tool to move users from one group to another?

Windows 2000 Active Directory


  #1  
Old 20-08-2008
 
tool to move users from one group to another?

Hi All,

Does anyone know of a tool that will move thousands of users from one Active
Directory group to another?

Thank you!

Dram


  #2  
Old 20-08-2008
Ketchup
 
Re: tool to move users from one group to another?

Certainly, you can use csvde to export from AD to a CSV file. You can make
your edits in this CSV file and then reimport it back into Active Directory.

I have also used the dos commands net user and net group to do this in a
quick shell script.

net group <groupname> <username> /domain /delete

or

net group <groupname> <username> /domain /add

You can write a quick FOR loop to process the users from a file. Let's say
you have a file called users.txt. The script would look something like
this:

**** batch file ****
@echo off
rem Read one user name per line from users.txt.
for /f "delims=|" %%i in (users.txt) do (
    rem Remove the user from the old group, then add the user to the new group.
    net group <groupnametoremove> %%i /domain /delete
    net group <groupnametoadd> %%i /domain /add
)
**** end batch file ****

You need admin rights to do this in the domain.

Hope this helps

  #3  
Old 20-08-2008
Richard Mueller [MVP]
 
Re: tool to move users from one group to another?

In general a command line tool or VBScript program can do this, but there
are complications if the group has more than 1500 members (1000 in Windows
2000 AD). Most scripting methods can only retrieve or document 1500 members.
I don't know about csvde or net group, but they may have the same
limitation.

In VBScript the solution is to use ADO range limits, where you essentially
retrieve 1000 members at a time. I have an example that enumerates all
members of a large group linked here:

However, this program also reveals membership due to group nesting, which
you do not want here. The program could be revised to remove the recursive
feature and have it only enumerate direct members of the group. It could
then be easily modified to add each member to another specified group.

If making one group a member of the other does not meet your needs, and you
want a scripting solution, reply and I'll modify the example and post here.

  #4  
Old 21-08-2008
Jorge de Almeida Pinto [MVP - DS]
 
You could also use DSGET in combination with DSMOD.

Look at the options and you'll figure it out!

I've used LDIFDE and CSVDE to pump in over 4000 accounts
without problems. However, the most I've tested with using a VB test script
is 1000 users without problems, but never higher, so I can't comment on
that.

I have a program which can copy all members of one group to another.
Contact me direct if interested.

I need this urgently. Please could you send me your modified code to move members of a group to another one.

  #5  
Old 15-06-2009
Richard Mueller [MVP]
 
Re: tool to move users from one group to another?

Example VBScript program to copy members from one large group to another:
===========
Option Explicit

Dim objRootDSE, strDNSDomain, adoCommand
Dim adoConnection, strBase, strAttributes
Dim strFilter, strQuery, adoRecordset
Dim strDN, intCount, blnLast, intLowRange
Dim intHighRange, intRangeStep, objField
Dim strSourceGroup, strTargetGroup, objTargetGroup

' Specify DN of "source" group, the group whose members are to
' be copied into another group.
strSourceGroup = "cn=Sales1,ou=West,dc=MyDomain,dc=com"

' Specify DN of "target" group, the group that will have
' members added.
strTargetGroup = "cn=Sales2,ou=East,dc=MyDomain,dc=com"

' Bind to the "target" group.
Set objTargetGroup = GetObject("LDAP://" & strTargetGroup)

' Determine DNS domain name.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")

' Use ADO to search Active Directory.
Set adoCommand = CreateObject("ADODB.Command")
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
adoCommand.ActiveConnection = adoConnection
adoCommand.Properties("Page Size") = 100
adoCommand.Properties("Timeout") = 30
adoCommand.Properties("Cache Results") = False

' Specify base of search.
strBase = "<LDAP://" & strDNSDomain & ">"
' Specify the attribute values to retrieve.
strAttributes = "member"
' Filter on objects of class "group" and specified DN of "source" group.
strFilter = "(&(ObjectCategory=group)" _
& "(distinguishedName=" & strSourceGroup & "))"

' Enumerate direct group members.
' Use range limits to handle more than 1000/1500 members.
' Setup to retrieve 1000 members at a time.
blnLast = False
intRangeStep = 999
intLowRange = 0
IntHighRange = intLowRange + intRangeStep

Do While True

    If (blnLast = True) Then
        ' If last query, retrieve remaining members.
        strQuery = strBase & ";" & strFilter & ";" _
            & strAttributes & ";range=" & intLowRange _
            & "-*;subtree"
    Else
        ' If not last query, retrieve 1000 members.
        strQuery = strBase & ";" & strFilter & ";" _
            & strAttributes & ";range=" & intLowRange & "-" _
            & intHighRange & ";subtree"
    End If
    adoCommand.CommandText = strQuery
    Set adoRecordset = adoCommand.Execute
    intCount = 0
    Do Until adoRecordset.EOF
        For Each objField In adoRecordset.Fields
            If (VarType(objField) = (vbArray + vbVariant)) Then
                For Each strDN In objField.Value
                    ' Escape any forward slash characters, "/", with the
                    ' backslash escape character. All other characters
                    ' that should be escaped are.
                    strDN = Replace(strDN, "/", "\/")
                    ' Check if already a member of "target" group.
                    If (objTargetGroup.IsMember("LDAP://" & strDN) = False) Then
                        ' Add to "target" group.
                        objTargetGroup.Add("LDAP://" & strDN)
                    End If
                    intCount = intCount + 1
                Next
            End If
        Next
        adoRecordset.MoveNext
    Loop
    adoRecordset.Close
    ' If this is the last query, exit the Do While loop.
    If (blnLast = True) Then
        Exit Do
    End If
    ' If the previous query returned no members, then the previous
    ' query for the next 1000 members failed. Perform one more
    ' query to retrieve remaining members (less than 1000).
    If (intCount = 0) Then
        blnLast = True
    Else
        ' Setup to retrieve next 1000 members.
        intLowRange = intHighRange + 1
        intHighRange = intLowRange + intRangeStep
    End If
Loop

  #6  
Old 16-06-2009
Member
 
Join Date: Jun 2009
Posts: 1
Re: tool to move users from one group to another?

Thank you so much, it worked and is very useful.
But there is a little error. When I ran this VBScript code, I got this message:

Error: the Server is unwilling to process the request.
Code: 80072035
Source: (null)

The copy of users was done only partially; some users were not copied and I have to correct it manually.

  #7  
Old 16-06-2009
Richard Mueller [MVP]
 
Re: tool to move users from one group to another?

You don't say which line raised the error, but most likely it was the
following:

objTargetGroup.Add("LDAP://" & strDN)

The program checks if the user (or other object) represented by strDN is
already a member before attempting to add the user to the group. However, it
is possible (but not likely) the user has the group designated as their
"primary" group. The IsMember method would not reveal that the user is a
member, and the Add method would raise an error. However, I think the error
message in that case is different, something like "the object already
exists".

If the groups (source and target) are of different types, or are in
different domains, perhaps a member of the source is not permitted to be a
member of the target. For example, if the source is a domain local group and
the target is a global group, one of the members of the source could be
another domain local group, which cannot be added to the target.

Also, you could have reached the limit on the number of members allowed in a
group. I think the limit is 5000 members.

Perhaps it is possible, as the error message seems to suggest, the DC
processing the membership changes got overloaded and rejected an Add
request. Since the script is designed to do nothing if a user is already a
member of the group, it should not hurt to run the script again (assuming
everyone in your domain has the group "Domain Users" designated as their
"primary" group, so that no one's "primary" group is either the source or
the target group). I like to use error trapping only where necessary, but in
this case it could help. If you still need to complete the process, I would
suggest running the script again, but with the following modification. In
place of:

objTargetGroup.Add("LDAP://" & strDN)

use the following:

On Error Resume Next
objTargetGroup.Add("LDAP://" & strDN)
If (Err.Number <> 0) Then
Wscript.Echo "Error attempting to add " & strDN
Wscript.Echo "Error Number: " & Err.Number
Wscript.Echo "Description: " & Err.Description
Wscript.Echo "Source: " & Err.Source
End If
On Error GoTo 0

Either the script will raise an error at the same point, and you can see if
there is anything strange about the object represented by strDN, or the
script will get further, perhaps adding another few hundred users before
overloading the DC.

Finally, I think I have seen cases where the Add method fails when you pass
a value that is believed to be the correct ADsPath of the object, but the
group and member were in different domains. In any case, the safest method
is to bind to the prospective member object and use the ADsPath property of
the object. In other words, there is a slight chance that instead of this:

objTargetGroup.Add("LDAP://" & strDN)

this would work more reliably:

Set objMember = GetObject("LDAP://" & strDN)
objTargetGroup.Add(objMember.ADsPath)

I didn't code that because it would slow the script down considerably
(binding to thousands of objects in AD). And the more I think about it, I
doubt it would help. I would just run the script again with the error
trapping statements.

Reply With Quote
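
To see which accounts a partially failed run (as reported in post #6) left out, the direct membership of both groups can be compared afterwards. The PowerShell below is an added example, not code from any poster in this thread; it reuses the placeholder group DNs from the script in post #5, assumes PowerShell 5 or later on a domain-joined machine with read access to both groups, and `Get-DirectMember` is a hypothetical helper name.

```powershell
# Added example (not from the thread): report source-group members that are
# missing from the target group after a bulk copy. Group DNs are the
# placeholders used in post #5; Get-DirectMember is a hypothetical helper.
function Get-DirectMember {
    param([Parameter(Mandatory)][string]$GroupDN)

    # Escape "/" in the DN, as the VBScript in post #5 does, before binding.
    $entry = [ADSI]('LDAP://' + $GroupDN.Replace('/', '\/'))
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($entry)
    $searcher.SearchScope = 'Base'
    $searcher.Filter = '(objectClass=group)'

    $members = [System.Collections.Generic.HashSet[string]]::new(
        [System.StringComparer]::OrdinalIgnoreCase)
    $low = 0
    while ($true) {
        # Ask for everything from $low onward; the server returns one chunk.
        $searcher.PropertiesToLoad.Clear()
        [void]$searcher.PropertiesToLoad.Add("member;range=${low}-*")
        $result = $searcher.FindOne()
        if ($null -eq $result) { throw "Group not found: $GroupDN" }

        # The returned attribute is named after the range actually sent,
        # e.g. "member;range=0-1499", and ends in "-*" on the final chunk.
        $name = $result.Properties.PropertyNames |
            Where-Object { $_ -like 'member;range=*' } |
            Select-Object -First 1
        if (-not $name) { break }              # empty group, nothing returned

        $values = $result.Properties[$name]
        foreach ($dn in $values) { [void]$members.Add([string]$dn) }
        if ($name.EndsWith('-*')) { break }    # last chunk received
        $low += $values.Count                  # continue after what we got
    }
    return ,$members
}

$source = Get-DirectMember -GroupDN 'cn=Sales1,ou=West,dc=MyDomain,dc=com'
$target = Get-DirectMember -GroupDN 'cn=Sales2,ou=East,dc=MyDomain,dc=com'

# Accounts that hold a group only as their "primary" group are not listed in
# the member attribute, so they do not appear on either side of this diff.
$missing = @($source | Where-Object { -not $target.Contains($_) } | Sort-Object)
'{0} in source, {1} in target, {2} missing from target' -f `
    $source.Count, $target.Count, $missing.Count
$missing
```

The script only reads the directory; the DNs it prints are the ones to re-run or investigate, and keeping that output gives a record of what the bulk membership change did and did not apply.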