PowerShell: Add All Members of an OU to a Security Group

KB ID 0001589

Problem

I've written in the past about 'Bulk Adding Users from CSV files, into Groups'. But what if you want to add ALL users in a particular OU into a security group?

Solution

The syntax is;

[box]

Get-ADUser -SearchBase 'OU=Source-OU,OU=PNL,DC=pnl,DC=com' -Filter * | ForEach-Object { Add-ADGroupMember -Identity 'SG-Test-Group' -Members $_ }

[/box]

Here I've got 20 users that need adding to a group. In this example the group is in the same OU, but it does not have to be;

You will need to close and reopen the group properties for it to refresh its membership.
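As an added example (not the article's own one-liner), the same job done in a way that previews first, skips users who are already members, and checks the result afterwards. The OU and group names are the article's placeholders; the Enabled filter and OneLevel scope are choices I have added, not part of the original command.

```powershell
# Added example, not from the original article: add every enabled user in an
# OU to a security group in one call, with a preview and a post-check.
# The OU DN and group name below are the article's placeholder values.
Import-Module ActiveDirectory

$SourceOu = 'OU=Source-OU,OU=PNL,DC=pnl,DC=com'
$Group    = 'SG-Test-Group'

# -Filter * would also return disabled accounts; they should not normally be
# handed the group's permissions. -SearchScope OneLevel ignores child OUs.
$users = Get-ADUser -SearchBase $SourceOu -SearchScope OneLevel -Filter { Enabled -eq $true }

# Skip accounts that are already members so the script can be re-run safely.
$existing = Get-ADGroupMember -Identity $Group | Select-Object -ExpandProperty DistinguishedName
$toAdd    = $users | Where-Object { $existing -notcontains $_.DistinguishedName }

if ($toAdd) {
    # One call with the whole array is far quicker than one Add-ADGroupMember per user.
    # Remove -WhatIf once the preview lists the accounts you expect.
    Add-ADGroupMember -Identity $Group -Members $toAdd -WhatIf
}

# Verify: how many of the group's members now live in the source OU.
Get-ADGroupMember -Identity $Group |
    Where-Object { $_.DistinguishedName -like "*,$SourceOu" } |
    Measure-Object | Select-Object -ExpandProperty Count
```

Run it once with `-WhatIf` in place to see the list of accounts, then again without it. Because membership is a permission grant, keeping the run idempotent and limited to enabled accounts makes the change easier to audit later.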

Related Articles, References, Credits, or External Links

NA

Windows Server ‘Can’t Delete an OU’

KB ID 0000105 

Problem

Error

“You do not have sufficient privileges to delete {OU Name}, or this object is protected from accidental deletion”

Cause

In Windows domains you have the option to prevent an OU from accidental deletion so that even a Domain/Enterprise admin cannot delete it. That’s fine until you need to delete one.

Solution

To delete a protected OU

1. On the Server (with administrative privileges).

2. Start > Run > dsa.msc {enter}

3. View > Advanced Features.

4. Right Click the OU > Properties > Object Tab.

5. Un-tick “Protect this object from accidental deletion”.
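The PowerShell equivalent of steps 4 and 5, as an added example that is not part of the original article. It first lists OUs that are missing the protection flag (the opposite problem: OUs that can be deleted by accident), then clears the flag on one OU and its children before removing it. The OU DN is a placeholder.

```powershell
# Added example, not from the original article: audit the accidental-deletion
# flag, then clear it and remove one OU. The OU DN is a placeholder.
Import-Module ActiveDirectory

# Audit first: every OU should normally be protected; this lists the ones that are not.
Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
    Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
    Select-Object Name, DistinguishedName

$OuToDelete = 'OU=Old-Department,DC=pnl,DC=com'   # placeholder

# Same effect as un-ticking "Protect this object from accidental deletion" on the Object tab.
Set-ADOrganizationalUnit -Identity $OuToDelete -ProtectedFromAccidentalDeletion $false

# Child objects (sub-OUs, and anything created with the flag set) can be protected
# too, and Remove will refuse while any of them still are.
Get-ADObject -SearchBase $OuToDelete -Filter * -Properties ProtectedFromAccidentalDeletion |
    Where-Object { $_.ProtectedFromAccidentalDeletion } |
    Set-ADObject -ProtectedFromAccidentalDeletion $false

# -Recursive deletes the OU and everything beneath it; -Confirm:$false skips the prompt,
# so leave the prompt in until you are sure of the DN.
Remove-ADOrganizationalUnit -Identity $OuToDelete -Recursive -Confirm:$false
```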

Related Articles, References, Credits, or External Links

NA

Exchange – Creating Dynamic Distribution Groups Based on Organizational Units

KB ID 0000820 

Problem

A Dynamic Distribution list, (as the name implies), maintains its membership for you, unlike a normal static distribution list, where you need to add/remove mailboxes manually.

Solution

Use PowerShell/Exchange Management Shell

1. I’m assuming you already have an OU populated with mail enabled users, in this example called Engineering.

2. Launch the Exchange Management Shell, Execute the following command, (change the group name and OU to match your own);

[box]New-DynamicDistributionGroup -IncludeRecipients MailboxUsers -Name "Engineering Dept" -OrganizationalUnit Engineering[/box]

Note: In this example the 'Alias' can't be created with a space in it, so it would be EngineeringDept@domainc.com.
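Because a dynamic group has no stored member list, the only way to see who it resolves to is to re-run its filter. The following is an added example, not from the original article, that creates the group with an explicit alias and then previews the current membership; the group and OU names are the article's placeholders. Run it in the Exchange Management Shell.

```powershell
# Added example, not from the original article: create the dynamic distribution
# group and preview who it resolves to right now. Names are the article's placeholders.
$GroupName = 'Engineering Dept'
$OuName    = 'Engineering'

New-DynamicDistributionGroup -Name $GroupName -Alias 'EngineeringDept' `
    -IncludeRecipients MailboxUsers -OrganizationalUnit $OuName

# Membership is evaluated each time mail is sent, so read back the group's own
# filter and container and evaluate them the same way the transport service does.
$ddg = Get-DynamicDistributionGroup -Identity $GroupName
Get-Recipient -RecipientPreviewFilter $ddg.RecipientFilter -OrganizationalUnit $ddg.RecipientContainer |
    Select-Object Name, RecipientType, PrimarySmtpAddress

# Moving a mailbox into or out of the OU changes the result with no admin action,
# so re-run the preview after OU moves if the list carries sensitive mail.
```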

Exchange 2013 Use the Exchange Admin Center

1. I’m assuming you already have an OU populated with mail enabled users, in this example called Sales.

2. Launch the Exchange Admin Center > recipients > Groups > Add > Specify a Name and Alias > Browse to the OU > Save.


Exchange 2007 / 2010 Use the Exchange Management Console

1. I’m assuming you already have an OU populated with mail enabled users, in this example called Sales.

2. From within the Exchange Management Console > Recipient Configuration > New Dynamic Distribution Group > Browse > Select your OU > Specify a Name and Alias > Next.

3. Specify the recipient types or click next to select All.

4. Specify any conditions > or leave blank to select none > Next > New.

5. Finish.


Related Articles, References, Credits, or External Links

NA


Windows – Reset all User Passwords in an OU

KB ID 0000497 

Problem

I did some bulk user imports for a client this week, and then needed to set all the passwords on these accounts. Seeing as it was a school, and each year group was in its own OU in Active Directory, I needed a way to “Bulk Reset” the passwords.

Note: Passwords can NOT be set with a CSV / CSVDE import.

Solution

1. We are going to perform this procedure while logged onto a domain controller with appropriate administrative rights.

2. Start > In the Search/run box type cmd {enter}

3. At command line issue the following command:

[box]dsquery user {LDAP path to the OU} | dsmod user -pwd the-new-password[/box]

Examples,

dsquery user OU=Intake2011,OU=Students,DC=petenetlive,DC=com | dsmod user -pwd P@ssword123

dsquery user "OU=Intake 2011,DC=petenetlive,DC=com" | dsmod user -pwd P@ssword123

Note: In the second example there is a space in the path (in the OU name, Intake 2011), which is why the path has been surrounded by quotes/speech marks. If you forget, you will see an error like the one below:

Note 2: The display will only show 100 results by default (that does NOT mean anything has failed!), but you will see the following:

To see more results simply add “-limit {number}” after the LDAP path and before the pipe symbol e.g.

[box]dsquery user {LDAP path to the OU} -limit 300 | dsmod user -pwd the-new-password[/box]

Examples,

dsquery user OU=Intake2011,OU=Students,DC=petenetlive,DC=com -limit 300 | dsmod user -pwd P@ssword123

dsquery user "OU=Intake 2011,DC=petenetlive,DC=com" -limit 1500 | dsmod user -pwd P@ssword123
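The dsmod approach gives every account the same password, typed in clear on the command line. As an added example that goes beyond the article's command (it is not from the original), the script below does the same bulk reset with the ActiveDirectory module but gives each account its own random password, forces a change at next logon, and writes the list to a file for hand-out. The OU DN is the article's example value; the report path and password length are my assumptions.

```powershell
# Added example, not from the original article: reset every user in an OU to a
# different random password and force a change at next logon.
# The OU DN is the article's example; the report path is an assumed location.
Import-Module ActiveDirectory

$TargetOu = 'OU=Intake2011,OU=Students,DC=petenetlive,DC=com'
$Report   = 'C:\Temp\Intake2011-passwords.csv'   # assumed path

function New-RandomPassword {
    param([int]$Length = 14)
    # Look-alike characters (0/O, 1/l/I) are left out so the passwords survive being read out.
    $alphabet = 'abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!@#$%'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf   = New-Object byte[] 1
    $limit = 256 - (256 % $alphabet.Length)   # bytes at or above this are rejected to avoid modulo bias
    # Loop until all four character classes are present so domain complexity rules pass.
    do {
        $chars = New-Object char[] $Length
        for ($i = 0; $i -lt $Length; ) {
            $rng.GetBytes($buf)
            if ($buf[0] -lt $limit) { $chars[$i] = $alphabet[$buf[0] % $alphabet.Length]; $i++ }
        }
        $pw = -join $chars
    } until ($pw -cmatch '[a-z]' -and $pw -cmatch '[A-Z]' -and $pw -match '[0-9]' -and $pw -match '[!@#$%]')
    return $pw
}

# Get-ADUser returns every match (there is no 100-result cap as with dsquery),
# so no account is silently skipped.
$results = foreach ($user in Get-ADUser -SearchBase $TargetOu -Filter *) {
    $plain = New-RandomPassword
    Set-ADAccountPassword -Identity $user -Reset -NewPassword (ConvertTo-SecureString $plain -AsPlainText -Force)
    Set-ADUser -Identity $user -ChangePasswordAtLogon $true
    [pscustomobject]@{ SamAccountName = $user.SamAccountName; Password = $plain }
}

# This file is the only copy of the passwords: restrict it to whoever hands them
# out, and delete it once the users have logged on and changed them.
$results | Export-Csv -Path $Report -NoTypeInformation
```

Forcing the change at next logon means the value in the report is only ever a one-time password, which is the property you want when a batch of accounts is created and handed out together.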

Related Articles, References, Credits, or External Links

NA

Bulk Importing Users with CSVDE

KB ID 0000498 

Problem

This is not a task I've had to do for ages, so when I had to do it this week, I thought I'd just do a quick Google search as a refresher. What I remembered as a simple task took me far too long to work out. So here's a quick solution for everybody else.

Solution

Before I begin, the spreadsheet below was the hard work of John Haddock; I have only made some minor tweaks and adjustments.

1. You will need the names of the users you want to import in a spreadsheet, preferably with their first name and last names in different columns.

2. Download the CSVDE-Template spreadsheet.

3. On the first tab of the spreadsheet (Setup) enter your domain details, and the other cells as required.

4. Select the second tab (Auto-Generated-Version), and paste your users' first names into column G (labelled gn for Given Name), and their surnames into column D (labelled sn).

5. The rest of the fields should now "Auto fill". To make sure all the user names are unique, look down column V (Duplicate check) and make sure all the entries say "False". If any say "True", you will need to alter the values for that user manually.

6. Once you are happy, select all the columns (Except U and V, {the yellow ones}) and copy them to the clipboard.

7. Select the third Tab (Paste-Your-CSV-Data-Here), Select the entire spreadsheet and Paste Special > Paste Values. (So the formulas DON'T get pasted into the spreadsheet).

8. File > Save As > Change the “Save as type” to CSV >Save > OK > Yes.

9. Then at command line issue the following command:

10. All being well it should say “The command has completed successfully” If it does fail it handily tells you what line of the spreadsheet it failed on so you can investigate.

11. By default all the user accounts will be disabled, but you can select them all and enable them.

12. If you would like to reset all the passwords en masse, see the following article:

Windows – Reset all User Passwords in an OU
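CSVDE stops at the first bad row, so it pays to check the file before importing. The script below is an added example, not part of the original article or John Haddock's spreadsheet; it checks the things that most often cause the import to fail on a line: missing required columns, duplicate or over-long logon names, accounts that already exist, and target OUs that do not. The column names (DN, objectClass, sAMAccountName, userPrincipalName) and the file path are my assumptions about the saved CSV.

```powershell
# Added example, not from the original article: sanity-check a CSVDE import file
# before running the import. Assumed columns: DN and objectClass (which CSVDE
# requires), plus sAMAccountName and userPrincipalName. The path is assumed.
Import-Module ActiveDirectory

$CsvPath  = 'C:\Temp\users.csv'   # assumed path
$rows     = @(Import-Csv -Path $CsvPath)
$problems = New-Object System.Collections.Generic.List[string]
if ($rows.Count -eq 0) { throw "No rows found in $CsvPath" }

# 1. Required columns present?
$header = $rows[0].PSObject.Properties.Name
foreach ($col in 'DN', 'objectClass', 'sAMAccountName', 'userPrincipalName') {
    if ($header -notcontains $col) { $problems.Add("Missing column: $col") }
}

# 2. Duplicate logon names inside the file (the spreadsheet's Duplicate-check column flags these too).
$rows | Group-Object -Property sAMAccountName | Where-Object { $_.Count -gt 1 } |
    ForEach-Object { $problems.Add("Duplicate sAMAccountName in file: $($_.Name)") }

# 3. Pre-Windows 2000 logon names are limited to 20 characters.
$rows | Where-Object { $_.sAMAccountName.Length -gt 20 } |
    ForEach-Object { $problems.Add("sAMAccountName longer than 20 characters: $($_.sAMAccountName)") }

# 4. Accounts that already exist in AD, and parent containers that do not.
$knownParents = @{}
foreach ($row in $rows) {
    $sam = $row.sAMAccountName -replace "'", "''"   # escape quotes before building the filter
    if (Get-ADUser -Filter "sAMAccountName -eq '$sam'") {
        $problems.Add("Already exists in AD: $($row.sAMAccountName)")
    }
    # Parent = everything after the first RDN (assumes no escaped commas in the CN).
    $parent = $row.DN -replace '^[^,]+,', ''
    if (-not $knownParents.ContainsKey($parent)) {
        $knownParents[$parent] = [adsi]::Exists("LDAP://$parent")
    }
    if (-not $knownParents[$parent]) { $problems.Add("Parent container not found: $parent") }
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host "No problems found in $($rows.Count) rows."
}
```

Each warning names the row or value concerned, so problems can be fixed in the spreadsheet and the CSV re-saved before the import is attempted.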


Related Articles, References, Credits, or External Links

NA

Granting Users Password Change Ability (Password Administration)

KB ID 0000503

Problem

This is a two part operation, firstly you need to give the user(s) the rights to change passwords, then give them the tools to do so.

Solution

Step 1: Grant the rights (Delegation of Control)

1. Whilst logged into a domain controller with administrative access, open “Active Directory Users and Computers” and create a group that you are going to allow password reset rights to. Note: In this example I’ve created it in the same OU, in practice you would probably create the group elsewhere in AD.

2. We are going to need to create a security group, give it a sensible name.

3. At this point I’m also going to create a test user – (you will see why later), in the same OU that I’m going to grant password reset rights to.

4. Right click the OU containing the users you want to grant password reset rights to (Or like in this example, the parent OU). Then select “Delegate Control”.

5. At the welcome screen > Next.

6. Add > Locate the group you created earlier > OK > Next.

7. Grant the “Reset user passwords and force password change at next logon” > Next.

8. Finish.

9. Finally add the user(s) you want to grant reset rights to, to the group you created earlier.
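Delegations made through the wizard are easy to forget about, and a group that can reset passwords for an OU can effectively log on as any user in it, so it is worth being able to list who holds that right. The following is an added example, not from the original article: it audits the "Reset Password" right on an OU and then grants what the wizard's "Reset user passwords and force password change at next logon" task grants (the extended right on user objects plus read/write of pwdLastSet) to a group. The OU and group names are placeholders; the GUIDs are looked up from the forest rather than hard-coded.

```powershell
# Added example, not from the original article: list who holds the "Reset
# Password" right on an OU, then grant it to a group the way the Delegation of
# Control wizard does. OU and group names are placeholders.
Import-Module ActiveDirectory   # also provides the AD: drive used by Get-Acl/Set-Acl

$TargetOu  = 'OU=Users,OU=PNL,DC=pnl,DC=com'   # placeholder
$GroupName = 'SG-Password-Admins'             # placeholder

# Resolve the GUIDs from the schema and configuration partitions rather than hard-coding them.
$rootDse = Get-ADRootDSE
$resetGuid = [guid](Get-ADObject -SearchBase $rootDse.ConfigurationNamingContext `
    -LDAPFilter '(&(objectClass=controlAccessRight)(displayName=Reset Password))' `
    -Properties rightsGuid).rightsGuid
$pwdLastSetGuid = [guid](Get-ADObject -SearchBase $rootDse.SchemaNamingContext `
    -LDAPFilter '(&(objectClass=attributeSchema)(lDAPDisplayName=pwdLastSet))' -Properties schemaIDGUID).schemaIDGUID
$userClassGuid = [guid](Get-ADObject -SearchBase $rootDse.SchemaNamingContext `
    -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=user))' -Properties schemaIDGUID).schemaIDGUID

# Audit: every ACE on the OU that carries the Reset Password extended right.
$acl = Get-Acl -Path "AD:\$TargetOu"
$acl.Access |
    Where-Object { $_.ObjectType -eq $resetGuid -and "$($_.ActiveDirectoryRights)" -match 'ExtendedRight' } |
    Select-Object IdentityReference, AccessControlType, IsInherited, InheritedObjectType

# Grant: two ACEs, both scoped to descendant user objects only (not the OU itself,
# not groups or computers), which is what the wizard's task produces.
$sid     = (Get-ADGroup -Identity $GroupName).SID
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, $allow,
    $resetGuid, $inherit, $userClassGuid)))
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty', $allow,
    $pwdLastSetGuid, $inherit, $userClassGuid)))
Set-Acl -Path "AD:\$TargetOu" -AclObject $acl
```

Run the audit part on its own periodically; any IdentityReference you do not recognise holding the Reset Password right over an OU of privileged accounts is worth investigating, because that right is equivalent to taking over those accounts.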

Step 2 Give the user the tools – Option 1 (Create a Task Pad)

1. While still on your domain controller (or a machine with the RSAT tools Installed), Start > In the search/run box type mmc {enter}.

2. File > Add/Remove snap-in > Locate and add the “Active Directory Users and Computers” snap-in > Add > OK.

3. Right click the OU you are granting rights to > “New Taskpad View” (Note: you may need to turn on advanced view {view > Advanced options}).

5. Next.

6. Set as required > Next.

7. Leave on defaults > Next.

8. Add a name and description > Next.

9. Make sure the “Add new tasks…” is selected > Finish.

10. Next.

11. Menu command > Next

12. Select the test user you created above > Select “Reset Password” > Next.

13. This is what the user will see in their taskpad as an option > Next.

14. Select an icon > Next.

15. If you want to add anything else, leave the box ticked to re-run > Otherwise > Finish. Let's remove all the bits we don't need > View > Customise > Untick everything > OK.

16. File > Options > Give the console a name > Select “User mode – limited access single window” > Untick “Allow the user to customise views” > Note: You might want to tick “Do not save changes to the console” > Apply > OK.

17. File > Save > Put the file somewhere you can find it.

18. Now your password admins can run this taskpad and have the “Reset password option”.

Note: For them to be able to run this on their client machines they need the following installing on their machines:

XP Clients and 2003 Server: adminpack.msi (you will find it in the system32 folder on your (2003) domain controllers).

Vista Clients and 2008 Server: Install the Vista RSAT Tools (download).

Windows 7 Clients and Server 2008 R2: Install the Windows 7 RSAT Tools (download).

Step 2 Give the user the tools – Option 2 (Use NTAdmin)

1. Yes, it's an old tool, but it's simple and it works! Good for help desk staff and technophobes! Download NTAdmin > When you run it, browse > select the user in question > OK.

2. Click ResetPW > take the default of “welcome”, or choose a new one > Yes > OK.


Related Articles, References, Credits, or External Links

NA