So today I found myself needing to create about 130 AD security groups, to map to a set of existing folders. The pattern was fairly straightforward…if the folder name was DataSet1, I wanted to create a group called DataSet1RO (for read-only.) Needing to do this quickly and efficiently (meaning with a minimum of effort) I decided to script it.
The only real boggle in this process was that the folders already existed with spaces, underscores, commas, and other characters in their names. Renaming was NOT an option. I wanted to create groups with HelsinkiCase names, so to normalise this, from a cmd prompt I did a "dir /ad /b >scratch.txt" and then used my favourite text editor to remove the unwanted characters. I then modified the txt file to have three columns, filled in for dn, sAMAccountName, and description, and separated them with semicolons. I tried to make it a CSV, but something in the command did not like the commas, so semicolons FTW. Oh, and since the OU path already existed, again with spaces, I had to enclose the dn in quotes.
Here is what my txt file looks like.
"cn=DataSet1RO,ou=Security Groups,ou=groups,dc=example,dc=com";DataSet1RO;"RO access to DataSet1"
"cn=DataSet2RO,ou=Security Groups,ou=groups,dc=example,dc=com";DataSet2RO;"RO access to DataSet2"
<etc.>
Then, from the cmd-line, logged in with a domain account having rights to create groups, I executed this command. Remember, if you are using Vista, 7, or 2008, do this using an administrative command line.
for /f "tokens=1-3 delims=;" %G in (list.txt) do dsadd group %G -secgrp yes -scope l -samid %H -desc %I
Remember, the semicolon is the delimiter since the command did not like commas, and since these groups are to assign rights in the file system, I made them domain local groups using “-scope l” in the command. Finally, the description is just a general best practice, so that others will know what you have done, and so you can remember six months from now!
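The manual clean-up of folder names described above can also be scripted. The following PowerShell is an added example, not part of the original post: it builds the same semicolon-delimited file, keeps only letters and digits so that no cmd metacharacter or delimiter can reach the for/dsadd line, and skips folders whose names collapse to the same group name. The base DN, the sample folder names and the function name are assumptions.

```powershell
# Added example: generate list.txt for the for/dsadd loop from folder names.
# $BaseDn, $Suffix and the sample folder names are constructed for illustration.
$BaseDn = 'ou=Security Groups,ou=groups,dc=example,dc=com'
$Suffix = 'RO'

# Constructed sample input. On a real share, list the folders instead, e.g.
#   Get-ChildItem -Directory | Select-Object -ExpandProperty Name
$Folders = @('Data Set_1', 'Data,Set 2', 'DataSet1', 'Finance & Audit (2010)')

function ConvertTo-CleanName {
    param([string]$FolderName)
    # Allow-list: keep ASCII letters and digits only. This drops spaces,
    # commas and semicolons (which would break the dn or the delimiter) and
    # cmd metacharacters such as & | % ^ < > that the for loop would interpret.
    $clean = $FolderName -replace '[^A-Za-z0-9]', ''
    if ($clean.Length -eq 0) {
        throw "Folder '$FolderName' has no usable characters"
    }
    return $clean
}

# PowerShell hashtable keys are case-insensitive, which matches how AD
# compares group names, so 'dataset1' and 'DataSet1' count as a collision.
$seen = @{}
$lines = foreach ($folder in $Folders) {
    $clean = ConvertTo-CleanName -FolderName $folder
    $name  = "$clean$Suffix"
    if ($seen.ContainsKey($name)) {
        Write-Warning "Skipping '$folder': it normalises to '$name', same as '$($seen[$name])'"
        continue
    }
    $seen[$name] = $folder
    # Columns: quoted dn ; sAMAccountName ; quoted description
    '"cn={0},{1}";{0};"RO access to {2}"' -f $name, $BaseDn, $clean
}

# Plain ASCII output so cmd's "for /f" reads the file without surprises.
$lines | Set-Content -Path list.txt -Encoding ASCII
$lines
```

With the sample input, 'DataSet1' is skipped with a warning because 'Data Set_1' already produced DataSet1RO; review such warnings before creating groups, since two folders sharing one group would grant broader access than intended.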