Recipe 6.16 Transferring a User's Group Membership to Another User

6.16.1 Problem

You want to transfer the group membership for one user to another.

6.16.2 Solution

6.16.2.1 Using a graphical user interface
  1. Open the Active Directory Users and Computers snap-in.

  2. In the left pane, right-click on the domain and select Find.

  3. Select the appropriate domain beside In.

  4. Beside Name, type the name of the user you want to transfer groups from and click Find Now.

  5. In the Search Results, double-click on the user.

  6. Click the Member Of tab.

  7. For each group you want to add the new user to, do the following:

    1. Double-click on the group.

    2. Click the Members tab.

    3. Click the Add button.

    4. Find the user you want to add in the object picker and click OK.

    5. Click OK.

6.16.2.2 Using a command-line interface

The following command adds <NewUserDN> to every group that <CurrentUserDN> is a member of. dsget user -memberof prints one quoted group DN per line, and delims= (an empty delimiter list) makes each whole line the value of %i, so DNs containing spaces reach dsmod intact. The trailing ^ continues the command on the next line; in a batch file, write %%i instead of %i:

> for /F "usebackq delims=" %i in (`dsget user "<CurrentUserDN>" -memberof`) do ^
dsmod group %i -addmbr "<NewUserDN>"

If you also want to remove <CurrentUserDN> from each of the groups in the same pass, chain a second dsmod that uses the -rmmbr option. Joining the two with && runs the removal only when the add succeeded, so a failed add never leaves a group containing neither user:

> for /F "usebackq delims=" %i in (`dsget user "<CurrentUserDN>" -memberof`) do ^
(dsmod group %i -addmbr "<NewUserDN>" && dsmod group %i -rmmbr "<CurrentUserDN>")


6.16.2.3 Using VBScript

' This code adds the "new" user to the groups the "current"
' user is a member of
' ------ SCRIPT CONFIGURATION ------
strCurrentUserDN = "<CurrentUserDN>"  ' e.g. cn=jsmith,ou=Sales,dc=rallencorp,dc=com
strNewUserDN     = "<NewUserDN>"      ' e.g. cn=rallen,ou=Sales,dc=rallencorp,dc=com
' ------ END CONFIGURATION ---------

Const ADS_PROPERTY_APPEND = 3

' Binding to both users before "on error resume next" makes the script abort
' on a mistyped DN instead of silently doing nothing
set objCurrentUser = GetObject("LDAP://" & strCurrentUserDN)
set objNewUser = GetObject("LDAP://" & strNewUserDN)

on error resume next
WScript.Echo "Transferring groups from " & strCurrentUserDN & " to " & strNewUserDN
' memberOf lists only the groups in the current user's own domain, and never
' the user's primary group (see the Discussion)
for each strGroupDN in objCurrentUser.GetEx("memberOf")
   Err.Clear   ' otherwise one failure is reported against every later group too
   set objGroup = GetObject("LDAP://" & strGroupDN)
   objGroup.PutEx ADS_PROPERTY_APPEND, "member", Array(strNewUserDN)
   objGroup.SetInfo
   if Err then
      WScript.Echo "Error adding user to group: " & strGroupDN & " (" & Err.Description & ")"
   else
      WScript.Echo "Added user to group: " & strGroupDN
   end if
next

6.16.3 Discussion

Employees come and go; people take on new responsibilities and move on to new jobs, so movement within an organization is common. When this happens, someone typically replaces the person who is moving on. The new person needs to get up to speed as quickly as possible, including getting accounts set up and access to the necessary resources, and a big part of that is being added to the correct groups. One of the processes outlined in the Solution section gives the new user exactly the same group memberships the former employee had. Review that list before you copy it: a long-tenured account often carries memberships that were never cleaned up, and cloning it wholesale hands that accumulated access, administrative groups included, to someone who may not need it.

One important issue to point out is that the memberOf attribute, which the Solution section uses to determine the user's group membership, is a back-link that a domain controller can only compute for groups it holds a replica of. Queried on an ordinary domain controller, as all three solutions do, it contains only the groups in the user's own domain; queried on a global catalog it also includes universal groups from other domains in the forest, because universal group membership is replicated to the global catalog, but it never includes domain local groups from other domains. It also never contains the user's primary group (Domain Users by default), which is recorded in primaryGroupID rather than in member. Membership in groups outside the user's domain is therefore not transferred by any of the three solutions. To transfer it as well, query the global catalog for group objects whose member attribute contains the DN of the user, which finds the universal groups, and query each other domain directly for any domain local groups there that contain the user.
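The same transfer in PowerShell with the ActiveDirectory module, as an added example that is not code from the cookbook: it follows the Solution's memberOf approach, adds the global catalog query just described to pick up universal groups from other domains, and removes the current user from a group only after the new user was added to it. The global catalog address and the DNs are placeholders (assumptions). Set-ADGroup -Add/-Remove is used instead of Add-ADGroupMember so that the member attribute is written by DN, which also works for a user from another domain in the forest.

```powershell
# Added example, not code from the Active Directory Cookbook. Requires the RSAT
# ActiveDirectory module and rights to modify every group involved. The GC address
# and DNs are placeholders (assumptions), e.g. cn=jsmith,ou=Sales,dc=rallencorp,dc=com.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string] $CurrentUserDN,
    [Parameter(Mandatory)] [string] $NewUserDN,
    [switch] $RemoveCurrent,                             # also remove the current user
    [string] $GlobalCatalog = "gc.rallencorp.com:3268"   # assumed GC host:port
)

Import-Module ActiveDirectory

# Binding to both users up front fails fast on a mistyped DN.
$current = Get-ADUser -Identity $CurrentUserDN -Properties memberOf
$new     = Get-ADUser -Identity $NewUserDN

# 1. Groups in the user's own domain. memberOf is a back-link that an ordinary DC
#    can only compute for groups it holds; it never includes the primary group
#    (Domain Users by default), which is therefore deliberately not transferred.
$groupDNs = [System.Collections.Generic.List[string]]::new()
foreach ($dn in @($current.memberOf)) { $groupDNs.Add($dn) }

# 2. Universal groups in other domains of the forest. Their member attribute is
#    replicated to the global catalog, so a (member=<DN>) filter against the GC
#    finds them. Domain local groups of other domains are not in the GC and would
#    have to be searched in that domain directly (not done here). The DN is escaped
#    per RFC 4515 so a backslash or parenthesis in a CN cannot alter the filter.
$escaped = $CurrentUserDN -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
$forestGroups = Get-ADObject -Server $GlobalCatalog -SearchBase "" -SearchScope Subtree `
    -LDAPFilter "(&(objectClass=group)(member=$escaped))"
foreach ($g in @($forestGroups)) {
    if (-not $groupDNs.Contains($g.DistinguishedName)) { $groupDNs.Add($g.DistinguishedName) }
}

# 3. Apply each change on a DC of the domain that owns the group, since member is
#    writable only there. The domain is derived from the DC= tail of the group DN.
foreach ($groupDN in $groupDNs) {
    $domainDN = $groupDN.Substring($groupDN.IndexOf('DC=', [System.StringComparison]::OrdinalIgnoreCase))
    $server   = (Get-ADDomain -Identity $domainDN).DNSRoot
    try {
        Set-ADGroup -Server $server -Identity $groupDN -Add @{ member = $new.DistinguishedName } -ErrorAction Stop
        Write-Output "Added $($new.DistinguishedName) to $groupDN"
        if ($RemoveCurrent) {
            # Remove only after the add succeeded, so a failure never strips the
            # current user from a group the new user was not added to.
            Set-ADGroup -Server $server -Identity $groupDN -Remove @{ member = $current.DistinguishedName } -ErrorAction Stop
            Write-Output "Removed $($current.DistinguishedName) from $groupDN"
        }
    } catch {
        Write-Warning "Group ${groupDN}: $($_.Exception.Message)"
    }
}
```

Run the script with -WhatIf first to see the planned Set-ADGroup calls without changing anything; because it declares SupportsShouldProcess, the preference propagates to the cmdlets it calls. The escaping step matters because the user's DN is interpolated into an LDAP filter, and a CN may legally contain parentheses, asterisks, or backslashes.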

6.16.4 See Also

Recipe 7.4 for adding and removing members of a group
