Windows Vista Forums

Set AD Computer Member Of attribute using the computer object

  1. #1


    Nick Guest

    Set AD Computer Member Of attribute using the computer object

    Hello fellow Scripters,

    To start, VBScript or PowerShell will do. I am looking at the Quest
    cmdlets for AD but I have similar results as with VBScript.



    I need to change the "Member of" tab group memberships on a couple
    thousand servers, not necessarily all at once, but you see the need
    for an automated solution. Every solution I have found is to work with
    the group and add/delete the server from there. I do not prefer this
    method as there could be thousands of other servers in that group and
    to edit its membership, well worries me, to say the least. I know with
    a solid solution it would work just fine in this manner, but making a
    mistake of that caliber is a job delimiting decision.

    Every attempt to script this task results in the following error in
    both VBScript and PS:

    The server is unwilling to process the request.

    Using Quest's AD cmdlets, here is the syntax I have worked up:

    Get-QADComputer server1| Set-QADObject -objectAttributes {@
    {MemberOf="CN=blah blah,OU=blah,OU=blah,OU=blah,OU=blah,OU=blah,DC=
    blah,DC= blah,DC= blah,DC= blah "}}

    In VBScript:

    objComputer.PutEx ADS_PROPERTY_APPEND, "memberof", Array("CN=blah
    blah,OU=blah,OU=blah,OU=blah,OU=blah,OU=blah,DC= blah,DC= blah,DC=
    blah,DC= blah ")

    Any thoughts?


  2. #2


    Richard Mueller [MVP] Guest

    Re: Set AD Computer Member Of attribute using the computer object


    "Nick" <nick.hunyady@newsgroup> wrote in message
    news:70eee61e-9278-4e8b-b05a-e5843da0eba9@newsgroup

    > Hello fellow Scripters,
    >
    > To start, VBScript or PowerShell will do. I am looking at the Quest
    > cmdlets for AD but I have similar results as with VBScript.
    >
    > I need to change the "Member of" tab group memberships on a couple
    > thousand servers, not necessarily all at once, but you see the need
    > for an automated solution. Every solution I have found is to work with
    > the group and add/delete the server from there. I do not prefer this
    > method as there could be thousands of other servers in that group and
    > to edit its membership, well worries me, to say the least. I know with
    > a solid solution it would work just fine in this manner, but making a
    > mistake of that caliber is a job delimiting decision.
    >
    > Every attempt to script this task results in the following error in
    > both VBScript and PS:
    >
    > The server is unwilling to process the request.
    >
    > Using Quest's AD cmdlets, here is the syntax I have worked up:
    >
    > Get-QADComputer server1| Set-QADObject -objectAttributes {@
    > {MemberOf="CN=blah blah,OU=blah,OU=blah,OU=blah,OU=blah,OU=blah,DC=
    > blah,DC= blah,DC= blah,DC= blah "}}
    >
    > In VBScript:
    >
    > objComputer.PutEx ADS_PROPERTY_APPEND, "memberof", Array("CN=blah
    > blah,OU=blah,OU=blah,OU=blah,OU=blah,OU=blah,DC= blah,DC= blah,DC=
    > blah,DC= blah ")
    >
    > Any thoughts?

    The member attribute of group objects and the memberOf attribute of user
    objects are linked. Member is the forward link attribute and memberOf is the
    back link attribute. You cannot modify back link attributes directly. The
    values of back link attributes are not actually saved with the object, but
    instead refer to the forward link attribute. See this link:

    http://msdn.microsoft.com/en-us/libr...70(VS.85).aspx

    Also, quoting from this link:
    http://technet.microsoft.com/en-us/l...09(WS.10).aspx
    -----------
    As an option, a back link can be defined on a target object (for example,
    the memberOf attribute on the user object). A back-link attribute should be
    created as a multi-valued attribute, and it cannot exist without a
    corresponding forward link. The back-link attribute cannot be updated
    directly. Instead, it is automatically calculated when it is queried, based
    on the corresponding forward link. A back-link value on any instance of an
    object consists of the distinguished names of all source objects that have
    the target object's distinguished name in their corresponding forward link.
    ------------
    I don't understand your concern with modifying the member attribute of the
    group.

    In VBScript I would bind to the group object, then use the IsMember method
    to check if the prospective member is already a member, then if not use the
    Add method to add the new member. I don't like dealing with the
    member/memberOf attributes directly when modifying membership, but instead
    rely on the methods of the group object designed for this purpose. I like to
    bind to the prospective member object to make sure it exists, then use the
    ADsPath property of the object in the IsMember and Add methods. For example:
    =============
    Option Explicit
    Dim objGroup, objMember, strMemberDN

    ' Bind to group object.
    Set objGroup = GetObject("LDAP://cn=My Group,ou=West,dc=MyDomain,dc=com")

    ' Specify Distinguished Name of prospective member.
    strMemberDN = "cn=MyObject,ou=East,dc=MyDomain,dc=com"

    ' Bind to prospective member object. Trap error if it does not exist.
    On Error Resume Next
    Set objMember = GetObject("LDAP://" & strMemberDN)
    If (Err.Number <> 0) Then
        Wscript.Echo "Error #: " & Err.Number
        Wscript.Echo "Description: " & Err.Description
        Wscript.Quit
    End If
    On Error GoTo 0

    ' Check for membership.
    If (objGroup.IsMember(objMember.ADsPath) = False) Then
        ' Add new member.
        objGroup.Add(objMember.ADsPath)
        Wscript.Echo objMember.Name & " added to group " & objGroup.Name
    Else
        Wscript.Echo objMember.Name & " already a member of group " & _
            objGroup.Name
    End If
    ========
    Code can be designed to do this in bulk, perhaps reading prospective member
    names from a text file or spreadsheet. You can also read NetBIOS names of
    servers from the text file or spreadsheet, and use the NameTranslate object
    to convert to the Distinguished Name.

    --
    Richard Mueller
    MVP Directory Services
    Hilltop Lab - http://www.rlmueller.net
    --
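
The bulk, group-side change described in the reply above, sketched in PowerShell as an added example; it is not code from either poster. It assumes the Microsoft ActiveDirectory module rather than the Quest cmdlets, and the function name, group DN and file name are hypothetical.

```powershell
# Added example; assumes the Microsoft ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Set-ServerGroupMembership {    # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$GroupDN,
        [Parameter(Mandatory = $true)][string[]]$ServerName,
        [ValidateSet('Add', 'Remove')][string]$Action = 'Add'
    )
    $ErrorActionPreference = 'Stop'

    # Snapshot the group's forward link (member) before any write.
    $before = @((Get-ADGroup -Identity $GroupDN -Properties member).member)

    # Resolve every server first; one bad name aborts the run with no changes.
    $targets = @(foreach ($name in $ServerName) {
        (Get-ADComputer -Identity $name).DistinguishedName
    }) | Select-Object -Unique

    # Keep only the DNs whose membership actually has to change:
    # not yet a member when adding, currently a member when removing.
    $delta = @($targets | Where-Object {
        ($Action -eq 'Add') -eq ($before -notcontains $_)
    })
    if ($delta.Count -eq 0) { Write-Verbose 'Nothing to change.'; return }

    if ($PSCmdlet.ShouldProcess($GroupDN, "$Action $($delta.Count) member(s)")) {
        # Only the listed values are sent; the other members are not rewritten.
        if ($Action -eq 'Add') { Set-ADGroup -Identity $GroupDN -Add @{ member = $delta } }
        else { Set-ADGroup -Identity $GroupDN -Remove @{ member = $delta } }

        # Verify that the difference from the snapshot is exactly $delta.
        $after   = @((Get-ADGroup -Identity $GroupDN -Properties member).member)
        $changed = @($after | Where-Object { $before -notcontains $_ }) +
                   @($before | Where-Object { $after -notcontains $_ })
        $extra   = @($changed | Where-Object { $delta -notcontains $_ })
        $missing = @($delta | Where-Object { $changed -notcontains $_ })
        if ($extra.Count -or $missing.Count) {
            throw "Membership of $GroupDN differs from the requested change."
        }
    }
}

# Dry run first (constructed names):
# Set-ServerGroupMembership -GroupDN 'CN=Example Group,OU=Groups,DC=example,DC=com' `
#     -ServerName (Get-Content .\servers.txt) -Action Remove -WhatIf
```

The before/after comparison also trips if someone else edits the group during the run or if the two reads land on different domain controllers; adding the cmdlets' `-Server` parameter to every call pins them to one DC.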




  3. #3


    Nick Guest

    Re: Set AD Computer Member Of attribute using the computer object

    Richard, you are the man I have been wanting to hear from the entire
    time that I have been researching this. If I ever need anything
    related to scripting and Active Directory I look to your wisdom. So,
    on that note, thank you!

    My concern is pretty pointless in some senses because a solid solution
    would negate those same concerns altogether. We just have several
    people who are a little iffy about modifying our group memberships
    automagically. The main concern we have is attaching to a group with
    thousands of members and removing only specific ones while leaving the
    group intact. Without getting too much into detail we use group
    memberships as the "link"/security filtering to a GPO then attach this
    to a server.

    So, in your opinion, this is going to be my best option? I can do the
    other portions you describe with making it able to take bulk member
    names and most likely implement the name translation (love that
    feature!) you mentioned. I have about 1000 servers left that I need to
    change their group memberships. While several other groups will be
    doing the same thing to a few thousand other servers leaving probably
    several hundred to another thousand servers in the groups to be
    modified (yes, we have that many servers as a member of at least one
    of these groups). I am on the hook for creating a solid solution to
    this effort.

    I have used your code in the past to do this type of work on various
    objects and have learned greatly from your experience and knowledge.
    Again, I really appreciate you taking the time to look at this post.

    Nick H.








    On Oct 28, 8:57 am, "Richard Mueller [MVP]" <rlmueller-nos...@newsgroup> wrote:

    > "Nick" <nick.huny...@newsgroup> wrote in message
    > news:70eee61e-9278-4e8b-b05a-e5843da0eba9@newsgroup
    >
    > > Hello fellow Scripters,
    > >
    > > To start, VBScript or PowerShell will do. I am looking at the Quest
    > > cmdlets for AD but I have similar results as with VBScript.
    > >
    > > I need to change the "Member of" tab group memberships on a couple
    > > thousand servers, not necessarily all at once, but you see the need
    > > for an automated solution. Every solution I have found is to work with
    > > the group and add/delete the server from there. I do not prefer this
    > > method as there could be thousands of other servers in that group and
    > > to edit its membership, well worries me, to say the least. I know with
    > > a solid solution it would work just fine in this manner, but making a
    > > mistake of that caliber is a job delimiting decision.
    > >
    > > Every attempt to script this task results in the following error in
    > > both VBScript and PS:
    > >
    > > The server is unwilling to process the request.
    > >
    > > Using Quest's AD cmdlets, here is the syntax I have worked up:
    > >
    > > Get-QADComputer server1| Set-QADObject -objectAttributes {@
    > > {MemberOf="CN=blah blah,OU=blah,OU=blah,OU=blah,OU=blah,OU=blah,DC=
    > > blah,DC= blah,DC= blah,DC= blah "}}
    > >
    > > In VBScript:
    > >
    > > objComputer.PutEx ADS_PROPERTY_APPEND, "memberof", Array("CN=blah
    > > blah,OU=blah,OU=blah,OU=blah,OU=blah,OU=blah,DC= blah,DC=blah,DC=
    > > blah,DC= blah ")
    > >
    > > Any thoughts?
    >
    > The member attribute of group objects and the memberOf attribute of user
    > objects are linked. Member is the forward link attribute and memberOf is the
    > back link attribute. You cannot modify back link attributes directly. The
    > values of back link attributes are not actually saved with the object, but
    > instead refer to the forward link attribute. See this link:
    >
    > http://msdn.microsoft.com/en-us/libr...70(VS.85).aspx
    >
    > Also, quoting from this link: http://technet.microsoft.com/en-us/l...09(WS.10).aspx
    > -----------
    > As an option, a back link can be defined on a target object (for example,
    > the memberOf attribute on the user object). A back-link attribute should be
    > created as a multi-valued attribute, and it cannot exist without a
    > corresponding forward link. The back-link attribute cannot be updated
    > directly. Instead, it is automatically calculated when it is queried, based
    > on the corresponding forward link. A back-link value on any instance of an
    > object consists of the distinguished names of all source objects that have
    > the target object's distinguished name in their corresponding forward link.
    > ------------
    > I don't understand your concern with modifying the member attribute of the
    > group.
    >
    > In VBScript I would bind to the group object, then use the IsMember method
    > to check if the prospective member is already a member, then if not use the
    > Add method to add the new member. I don't like dealing with the
    > member/memberOf attributes directly when modifying membership, but instead
    > rely on the methods of the group object designed for this purpose. I like to
    > bind to the prospective member object to make sure it exists, then use the
    > ADsPath property of the object in the IsMember and Add methods. For example:
    > =============
    > Option Explicit
    > Dim objGroup, objMember, strMemberDN
    >
    > ' Bind to group object.
    > Set objGroup = GetObject("LDAP://cn=My Group,ou=West,dc=MyDomain,dc=com")
    >
    > ' Specify Distinguished Name of prospective member.
    > strMemberDN = "cn=MyObject,ou=East,dc=MyDomain,dc=com"
    >
    > ' Bind to prospective member object. Trap error if it does not exist.
    > On Error Resume Next
    > Set objMember = GetObject("LDAP://" & strMemberDN)
    > If (Err.Number <> 0) Then
    >     Wscript.Echo "Error #: " & Err.Number
    >     Wscript.Echo "Description: " & Err.Description
    >     Wscript.Quit
    > End If
    > On Error GoTo 0
    >
    > ' Check for membership.
    > If (objGroup.IsMember(objMember.ADsPath) = False) Then
    >     ' Add new member.
    >     objGroup.Add(objMember.ADsPath)
    >     Wscript.Echo objMember.Name & " added to group " & objGroup.Name
    > Else
    >     Wscript.Echo objMember.Name & " already a member of group " & _
    >         objGroup.Name
    > End If
    > ========
    > Code can be designed to do this in bulk, perhaps reading prospective member
    > names from a text file or spreadsheet. You can also read NetBIOS names of
    > servers from the text file or spreadsheet, and use the NameTranslate object
    > to convert to the Distinguished Name.
    >
    > --
    > Richard Mueller
    > MVP Directory Services
    > Hilltop Lab - http://www.rlmueller.net
    > --
