dsadd/dsmod help

This topic is 16 years and 8 months old and has exceeded the time allowed for comments. Please begin a new topic or use the search feature to find a similar but newer topic.

Post by segfault »

Hello, I'm very new to command line scripting and I need some major help with some Active Directory stuff. Basically our app has users who can be assigned one or more roles, and two of those roles allow access to different reports (i.e. when a user is assigned one of those roles he/she needs to be put in a specific OU). Also when the user has the role removed, they must be removed from the OU. I have created a dsadd script that will add a user for one of the roles, and a dsmod script that will add the user to another group, but I'm having trouble coming up with a way to verify that the user is already in a group and run one line or the other based on that. So basically the algorithm should be:

    if user exists  //<-- the part i need help on
        dsmod group CN -addmbr uname ...
    else
        dsadd user CN ...

To remove users/members will just be the reverse of this, so it's really just the conditional part that I can't figure out. If anyone can help me with this or can point me to a good .bat scripting tutorial that will help it would be much appreciated. Thanks!

Post by jhicks »

Here's one approach you might consider:

    dsget group "CN=sales managers,ou=sales,ou=employees,DC=company,DC=local" -members | dsget user -samid | find /i "jhicks"

The expression calls DSGET Group for the specified group and uses -members to list the members. That output is piped to dsget user and I decided to use -samid to keep things simple. Finally, the output is piped to the find command which sees if jhicks is in the list. If this one-line expression is true, i.e. jhicks is a member of the group, then the %errorlevel% will equal 0. So you could add something like this after the above expression:

    if errorlevel 1 GOTO :NotFound
    if errorlevel 0 GOTO :Found
    :NotFound
    rem insert code if you want
    goto :EOF
    :Found
    rem insert code to run if user exists
    goto :eof

Post by segfault »

Thanks for the reply jhicks. I'm having trouble getting the 'dsget user -samid' part to work, it's telling me that it's getting information in the wrong format. It's no biggie though, because I need to send in the user's first and last name anyway, so I'm just doing:

    dsget group "CN=sales managers,ou=sales,dc=company,dc=local" -members | find /i "%1 %2"

The problem now is that I don't always know what group/OU to look in for the user. Is there a way to just search from the top (i.e. list the users in all groups in all OUs)?

I also have one other issue that will arise once I get this part figured out. I would like to have one batch file for this process, so I will have to pass the batch file the group name and OU to add the user to. Unfortunately some of our groups and OUs are two or more space delimited strings (for example 'Company District Administrator' or 'Company Provider'). I've looked online for a way to pass in a multi-part string as one variable but can't see anything. What I want is to be able to call:

    adduser.bat jsmith John Smith jspwd1 Prov Company Provider

where 'Company Provider' would be read as one parameter. I tried surrounding it with single and double quotes, as well as a variety of other punctuation, with no luck. Ideally the batch file will have:

    dsadd user "CN=%2 %3, OU=%6,DC=company,DC=com" -samid %1 -fn %2 -ln %3 -pwd %4 -pwdneverexpires yes -memberof "CN=%5,OU=%6,DC=company,DC=com"

Maybe I'm trying to ask too much of these batch files, but I'd rather not have a different batch file for every group that I'll potentially be adding to.

segfault 2007-08-06 13:25:25
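
The pieces discussed in this thread, combined into one batch file as an added example (not code from either poster): quoted multi-word arguments are unwrapped with `%~N`, `dsquery user` searches from the domain root, and the membership test decides between `dsmod` and `dsadd`. The argument order, the variable names and the `DC=company,DC=local` suffix are assumptions, and unlike the thread's `dsadd` line it uses `-pwd *` and `-mustchpwd yes` so the password is prompted for rather than passed as an argument.

```batch
@echo off
setlocal
rem Added example. Constructed call:
rem   adduser.bat jsmith John Smith "Company Provider" "Prov"
rem %~N returns argument N with its surrounding double quotes removed,
rem so a quoted multi-word group or OU name arrives as one parameter.
if "%~5"=="" (
    echo Usage: %~nx0 samid first last "group name" "ou name"
    exit /b 2
)
set "SAMID=%~1"
set "FIRST=%~2"
set "LAST=%~3"
set "GROUP=%~4"
set "OU=%~5"
rem Assumed domain suffix; adjust to the real domain.
set "BASE=DC=company,DC=local"
set "GROUPDN=CN=%GROUP%,OU=%OU%,%BASE%"

rem Search the whole domain for the account, whatever OU it lives in.
rem dsquery prints the quoted DN of each match; %%~D strips the quotes.
set "USERDN="
for /f "delims=" %%D in ('dsquery user domainroot -samid "%SAMID%"') do set "USERDN=%%~D"

if not defined USERDN goto :CreateUser

rem The user exists: add to the group only if not already a member.
dsget group "%GROUPDN%" -members | find /i "%USERDN%" >nul
if not errorlevel 1 (
    echo %SAMID% is already a member of %GROUP%
    exit /b 0
)
dsmod group "%GROUPDN%" -addmbr "%USERDN%"
exit /b %errorlevel%

:CreateUser
rem -pwd * prompts for the password, keeping it out of the command line
rem and out of any script that calls this one; -mustchpwd yes forces a
rem change at first logon.
dsadd user "CN=%FIRST% %LAST%,OU=%OU%,%BASE%" -samid "%SAMID%" -fn "%FIRST%" -ln "%LAST%" -pwd * -mustchpwd yes -memberof "%GROUPDN%"
exit /b %errorlevel%
```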