Feb 08 2011

User account migration: Domain users primary group

After an AD domain migration, some user accounts migrated to the target domain were not members of the domain users group. To identify those accounts, we used the following ActiveRoles Management Shell command:

Get-QADUser -NotMemberof 'ldap389\domain users' | export-csv domusers.csv

We removed from the output file some accounts, like guest, which do not belong to the domain users group. After that, we added the remaining user accounts to the domain users group and set this group as the primary group for those accounts:

$csv = Import-Csv domusers.csv
foreach ($line in $csv) {
    # Add the membership first: the primary group must be a group the account already belongs to
    Add-QADMemberOf $line.UserPrincipalName -Group 'ldap389\domain users'
    Set-QADUser $line.UserPrincipalName -ObjectAttributes @{primaryGroupID=@(513)}
}

Primary group ID 513 corresponds to domain users. For an exhaustive list of well-known primary group IDs, have a look at this KB article.
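The manual cleanup of domusers.csv described above can be scripted before the bulk change. The following is an added example, not part of the original post: the function name Split-DomainUsersCandidates is hypothetical, the CSV is assumed to carry Sid and UserPrincipalName columns, and the sample rows are constructed.

```powershell
# Added example: triage exported rows before the bulk change.
# Assumption: each row has Sid and UserPrincipalName columns.
function Split-DomainUsersCandidates {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Rows,
        # RIDs of built-in accounts that intentionally stay outside domain users
        # (501 = Guest); extend the list to suit your environment.
        [long[]] $ExcludedRids = @(501)
    )
    $result = @{ Change = @(); Excluded = @(); NoUpn = @() }
    foreach ($row in $Rows) {
        # The RID is the last dash-separated component of the SID.
        $rid = [long](($row.Sid -split '-')[-1])
        if ($ExcludedRids -contains $rid) {
            $result.Excluded += $row
        }
        elseif ([string]::IsNullOrEmpty($row.UserPrincipalName)) {
            # The post's loop identifies accounts by UPN, so rows without one
            # need another identity (for example the SID) and manual review.
            $result.NoUpn += $row
        }
        else {
            $result.Change += $row
        }
    }
    return $result
}

# Constructed sample rows standing in for domusers.csv.
$sample = @'
"Name","UserPrincipalName","Sid"
"Guest","","S-1-5-21-1111111111-2222222222-3333333333-501"
"jdoe","jdoe@example.test","S-1-5-21-1111111111-2222222222-3333333333-1104"
"svc_legacy","","S-1-5-21-1111111111-2222222222-3333333333-1105"
'@ | ConvertFrom-Csv

$triage = Split-DomainUsersCandidates -Rows $sample
$triage.Change   | ForEach-Object { "change:   $($_.Name)" }
$triage.Excluded | ForEach-Object { "excluded: $($_.Name)" }
$triage.NoUpn    | ForEach-Object { "no UPN:   $($_.Name)" }
```

Only the rows in `$triage.Change` should be fed to the loop that adds the membership and sets primaryGroupID.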
