User account migration: Domain users primary group
After an AD domain migration, some user accounts migrated to the target domain were not members of the Domain Users group. To identify those accounts, we used the following ActiveRoles Management Shell command:
Get-QADUser -NotMemberOf 'ldap389\domain users' | Export-Csv domusers.csv
From the output file we removed accounts such as Guest, which do not belong to the Domain Users group. We then added the remaining user accounts to the Domain Users group and set that group as their primary group:
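# Load the reviewed list of accounts
$csv = Import-Csv domusers.csv
foreach ($line in $csv) {
    # Add the account to Domain Users, then make that group its primary group (RID 513)
    Add-QADMemberOf $line.UserPrincipalName -Group 'ldap389\domain users'
    Set-QADUser $line.UserPrincipalName -ObjectAttributes @{primaryGroupID=@(513)}
}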
Note that primary group ID 513 means Domain Users. For an exhaustive list of well-known primary group IDs, have a look at this KB article.
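The manual review of the output file can also be scripted. The following is an added example, not code from the original post: it classifies each account by its current primaryGroupID and skips the built-in Guest account by its well-known RID (501) rather than by name. The function name, the property names (SamAccountName, Sid, PrimaryGroupId) and the sample rows are assumptions made for illustration.

```powershell
# Added example, not from the original post. Sample rows are constructed.
# Well-known RIDs that can appear in primaryGroupID.
$WellKnownPrimaryGroup = @{
    512 = 'Domain Admins'
    513 = 'Domain Users'
    514 = 'Domain Guests'
    515 = 'Domain Computers'
    516 = 'Domain Controllers'
}

# Hypothetical helper: returns one review row per account.
function Get-PrimaryGroupReview {
    param([Parameter(Mandatory = $true)][object[]]$Account)

    foreach ($a in $Account) {
        $groupRid   = [int]$a.PrimaryGroupId
        # The account's own RID is the last sub-authority of its SID.
        $accountRid = [int](($a.Sid -split '-')[-1])

        $groupName = if ($WellKnownPrimaryGroup.ContainsKey($groupRid)) {
            $WellKnownPrimaryGroup[$groupRid]
        } else {
            "RID $groupRid (not well known)"
        }

        # RID 501 is the built-in Guest account, even if it has been renamed.
        $action = if ($accountRid -eq 501) {
            'Skip (built-in Guest)'
        } elseif ($groupRid -eq 513) {
            'None (already Domain Users)'
        } else {
            'Review, then set primaryGroupID to 513'
        }

        [pscustomobject]@{
            SamAccountName = $a.SamAccountName
            PrimaryGroup   = $groupName
            Action         = $action
        }
    }
}

# Constructed sample input; the domain part of each SID is a placeholder.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'visitor'; Sid = 'S-1-5-21-1111111111-2222222222-3333333333-501';  PrimaryGroupId = 514 }
    [pscustomobject]@{ SamAccountName = 'jdoe';    Sid = 'S-1-5-21-1111111111-2222222222-3333333333-1104'; PrimaryGroupId = 1602 }
    [pscustomobject]@{ SamAccountName = 'asmith';  Sid = 'S-1-5-21-1111111111-2222222222-3333333333-1105'; PrimaryGroupId = 513 }
)
Get-PrimaryGroupReview -Account $sample | Format-Table -AutoSize
```

Running the same function again after the bulk change gives a quick check that every remaining account reports "None (already Domain Users)".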