for the response Al.

 

To answer your ultimate question, which was “Does that help, or ??”, then I 
would have to lean more towards ?? in my case.  Not to say you didn’t give some 
excellent options, but unfortunately it all boils down to me simply not being 
any sort of a programmer and so I currently wouldn’t know how to do any of the 
options you suggest.  (I’m studying the ways of VBScripting right now).  To 
answer an earlier question, “Do you already have the department names in a 
list? Or is that something that you have to gather first?”, the department and 
section information is already contained within Active Directory through Schema 
Extensions.  The actual names of the departments/sections are not important at 
this level, all I need to be concerned with is the department and section 
numbers.

 

As an example…

 

dn:CN=Ben Watson,OU=UserAccounts,DC=appsig,DC=com

apsgDepartment: 24

apsgSection: 242

 

I am a part of Department 24, section 242.  Thus, my user account should be a 
member of the (not created yet) Sec242 security group, and then the Sec242 
security group would be a member of the (not created yet) Dep24 security group.

 

I too was hoping I could lure Joe out to respond and see if Adfind + Admod 
could meet this challenge.  I’m certainly hoping so.  :)

 

Thanks,

~Ben

 

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, January 22, 2007 5:38 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Adfind + Admod help

 

Do you already have the department names in a list? Or is that something that 
you have to gather first? 

 

If you have to gather, then I assume you'll have to iterate each user object 
and determine the department value. Then, you'll create a group for every 
single unique instance of department value. After those are created, you'd then 
create the section sg's and make them members of the relevant department sg.  

 

Is there a clean way?  I don't think it's something that you can do on a single 
command line, although I throw that out there mostly as a challenge to joe. He 
likes that kind of challenge I suspect ;)

 

Couple of options come to mind: 

 

You could build a table and based on that table you can create/populate.  ADMOD 
and ADFIND could be useful to you there. 

You could build a script that uses dictionary objects and creates the unique 
instances for you and correlates that information to the sections and then 
creates/populates.  It's slightly complex, but...

 

Building the tables, you could then execute manually.  Depends on the scope of 
course. 

 

Of course, .NET is an option as well.  Same logic depending on language though. 
And you will want to do this in passes most likely so you can ensure that the 
department group is created when it comes time to add an object to it.  It's 
helpful to do it that way... 

 

Does that help, or ??

Al



 

On 1/22/07, WATSON, BEN [EMAIL PROTECTED] wrote: 

Hey guys,

 

I'm trying to wrap my brain around how best to accomplish this and need a 
little help.

 

I need to create a security group for each department in our company, and then 
a security group for each section.  At our company sections fall underneath 
departments.  So we may have a department #24, and then sections #241, #242, 
#243, etc… 

 

Right now, we have made some schema extensions to allow Active Directory to 
contain relevant user data, such as what Department and Section the user is a 
part of.  So the data is already in our Active Directory.  I imagine there 
should be a relatively easy way to take each unique value of Department and 
Section and turn that into the security groups I need. 

 

So if it were to find Departments 24 and 25.  It would turn that into two 
security groups named Dept24 and Dept25.  Furthermore, if it found sections 
241, 242, 251, 252, it would create four security groups named Sec241, Sec242, 
Sec251, and Sec252. 

 

It would also be nice if I could create the Department security groups first, 
and then not only create the proper Section security groups, but make them a 
member of the appropriate Department security groups as well. 

 

Any ideas on how best to accomplish this in a relatively pain-free fashion?  Or 
if there is an alternative way to do this rather than Admod, then please 
suggest it.  I just figured that Admod would probably be my best choice. 

 

Thanks,

~Ben

 



Re: [ActiveDir] Adfind + Admod help

2007-01-23 Thread Al Mulnick

What are you comfortable with for administration?
How'd the attributes get populated in the first place?

joe's tool wouldn't be the tool of choice for this problem. To clarify that,
I mean to say that it wouldn't be the only tool because there's logic that
has to occur that is specific to your situation.

The manual method (non-automated) would be to export the information into
spreadsheets and use ldif or csv (comfort level again) to create and
populate the group structures as needed.

Al

On 1/23/07, WATSON, BEN [EMAIL PROTECTED] wrote:


 Thank you for the response Al.



To answer your ultimate question, which was "Does that help, or ??", then
I would have to lean more towards ?? in my case.  Not to say you didn't give
some excellent options, but unfortunately it all boils down to me simply not
being any sort of a programmer and so I currently wouldn't know how to do
any of the options you suggest.  (I'm studying the ways of VBScripting right
now).  To answer an earlier question, "Do you already have the department
names in a list? Or is that something that you have to gather first?", the
department and section information is already contained within Active
Directory through Schema Extensions.  The actual names of the
departments/sections are not important at this level, all I need to be
concerned with is the department and section numbers.



As an example…



dn:CN=Ben Watson,OU=UserAccounts,DC=appsig,DC=com

apsgDepartment: 24

apsgSection: 242



I am a part of Department 24, section 242.  Thus, my user account should
be a member of the (not created yet) Sec242 security group, and then the
Sec242 security group would be a member of the (not created yet) Dep24
security group.



I too was hoping I could lure Joe out to respond and see if Adfind + Admod
could meet this challenge.  I'm certainly hoping so.  :)



Thanks,

~Ben





*From:* [EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED] *On Behalf Of *Al Mulnick
*Sent:* Monday, January 22, 2007 5:38 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* Re: [ActiveDir] Adfind + Admod help



Do you already have the department names in a list? Or is that something
that you have to gather first?



If you have to gather, then I assume you'll have to iterate each user
object and determine the department value. Then, you'll create a group for
every single unique instance of department value. After those are created,
you'd then create the section sg's and make them members of the relevant
department sg.



Is there a clean way?  I don't think it's something that you can do on a
single command line, although I throw that out there mostly as a challenge
to joe. He likes that kind of challenge I suspect ;)



Couple of options come to mind:



You could build a table and based on that table you can create/populate.
ADMOD and ADFIND could be useful to you there.

You could build a script that uses dictionary objects and creates the
unique instances for you and correlates that information to the sections and
then creates/populates.  It's slightly complex, but...



Building the tables, you could then execute manually.  Depends on the
scope of course.



Of course, .NET is an option as well.  Same logic depending on language
though. And you will want to do this in passes most likely so you can ensure
that the department group is created when it comes time to add an object to
it.  It's helpful to do it that way...



Does that help, or ??

Al





On 1/22/07, *WATSON, BEN* [EMAIL PROTECTED] wrote:

Hey guys,



I'm trying to wrap my brain around how best to accomplish this and need a
little help.



I need to create a security group for each department in our company, and
then a security group for each section.  At our company sections fall
underneath departments.  So we may have a department #24, and then sections
#241, #242, #243, etc…



Right now, we have made some schema extensions to allow Active Directory
to contain relevant user data, such as what Department and Section the user
is a part of.  So the data is already in our Active Directory.  I imagine
there should be a relatively easy way to take each unique value of
Department and Section and turn that into the security groups I need.



So if it were to find Departments 24 and 25.  It would turn that into two
security groups named Dept24 and Dept25.  Furthermore, if it found sections
241, 242, 251, 252, it would create four security groups named Sec241,
Sec242, Sec251, and Sec252.



It would also be nice if I could create the Department security groups
first, and then not only create the proper Section security groups, but make
them a member of the appropriate Department security groups as well.



Any ideas on how best to accomplish this in a relatively pain-free
fashion?  Or if there is an alternative way to do this rather than Admod,
then please suggest it.  I just figured that Admod would probably be my best
choice.



Thanks,

~Ben





RE: [ActiveDir] Adfind + Admod help

2007-01-23 Thread Coleman, Hunter
I agree with Al in that I don't see an obvious way to do this from a
single command line. The key, as he mentioned, is going to be getting a
list of unique department numbers and section numbers. I'd probably
separate those out into two distinct lists, one for departments and one
for sections. Once you have those lists, you could pipe them to admod or
any other tool of your choice to create the groups. However, since
you're probably going to need some script to generate the lists, you
might as well keep the group creation within the script as well.
 
The problem with trying to use adfind is that you are not going to be
able to construct an LDAP query that returns only unique instances of
apsgDepartment and apsgSection. No knock on adfind, you'll run into the
same thing with ldp or dsquery. You can query for and return any object
that has those attributes populated, but the returned set of those
attributes will have duplicates. That's where your script will throw the
attributes into a hash (or scripting dictionary) to eliminate the
duplicates.
 
The outline of your script would look something like this:
-query AD for all user objects that have apsgDepartment and/or
apsgSection populated
-loop through the returned set to build unique lists of Department
numbers and Section numbers
-loop through the Department number list and create a group for each one
-loop through the Section number list and create a group for each one,
and nest it in the corresponding Department group
 
None of that is heinously difficult to script. I'd probably lean towards
powershell or perl, since they handle hashes better than VBScript. But
it's certainly feasible in VBScript as well. Holler if you want some
help going down this road.
 
Hunter
 
 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Tuesday, January 23, 2007 8:46 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adfind + Admod help



Thank you for the response Al.

 

To answer your ultimate question, which was "Does that help, or ??",
then I would have to lean more towards ?? in my case.  Not to say you
didn't give some excellent options, but unfortunately it all boils down
to me simply not being any sort of a programmer and so I currently
wouldn't know how to do any of the options you suggest.  (I'm studying
the ways of VBScripting right now).  To answer an earlier question, "Do
you already have the department names in a list? Or is that something
that you have to gather first?", the department and section information
is already contained within Active Directory through Schema Extensions.
The actual names of the departments/sections are not important at this
level, all I need to be concerned with is the department and section
numbers.

 

As an example...

 

dn:CN=Ben Watson,OU=UserAccounts,DC=appsig,DC=com

apsgDepartment: 24

apsgSection: 242

 

I am a part of Department 24, section 242.  Thus, my user account should
be a member of the (not created yet) Sec242 security group, and then the
Sec242 security group would be a member of the (not created yet) Dep24
security group.

 

I too was hoping I could lure Joe out to respond and see if Adfind +
Admod could meet this challenge.  I'm certainly hoping so.  :)

 

Thanks,

~Ben

 

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, January 22, 2007 5:38 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Adfind + Admod help

 

Do you already have the department names in a list? Or is that something
that you have to gather first? 

 

If you have to gather, then I assume you'll have to iterate each user
object and determine the department value. Then, you'll create a group
for every single unique instance of department value. After those are
created, you'd then create the section sg's and make them members of the
relevant department sg.  

 

Is there a clean way?  I don't think it's something that you can do on a
single command line, although I throw that out there mostly as a
challenge to joe. He likes that kind of challenge I suspect ;)

 

Couple of options come to mind: 

 

You could build a table and based on that table you can create/populate.
ADMOD and ADFIND could be useful to you there. 

You could build a script that uses dictionary objects and creates the
unique instances for you and correlates that information to the sections
and then creates/populates.  It's slightly complex, but...

 

Building the tables, you could then execute manually.  Depends on the
scope of course. 

 

Of course, .NET is an option as well.  Same logic depending on language
though. And you will want to do this in passes most likely so you can
ensure that the department group is created when it comes time to add an
object to it.  It's helpful to do it that way... 

 

Does that help, or ??

Al



 

On 1/22/07, WATSON, BEN [EMAIL PROTECTED] wrote: 

Hey guys,

 

I'm trying to wrap my brain around how best to accomplish

RE: [ActiveDir] Adfind + Admod help

2007-01-23 Thread WATSON, BEN
We have a software developer in our group who has developed a Corporate 
Directory application that acts as our internal employee directory on our 
intranet.  It also includes an administrative side which  gives certain 
individuals (mostly HR) the ability to create and disable user accounts when 
people are hired or let go.  The need for Active Directory to house information 
such as department, section, as well as other information unique to our company 
was mostly done to accommodate this application.

 

It was this administrative portion of our Corporate Directory application that 
allowed Human Resources to literally go in and do some data entry and make the 
proper entries for each employee as to their correct department and section.  
So that answers the question of how the data got in there in the first place.

 

As for how I’ll go about this, it looks like I’ll unfortunately have to go back 
and bug our software dev for help on this.  I hate doing it, because when it 
comes to things like this I feel like I should be able to do it but 
unfortunately I just don’t know how to yet apparently.

 

~Ben

 

 

 

 

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, January 23, 2007 9:05 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Adfind + Admod help

 

What are you comfortable with for administration?  
How'd the attributes get populated in the first place? 

joe's tool wouldn't be the tool of choice for this problem. To clarify that, I 
mean to say that it wouldn't be the only tool because there's logic that has to 
occur that is specific to your situation. 

The manual method (non-automated) would be to export the information into 
spreadsheets and use ldif or csv (comfort level again) to create and populate 
the group structures as needed. 

Al

On 1/23/07, WATSON, BEN [EMAIL PROTECTED] wrote:

Thank you for the response Al.

 

To answer your ultimate question, which was "Does that help, or ??", then I 
would have to lean more towards ?? in my case.  Not to say you didn't give some 
excellent options, but unfortunately it all boils down to me simply not being 
any sort of a programmer and so I currently wouldn't know how to do any of the 
options you suggest.  (I'm studying the ways of VBScripting right now).  To 
answer an earlier question, "Do you already have the department names in a 
list? Or is that something that you have to gather first?", the department and 
section information is already contained within Active Directory through Schema 
Extensions.  The actual names of the departments/sections are not important at 
this level, all I need to be concerned with is the department and section 
numbers.

 

As an example…

 

dn:CN=Ben Watson,OU=UserAccounts,DC=appsig,DC=com

apsgDepartment: 24

apsgSection: 242

 

I am a part of Department 24, section 242.  Thus, my user account should be a 
member of the (not created yet) Sec242 security group, and then the Sec242 
security group would be a member of the (not created yet) Dep24 security group.

 

I too was hoping I could lure Joe out to respond and see if Adfind + Admod 
could meet this challenge.  I'm certainly hoping so.  :)

 

Thanks,

~Ben

 

 

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] ] 
On Behalf Of Al Mulnick
Sent: Monday, January 22, 2007 5:38 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Adfind + Admod help

 

Do you already have the department names in a list? Or is that something that 
you have to gather first? 

 

If you have to gather, then I assume you'll have to iterate each user object 
and determine the department value. Then, you'll create a group for every 
single unique instance of department value. After those are created, you'd then 
create the section sg's and make them members of the relevant department sg.  

 

Is there a clean way?  I don't think it's something that you can do on a single 
command line, although I throw that out there mostly as a challenge to joe. He 
likes that kind of challenge I suspect ;)

 

Couple of options come to mind: 

 

You could build a table and based on that table you can create/populate.  ADMOD 
and ADFIND could be useful to you there. 

You could build a script that uses dictionary objects and creates the unique 
instances for you and correlates that information to the sections and then 
creates/populates.  It's slightly complex, but...

 

Building the tables, you could then execute manually.  Depends on the scope of 
course. 

 

Of course, .NET is an option as well.  Same logic depending on language though. 
And you will want to do this in passes most likely so you can ensure that the 
department group is created when it comes time to add an object to it.  It's 
helpful to do it that way... 

 

Does that help, or ??

Al



 

On 1/22/07, WATSON, BEN [EMAIL PROTECTED] wrote: 

Hey guys,

 

I'm trying to wrap my brain around how best to accomplish this and need

Re: [ActiveDir] Adfind + Admod help

2007-01-23 Thread Al Mulnick

I believe you know how, but may not have the programmatic tool knowledge
yet.  I think this is a great oppty to learn though, if you can make the
time.

Since the HR department did this manually, it almost screams that you could
manually do this in same fashion. That's a lot of work most likely.

Using csv or ldif is still fairly within the realm of non-code solutions.
ADMOD would also be in that realm, but as was mentioned elsewhere in the
thread, it's not a question of the code, but the logic. Which you know
already.


Bonus question: Do you know what you call somebody who gets a dev to do this
kind of coding work?  :)

-ajm


On 1/23/07, WATSON, BEN [EMAIL PROTECTED] wrote:


 We have a software developer in our group who has developed a Corporate
Directory application that acts as our internal employee directory on our
intranet.  It also includes an administrative side which  gives certain
individuals (mostly HR) the ability to create and disable user accounts when
people are hired or let go.  The need for Active Directory to house
information such as department, section, as well as other information unique
to our company was mostly done to accommodate this application.



It was this administrative portion of our Corporate Directory application
that allowed Human Resources to literally go in and do some data entry and
make the proper entries for each employee as to their correct department and
section.  So that answers the question of how the data got in there in the
first place.



As for how I'll go about this, it looks like I'll unfortunately have to go
back and bug our software dev for help on this.  I hate doing it, because
when it comes to things like this I feel like I should be able to do it but
unfortunately I just don't know how to yet apparently.



~Ben











*From:* [EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED] *On Behalf Of *Al Mulnick
*Sent:* Tuesday, January 23, 2007 9:05 AM
*To:* ActiveDir@mail.activedir.org
*Subject:* Re: [ActiveDir] Adfind + Admod help



What are you comfortable with for administration?
How'd the attributes get populated in the first place?

joe's tool wouldn't be the tool of choice for this problem. To clarify
that, I mean to say that it wouldn't be the only tool because there's logic
that has to occur that is specific to your situation.

The manual method (non-automated) would be to export the information into
spreadsheets and use ldif or csv (comfort level again) to create and
populate the group structures as needed.

Al

On 1/23/07, *WATSON, BEN* [EMAIL PROTECTED] wrote:

Thank you for the response Al.



To answer your ultimate question, which was "Does that help, or ??", then
I would have to lean more towards ?? in my case.  Not to say you didn't give
some excellent options, but unfortunately it all boils down to me simply not
being any sort of a programmer and so I currently wouldn't know how to do
any of the options you suggest.  (I'm studying the ways of VBScripting right
now).  To answer an earlier question, "Do you already have the department
names in a list? Or is that something that you have to gather first?", the
department and section information is already contained within Active
Directory through Schema Extensions.  The actual names of the
departments/sections are not important at this level, all I need to be
concerned with is the department and section numbers.



As an example…



dn:CN=Ben Watson,OU=UserAccounts,DC=appsig,DC=com

apsgDepartment: 24

apsgSection: 242



I am a part of Department 24, section 242.  Thus, my user account should
be a member of the (not created yet) Sec242 security group, and then the
Sec242 security group would be a member of the (not created yet) Dep24
security group.



I too was hoping I could lure Joe out to respond and see if Adfind + Admod
could meet this challenge.  I'm certainly hoping so.  :)



Thanks,

~Ben





*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
*On Behalf Of *Al Mulnick
*Sent:* Monday, January 22, 2007 5:38 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* Re: [ActiveDir] Adfind + Admod help



Do you already have the department names in a list? Or is that something
that you have to gather first?



If you have to gather, then I assume you'll have to iterate each user
object and determine the department value. Then, you'll create a group for
every single unique instance of department value. After those are created,
you'd then create the section sg's and make them members of the relevant
department sg.



Is there a clean way?  I don't think it's something that you can do on a
single command line, although I throw that out there mostly as a challenge
to joe. He likes that kind of challenge I suspect ;)



Couple of options come to mind:



You could build a table and based on that table you can create/populate.
ADMOD and ADFIND could be useful to you there.

You could build a script that uses dictionary objects and creates the
unique instances for you and correlates that information

RE: [ActiveDir] Adfind + Admod help

2007-01-23 Thread WATSON, BEN
Thanks for the response Hunter.  Yeah, that's pretty much the logic that
I had come down to.  By the way, what is the real difference between
Powershell and VBScript anyway?  I've been hearing more and more about
Powershell lately, and since I'm going to take the time to learn a
scripting language, I will want to make sure I learn the one that will
have the most value to me from an administration perspective.

 

Let me go talk to my local software dev here in our department.  I'm
sure we'll be able to come to a solution no problem.  It just bugs me
that I don't know how to do scripting like this yet.

 

And I'll certainly holler if I run out of options.

 

Thanks again,

~Ben

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Tuesday, January 23, 2007 9:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adfind + Admod help

 

I agree with Al in that I don't see an obvious way to do this from a
single command line. The key, as he mentioned, is going to be getting a
list of unique department numbers and section numbers. I'd probably
separate those out into two distinct lists, one for departments and one
for sections. Once you have those lists, you could pipe them to admod or
any other tool of your choice to create the groups. However, since
you're probably going to need some script to generate the lists, you
might as well keep the group creation within the script as well.

 

The problem with trying to use adfind is that you are not going to be
able to construct an LDAP query that returns only unique instances of
apsgDepartment and apsgSection. No knock on adfind, you'll run into the
same thing with ldp or dsquery. You can query for and return any object
that has those attributes populated, but the returned set of those
attributes will have duplicates. That's where your script will throw the
attributes into a hash (or scripting dictionary) to eliminate the
duplicates.

 

The outline of your script would look something like this:

- query AD for all user objects that have apsgDepartment and/or
  apsgSection populated

- loop through the returned set to build unique lists of Department
  numbers and Section numbers

- loop through the Department number list and create a group for each one

- loop through the Section number list and create a group for each one,
  and nest it in the corresponding Department group

 

None of that is heinously difficult to script. I'd probably lean towards
powershell or perl, since they handle hashes better than VBScript. But
it's certainly feasible in VBScript as well. Holler if you want some
help going down this road.

 

Hunter

 
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Tuesday, January 23, 2007 8:46 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adfind + Admod help

Thank you for the response Al.

 

To answer your ultimate question, which was "Does that help, or ??",
then I would have to lean more towards ?? in my case.  Not to say you
didn't give some excellent options, but unfortunately it all boils down
to me simply not being any sort of a programmer and so I currently
wouldn't know how to do any of the options you suggest.  (I'm studying
the ways of VBScripting right now).  To answer an earlier question, "Do
you already have the department names in a list? Or is that something
that you have to gather first?", the department and section information
is already contained within Active Directory through Schema Extensions.
The actual names of the departments/sections are not important at this
level, all I need to be concerned with is the department and section
numbers.

 

As an example...

 

dn:CN=Ben Watson,OU=UserAccounts,DC=appsig,DC=com

apsgDepartment: 24

apsgSection: 242

 

I am a part of Department 24, section 242.  Thus, my user account should
be a member of the (not created yet) Sec242 security group, and then the
Sec242 security group would be a member of the (not created yet) Dep24
security group.

 

I too was hoping I could lure Joe out to respond and see if Adfind +
Admod could meet this challenge.  I'm certainly hoping so.  :)

 

Thanks,

~Ben

 

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, January 22, 2007 5:38 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Adfind + Admod help

 

Do you already have the department names in a list? Or is that something
that you have to gather first? 

 

If you have to gather, then I assume you'll have to iterate each user
object and determine the department value. Then, you'll create a group
for every single unique instance of department value. After those are
created, you'd then create the section sg's and make them members of the
relevant department sg.  

 

Is there a clean way?  I don't think it's something that you can do on a
single command line, although I throw that out there mostly as a
challenge to joe. He likes

RE: [ActiveDir] Adfind + Admod help

2007-01-23 Thread WATSON, BEN
Yeah, I agree.  I see the logic in how to get to the solution, but I just don’t 
have the programmatic tool knowledge yet.  I may not have the time to hold off 
this project until I can figure it out myself programmatically, but I am going 
to set aside my evenings at home until I learn how to do this sort of thing 
myself.

 

Hmm, I’m almost a little scared to ask what the answer is to the bonus 
question.  Does it make a difference that he is our sole software dev employed 
by our IT department to do IT related work?  :)  In any case, let’s hear the 
answer.

 

~Ben

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, January 23, 2007 10:21 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Adfind + Admod help

 

I believe you know how, but may not have the programmatic tool knowledge yet.  
I think this is a great oppty to learn though, if you can make the time.  

Since the HR department did this manually, it almost screams that you could 
manually do this in same fashion. That's a lot of work most likely. 

Using csv or ldif is still fairly within the realm of non-code solutions. ADMOD 
would also be in that realm, but as was mentioned elsewhere in the thread, it's 
not a question of the code, but the logic. Which you know already. 


Bonus question: Do you know what you call somebody who gets a dev to do this 
kind of coding work?  :)

-ajm



On 1/23/07, WATSON, BEN [EMAIL PROTECTED] wrote:

We have a software developer in our group who has developed a Corporate 
Directory application that acts as our internal employee directory on our 
intranet.  It also includes an administrative side which  gives certain 
individuals (mostly HR) the ability to create and disable user accounts when 
people are hired or let go.  The need for Active Directory to house information 
such as department, section, as well as other information unique to our company 
was mostly done to accommodate this application.

 

It was this administrative portion of our Corporate Directory application that 
allowed Human Resources to literally go in and do some data entry and make the 
proper entries for each employee as to their correct department and section.  
So that answers the question of how the data got in there in the first place.

 

As for how I'll go about this, it looks like I'll unfortunately have to go back 
and bug our software dev for help on this.  I hate doing it, because when it 
comes to things like this I feel like I should be able to do it but 
unfortunately I just don't know how to yet apparently.

 

~Ben

 
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
On Behalf Of Al Mulnick
Sent: Tuesday, January 23, 2007 9:05 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Adfind + Admod help

 

What are you comfortable with for administration?  
How'd the attributes get populated in the first place? 

joe's tool wouldn't be the tool of choice for this problem. To clarify that, I 
mean to say that it wouldn't be the only tool because there's logic that has to 
occur that is specific to your situation. 

The manual method (non-automated) would be to export the information into 
spreadsheets and use ldif or csv (comfort level again) to create and populate 
the group structures as needed. 

Al

On 1/23/07, WATSON, BEN [EMAIL PROTECTED] wrote:

Thank you for the response Al.

 

To answer your ultimate question, which was "Does that help, or ??", then I 
would have to lean more towards ?? in my case.  Not to say you didn't give some 
excellent options, but unfortunately it all boils down to me simply not being 
any sort of a programmer and so I currently wouldn't know how to do any of the 
options you suggest.  (I'm studying the ways of VBScripting right now).  To 
answer an earlier question, "Do you already have the department names in a 
list? Or is that something that you have to gather first?", the department and 
section information is already contained within Active Directory through Schema 
Extensions.  The actual names of the departments/sections are not important at 
this level, all I need to be concerned with is the department and section 
numbers.

 

As an example…

 

dn:CN=Ben Watson,OU=UserAccounts,DC=appsig,DC=com

apsgDepartment: 24

apsgSection: 242

 

I am a part of Department 24, section 242.  Thus, my user account should be a 
member of the (not created yet) Sec242 security group, and then the Sec242 
security group would be a member of the (not created yet) Dep24 security group.

 

I too was hoping I could lure Joe out to respond and see if Adfind + Admod 
could meet this challenge.  I'm certainly hoping so.  :)

 

Thanks,

~Ben

 

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
On Behalf Of Al Mulnick
Sent: Monday, January 22, 2007 5:38 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Adfind + Admod help

 

Do you already have the department

Re: [ActiveDir] Adfind + Admod help

2007-01-23 Thread Al Mulnick

Bonus question: Do you know what you call somebody who gets a dev to do
this kind of coding work?  :)

A: Boss.

Of course, the same could be said about the person that told you to set up
the groups like that. But it could be helpful to keep some perspective I
suspect.

On 1/23/07, WATSON, BEN [EMAIL PROTECTED] wrote:


 Yeah, I agree.  I see the logic in how to get to the solution, but I just
don't have the programmatic tool knowledge yet.  I may not have the time to
hold off this project until I can figure it out myself programmatically, but
I am going to set aside my evenings at home until I learn how to do this
sort of thing myself.



Hmm, I'm almost a little scared to ask what the answer is to the bonus
question.  Does it make a difference that he is our sole software dev
employed by our IT department to do IT related work?  :)  In any case,
let's hear the answer.



~Ben



*From:* [EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED] *On Behalf Of *Al Mulnick
*Sent:* Tuesday, January 23, 2007 10:21 AM
*To:* ActiveDir@mail.activedir.org
*Subject:* Re: [ActiveDir] Adfind + Admod help



I believe you know how, but may not have the programmatic tool knowledge
yet.  I think this is a great oppty to learn though, if you can make the
time.

Since the HR department did this manually, it almost screams that you
could manually do this in same fashion. That's a lot of work most likely.

Using csv or ldif is still fairly within the realm of non-code solutions.
ADMOD would also be in that realm, but as was mentioned elsewhere in the
thread, it's not a question of the code, but the logic. Which you know
already.


Bonus question: Do you know what you call somebody who gets a dev to do
this kind of coding work?  :)

-ajm

 On 1/23/07, *WATSON, BEN* [EMAIL PROTECTED] wrote:

We have a software developer in our group who has developed a Corporate
Directory application that acts as our internal employee directory on our
intranet.  It also includes an administrative side which  gives certain
individuals (mostly HR) the ability to create and disable user accounts when
people are hired or let go.  The need for Active Directory to house
information such as department, section, as well as other information unique
to our company was mostly done to accommodate this application.



It was this administrative portion of our Corporate Directory application
that allowed Human Resources to literally go in and do some data entry and
make the proper entries for each employee as to their correct department and
section.  So that answers the question of how the data got in there in the
first place.



As for how I'll go about this, it looks like I'll unfortunately have to go
back and bug our software dev for help on this.  I hate doing it, because
when it comes to things like this I feel like I should be able to do it but
unfortunately I just don't know how to yet apparently.



~Ben

*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
*On Behalf Of *Al Mulnick
*Sent:* Tuesday, January 23, 2007 9:05 AM
*To:* ActiveDir@mail.activedir.org
*Subject:* Re: [ActiveDir] Adfind + Admod help



What are you comfortable with for administration?
How'd the attributes get populated in the first place?

joe's tool wouldn't be the tool of choice for this problem. To clarify
that, I mean to say that it wouldn't be the only tool because there's logic
that has to occur that is specific to your situation.

The manual method (non-automated) would be to export the information into
spreadsheets and use ldif or csv (comfort level again) to create and
populate the group structures as needed.

Al

On 1/23/07, *WATSON, BEN* [EMAIL PROTECTED] wrote:

Thank you for the response Al.



To answer your ultimate question, which was "Does that help, or ??", then
I would have to lean more towards ?? in my case.  Not to say you didn't give
some excellent options, but unfortunately it all boils down to me simply not
being any sort of a programmer and so I currently wouldn't know how to do
any of the options you suggest.  (I'm studying the ways of VBScripting right
now).  To answer an earlier question, "Do you already have the department
names in a list? Or is that something that you have to gather first?", the
department and section information is already contained within Active
Directory through Schema Extensions.  The actual names of the
departments/sections are not important at this level, all I need to be
concerned with is the department and section numbers.



As an example…



dn:CN=Ben Watson,OU=UserAccounts,DC=appsig,DC=com

apsgDepartment: 24

apsgSection: 242



I am a part of Department 24, section 242.  Thus, my user account should
be a member of the (not created yet) Sec242 security group, and then the
Sec242 security group would be a member of the (not created yet) Dep24
security group.



I too was hoping I could lure Joe out to respond and see if Adfind + Admod
could meet this challenge.  I'm certainly hoping so.  :)



Thanks,

~Ben





*From:* [EMAIL

RE: [ActiveDir] Adfind + Admod help

2007-01-23 Thread Coleman, Hunter
Powershell is the latest-greatest command shell for Windows.
http://www.microsoft.com/technet/scriptcenter/webcasts/ps.mspx has some
webcasts on it, and
http://www.microsoft.com/windowsserver2003/technologies/management/power
shell/faq.mspx is the FAQ. I don't see VBScript going away anytime soon,
but I suspect that PS is going to be the way of the future in many
respects, especially for sys admin types. The downside, for now, is that
there isn't the depth and breadth of resources available yet for PS that
exist for VBScript. That's slowly changing, but will take some time. The
script center is a good spot to poke through sample code for either one:
http://www.microsoft.com/technet/scriptcenter/default.mspx
 
Hunter


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Tuesday, January 23, 2007 11:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adfind + Admod help



Thanks for the response Hunter.  Yeah, that's pretty much the logic that
I had come down to.  By the way, what is the real difference between
Powershell and VBScript anyway?  I've been hearing more and more about
Powershell lately, and since I'm going to take the time to learn a
scripting language, I will want to make sure I learn the one that will
have the most value to me from an administration perspective.

 

Let me go talk to my local software dev here in our department.  I'm
sure we'll be able to come to a solution no problem.  It just bugs me
that I don't know how to do scripting like this yet.

 

And I'll certainly holler if I run out of options.

 

Thanks again,

~Ben

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Tuesday, January 23, 2007 9:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adfind + Admod help

 

I agree with Al in that I don't see an obvious way to do this from a
single command line. The key, as he mentioned, is going to be getting a
list of unique department numbers and section numbers. I'd probably
separate those out into two distinct lists, one for departments and one
for sections. Once you have those lists, you could pipe them to admod or
any other tool of your choice to create the groups. However, since
you're probably going to need some script to generate the lists, you
might as well keep the group creation within the script as well.

 

The problem with trying to use adfind is that you are not going to be
able to construct an LDAP query that returns only unique instances of
apsgDepartment and apsgSection. No knock on adfind, you'll run into the
same thing with ldp or dsquery. You can query for and return any object
that has those attributes populated, but the returned set of those
attributes will have duplicates. That's where your script will throw the
attributes into a hash (or scripting dictionary) to eliminate the
duplicates.

 

The outline of your script would look something like this:

- query AD for all user objects that have apsgDepartment and/or
  apsgSection populated

- loop through the returned set to build unique lists of Department
  numbers and Section numbers

- loop through the Department number list and create a group for each one

- loop through the Section number list and create a group for each one,
  and nest it in the corresponding Department group

 

None of that is heinously difficult to script. I'd probably lean towards
powershell or perl, since they handle hashes better than VBScript. But
it's certainly feasible in VBScript as well. Holler if you want some
help going down this road.

 

Hunter

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Tuesday, January 23, 2007 8:46 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adfind + Admod help

Thank you for the response Al.

 

To answer your ultimate question, which was "Does that help, or ??",
then I would have to lean more towards ?? in my case.  Not to say you
didn't give some excellent options, but unfortunately it all boils down
to me simply not being any sort of a programmer and so I currently
wouldn't know how to do any of the options you suggest.  (I'm studying
the ways of VBScripting right now).  To answer an earlier question, "Do
you already have the department names in a list? Or is that something
that you have to gather first?", the department and section information
is already contained within Active Directory through Schema Extensions.
The actual names of the departments/sections are not important at this
level, all I need to be concerned with is the department and section
numbers.

 

As an example...

 

dn:CN=Ben Watson,OU=UserAccounts,DC=appsig,DC=com

apsgDepartment: 24

apsgSection: 242

 

I am a part of Department 24, section 242.  Thus, my user account should
be a member of the (not created yet) Sec242 security group, and then the
Sec242 security group would be a member of the (not created yet) Dep24
security group.

 

I too was hoping I could lure

Re: [ActiveDir] Adfind + Admod help

2007-01-22 Thread Al Mulnick

Do you already have the department names in a list? Or is that something
that you have to gather first?

If you have to gather, then I assume you'll have to iterate each user object
and determine the department value. Then, you'll create a group for every
single unique instance of department value. After those are created, you'd
then create the section sg's and make them members of the relevant
department sg.

Is there a clean way?  I don't think it's something that you can do on a
single command line, although I throw that out there mostly as a challenge
to joe. He likes that kind of challenge I suspect ;)

Couple of options come to mind:

You could build a table and based on that table you can create/populate.
ADMOD and ADFIND could be useful to you there.

You could build a script that uses dictionary objects and creates the unique
instances for you and correlates that information to the sections and then
creates/populates.  It's slightly complex, but...

Building the tables, you could then execute manually.  Depends on the scope
of course.

Of course, .NET is an option as well.  Same logic depending on language
though. And you will want to do this in passes most likely so you can ensure
that the department group is created when it comes time to add an object to
it.  It's helpful to do it that way...

Does that help, or ??
Al



On 1/22/07, WATSON, BEN [EMAIL PROTECTED] wrote:


 Hey guys,



I'm trying to wrap my brain around how best to accomplish this and need a
little help.



I need to create a security group for each department in our company, and
then a security group for each section.  At our company sections fall
underneath departments.  So we may have a department #24, and then sections
#241, #242, #243, etc…



Right now, we have made some schema extensions to allow Active Directory
to contain relevant user data, such as what Department and Section the user
is a part of.  So the data is already in our Active Directory.  I imagine
there should be a relatively easy way to take each unique value of
Department and Section and turn that into the security groups I need.



So if it were to find Departments 24 and 25.  It would turn that into two
security groups named Dept24 and Dept25.  Furthermore, if it found sections
241, 242, 251, 252, it would create four security groups named Sec241,
Sec242, Sec251, and Sec252.



It would also be nice if I could create the Department security groups
first, and then not only create the proper Section security groups, but make
them a member of the appropriate Department security groups as well.



Any ideas on how best to accomplish this in a relatively pain-free
fashion?  Or if there is an alternative way to do this rather than Admod,
then please suggest it.  I just figured that Admod would probably be my best
choice.



Thanks,

~Ben
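
The passes Al and Hunter outline in this thread (collect unique departments and sections, create the department groups, create the section groups, then nest them), as an added PowerShell example that is not code from any poster. It assumes the users were exported in the dn / apsgDepartment / apsgSection layout Ben showed, a hypothetical OU=Groups container, the Dept/Sec name prefixes from Ben's first message, and LDIF as the output; the rule that non-numeric values and a section claimed by two departments are held back for review instead of being nested is this example's own choice, since these groups will be used for access control and the attribute values were entered by hand.

```powershell
# Added example, not code from the thread. $sample is constructed data in the
# dn / apsgDepartment / apsgSection layout shown in Ben's message.
$sample = @'
dn:CN=Ben Watson,OU=UserAccounts,DC=appsig,DC=com
apsgDepartment: 24
apsgSection: 242

dn:CN=Sample User A,OU=UserAccounts,DC=appsig,DC=com
apsgDepartment: 24
apsgSection: 243

dn:CN=Sample User B,OU=UserAccounts,DC=appsig,DC=com
apsgDepartment: 25
apsgSection: 251

dn:CN=Sample User C,OU=UserAccounts,DC=appsig,DC=com
apsgDepartment: 25
apsgSection: 242

dn:CN=Sample User D,OU=UserAccounts,DC=appsig,DC=com
apsgDepartment: 25
'@
$groupOU = 'OU=Groups,DC=appsig,DC=com'   # assumption: container for the new groups

# Turn the export into one hashtable per user; a "dn:" line starts a new record.
function Read-UserRecords([string]$Text) {
    $rec = $null
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^(\w+):\s*(.+?)\s*$') {
            if ($Matches[1] -eq 'dn') { if ($rec) { $rec }; $rec = @{ dn = $Matches[2] } }
            elseif ($rec) { $rec[$Matches[1]] = $Matches[2] }
        }
    }
    if ($rec) { $rec }
}

# Build dept -> section -> member DNs. The hashtable keys remove the duplicates.
function Build-Layout($Users) {
    $layout = @{}; $owner = @{}; $review = @()
    foreach ($u in $Users) {
        $d = $u['apsgDepartment']; $s = $u['apsgSection']
        if ($d -notmatch '^\d+$') { $review += 'bad or missing department: ' + $u.dn; continue }
        if (-not $layout.ContainsKey($d)) { $layout[$d] = @{} }
        if ($s -notmatch '^\d+$') { $review += 'bad or missing section: ' + $u.dn; continue }
        if ($owner.ContainsKey($s) -and $owner[$s] -ne $d) {
            $review += ('section {0} is under department {1} but also claimed by {2}: {3}' -f
                        $s, $owner[$s], $d, $u.dn)
            continue
        }
        $owner[$s] = $d
        if (-not $layout[$d].ContainsKey($s)) { $layout[$d][$s] = @() }
        $layout[$d][$s] += $u.dn
    }
    @{ Layout = $layout; Review = $review }
}

# One LDIF "add" record for a global security group, optionally with members.
function New-GroupAdd([string]$Name, [string[]]$Members) {
    $lines = @("dn: CN=$Name,$groupOU", 'changetype: add', 'objectClass: group',
               "sAMAccountName: $Name", 'groupType: -2147483646')
    foreach ($m in $Members) { $lines += "member: $m" }
    $lines + ''
}

function ConvertTo-GroupLdif($Layout) {
    $depts = $Layout.Keys | Sort-Object
    # Pass 1: department groups, so they exist before anything is nested in them.
    foreach ($d in $depts) { New-GroupAdd "Dept$d" }
    # Pass 2: section groups, populated with their users.
    foreach ($d in $depts) {
        foreach ($s in ($Layout[$d].Keys | Sort-Object)) { New-GroupAdd "Sec$s" ($Layout[$d][$s]) }
    }
    # Pass 3: nest each section group in its department group.
    foreach ($d in $depts) {
        if ($Layout[$d].Count -eq 0) { continue }
        "dn: CN=Dept$d,$groupOU"; 'changetype: modify'; 'add: member'
        foreach ($s in ($Layout[$d].Keys | Sort-Object)) { "member: CN=Sec$s,$groupOU" }
        '-'; ''
    }
}

$result = Build-Layout (Read-UserRecords $sample)
ConvertTo-GroupLdif $result.Layout
$result.Review | ForEach-Object { Write-Warning $_ }
```

The script only prints LDIF and warnings, so the output can be read through and the flagged accounts corrected in the directory before anything is imported (for example with `ldifde -i -f <file>`).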