Error403
New Contributor

Add user in group by CLI

Hello! I have to create a lot of users for VPN SSL portals. I want to script the creation of these users. No difficulty creating the accounts. But how can I add an account to a user group by CLI? Thanks in advance for your help! :) Thierry

ede_pfau
Esteemed Contributor III

A while ago I posted a batch command file (Windows) for creating a command file from a list of IPs. Maybe this can help: https://forum.fortinet.com/tm.aspx?m=102532

It shouldn't be too difficult to adapt this to creating local users and user groups. Note that there is a limit for the number of users per group (Maximum Values matrix).

 

To get the correct syntax, create a backup textfile and search for "usergrp".


Ede

"Kernel panic: Aiee, killing interrupt handler!"
Error403

Thank you for your help, ede_pfau. I already use Python to generate all my command lines. Note: my request concerns local users only.

Error403

Hi! Problem solved:

# config user group
# edit <group_name>
# set member <member_name>

ede_pfau
Esteemed Contributor III

That's what I meant - syntax is documented in each backup file. I thought it was obvious (OK, "usergrp" <> "user group").


Ede

"Kernel panic: Aiee, killing interrupt handler!"
emnoc
Esteemed Contributor III

Be careful with the set command when adding users to an existing group. A better method, if the group is already "created", is to use the append member option. This will add that new "user" to the existing member list.

I see scripters fail to notice this and drop various users when editing the group ;)

PCNSE NSE StrongSwan
Error403
New Contributor

Thank you, Emnoc, for the tip. Can this option be used with all objects?

emnoc
Esteemed Contributor III

It's useful for address groups, user groups, and fwpolicy for source interfaces or address.

The opposite command for removing just "one" object is the unselect member <membername(s)>

e.g.

config user group
    edit RWarriors
        unselect member kenfelix
end

or if you had a string of users:

config user group
    edit RWarriors
        unselect member kenfelix user2 user3 user4 user5
end

Hope that helps

PCNSE NSE StrongSwan
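
The difference between set member and append member described in the replies above, as an added example (not code from any poster in this thread): a Python generator for the group commands plus a small model that previews the resulting member list. The name allow-list, the batch size, the function names and the sample users are assumptions of this example.

```python
import re

# Allow-list for object names (an assumption of this example, not a FortiOS rule):
# keeps quotes, spaces and newlines from an input list out of the generated script.
NAME_RE = re.compile(r"[A-Za-z0-9._@-]{1,35}")

def check(name):
    if not NAME_RE.fullmatch(name):
        raise ValueError(f"unsafe object name: {name!r}")
    return name

def group_script(group, users, verb="append", batch=10):
    """Return CLI text applying `verb` (append, unselect or set) to a user group."""
    if verb not in ("append", "unselect", "set"):
        raise ValueError(f"unknown verb: {verb}")
    users = [check(u) for u in users]
    if verb == "set":
        batch = len(users) or 1  # set replaces the list, so it must be one command
    lines = ["config user group", f'    edit "{check(group)}"']
    for i in range(0, len(users), batch):
        members = " ".join(f'"{u}"' for u in users[i:i + batch])
        lines.append(f"        {verb} member {members}")
    return "\n".join(lines + ["    next", "end"])

def preview(script, current):
    """Model of the semantics described in the thread: resulting member list."""
    members = list(current)
    for line in script.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[1] != "member":
            continue  # config / edit / next / end lines
        verb, names = parts[0], [p.strip('"') for p in parts[2:]]
        if verb == "set":
            members = names  # whole list replaced: existing users are dropped
        elif verb == "append":
            members += [n for n in names if n not in members]
        elif verb == "unselect":
            members = [m for m in members if m not in names]
    return members

if __name__ == "__main__":
    existing = ["kenfelix", "user2"]  # constructed sample membership
    for verb in ("set", "append"):
        script = group_script("RWarriors", ["user3", "user4"], verb)
        print(script)
        print("resulting members:", preview(script, existing), "\n")
```

Review the generated text and compare the previewed member list with the intended one before pasting the script into the CLI.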