How to change membership in groups based on attributes of users in AD automatically

by Rostislav Soukup [Published on 1 June 2006 / Last Updated on 1 June 2006]

If your company has a complicated structure, you may need to filter members of your security or distribution groups automatically based on changes to some attribute of users in Active Directory – let's say Department.

There is a simple way to do it: create a grp.txt file containing the names of the departments, one per line, and, in the same folder, a changemembership.bat file containing:

REM "delims=" keeps department names with spaces whole; -limit 0 lifts dsquery's default cap of 100 results
FOR /F "delims=" %%i in (grp.txt) do dsquery * domainroot -filter "(&(objectCategory=user)(department=%%i))" -limit 0 | dsmod group "CN=%%i,ou=Distribution Lists,dc=company,dc=com" -chmbr

Prerequisites: the group name must be the same as the department name (customize the rest of the CN path as required); otherwise you need to think of another way to associate your users with groups. I just want to show you what AD can do when used the right way.
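
Because -chmbr replaces a group's entire member list, an empty or truncated query result, or an edited department attribute, changes group access directly. The following is an added example, not the article's code: it computes the planned adds and removes first, escapes the department value before it reaches the LDAP filter, and only reports unless told to apply. It assumes the ActiveDirectory PowerShell module; $MaxChurn, $Apply and ConvertTo-LdapFilterValue are hypothetical names.

```powershell
# Added example, not the article's code. Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$GroupOu  = 'OU=Distribution Lists,DC=company,DC=com'  # OU used in the article
$MaxChurn = 25       # hypothetical limit: largest adds+removes accepted per group
$Apply    = $false   # hypothetical switch: $false only reports (-WhatIf)

function ConvertTo-LdapFilterValue([string]$Value) {
    # RFC 4515 escaping, backslash first, so a line in grp.txt cannot alter the filter
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' `
           -replace '\)', '\29' -replace '\x00', '\00'
}

foreach ($line in Get-Content -Path .\grp.txt) {
    $dept = $line.Trim()
    if (-not $dept) { continue }
    $safe = ConvertTo-LdapFilterValue $dept

    # Find the group by CN inside the OU only, instead of building a DN from input
    $group = Get-ADGroup -LDAPFilter "(cn=$safe)" -SearchBase $GroupOu `
                         -SearchScope OneLevel -Properties member
    if (-not $group) {
        Write-Warning ('{0}: no matching group, skipped' -f $dept)
        continue
    }

    # Desired members: user accounts whose department equals the line from grp.txt
    $filter = "(&(objectCategory=person)(objectClass=user)(department=$safe))"
    $want = @(Get-ADUser -LDAPFilter $filter | ForEach-Object { $_.DistinguishedName })
    $have = @($group.member)

    $add    = @($want | Where-Object { $have -notcontains $_ })
    $remove = @($have | Where-Object { $want -notcontains $_ })
    Write-Output ('{0}: +{1} -{2}' -f $dept, $add.Count, $remove.Count)

    # Refuse changes that would empty the group or exceed the churn limit
    if ($want.Count -eq 0 -or ($add.Count + $remove.Count) -gt $MaxChurn) {
        Write-Warning ('{0}: change refused, review manually' -f $dept)
        continue
    }
    if ($add.Count) {
        Add-ADGroupMember -Identity $group -Members $add -WhatIf:(-not $Apply)
    }
    if ($remove.Count) {
        Remove-ADGroupMember -Identity $group -Members $remove `
                             -Confirm:$false -WhatIf:(-not $Apply)
    }
}
```

Run it with $Apply left at $false first and review the reported adds and removes before enabling changes.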
