Create AD Group and Copy a Group’s Members with PowerShell

This week, I was asked if I could export a list of users who were members of a specific group in Active Directory. My Question: What’s this list for? Answer: We’re working on a project that requires us to create a new security group in Active Directory and we’re going to add all the users on the list to the new group. I determined that this new group really was necessary. My response: I can do even better than providing you guys with a list. I can create the new AD group, output a list of users, and import them into the new group.

I had previously created a couple of PowerShell scripts that would help me get started. One of them created an AD group and the other added a single user to an AD group. I combined my existing scripts and nested the add-user-to-group portion in a foreach loop:

PowerShell to the Rescue!

Here’s an updated script based on Jeffery Hicks’ comments. You’ve gotta love the PowerShell community.
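The script itself was not captured on this page, so what follows is an added example of my own, not Mike's script. It applies the same idea (create the group with -PassThru, copy the members in one call) and also copies the ManagedBy owner as Jason Larson suggests in the comments. It assumes the RSAT ActiveDirectory module; the default OU path is a placeholder, and -Server is optional for targeting another domain controller.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not the original post's script. Assumes the ActiveDirectory
# module and rights to create groups in $Path. The default DN is a placeholder.
[CmdletBinding(SupportsShouldProcess)]
param (
    [Parameter(Mandatory)][string]$ExistingGrpName,
    [Parameter(Mandatory)][string]$NewGrpName,
    [string]$Path = 'OU=Groups,DC=example,DC=local',
    [string]$Description = "Copy of $ExistingGrpName",
    [string]$Server   # optional: domain controller to target
)

$adArgs = @{}
if ($Server) { $adArgs['Server'] = $Server }

# The source group must exist; ManagedBy is not returned by default, so ask for it.
$src = Get-ADGroup -Identity $ExistingGrpName -Properties ManagedBy @adArgs

# Refuse to reuse an existing group so members are never silently added to the wrong one.
if (Get-ADGroup -Filter "Name -eq '$NewGrpName'" @adArgs) {
    throw "Group '$NewGrpName' already exists; refusing to modify it."
}

if ($PSCmdlet.ShouldProcess($NewGrpName, "Create group and copy members from $ExistingGrpName")) {
    # Same scope and category as the source keeps the copy usable wherever the original was.
    $new = New-ADGroup -Name $NewGrpName -GroupScope $src.GroupScope -GroupCategory $src.GroupCategory `
        -Description $Description -Path $Path -PassThru @adArgs

    # Copy the direct members (no nested expansion) in a single call.
    $members = @(Get-ADGroupMember -Identity $src @adArgs)
    if ($members.Count -gt 0) {
        Add-ADGroupMember -Identity $new -Members $members @adArgs

        # Verify the copy: both membership lists should match exactly.
        $copied = @(Get-ADGroupMember -Identity $new @adArgs)
        $diff = Compare-Object -ReferenceObject $members -DifferenceObject $copied -Property DistinguishedName
        if ($diff) { Write-Warning "Membership differs between $ExistingGrpName and $NewGrpName" }
    }

    # Carry the ManagedBy owner over to the new group.
    if ($src.ManagedBy) {
        Set-ADGroup -Identity $new -ManagedBy $src.ManagedBy @adArgs
    }

    # Output the resulting member list for the requester.
    Get-ADGroupMember -Identity $new @adArgs | Select-Object Name, objectClass
}
```

Run it with -WhatIf first to see what would be created before anything is written to the directory.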


About Mike F Robbins

PowerShell Enthusiast | IT Pro | Winner of the Advanced Category in the 2013 PowerShell Scripting Games | Author of Chapter 6 in the PowerShell Deep Dives Book.
This entry was posted in Active Directory, PowerShell.

9 Responses to Create AD Group and Copy a Group’s Members with PowerShell

  1. You can skip all the ADSI nonsense. Add the users to the group and get the names in one line.

    Add-ADGroupMember $NewGrpName -Member (Get-ADGroupMember $ExistingGrpName) -passthru | get-adgroupmember | Select Name

  2. Actually, you can do everything in a single command:

    new-adgroup -name $newGrpName -GroupScope $grpScope -description $description -GroupCategory $GrpCat -path $path -passthru |
    Add-ADGroupMember -member (Get-ADGroupMember $existingGrpName) -passthru |
    Get-ADGroupMember | Select Name

    The “trick” is to take advantage of -Passthru so objects get written to the pipeline.

    • Stefan Peters says:

      Jeffery, I have comp2.ps1 file:
      param($t1, $t2)
      "arg1 $t1"
      "arg2 $t2"
      New-ADOrganizationalUnit -Name Groups -path 'ou=$t1,ou=Microsoft Exchange Hosted Organizations,dc=mwc,dc=local'
      New-AdGroup -Name $t1 -GroupScope Global -path "ou=groups,ou=$t1,ou=Microsoft Exchange Hosted Organizations,dc=mwc,dc=local"

      When I run the ps1 with parameter fakecom the display returns
      arg1 fakecom
      but an error occurs in the New-ADOrganizationalUnit and the New-ADGroup commands.
      The parameter $t1 is not replaced by fakecom.

      Please advise.
      Thanks
      Stefan

      • Stefan Peters says:

        New-ADOrganizationalUnit : Directory object not found
        At C:scriptsklaarcomp2.ps1:4 char:25
        + New-ADOrganizationalUnit <<<< -Name Groups -path 'ou=$t1,ou=Microsoft Exchan
        ge Hosted Organizations,dc=mwc,dc=local'
        + CategoryInfo : ObjectNotFound: (OU=Groups,ou=$t…dc=mwc,dc=loc
        al:String) [New-ADOrganizationalUnit], ADIdentityNotFoundException
        + FullyQualifiedErrorId : Directory object not found,Microsoft.ActiveDirec
        tory.Management.Commands.NewADOrganizationalUnit

        New-ADGroup : The specified group already exists
        At C:scriptsklaarcomp2.ps1:5 char:12
        + New-AdGroup <<<< -Name $t1 -GroupScope Global -path "ou=groups,ou=$t1,ou=Mic
        rosoft Exchange Hosted Organizations,dc=mwc,dc=local"
        + CategoryInfo : NotSpecified: (CN=fakecom,ou=g…dc=mwc,dc=local
        :String) [New-ADGroup], ADException
        + FullyQualifiedErrorId : The specified group already exists,Microsoft.Act
        iveDirectory.Management.Commands.NewADGroup

        this is the error I get.

  3. Khoa Le says:

    I want to know how to duplicate a security group with the members copied over in AD. Say group name is A. I want to make a copy B and copy all of members from A to B.

  4. Roderic M says:

    I need to copy my users from one AD to another AD but need to keep all groups and privileges the same using powershell scripting in AXutil for Dynamics AX2012

  5. Brad West says:

    Great post, especially Jeffery’s refinements. I’ve used this technique several times. You can also add the -Server switch to target a Domain Controller in a different domain in a more complex AD Forest. You could then create variables for source and target domains if the groups are in different domains (Universal Groups only in this scenario).

  6. Thomas Duggan says:

    Great script! I’m working on a project where I need to create security groups for a series of subfolders with the same members as the security groups (read only and read/write) for the parent folder. This script makes this very easy. I’ve been trying to figure out, with my limited scripting experience, how to add a line to the script that would read the “managed by” role from the existing group and assign that user to the “managed by” role in the new group. Even if I just input the user name into the script as a variable and have it assigned to “managed by” role for the new group, that would help (the folder manager for the parent folder is assigned to all the subfolders at this point, so it wouldn’t change that often). Any suggestions?

    • Jason Larson says:

      Set-ADGroup -Identity $newGrpName -ManagedBy (Get-ADGroup $existingGrpName -Properties 'ManagedBy').ManagedBy
