riftha

Reputation: 107

Copy group membership from one user to another in AD

I'm trying to build a script which will copy group memberships from one user to another in AD. I'm trying to use PowerShell to automate this task. However, I'm stuck while creating a check for the user. In other words, when I copy group membership from one user to another I want to be able to run a check to see if the user is already a member of the group before adding them. By doing this I can avoid errors such as "this user is already a member of the group and cannot be added again". Any help or advice would be appreciated. I'm using the following script at the moment.

$copy = Read-Host "Enter user to copy from"
$Sam  = Read-Host "Enter user to copy to"
Function Copymembership {
    $members = Get-ADUser -Identity $copy -Properties memberof
    foreach ($groups in $members.memberof) {
        if ($members -notcontains $groups.sAMAccountname) {
            Add-ADGroupMember -Identity $groups -Member $sam -ErrorAction SilentlyContinue
            Write-Output $groups
        }
    }
}
Copymembership

Upvotes: 7

Views: 105145

Answers (9)

What I'm currently doing is using the following script, but only to copy SGs from one user to the other if the access required is the same.

$CopyFromUser = Get-ADUser User1 -prop MemberOf
$CopyToUser = Get-ADUser User2 -prop MemberOf
$CopyFromUser.MemberOf | Where{$CopyToUser.MemberOf -notcontains $_} |  Add-ADGroupMember -Member $CopyToUser

Upvotes: 0

rubafix

Reputation: 1

$CopyFromUser = Get-ADUser JSmith -prop MemberOf
$CopyToUser = Get-ADUser MAdams -prop MemberOf

$MissingGroups = Compare-Object $CopyFromUser $CopyToUser -Property MemberOf | ? SideIndicator -eq '<='
$GroupsObj = $MissingGroups.MemberOf | Get-ADGroup -prop Description | Select Name, Description
$Group2cp = $GroupsObj | Out-GridView -PassThru -Title "Select Group to copy"
$Group2cp | Select-Object -ExpandProperty Name | Add-ADGroupMember -Members $CopyToUser

Upvotes: 0

Serge V.

Reputation: 3623

Your code is too complicated for this idea. Not sure if it can be done without the Active Directory module.

It is much easier to do that when you import the ActiveDirectory tool and use the built-in cmdlet. Check my code:

# import the Active Directory module in order to be able to use Get-ADUser and Add-ADGroupMember cmdlet
import-Module ActiveDirectory

# enter login name of the first user
$copy = Read-host "Enter username to copy from: "

# enter login name of the second user
$paste  = Read-host "Enter username to copy to: "

# copy-paste process. Get-ADuser membership     | then selecting membership                       | and add it to the second user
get-ADuser -identity $copy -properties memberof | select-object memberof -expandproperty memberof | Add-AdGroupMember -Members $paste

Upvotes: 4

Ali

Reputation: 1

I am trying to build a script to copy group membership from one user to another in AD. I have one domain and 3 different subdomains. Can you please check if there is anything in the script that must be changed, because it doesn't work? Thanks.

$From = Read-Host -Prompt "From User"
$to = Read-Host -Prompt "To User"
$CopyFromUser = Get-ADUser -Server "de.isringhausen.net" -Identity $From -Properties MemberOf
$Group = $CopyFromUser.MemberOf
$confirmation = Read-Host "Do you want to Copy Group Membership from $From to $to ? Press 'y' to Proceed or any key to Cancel"
if ($confirmation -eq 'y') {
    $Group | Add-ADGroupMember -Members $to
    clear
    echo "($From) User's Group Membership has been Copied to User ($to)"
    Pause
}
else {
    Write-Host 'Task Cancelled'
}

Upvotes: 0

Mahmoud A. ATALLAH

Reputation: 156

One line to get what the user is a member of.

Get-ADUser -Identity alan0 -Properties memberof | Select-Object -ExpandProperty memberof

One line to copy the membership from one user to another.

Get-ADUser -Identity <UserID> -Properties memberof | Select-Object -ExpandProperty memberof |  Add-ADGroupMember -Members <New UserID>

Upvotes: 11

Igor

Reputation: 1445

In case you want to have manual control over what groups are added, this is a perfect example for Out-GridView. The procedure is the same as explained by TheMadTechnician above; just before passing it to Add-ADGroupMember, you insert Out-GridView. You can even include group descriptions or other parameters.

$CopyFromUser = Get-ADUser JSmith -prop MemberOf
$CopyToUser = Get-ADUser MAdams -prop MemberOf

$MissingGroups = Compare-Object $CopyFromUser $CopyToUser -Property MemberOf | ? SideIndicator -eq '<='

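$GroupsObj = $MissingGroups.MemberOf | Get-ADGroup -prop Description | Select Name,Description

# Add-ADGroupMember binds the group identity by value, so pass the selected names rather than the Select-Object output
$GroupsObj | Out-GridView -PassThru | Select-Object -ExpandProperty Name | Add-ADGroupMember -Member $CopyToUser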

Upvotes: 0

Paul Havens

Reputation: 9

param (
    [Parameter(Mandatory=$true)][string]$CopyFromUser,
    [Parameter(Mandatory=$true)][string]$CopyToUser
)

$FromUserGroups = (Get-ADUser $CopyFromUser -Properties MemberOf).MemberOf
$CopyToUser = Get-ADUser $CopyToUser -Properties MemberOf
$FromUserGroups | Add-ADGroupMember -Members $CopyToUser

Upvotes: 0

TheMadTechnician

Reputation: 36297

Use Get-ADUser for both users. Then use the -notcontains operator to filter groups.

$CopyFromUser = Get-ADUser JSmith -prop MemberOf
$CopyToUser = Get-ADUser MAdams -prop MemberOf
$CopyFromUser.MemberOf | Where{$CopyToUser.MemberOf -notcontains $_} |  Add-ADGroupMember -Member $CopyToUser

Upvotes: 15

CitizenRon

Reputation: 895

Something like this should tell you if a group contains a specific member:

If ((Get-ADGroup "Domain Admins" -Properties Members).Members -Contains (Get-ADUser "AdminBob").DistinguishedName) {write-host "Yes"}

There might be something simpler but this was the first thing that came to mind.

Upvotes: 0
