Copy AD Group Membership to Another User in PowerShell

When you create a new user in an Active Directory domain, sometimes you need to make them a member of a large number of groups. It is quite tiresome to add a user to groups manually through the ADUC console, so it is easier to copy the group membership from one user to another using a PowerShell script. It is also convenient when an employee leaves your company department and you have to assign a new employee the same AD security groups.

Suppose, you need to copy the group membership from user jsanti and add a new user account (a.adams) to the same groups.

To run the following PoSh scripts, Active Directory for PowerShell module is used. You can install it as a part of RSAT toolkit or copy and import the AD PowerShell module manually without RSAT installation.

Get the list of groups of the source user using Get-ADUser cmdlet:

$getusergroups = Get-ADUser –Identity jsanti -Properties memberof | Select-Object -ExpandProperty memberof

To add a new user to the same groups, it is enough to send the list of groups to Add-ADGroupMember cmdlet via a pipe:

$getusergroups | Add-ADGroupMember -Members a.adams -verbose

To add a user to a domain security groups, run the commands under a domain administrator account or a user account that is delegated privileges to add users to AD groups.

Then make sure that a new user has been successfully added to the same groups as the source user:

Get-ADUser -Identity a.adams -Properties memberof | Select-Object -ExpandProperty memberof

You can use the Get-ADPrincipalGroupMembership generic cmdlet to copy group membership of any AD object (user, computer or group).

$userSource= “jsanti" $userTarget=”a.adams” $sourceGroups = Get-ADPrincipalGroupMembership -Identity $userSource Add-ADPrincipalGroupMembership -Identity $userTarget -MemberOf $sourceGroups

You can use a PowerShell script that automatically writes a text log file containing the information about adding a user to groups:

$logfile="c:\LOG\CopyAdGroup.log" $userSource= “jsanti" $userTarget=”a.adams” $Time = Get-Date Add-content $logfile -value $Time -Encoding UTF8 Add-content $logfile -value "_______________" Add-content $logfile -value "Copying AD groups from $userSource to $userTarget" -Encoding UTF8 $sourceGroups = (Get-ADPrincipalGroupMembership -Identity $userSource).SamAccountName foreach ($group in $sourceGroups) { Add-content $logfile -value "Adding $userTarget to $group" -Encoding UTF8 try { $log=Add-ADPrincipalGroupMembership -Identity $userTarget -MemberOf $group Add-content $logfile -value $log -Encoding UTF8 } catch { Add-content $logfile $($Error[0].Exception.Message) -Encoding UTF8 Continue } } Add-content $logfile -value "_______________"

You can track adding users to AD groups in the domain controller security logs.

Another popular task is to copy all users from one domain group to another. To do it, you can use this PowerShell command:

Get-ADGroupMember "LA-GPO-Admins" | ForEach-Object {Add-ADGroupMember "LA-Server-Admins" -Members $_ }

You can use other ways to automatically add a user to AD groups depending on their position or other user attribute specified in AD. The following article provides an example of creating Active Directory dynamic groups.

Copy AD Group Membership to Another User in PowerShell

How to Extend or Shrink Virtual Hard Disks on Hyper-V?

Auditing Weak Passwords in Active Directory

Related Reading

Leave a Comment Cancel Reply