Identity Manager: How to switch the Primary Group of an Active Directory User.
When a new User object is created in Active Directory, by default it is made a member of the Domain Users (cn=Domain Users,CN=Users,dc=Domain,dc=Corp,dc=Com) group. This default group is akin to the NetWare 3.x "Everyone" group, and normally contains every User in the Domain. Why? And what is it for?
A User in Active Directory is required to have a "Primary Group Id" assigned. A User without a Primary Group is invalid, and the normal utilities like the MMC Users and Computers console will not let you create one without a Primary Group, nor let you remove the Domain Users group membership.
By default, this group is given some rights in the Domain. It is, for example, allowed to log on. This then is inherited by members of the group, allowing them log on privileges for any computer joined to the Domain. It may also be given privileges to use common shared resources like printers, or could be given rights to use files stored on a common "share". In some ways, this is analogous to the way an eDirectory / OES administrator might grant access to shared printers using the [Root] object.
I needed to create some Users in Active Directory that did not have these default rights. I quickly found that removing the user from the "Domain Users" Group was not allowed. But some research indicated that a user's Primary Group could be changed. The procedure is to add them to a different group, then switch the "Primary Group Id" to point to this new group, after which they can be removed from Domain Users.
In order to solve this problem, there are three steps to implement, and a little bit of setup work.
First, create a Group that will be used as the Primary Group for your Users that will not be members of Domain Users. In this example, I am using a group named "Domain Not Users". I created it in Active Directory in the ou=Outside,dc=Domain,dc=Corp,dc=com container. You could put it almost anywhere in the domain, but you will need to know where to find it. The "Domain Users" group lives in the CN=Users container, but I dislike putting anything in there.
Next, the DirXML script that adds the user to this "Domain Not Users" group and then switches its primary group:
<do-set-local-variable name="PrimaryGroupToken" scope="policy">
  <arg-string>
    <token-dest-attr class-name="Group" name="primaryGroupToken">
      <arg-dn><token-text xml:space="preserve">CN=Domain Not Users,ou=Outside,dc=Domain,dc=Corp,dc=Com</token-text></arg-dn>
    </token-dest-attr>
  </arg-string>
</do-set-local-variable>
<do-add-dest-attr-value class-name="Group" name="member" when="after">
  <arg-dn><token-text xml:space="preserve">cn=Domain Not Users,ou=Outside,dc=Domain,dc=Corp,dc=Com</token-text></arg-dn>
  <arg-value type="string"><token-dest-dn/></arg-value>
</do-add-dest-attr-value>
<do-set-dest-attr-value class-name="User" name="primaryGroupID" when="after">
  <arg-value type="string"><token-local-variable name="PrimaryGroupToken"/></arg-value>
</do-set-dest-attr-value>
<do-remove-dest-attr-value class-name="Group" name="member" when="after">
  <arg-dn><token-text xml:space="preserve">cn=Domain Users,CN=Users,dc=Domain,dc=Corp,dc=Com</token-text></arg-dn>
  <arg-value type="string"><token-dest-dn/></arg-value>
</do-remove-dest-attr-value>
I am skipping the Conditions code here, as they would be whatever you need for your environment. They might be something like "if department equals Internet Users" or "if location equals Provo". The actions are intended to act on a User as it is being created, but similar actions could be built to work on modify events. If you are especially ambitious, you could tie this in with Entitlements, and switch users in and out of membership in "Domain Users" that way.
First, an Active Directory internal attribute named "primaryGroupToken" is needed. This is an attribute of the Group object. To get it, a query is built and sent to the Domain to retrieve the value and store it in a local variable (PrimaryGroupToken).
Next, the User object currently being processed ("@dest-dn") is added to the "Domain Not Users" Group. By using "when='after'" in the policy, the current <add> event is completed before a second event is sent to add the newly created User to this Group. The <add> event will, as a side effect, add the User to the "Domain Users" group and set its primaryGroupID to "Domain Users".
This step uses the Local Variable from the first action to change the primaryGroupID of the newly created user. Again, "when='after'" is used so that this is submitted as a separate command to Active Directory, after the user has been created and added to the "Domain Not Users" group.
Last, the user is removed from the "Domain Users" group. Now that the user has been added to "Domain Not Users" and has had its primaryGroupID switched to point there, this command will succeed.
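The ordering above only makes sense once you see the two rules Active Directory enforces: a user's primaryGroupID must name a group the user is already a member of, and membership in the current primary group cannot be removed. The following added example (mine, not part of the original article or the Novell driver) models those two rules in memory, derives primaryGroupToken from a group's objectSid the way AD does (the token is the group's RID, the last sub-authority of its SID), runs the article's three actions in the required order, and shows that the two shortcut orders are refused. All DNs other than the two from the article, the domain SID and the RID 1105 are constructed sample data; the model ignores AD's checks on group type and scope, which a real domain also applies.

```python
"""In-memory model of the AD primary-group rules (added example, not from the article)."""
import struct

DOMAIN_USERS_RID = 513                        # well-known RID of "Domain Users"
SAMPLE_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed
DOMAIN_USERS_DN = "cn=Domain Users,CN=Users,dc=Domain,dc=Corp,dc=Com"
NOT_USERS_DN = "cn=Domain Not Users,ou=Outside,dc=Domain,dc=Corp,dc=Com"
USER_DN = "cn=jdoe,ou=Outside,dc=Domain,dc=Corp,dc=Com"           # constructed


def build_sid(domain_sid, rid):
    """Build a binary objectSid from a textual domain SID plus a RID (sample-data helper)."""
    parts = domain_sid.split("-")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]] + [rid]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def sid_to_string(sid):
    """Decode a binary objectSid: revision, sub-authority count, 48-bit big-endian
    identifier authority, then little-endian 32-bit sub-authorities."""
    revision, count = sid[0], sid[1]
    authority = int.from_bytes(sid[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, sid, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def primary_group_token(group_sid):
    """primaryGroupToken is the group's RID: the last sub-authority of its objectSid."""
    count = group_sid[1]
    return struct.unpack_from("<I", group_sid, 8 + 4 * (count - 1))[0]


class Directory:
    """Stand-in for AD that enforces the two rules the article runs into."""

    def __init__(self):
        self.groups = {}   # group DN -> {"token": RID, "member": set of user DNs}
        self.users = {}    # user DN  -> {"primaryGroupID": RID}

    def add_group(self, dn, rid):
        sid = build_sid(SAMPLE_DOMAIN_SID, rid)
        self.groups[dn] = {"token": primary_group_token(sid), "member": set()}

    def add_user(self, dn):
        # AD's default for a new user: member of Domain Users, primaryGroupID = 513.
        self.users[dn] = {"primaryGroupID": DOMAIN_USERS_RID}
        self.groups[DOMAIN_USERS_DN]["member"].add(dn)

    def add_member(self, group_dn, user_dn):
        self.groups[group_dn]["member"].add(user_dn)

    def set_primary_group_id(self, user_dn, rid):
        # Rule 1: the user must already be a member of the group that owns this token.
        owners = [dn for dn, g in self.groups.items() if g["token"] == rid]
        if not owners or user_dn not in self.groups[owners[0]]["member"]:
            raise ValueError("%s is not a member of the group with token %d" % (user_dn, rid))
        self.users[user_dn]["primaryGroupID"] = rid

    def remove_member(self, group_dn, user_dn):
        # Rule 2: membership in the user's current primary group cannot be removed.
        if self.groups[group_dn]["token"] == self.users[user_dn]["primaryGroupID"]:
            raise ValueError("%s is the primary group of %s" % (group_dn, user_dn))
        self.groups[group_dn]["member"].discard(user_dn)

    def non_default_primary_groups(self):
        """Audit helper: users whose primary group is no longer Domain Users."""
        return sorted(dn for dn, u in self.users.items()
                      if u["primaryGroupID"] != DOMAIN_USERS_RID)

    def refuses(self, operation):
        """True if the directory rejects the operation (mirrors a WILL_NOT_PERFORM)."""
        try:
            operation()
            return False
        except ValueError:
            return True


def switch_primary_group(ad, user_dn, new_group_dn):
    """The article's three actions, in the order AD requires."""
    token = ad.groups[new_group_dn]["token"]          # the primaryGroupToken query
    ad.add_member(new_group_dn, user_dn)              # do-add-dest-attr-value
    ad.set_primary_group_id(user_dn, token)           # do-set-dest-attr-value
    ad.remove_member(DOMAIN_USERS_DN, user_dn)        # do-remove-dest-attr-value
    return ad.users[user_dn]["primaryGroupID"]


def demo():
    """Returns which shortcuts are refused and the state after the correct sequence."""
    ad = Directory()
    ad.add_group(DOMAIN_USERS_DN, DOMAIN_USERS_RID)
    ad.add_group(NOT_USERS_DN, 1105)                  # constructed RID for Domain Not Users
    ad.add_user(USER_DN)
    remove_first = ad.refuses(lambda: ad.remove_member(DOMAIN_USERS_DN, USER_DN))
    set_before_member = ad.refuses(lambda: ad.set_primary_group_id(USER_DN, 1105))
    new_id = switch_primary_group(ad, USER_DN, NOT_USERS_DN)
    still_in_domain_users = USER_DN in ad.groups[DOMAIN_USERS_DN]["member"]
    return remove_first, set_before_member, new_id, still_in_domain_users, ad.non_default_primary_groups()


if __name__ == "__main__":
    print(demo())
```

The `non_default_primary_groups` helper is the check to run afterwards: it lists every user whose primaryGroupID is something other than 513, which is exactly the set of users this policy is meant to produce, so anything unexpected on that list is worth a look.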
Disclaimer: As with everything else at Cool Solutions, this content is definitely not supported by Novell (so don't even think of calling Support if you try something and it blows up).
It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.