I while ago I publish some PowerShell tooling to copy the Active Directory group memberships between users. The tooling also able to sync the group memberships; if the Target User belongs to a group whom the Source User doesn’t, the tooling can remove these groups. That is perfect for cloning or during the movement of users between divisions.
Today I faced the challenge to do a quick on boarding for some users! The fast solution for that challenge:
Get-ADUser -Identity SOURCEUSER -Properties memberof | Select-Object -ExpandProperty memberof | Add-ADGroupMember -Members TARGET1, TARGET2, TARGET3
This quick and dirty solution worked perfect!
Here is the same as the quick and dirty solution, more robust and as a function:
function Copy-ADUserGroupMembershipSimple
{
<#
.SYNOPSIS
Copy group memberships from a given Source User to a Target User(s) in Active Directory
.DESCRIPTION
Copy group memberships from a given Source User to a Target User(s) in Active Directory.
Simple Version of Copy-ADUserGroupMemberships
.PARAMETER SourceUser
Source-User Object.
Specifies an Active Directory group object by providing one of the following values.
The identifier in parentheses is the LDAP display name for the attribute.
Distinguished Name
Example: CN=johndoe,OU=europe,CN=users,DC=corp,DC=contoso,DC=com
GUID (objectGUID)
Example: 599c3d2e-f72d-4d20-8a88-030d99495f20
Security Identifier (objectSid)
Example: S-1-5-21-3165297888-301567370-576410423-1103
Security Accounts Manager (SAM) Account Name (sAMAccountName)
Example: johndoe
.PARAMETER TargetUser
Target-User Object.
Specifies an Active Directory group object by providing one of the following values.
The identifier in parentheses is the LDAP display name for the attribute.
Distinguished Name
Example: CN=janedoe,OU=europe,CN=users,DC=corp,DC=contoso,DC=com
GUID (objectGUID)
Example: 599c3d2e-f72d-4d20-8a88-030d99495f20
Security Identifier (objectSid)
Example: S-1-5-21-3165297888-301567370-576410423-1103
Security Accounts Manager (SAM) Account Name (sAMAccountName)
Example: janedoe
.PARAMETER PassThru
Use the -PassThru parameter with the previous command to receive feedback about what groups the Target is being added as a member of.
.EXAMPLE
PS C:\> Copy-ADUserGroupMembershipSimple -SourceUser 'SourceUser' -TargetUser 'TargetUser'
Copy group memberships from SourceUser to TargetUser
.EXAMPLE
PS C:\> Copy-ADUserGroupMembershipSimple -SourceUser 'SourceUser' -TargetUser 'TargetUser1', 'TargetUser2'
Copy group memberships from SourceUser to TargetUser1 and TargetUser2
.EXAMPLE
PS C:\> Copy-ADUserGroupMembershipSimple -SourceUser 'SourceUser' -TargetUser 'TargetUser' -PassThru
Use the -PassThru parameter with the previous command to receive feedback about what groups the Target is being added as a member of.
.NOTES
Version: 1.0.0
GUID: 71152a07-f167-44ff-bf1b-f0f7a0149717
Author: Joerg Hochwald
Companyname: enabling Technology
Copyright: Copyright (c) 2019, enabling Technology - All rights reserved.
License: https://opensource.org/licenses/BSD-3-Clause
Releasenotes:
1.0.0 2019-07-09: Initial Release
THIS CODE IS MADE AVAILABLE AS IS, WITHOUT WARRANTY OF ANY KIND. THE ENTIRE RISK OF THE USE OR THE RESULTS FROM THE USE OF THIS CODE REMAINS WITH THE USER.
.LINK
Copy-ADUserGroupMemberships
.LINK
https://github.com/jhochwald/PowerShell-collection/
.LINK
Get-ADUser
.LINK
Add-ADGroupMember
#>
[CmdletBinding(ConfirmImpact = 'Low',
SupportsShouldProcess = $true)]
param
(
[Parameter(Mandatory = $true,
ValueFromPipeline = $true,
ValueFromPipelineByPropertyName = $true,
Position = 0,
HelpMessage = 'Source-User Object.')]
[ValidateNotNullOrEmpty()]
[Alias('Source')]
[string]
$SourceUser,
[Parameter(Mandatory = $true,
ValueFromPipeline = $true,
ValueFromPipelineByPropertyName = $true,
Position = 1,
HelpMessage = 'Target-User Object.')]
[ValidateNotNullOrEmpty()]
[Alias('Target')]
[string[]]
$TargetUser,
[Parameter(ValueFromPipeline = $true,
ValueFromPipelineByPropertyName = $true,
Position = 2)]
[switch]
$PassThru = $null
)
process
{
if ($pscmdlet.ShouldProcess($TargetUser, 'Modify/add Group Membership'))
{
try
{
$paramGetADUser = @{
Identity = $SourceUser
Properties = 'memberof'
Verbose = $(if ($pscmdlet.MyInvocation.BoundParameters['Verbose'].IsPresent)
{
$true
}
else
{
$false
}
)
}
$paramAddADGroupMember = @{
Members = $TargetUser
Verbose = $(if ($pscmdlet.MyInvocation.BoundParameters['Verbose'].IsPresent)
{
$true
}
else
{
# Workaround: If not present it is empty not false
$false
}
)
PassThru = $(if ($pscmdlet.MyInvocation.BoundParameters['PassThru'].IsPresent)
{
$true
}
else
{
# Workaround: If not present it is empty not false
$false
}
)
}
if (($pscmdlet.MyInvocation.BoundParameters['PassThru'].IsPresent))
{
# Show the output / PassThru in a nice format
((Get-ADUser @paramGetADUser) | Select-Object -ExpandProperty memberof | Add-ADGroupMember @paramAddADGroupMember | Select-Object -ExpandProperty SamAccountName)
}
else
{
# Do not show any output / Verbose will be shown
$null = ((Get-ADUser @paramGetADUser) | Select-Object -ExpandProperty memberof | Add-ADGroupMember @paramAddADGroupMember)
}
}
catch
{
#region ErrorHandler
# get error record
[Management.Automation.ErrorRecord]$e = $_
# retrieve information about runtime error
$info = [PSCustomObject]@{
Exception = $e.Exception.Message
Reason = $e.CategoryInfo.Reason
Target = $e.CategoryInfo.TargetName
Script = $e.InvocationInfo.ScriptName
Line = $e.InvocationInfo.ScriptLineNumber
Column = $e.InvocationInfo.OffsetInLine
}
Write-Verbose -Message $info
Write-Error -Message ($info.Exception) -ErrorAction Stop
# Only here to catch a global ErrorAction overwrite
break
#endregion ErrorHandler
}
}
}
}
There is a Gist available for better readability and syntax highlighting. This function is also part of my default repository.