Copy local group memberships from one user to another

I came across the following challenge: A customer asked me to clone the group membership from one user to another! I did that in the past for Active Directory users and groups, but never for local groups on a Windows system. But the customer has a test system with lots of local groups.

The Windows 10 LocalAccounts module doesn’t provide a function to do that directly, but it’s powerful enough to build something.

I already had an internal function (Get-LocalGroupMembership) that was able to dump a list of groups a given user is a member of. So I decided to tweak it just a little bit and use it to clone the local Group Membership from one User to another.

Here is the tweaked function:

function Get-LocalGroupMembership
{
   <#
         .SYNOPSIS
         Get all local Groups a given User is a Member of

         .DESCRIPTION
         Get the membership of all local Groups for a given User.
         The Given User could be a local User (COMPUTER\USER) or a Domain User (DOMAIN\USER).

         .PARAMETER UserName
         Given User could be a local User (COMPUTER\USER) or a Domain User (DOMAIN\USER).
         Default is the user that executes the function.

         .EXAMPLE
         PS C:\> Get-LocalGroupMembership

         Dump the Group Membership for the User that executes the function

         .EXAMPLE
         PS C:\> Get-LocalGroupMembership -UserName 'CONTOSO\John.Doe'

         Dump the Group Membership for the User John.Doe in the Domain CONTOSO

         .EXAMPLE
         PS C:\> Get-LocalGroupMembership -UserName "$env:COMPUTERNAME\John.Doe"

         Dump the Group Membership for the User John.Doe on the local computer

         .EXAMPLE
         PS C:\> Get-LocalGroupMembership -UserName 'CONTOSO\John.Doe' | Foreach-Object { Add-LocalGroupMember -Group $_ -Member "$env:COMPUTERNAME\John.Doe" -ErrorAction SilentlyContinue }

         Clone the Group Membership from User John.Doe in the Domain CONTOSO to User John.Doe on the local computer

         .NOTES
         This is just a quick and dirty solution for a problem I faced. (See last example)
   #>

   [CmdletBinding(ConfirmImpact = 'None')]
   [OutputType([psobject])]
   param
   (
      [Parameter(ValueFromPipeline,
      ValueFromPipelineByPropertyName)]
      [ValidateNotNullOrEmpty()]
      [Alias('User')]
      [string]
      $UserName = ("$env:USERDOMAIN" + '\' + "$env:USERNAME")
   )

   begin
   {
      # Create a new Object
      $LocalGroupMembership = @()
   }

   process
   {
      $AllGroups = (Get-LocalGroup -Name *)

      foreach ($LocalGroup in $AllGroups)
      {
         if (Get-LocalGroupMember -Group $LocalGroup.Name -ErrorAction SilentlyContinue | Where-Object -FilterScript {
               $_.name -eq $UserName
         })
         {
            $LocalGroupMembership += $LocalGroup.Name
         }
      }
   }
   end
   {
      # Dump the object to the console
      $LocalGroupMembership
   }
}

Here is the command line I used to clone the local Group Membership from one User to another:

Get-LocalGroupMembership -UserName 'CONTOSO\John.Doe' | Foreach-Object { Add-LocalGroupMember -Group $_ -Member 'CONTOSO\Jane.Doe' -ErrorAction SilentlyContinue }
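
The one-liner above silences every error and copies all groups, including privileged ones. As an added example (not the author's code), here is a variant that reports the outcome for each group and skips the built-in Administrators group unless told otherwise. The function name, parameter names and result labels are hypothetical; only the LocalAccounts cmdlets are real.

```powershell
#Requires -Modules Microsoft.PowerShell.LocalAccounts
# Added example: hypothetical function and parameter names, not from the original post.
function Copy-LocalGroupMembershipAudited
{
   [CmdletBinding(SupportsShouldProcess)]
   param
   (
      [Parameter(Mandatory)][string]$SourceUser,   # e.g. 'CONTOSO\John.Doe'
      [Parameter(Mandatory)][string]$TargetUser,   # e.g. 'CONTOSO\Jane.Doe'
      # Group SIDs that are not copied unless -IncludePrivileged is set.
      # S-1-5-32-544 is the built-in Administrators group; extend the list as needed.
      [string[]]$PrivilegedSid = @('S-1-5-32-544'),
      [switch]$IncludePrivileged
   )

   foreach ($Group in (Get-LocalGroup))
   {
      # Enumeration can fail (for example on orphaned members); report it instead of hiding it
      try { $Members = Get-LocalGroupMember -Group $Group -ErrorAction Stop }
      catch
      {
         [pscustomobject]@{ Group = $Group.Name; Result = 'EnumerationFailed'; Detail = $_.Exception.Message }
         continue
      }

      # Only groups the source user is a direct member of are candidates
      if (-not ($Members | Where-Object { $_.Name -eq $SourceUser })) { continue }

      $Result = 'Added'; $Detail = $null
      if (($PrivilegedSid -contains $Group.SID.Value) -and -not $IncludePrivileged)
      {
         $Result = 'SkippedPrivileged'
      }
      elseif ($Members | Where-Object { $_.Name -eq $TargetUser })
      {
         $Result = 'AlreadyMember'
      }
      elseif ($PSCmdlet.ShouldProcess($Group.Name, "Add $TargetUser"))
      {
         try { Add-LocalGroupMember -Group $Group -Member $TargetUser -Confirm:$false -ErrorAction Stop }
         catch { $Result = 'Failed'; $Detail = $_.Exception.Message }
      }
      else { $Result = 'NotApplied' }   # -WhatIf was used or the prompt was declined

      [pscustomobject]@{ Group = $Group.Name; Result = $Result; Detail = $Detail }
   }
}
```

Running it with `-WhatIf` first lists what would change without modifying any group; the emitted objects can be piped to `Export-Csv` to keep a record of the change.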

There is also a Gist for this function; it is also part of my open-source repository.

I also created a function for the same requirement, but for Active Directory Users. I never had the request for doing something like this on a local Windows 10 system.

Never say never…