Recipe 6.16 Transferring a User's Group Membership to Another User

6.16.1 Problem

You want to transfer the group membership for one user to another.

6.16.2 Solution

6.16.2.1 Using a graphical user interface
6.16.2.2 Using a command-line interface

The following command line will add <NewUserDN> to all of the groups that <CurrentUserDN> is a member of (type it as a single line):

    > for /F "usebackq delims=""" %i in (`dsget user "<CurrentUserDN>" -memberof`) do dsmod group %i -addmbr "<NewUserDN>"

If you want to get fancy and remove <CurrentUserDN> from each of the groups in the same operation, simply add an -rmmbr option on the end:

    > for /F "usebackq delims=""" %i in (`dsget user "<CurrentUserDN>" -memberof`) do dsmod group %i -addmbr "<NewUserDN>" -rmmbr "<CurrentUserDN>"

6.16.2.3 Using VBScript

    ' This code adds the "new" user to the groups the "current"
    ' user is a member of
    ' ------ SCRIPT CONFIGURATION ------
    strCurrentUserDN = "<CurrentUserDN>"  ' e.g. cn=jsmith,ou=Sales,dc=rallencorp,dc=com
    strNewUserDN     = "<NewUserDN>"      ' e.g. cn=rallen,ou=Sales,dc=rallencorp,dc=com
    ' ------ END CONFIGURATION ---------

    Const ADS_PROPERTY_APPEND = 3

    ' Bind to both users up front; a bad DN fails here, before errors are suppressed
    set objCurrentUser = GetObject("LDAP://" & strCurrentUserDN)
    set objNewUser     = GetObject("LDAP://" & strNewUserDN)

    on error resume next
    WScript.Echo "Transferring groups from " & strCurrentUserDN & " to " & strNewUserDN
    for each strGroupDN in objCurrentUser.GetEx("memberOf")
        set objGroup = GetObject("LDAP://" & strGroupDN)
        ' Append the new user's DN to the group's member attribute and commit
        objGroup.PutEx ADS_PROPERTY_APPEND, "member", Array(strNewUserDN)
        objGroup.SetInfo
        if Err then
            WScript.Echo "Error adding user to group: " & strGroupDN & " (" & Err.Description & ")"
            ' Clear the error so the next group is judged on its own result
            Err.Clear
        else
            WScript.Echo "Added user to group: " & strGroupDN
        end if
    next

6.16.3 Discussion

Employees come and go; people take on new responsibilities and move on to new jobs. It is common to have movement within an organization. When this happens, typically someone is replacing the person that is moving on. The new person needs to get up to speed as quickly as possible, including getting accounts set up and access to any necessary resources. A big part of this includes getting added to the correct groups.
You can help facilitate this by using one of the processes outlined in the Solution section to give the user access to exactly the same groups that the former employee was a member of. One important issue to point out is that the memberOf attribute, which was used in the Solution section to determine a user's group membership, contains only the groups in the same domain as the user. Any groups the user is a member of outside of the user's domain will not be transferred. To transfer group membership outside of a domain, you will need to perform a query against the global catalog for all group objects that have a member attribute that contains the DN of the user.

6.16.4 See Also

Recipe 7.4 for adding and removing members of a group
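The following PowerShell script is an added example and is not part of the cookbook; it implements the forest-wide transfer the Discussion describes, searching for every group whose member attribute contains the current user's DN and then writing the new user into each of those groups. It assumes the ActiveDirectory module (RSAT) is installed and that the account running it can modify the groups; the parameter names, the helper function and the rallencorp DNs in the comments are placeholders. It goes slightly beyond the text: instead of querying only the global catalog, it queries each domain in the forest, because the global catalog replicates the member attribute of universal groups only, so a GC-only query would miss domain local groups in other domains that contain the user.

```powershell
# Added example (not the cookbook's code): transfer group membership across
# the whole forest, not only the groups listed in the user's memberOf.
# Assumes the ActiveDirectory module (RSAT) and a forest with reachable DCs.
param(
    [Parameter(Mandatory = $true)] [string] $CurrentUserDN,  # e.g. CN=jsmith,OU=Sales,DC=rallencorp,DC=com
    [Parameter(Mandatory = $true)] [string] $NewUserDN,      # e.g. CN=rallen,OU=Sales,DC=rallencorp,DC=com
    [switch] $RemoveCurrentUser                              # also drop the old user, like dsmod -rmmbr
)

Import-Module ActiveDirectory

# Escape the DN for use inside an LDAP filter (RFC 4515 special characters).
# Hypothetical helper name; backslash must be replaced first.
function ConvertTo-LdapFilterValue([string] $Value) {
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
}

$filter = "(member=$(ConvertTo-LdapFilterValue $CurrentUserDN))"

# Query every domain in the forest rather than only the global catalog: the GC
# holds full member lists for universal groups only, so domain local groups in
# other domains that contain this user would not show up in a GC-only search.
$groups = foreach ($domain in (Get-ADForest).Domains) {
    Get-ADGroup -Server $domain -LDAPFilter $filter |
        Select-Object DistinguishedName, GroupScope, @{ n = 'Domain'; e = { $domain } }
}

foreach ($g in $groups) {
    try {
        # Write the member attribute directly (the same thing PutEx/SetInfo does in
        # the VBScript) and talk to a DC of the group's own domain, so a DN from
        # another domain is accepted as a member value.
        Set-ADGroup -Identity $g.DistinguishedName -Server $g.Domain `
            -Add @{ member = $NewUserDN } -ErrorAction Stop
        if ($RemoveCurrentUser) {
            Set-ADGroup -Identity $g.DistinguishedName -Server $g.Domain `
                -Remove @{ member = $CurrentUserDN } -ErrorAction Stop
        }
        Write-Host "Added user to group: $($g.DistinguishedName) [$($g.GroupScope)]"
    } catch {
        # Report and continue, so one failing group does not stop the transfer
        Write-Warning "Error adding user to group: $($g.DistinguishedName): $($_.Exception.Message)"
    }
}
```

Run it as `.\Transfer-GroupMembership.ps1 -CurrentUserDN "<CurrentUserDN>" -NewUserDN "<NewUserDN>"` (file name assumed), adding `-RemoveCurrentUser` to mirror the `-rmmbr` variant of the command-line solution. Like the memberOf-based solutions, it transfers direct membership only; nested group membership follows automatically once the new user is in the same direct groups, and the user's primary group is not affected because it is not stored in the member attribute.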