Active Directory: Using DSQuery/DSMod to add Service Account to Multiple Groups Based on Description

Due to a regulatory change in our organization, we had to slim down the Domain Admins groups to almost no one, and we were required to remove all service accounts from Domain Admins as well.

Fortunately for us, we had, for quite some time, been creating a specific domain security group for each server and then adding “administrative” user accounts to those groups to assign access to the right people (as not everyone needs to administrate every server).

Unfortunately we didn’t necessarily do the same for service accounts.

One service account, our ePOAgent account for McAfee Anti-Virus, needed to be assigned to all of the server-specific security groups but, for compliance reasons, not be assigned to any other groups.

As we had all of our security groups in one OU, this was a little problematic, but fortunately DSQuery gives us a switch to handle this, since we use accurate and consistent descriptions when we create accounts/groups. Writing a quick command completed the task.

The following DSQuery/DSMod command will do the following:

  • Search a specific OU for security groups that have “Server Administrators:” as the first part of their Description (-desc)
  • Search greater than the default 100 objects (-limit)
  • Continue processing even if one of the groups already has our ePOAgent account in it (-c)
  • Add the ePOAgent account to each group (-addmbr)

Here’s the command:


dsquery group "OU=Security Groups,DC=ad,DC=harness,DC=net" -desc "Server Administrators:*" -limit 1000 | dsmod group -addmbr "CN=ePOAgent,OU=Service Accounts,DC=ad,DC=harness,DC=net" -c
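The same bulk add rewritten with the ActiveDirectory PowerShell module, followed by a check that the service account ends up in every matching group and in no others (the compliance requirement above). This is an added example, not part of the original post; the OU paths and account DN are the ones from the command, and the RSAT ActiveDirectory module is assumed to be installed.

```powershell
# Added example (not from the original post). Assumes the RSAT ActiveDirectory
# module; OU paths and account DN are taken from the dsquery/dsmod command above.
Import-Module ActiveDirectory

$groupOu    = 'OU=Security Groups,DC=ad,DC=harness,DC=net'
$accountDn  = 'CN=ePOAgent,OU=Service Accounts,DC=ad,DC=harness,DC=net'
$descPrefix = 'Server Administrators:'

# Equivalent of: dsquery group <OU> -desc "Server Administrators:*" -limit 1000
# Get-ADGroup has no default 100-object cap, so no -limit equivalent is needed.
# Description is not a default property, hence -Properties Description.
$targetGroups = Get-ADGroup -SearchBase $groupOu -SearchScope Subtree `
    -Filter "Description -like '$descPrefix*'" -Properties Description

# Equivalent of: dsmod group -addmbr <DN> -c
# The try/catch mirrors -c: a failure on one group does not stop the run.
# -WhatIf previews the change; remove it once the preview looks right.
foreach ($g in $targetGroups) {
    try {
        Add-ADGroupMember -Identity $g -Members $accountDn -ErrorAction Stop -WhatIf
    } catch {
        Write-Warning "Could not add to $($g.DistinguishedName): $_"
    }
}

# Compliance check: the account must be in every matching group and nothing else.
# MemberOf lists direct memberships only (the primary group, normally Domain
# Users, is not included), which is the right scope for this check.
$account  = Get-ADUser -Identity $accountDn -Properties MemberOf
$actual   = @($account.MemberOf)
$expected = @($targetGroups | ForEach-Object { $_.DistinguishedName })

$missing = @($expected | Where-Object { $actual -notcontains $_ })
$extra   = @($actual   | Where-Object { $expected -notcontains $_ })

"Target groups: $($expected.Count); current direct memberships: $($actual.Count)"
if ($missing.Count -gt 0) { 'Not yet a member of:'; $missing }
if ($extra.Count -gt 0)   { 'Member of groups outside the expected set (review):'; $extra }
if ($missing.Count -eq 0 -and $extra.Count -eq 0) { 'ePOAgent membership matches the expected set.' }
```

Run the check again after a real (non -WhatIf) pass; any group listed under "outside the expected set" is a leftover membership, such as Domain Admins, that the regulatory change requires removing.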

The DS commands in Windows 2008 make life a whole lot easier when working with large collections of objects, particularly if they’re all jumbled together in one OU. In my case, I had 500+ objects to identify, sort through, and add an account to. One simple command later I’m done and can move on to something more interesting. : )
