dsmod bug when using the -c option?

UPDATE: thanks to some anonymous commenters, i have corrected my example in this post. it seems i left off the trailing %a in the for loop! oops. fixed now.

i was visiting up in roanoke extolling about the boundless possibilities with command shells, scripting, etc to a near liability.  in other words, i bored them nearly to death.  :)

to my surprise, it stuck.  i’ve been exchanging conversation with one of the site admins and ran across this bug while running through a sample scenario on listing members from one group and adding them to another.  typically, you could do this quite easily with the dsquery tool set.

it looks something like this:

dsquery group -name "myGroup" | dsget group -members | dsmod group "cn=myNewGroup,ou=etc,dc=etc,dc=etc" -addmbr -c
 
so what are we doing here?
  1. dsquery group -name "myGroup" – retrieves the dn of the group
  2. dsget group -members – retrieves the membership list (dn) of the group passed through the pipe
  3. dsmod group "cn=mynewgroup…" -addmbr -c – adds the members of the previous group to the specified group.

this works fine as long as there are no conflicts.  if you run into conflicts, the process bombs out with this error:

dsmod failed:CN=myNewGroup...:The specified account name is already a member of the local group.
 
the -c option specified above should go right past this condition and keep trying other members.  it doesn’t work no matter where you place it, however.  to get around this, you can use for looping.  :)
 
for /f "delims=" %a in ('dsquery group -name "myGroup" ^| dsget group -members') do dsmod group "cn=myNewGroup..." -addmbr %a
 
so how is this different?
  1. for /f "delims=" %a in ('dsquery…') – retrieves the membership list of the group and assigns each member to %a in turn
  2. dsmod group "cn=myNewGroup…" -addmbr %a – adds each member to the group individually.

in this case, even if we run into failures, it doesn’t matter since we’re kicking off dsmod as a separate command each time.  (in a batch file, write %%a instead of %a.)

and of course, to do this in powershell, you’d execute a command like this:

Get-QADGroupMember "myGroupName" | foreach {Add-QADGroupMember -identity "CN=myNewGroup..." -member $_}
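
The same per-member approach with the conflict check done up front, as an added example that is not part of the original post. It assumes the Microsoft ActiveDirectory module (RSAT) rather than the Quest cmdlets used above; the function name `Copy-GroupMembers`, the group names and the CSV path are hypothetical placeholders.

```powershell
# Added example (not from the original post). Assumes the Microsoft
# ActiveDirectory module (RSAT) is installed; group names are placeholders.
#Requires -Modules ActiveDirectory

function Copy-GroupMembers {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $SourceGroup,
        [Parameter(Mandatory)] [string] $TargetGroup
    )

    # Index the target's current members by DN so conflicts are skipped up front.
    $existing = New-Object 'System.Collections.Generic.HashSet[string]' ([System.StringComparer]::OrdinalIgnoreCase)
    Get-ADGroupMember -Identity $TargetGroup |
        ForEach-Object { [void]$existing.Add($_.DistinguishedName) }

    foreach ($member in (Get-ADGroupMember -Identity $SourceGroup)) {
        $dn = $member.DistinguishedName
        if ($existing.Contains($dn)) {
            [pscustomobject]@{ Member = $dn; Result = 'AlreadyMember' }
            continue
        }
        # With -WhatIf this returns $false, so nothing is changed.
        if (-not $PSCmdlet.ShouldProcess($TargetGroup, "add $dn")) {
            [pscustomobject]@{ Member = $dn; Result = 'WouldAdd' }
            continue
        }
        try {
            # One call per member, so a failure affects only that member.
            Add-ADGroupMember -Identity $TargetGroup -Members $dn -ErrorAction Stop
            [pscustomobject]@{ Member = $dn; Result = 'Added' }
        }
        catch {
            [pscustomobject]@{ Member = $dn; Result = "Failed: $($_.Exception.Message)" }
        }
    }
}

# Preview first, then apply and keep the per-member results as a change record.
Copy-GroupMembers -SourceGroup 'myGroup' -TargetGroup 'myNewGroup' -WhatIf
Copy-GroupMembers -SourceGroup 'myGroup' -TargetGroup 'myNewGroup' |
    Export-Csv -NoTypeInformation -Path .\group-copy-results.csv
```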

Comments

  1. Thanks for the article... it helped me a lot!
    Is that ^ really needed before the | character?

  2. in the example above, yes. the reason being, anytime you have something going through a pipe, a caret is required to indicate to the FOR dos command that you are not trying to pass everything to the left of it into that pipe. this will cause the portion in parentheses to execute w/ pipe intact. :)

  3. Is this possible to do with active domain OU user export?
    Example:
    dsquery user ou=Marketing,dc=microsoft,dc=com | dsmod group "cn=Marketing Staff,ou=Marketing,dc=microsoft,dc=com" -addmbr -c
    (as you stated, the -c option is no good, and if a user already exists in the given group the command just stops)

    When I add this to your for /f example

    for /f "delims=" %a in ('dsquery user ou=Marketing,dc=microsoft,dc=com') do dsmod group "cn=Marketing Staff,ou=Marketing,dc=microsoft,dc=com" -addmbr

    Nothing happens :( -> what am I doing wrong here?

    Thanks

  4. re: comment on 3/23/11 - I had that problem too and found I needed to add the %a to the end of the statement: ... -addmbr %a
    so that it knows what to "do" against.

  5. sorry about that guys. i think you're absolutely right. i forgot to add the %a in my example above. i'll get it corrected.
