JSI Tip 8995. DSMOD fails when you add members from one forest to a group in another forest?

Even though an appropriate trust relationship exists, DSMOD fails when you attempt to add members from one forest to a group in another forest.

This behavior occurs because DSMOD was NOT designed to support trust relationships between forests.

To workaround this behavior, I have scripted DSAddMbrs.bat to add members to a group. DSAddMbrs.bat supports trust relationships.

The syntax for using DSAddMbrs.bat is:

DSAddMbrs groupDN userDN1 \[UserDN2 ... UserDNn\]


groupDN   is the distinguished name of the group you wish to add members to.

userDN(i) is the distinguished name of a user that you wish to add to groupDN.
DSAddMbrs.bat contains:
@echo off
if \{%2\}

\{\} @echo Syntax: DSAddMbrs groupDN userDN1 \[UserDN2 ... UserDNn\]&goto :EOF setlocal set groupDN=%1 if exist "%TEMP%\DSAddMbrs.VBS" goto loop @echo Set objArgument = Wscript.Arguments>"%TEMP%\DSAddMbrs.VBS" @echo groupDN = objArgument(0)>>"%TEMP%\DSAddMbrs.VBS" @echo userDN = objArgument(1)>>"%TEMP%\DSAddMbrs.VBS" @echo set oProv = GetObject("LDAP:")>>"%TEMP%\DSAddMbrs.VBS" @echo set oGroup = oProv.OpenDSObject("LDAP://" ^& groupDN, vbnullstring, vbnullstring, 1)>>"%TEMP%\DSAddMbrs.VBS" @echo set oUser = oProv.OpenDSobject("LDAP://" ^& userDN, vbnullstring, vbnullstring, 1)>>"%TEMP%\DSAddMbrs.VBS" @echo oValue = oUser.Get("objectSid")>>"%TEMP%\DSAddMbrs.VBS" @echo oString = OctetString2String(oValue)>>"%TEMP%\DSAddMbrs.VBS" @echo oGroup.PutEx 3, "member", Array("")>>"%TEMP%\DSAddMbrs.VBS" @echo oGroup.SetInfo>>"%TEMP%\DSAddMbrs.VBS" @echo.>>"%TEMP%\DSAddMbrs.VBS" @echo Function OctetString2String(byVal OctetStr)>>"%TEMP%\DSAddMbrs.VBS" @echo dim value>>"%TEMP%\DSAddMbrs.VBS" @echo dim g, lowByte, highByte>>"%TEMP%\DSAddMbrs.VBS" @echo. value = "">>"%TEMP%\DSAddMbrs.VBS" @echo. for g = lbound(OctetStr) to ubound(OctetStr)>>"%TEMP%\DSAddMbrs.VBS" @echo. highByte = ascb(midb(OctetStr,g+1,1))>>"%TEMP%\DSAddMbrs.VBS" @echo. lowByte = highByte mod 16>>"%TEMP%\DSAddMbrs.VBS" @echo. highByte = highByte \ 16>>"%TEMP%\DSAddMbrs.VBS" @echo. value = value ^& hex(highByte) ^& hex(lowByte)>>"%TEMP%\DSAddMbrs.VBS" @echo next>>"%TEMP%\DSAddMbrs.VBS" @echo. OctetString2String = value>>"%TEMP%\DSAddMbrs.VBS" @echo End Function>>"%TEMP%\DSAddMbrs.VBS" :loop cscript //nologo "%TEMP%\DSAddMbrs.VBS" %groupDN% %2>"%TEMP%\DSAddMbrs.ERR" 2>&1 set err= for /f "Tokens=2 Delims=(," %%e in ('type "%TEMP%\DSAddMbrs.ERR"') do ( set err=%%e ) del /q "%TEMP%\DSAddMbrs.ERR" if "%err%" EQU "10" @echo DSAddMBRS - %2 is already a member of %groupDN%&goto next if "%err%" EQU "5" @echo DSAddMBRS - Group %groupDN% NOT found.&goto next if "%err%" EQU "6" @echo DSAddMBRS - User %2 NOT found. :next shift if not \{%2\}

\{\} goto loop endlocal

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.