Use PowerShell to Copy the Group Membership of one Active Directory User to Another Active Directory User Account

You have an Active Directory user account and you want to make a second user a member of the same groups without removing the second user from any groups they may already be a member of.

I prefer using the Quest PowerShell Cmdlets for Active Directory for doing my AD administration work. They have been downloaded and installed on the system this is being run from. The Quest snap-in has been added to make the cmdlets available.

User ‘afuller’ is a member of several groups in this Active Directory environment and the user ‘lcallahan’ is currently only a member of the domain users group as shown below:

I want ‘lcallahan’ to be a member of the same groups as ‘afuller’. I attempt a one-liner which generates an error because ‘lcallahan’ can’t be added to the domain users group since that user is already a member of it. Strangely enough, the domain users group seems to be the only group that causes this error when the user is already a member. If the user is already a member of any of the other groups, those other groups don’t cause any errors.

I’ll exclude that group by using the Where-Object cmdlet, and since PowerShell version 3 is also installed on the system this is being run from, I’ll use the new simplified syntax for Where-Object.

Now ‘lcallahan’ is a member of the same groups as ‘afuller’. This wouldn’t affect any of the groups that ‘lcallahan’ was already a member of.
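
The copy described above can be wrapped so the groups about to be granted are listed before anything changes. This is an added example, not code from the original post: the function name Copy-QADGroupMembership and its parameters are hypothetical, and it assumes the Quest snap-in is loaded as described earlier.

```powershell
# Added example; Copy-QADGroupMembership and its parameter names are hypothetical.
# Assumes the Quest Active Directory snap-in is already loaded in this session.
function Copy-QADGroupMembership {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$SourceUser,
        [Parameter(Mandatory = $true)][string]$TargetUser,
        # Groups never copied; 'Domain Users' is the group that raised the error.
        [string[]]$ExcludeGroup = @('Domain Users')
    )

    # Resolve both accounts first and stop unless each name matches exactly one user.
    $source = @(Get-QADUser $SourceUser)
    $target = @(Get-QADUser $TargetUser)
    if ($source.Count -ne 1) { throw "Expected one match for source '$SourceUser'." }
    if ($target.Count -ne 1) { throw "Expected one match for target '$TargetUser'." }

    # Direct group memberships of each account.
    $sourceGroups = @($source[0] | Get-QADMemberOf)
    $targetDNs    = @($target[0] | Get-QADMemberOf | ForEach-Object { $_.DN })

    # Keep only groups the target lacks and that are not excluded.
    # -notcontains compares case-insensitively, so 'domain users' also matches.
    $toAdd = $sourceGroups | Where-Object {
        ($ExcludeGroup -notcontains $_.Name) -and ($targetDNs -notcontains $_.DN)
    }

    foreach ($group in $toAdd) {
        # With -WhatIf, ShouldProcess returns $false and nothing is modified.
        if ($PSCmdlet.ShouldProcess($group.DN, "Add member $($target[0].DN)")) {
            Add-QADGroupMember -Identity $group.DN -Member $target[0].DN
        }
        # Emit each candidate group so the grant can be reviewed or logged.
        $group | Select-Object Name, DN
    }
}

# Preview: lists every group 'lcallahan' would gain, changes nothing.
Copy-QADGroupMembership -SourceUser 'afuller' -TargetUser 'lcallahan' -WhatIf

# Apply once the list has been reviewed.
Copy-QADGroupMembership -SourceUser 'afuller' -TargetUser 'lcallahan'
```

Any privileged group in the preview output can be passed to -ExcludeGroup so it is not copied along with the rest.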

Update 02/11/14
I’ve written an updated version of this blog article that uses the Microsoft Active Directory PowerShell cmdlets that are part of the Remote Server Administration Tools (RSAT): http://mikefrobbins.com/2014/01/30/add-an-active-directory-user-to-the-same-groups-as-another-user-with-powershell/

3 Comments

  1. scottw

    Mike, I had to modify the where statement to get this to work:
    Get-QADUser 'userx' |
    Get-QADMemberOf |
    Where-Object {$_.name -ne 'domain users'} |
    Add-QADGroupMember -Member 'usery'

  2. Chris

    I get that this post is extremely old and not many people even view it any more, but I first want to say thanks; this post was extremely useful for me. Now I have a follow-up question. We have 2 domains in a 2-way trust. All new user accounts are created on DomainB. We have some security groups on DomainA that members from DomainB are in. So my question now: is there a way to do a similar thing as this blog post, but across 2 domains in a trust? Basically, if we have 2 users on DomainB and I need to add user2 to all the same groups on DomainA that user 1 is already a member of.

  3. Chris

    I figured it out.
    I ran these commands from the domain (we will call it domain1 in this example) where the groups are located. It should be pretty easy to pipe multiple users from a CSV file now as well.

    $existinguser = Get-QADUser domain2\existing.username
    $newuser = Get-QADUser domain2\new.username

    Get-QADMemberOf $existinguser.SID | where name -ne 'domain users' | Add-QADGroupMember -Member $newuser.SID
