dsmod bug when using the -c option?

Sep 30, 2008

UPDATE: thanks to some anonymous commenters, i have corrected my example in this post. it seems i left off the trailing %a in the for loop! oops. fixed now.

i was visiting up in roanoke extolling about the boundless possibilities with command shells, scripting, etc to a near liability.  in other words, i bored them nearly to death.  :)

to my surprise, it stuck.  i’ve been exchanging conversation with one of the site admins and ran across this bug while running through a sample scenario on listing members from one group and adding them to another.  typically, you could do this quite easily with the dsquery tool set.

it looks something like this:

dsquery group -name "myGroup" | dsget group -members | dsmod group "cn=myNewGroup,ou=etc,dc=etc,dc=etc" -addmbr -c

so what are we doing here?
  1. dsquery group -name "myGroup": retrieves the dn of the group
  2. dsget group -members: retrieves the membership list (dn) of the group passed through the pipe
  3. dsmod group "cn=mynewgroup…" -addmbr -c: adds the members of the previous group into the specified group.

this works fine as long as there are no conflicts.  if you run into conflicts, the process bombs out with this error:

dsmod failed:CN=myNewGroup...:The specified account name is already a member of the local group.

the -c option specified above should go right past this condition and keep trying other members.  it doesn’t work no matter where you place it, however.  to get around this, you can use for looping.  :)

for /f "delims=" %a in ('dsquery group -name "myGroup" ^| dsget group -members') do dsmod group "cn=myNewGroup..." -addmbr %a

so how is this different?
  1. for /f "delims=" %a in ('dsquery…'): retrieves the membership list of the group and assigns each member to %a in turn
  2. dsmod group "cn=myNewGroup…" -addmbr %a: for each member, we’re adding them individually to the group.

in this case, even if we run into failures, it doesn’t matter since we’re kicking off dsmod as separate commands each time.
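
the same loop as a batch file that records which adds failed, so real errors are not lost among the "already a member" ones. this is an added example, not part of the original post; the group name, target dn and log file name are placeholders, and it assumes dsmod returns a non-zero exit code when an add fails.

```batch
@echo off
rem Added example, not from the original post.
rem SRC_NAME, DST_DN and LOG are placeholders; set them for your directory.
setlocal
set "SRC_NAME=myGroup"
set "DST_DN=cn=myNewGroup,ou=etc,dc=etc,dc=etc"
set "LOG=%~dp0addmbr-failures.log"
set /a added=0, failed=0

rem In a batch file the loop variable is written %%a (it is %a only at the prompt).
rem Each member dn from dsget is passed to dsmod exactly as the one-liner does.
for /f "delims=" %%a in ('dsquery group -name "%SRC_NAME%" ^| dsget group -members') do (
    rem One dsmod call per member: a failure affects only that member.
    rem dsmod's own error text is appended to the log for later review.
    dsmod group "%DST_DN%" -addmbr %%a >nul 2>>"%LOG%"
    if errorlevel 1 (
        rem Assumption: dsmod exits non-zero when the add fails.
        set /a failed+=1
        >>"%LOG%" echo FAILED %%a
    ) else (
        set /a added+=1
    )
)

echo added=%added% failed=%failed%
if %failed% gtr 0 echo see "%LOG%" for the members that were not added
endlocal
```

reviewing the log afterwards separates the harmless "already a member" conflicts from failures that need attention, such as access denied or a member dn that no longer exists.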

and of course, to do this in powershell, you’d execute a command like this:

Get-QADGroupMember "myGroupName" | foreach {Add-QADGroupMember -identity "CN=myNewGroup..." -member $_}