
Tag Archives: admt

Add Security Groups from Trusted Domain to Trusting Domain Local Groups

I needed a quick way to add domain global groups from a trusted domain to the same-named domain local groups in a trusting domain for a project I was undertaking. The trusting domain was Windows 2003 and we did not have access to any AD PowerShell module in the trusting domain, so the only way to do this was with DSMOD. Here is the PowerShell script I made and ran from the trusted domain side to quickly add the trusted groups to the domain local groups of the trusting domain. It produces a batch file that you run on the trusting domain DC, so that you get a chance to review the commands before they are executed. Note that the batch file carries the legacy admin credentials in clear text, so delete it as soon as it has run (or use "-p *" so that dsmod prompts for the password instead of reading it from the file).

$bat = New-Item -Path C:\legacygroupadd.bat -ItemType File -Force
Import-Module ActiveDirectory
# Global groups in the new (trusted) domain; each needs adding to the
# domain local group of the same name in the legacy (trusting) domain.
$newgroups = Get-ADGroup -SearchBase "ou=groups,ou=rs,dc=ad,dc=domain,dc=com" -Filter *
foreach ($g in $newgroups) {
    # dsquery returns the quoted DN of the matching legacy group, or nothing.
    # -d targets the legacy domain; -u/-p supply an account that is valid there.
    $legacyquery = cmd.exe /c dsquery group -name $g.Name -d legacydomain.local -u legacydomain\mvale -p MyP@ssw0rd
    if ($legacyquery) {
        # The password ends up in clear text in the batch file: remove the file after use.
        $write = "dsmod group $($legacyquery) -addmbr $($g.DistinguishedName) -d legacydomain.local -u legacydomain\mvale -p MyP@ssw0rd"
        Add-Content -Path $bat -Value $write
    }
}
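The same job can be done without writing the legacy password to disk. The script below is an added example, not the post's own script: it binds to the legacy (trusting) domain over plain LDAP with System.DirectoryServices, which a Windows 2003 DC supports without ADWS or the AD module, looks up each legacy group by name, and adds the trusted-domain group by SID so the legacy DC creates the foreign security principal itself. Domain, OU and account names are the ones the post uses; the -WhatIf switch and the function names are assumptions made for this example.

```powershell
# Added example (not the original post's script): add trusted-domain groups to
# same-named legacy domain local groups over LDAP, credentials prompted, nothing
# written to disk. Names are taken from the post; -WhatIf is an assumption.
param([switch]$WhatIf)

Import-Module ActiveDirectory

$legacyDomain = 'legacydomain.local'
$newGroupOu   = 'ou=groups,ou=rs,dc=ad,dc=domain,dc=com'
$cred = Get-Credential -Message "Account with group-modify rights in $legacyDomain (e.g. legacydomain\mvale)"
$user = $cred.UserName
$pass = $cred.GetNetworkCredential().Password    # stays in memory only
$auth = [System.DirectoryServices.AuthenticationTypes]::Secure

function Get-LegacyEntry([string]$dn) {
    # Bind with explicit credentials so the trusted-side logon is not used.
    $path = if ($dn) { "LDAP://$legacyDomain/$dn" } else { "LDAP://$legacyDomain" }
    New-Object System.DirectoryServices.DirectoryEntry($path, $user, $pass, $auth)
}

function Find-LegacyGroupDn([string]$name) {
    # Escape LDAP filter metacharacters (RFC 4515) before using the name in a filter.
    $safe = $name -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher((Get-LegacyEntry ''))
    $searcher.Filter = "(&(objectCategory=group)(cn=$safe))"
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    $hit = $searcher.FindOne()
    if ($hit) { [string]$hit.Properties['distinguishedname'][0] }
}

foreach ($g in Get-ADGroup -SearchBase $newGroupOu -Filter *) {
    $legacyDn = Find-LegacyGroupDn $g.Name
    if (-not $legacyDn) { Write-Warning "No group named '$($g.Name)' in $legacyDomain"; continue }

    $legacyGroup = Get-LegacyEntry $legacyDn
    $sid = $g.SID.Value

    # A trusted-domain principal appears in the legacy group as a foreign security
    # principal whose CN is its SID, so that is what "already a member" looks like.
    $already = @($legacyGroup.Properties['member'] | ForEach-Object { "$_" }) |
        Where-Object { $_ -like "CN=$sid,CN=ForeignSecurityPrincipals,*" }
    if ($already) { "$($g.Name): already a member of $legacyDn"; continue }

    if ($WhatIf) { "WhatIf: add <SID=$sid> ($($g.DistinguishedName)) to $legacyDn"; continue }

    # Add by SID: the <SID=...> DN form is resolved by the legacy DC, which creates
    # the foreignSecurityPrincipal object for the trusted-domain group itself.
    [void]$legacyGroup.Properties['member'].Add("<SID=$sid>")
    $legacyGroup.CommitChanges()
    "$($g.Name): added to $legacyDn"
}
```

Run it once with -WhatIf to get the same review step the batch file gave, then without. Because the member is referenced by SID rather than by a DN from the other forest, the add does not depend on the legacy DC being able to chase a cross-forest DN.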


Removing Foreign Security Principals from Groups

Today I had a requirement to migrate users and groups from a legacy domain to a new domain using ADMT. All legacy groups were domain local, with members that were groups from other domains via existing trusts. Migrating a domain local group with ADMT also carries across members that have no account in the new domain: they appear as Foreign Security Principals, placeholder objects under CN=ForeignSecurityPrincipals whose name is the SID of the principal in the other domain.

I needed to convert these groups into global groups in the new domain, but before I could do this I needed to remove these foreign security principals as members. I looked at PowerShell and the Get-ADGroupMember cmdlet, and this does not work with FSPs as members, producing an "Unspecified Error". I looked at the old dsmod command and this could achieve what I was looking for. However, DSMOD requires the full LDAP distinguished name of both the group and the member to remove. This is a real pain when you have to modify over 2000 values!

I looked at piping a dsquery command into dsget and then into dsmod, which would have worked, but there is no filter or where clause in these commands that would let me remove the FSPs but leave the migrated user accounts.

The solution I came up with took 5 minutes to build and 1 minute to execute. I realised I could use a mixture of PowerShell and DS commands to achieve what I wanted: PowerShell for the looping and writing out content, and the DS commands to do the work.

The PS script basically queries AD using DSQUERY, collecting the results into an array variable. I then loop through the array and perform a DSGET command to grab the members of that group. Then an IF statement says: if the member of the group is an FSP, issue a DSMOD command to remove it. It also converts the group from domain local to global. That conversion has to go through universal scope first, because AD does not allow a direct domain local to global change, and each hop has its own rule: the domain local to universal step fails if the group still contains another domain local group, and the universal to global step fails if it still contains a universal group or any member from another domain, which is why the FSPs have to be removed first. The other script is based on the same principle but produces a batch file to run separately. I chose this because I can double check the commands built.

Anyway, here are both scripts; you will see the differences (albeit slight).

Script to Output to Batch File

$bat = New-Item -Path c:\groupmod.bat -ItemType File -Force
# -limit 0 returns every group; without it dsquery stops at 100 results.
$group = cmd.exe /c dsquery group "ou=groups,ou=rs,dc=ad,dc=domain,dc=com" -limit 0
foreach ($g in $group) {
    # Direct members of the group, one quoted DN per line.
    $members = cmd.exe /c dsget group $g -members
    foreach ($m in $members) {
        # FSPs live under CN=ForeignSecurityPrincipals; migrated accounts do not.
        if ($m -like "*CN=ForeignSecurityPrincipals*") {
            $write = "dsmod group $($g) -rmmbr $($m)"
            Add-Content -Path $bat -Value $write
        }
    }
    # Domain local -> global must go via universal scope.
    Add-Content -Path $bat -Value "dsmod group $($g) -scope u"
    Add-Content -Path $bat -Value "dsmod group $($g) -scope g"
}

Script to execute on the fly

# -limit 0 returns every group; without it dsquery stops at 100 results.
$group = cmd.exe /c dsquery group "ou=groups,ou=rs,dc=ad,dc=domain,dc=com" -limit 0
foreach ($g in $group) {
    # Direct members of the group, one quoted DN per line.
    $members = cmd.exe /c dsget group $g -members
    foreach ($m in $members) {
        # Remove FSP members straight away; everything else is left in place.
        if ($m -like "*CN=ForeignSecurityPrincipals*") {
            cmd.exe /c dsmod group $($g) -rmmbr $($m)
        }
    }
    # Domain local -> global must go via universal scope.
    cmd.exe /c dsmod group $($g) -scope u
    cmd.exe /c dsmod group $($g) -scope g
}
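Where the AD module is available in the new domain, the same clean-up can be done without the DS tools. The script below is an added example and not the post's own script: it reads the raw member attribute of each group (Get-ADGroupMember's FSP error does not affect Get-ADGroup -Properties member), builds a review list that resolves each FSP's SID to DOMAIN\Name where the trust still permits it, flags non-FSP members from other domains that would make the final scope change fail, and only on -Commit removes the FSPs with a raw attribute edit and converts the group DomainLocal -> Universal -> Global. The OU is the one the post uses; the -Commit switch (dry run by default) and the function name are assumptions made for this example.

```powershell
# Added example (not the original post's script): FSP clean-up and scope
# conversion with the AD module, review list first, changes only on -Commit.
param([switch]$Commit)

Import-Module ActiveDirectory

$ou         = 'ou=groups,ou=rs,dc=ad,dc=domain,dc=com'   # from the post
$domainDn   = (Get-ADDomain).DistinguishedName
$fspPattern = '^CN=(S-1-[0-9-]+),CN=ForeignSecurityPrincipals,'

function Resolve-Sid([string]$sid) {
    # Translate the SID to DOMAIN\Name through the trust; orphaned FSPs will not resolve.
    try {
        (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate([System.Security.Principal.NTAccount]).Value
    } catch { '<unresolvable: orphaned FSP or trust gone>' }
}

# Build the plan first so it can be reviewed before anything is changed.
$plan = foreach ($g in Get-ADGroup -SearchBase $ou -Filter * -Properties member) {
    if ($g.GroupScope -ne 'DomainLocal') { continue }   # already converted, or never DL
    $members = @($g.member | ForEach-Object { "$_" })
    [pscustomobject]@{
        Group  = $g.Name
        DN     = $g.DistinguishedName
        Remove = @($members | Where-Object { $_ -match $fspPattern })
        Keep   = @($members | Where-Object { $_ -notmatch $fspPattern })
    }
}

foreach ($p in $plan) {
    foreach ($dn in $p.Remove) {
        $sid = [regex]::Match($dn, $fspPattern).Groups[1].Value
        '{0}: remove {1} ({2})' -f $p.Group, $sid, (Resolve-Sid $sid)
    }
    # A global group may only contain principals from its own domain, so any member
    # left that does not sit under this domain's DN will make the Global step fail.
    foreach ($dn in ($p.Keep | Where-Object { $_ -notlike "*,$domainDn" })) {
        '{0}: WARNING non-FSP member from another domain, conversion will fail: {1}' -f $p.Group, $dn
    }
}

if (-not $Commit) { 'Dry run only; re-run with -Commit to apply.'; return }

foreach ($p in $plan) {
    if ($p.Remove.Count -gt 0) {
        # Raw attribute edit: no principal resolution, so FSP DNs are accepted.
        Set-ADGroup -Identity $p.DN -Remove @{ member = $p.Remove }
    }
    # DomainLocal -> Global is not allowed directly; AD requires the Universal hop.
    Set-ADGroup -Identity $p.DN -GroupScope Universal
    Set-ADGroup -Identity $p.DN -GroupScope Global
    '{0}: {1} FSP(s) removed, scope now Global' -f $p.Group, $p.Remove.Count
}
```

The dry-run output plays the role the batch file played in the post: it is the list you check before anything changes. Set-ADGroup -Remove writes the member attribute directly, which is why it copes with FSP DNs that make the member-resolving cmdlets fail.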


