Add an Active Directory User to the Same Groups as Another User with PowerShell

A request has been received to grant additional permissions to an existing user in your organization's Active Directory environment. The username of this existing user is “frank0”. In addition to his current responsibilities, Frank will be taking on the responsibilities of Alan, who goes by the username “alan0”.

Note: The examples shown in this blog article are being performed on a Windows 8.1 machine that has the Remote Server Administration Tools installed. The Active Directory module is not explicitly imported in these examples, since Windows 8.1 runs PowerShell version 4 and the module auto-loading feature, which was first introduced in PowerShell version 3, takes care of importing the module.

First, take a look at what Active Directory groups “alan0” is a member of. These are the groups that “frank0” needs to be made a member of:

[Image: ad-copygroup1a]

The dotted notation style of accessing the MemberOf property could also be used:

[Image: ad-copygroup2]

Frank is currently a member of the “Information Technology” group:

[Image: ad-copygroup3a]

A simple one-liner can be used to add Frank as a member of each of Alan’s groups:

Nothing is returned by default if the command completes successfully:

[Image: ad-copygroup4]

Use the -PassThru parameter with the previous command to receive feedback about what groups Frank is being added as a member of:

[Image: ad-copygroup6]

In addition to the “Information Technology” group, Frank is now a member of all the groups that Alan is a member of:

[Image: ad-copygroup5a]

Want to add multiple users to the same groups that Alan is a member of? No problem:

[Image: ad-copygroup7]
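
The copy step above as a reusable function, added here as an example and not taken from the original article: it adds only the groups the target lacks, supports -WhatIf for a dry run, and skips groups flagged adminCount = 1 (AdminSDHolder-protected, such as Domain Admins) unless asked, since cloning a colleague's memberships can carry privileged access along with it. Copy-ADGroupMembership and its parameters are hypothetical names; the ActiveDirectory module and rights to modify group membership are assumed.

```powershell
#Requires -Modules ActiveDirectory

# Added example: Copy-ADGroupMembership is a hypothetical helper name,
# not a cmdlet that ships with the ActiveDirectory module.
function Copy-ADGroupMembership {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]   $Source,   # user to copy from, e.g. 'alan0'
        [Parameter(Mandatory)] [string[]] $Target,   # one or more users to add
        [switch] $IncludeProtectedGroups             # opt in to adminCount = 1 groups
    )

    # MemberOf holds the DNs of direct memberships only; the primary group
    # (usually Domain Users) and nested memberships are not listed.
    $sourceGroups = @((Get-ADUser -Identity $Source -Properties MemberOf).MemberOf)

    foreach ($name in $Target) {
        $targetGroups = @((Get-ADUser -Identity $name -Properties MemberOf).MemberOf)

        # Only groups the target does not already have, so re-runs are harmless.
        $missing = $sourceGroups | Where-Object { $_ -notin $targetGroups }

        foreach ($dn in $missing) {
            $group = Get-ADGroup -Identity $dn -Properties adminCount

            # adminCount = 1 marks objects covered by AdminSDHolder protection.
            if ($group.adminCount -eq 1 -and -not $IncludeProtectedGroups) {
                Write-Warning "Skipping protected group '$($group.Name)' for $name"
                continue
            }

            if ($PSCmdlet.ShouldProcess($group.Name, "Add member $name")) {
                Add-ADGroupMember -Identity $group -Members $name -Confirm:$false
                [pscustomobject]@{ User = $name; AddedTo = $group.Name }
            }
        }
    }
}

# Preview first, then apply (usernames are the ones used in the article).
Copy-ADGroupMembership -Source alan0 -Target frank0 -WhatIf
Copy-ADGroupMembership -Source alan0 -Target frank0
```

The objects written to the pipeline give a record of each membership granted, which can be exported for the change ticket.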


17 Comments

  1. Phil

    Awesome! Great tutorial, thank you

  2. Bruno

    Thanks for these one-liners... great help

  3. Joshua Thomas

    I have users in another domain and their linked account in the main domain. For example, DomainA is a dummy account for linked mailboxes on Exchange, but the main account is on DomainB. Not all accounts in DomainA are dummy accounts. So I want to take UserA from DomainA and take DomainB\UserB from DomainB and add him to the groups DomainA\UserA is in.

  4. hectormarcia

    Extremely simple yet extremely powerful.

    Thank you so much for this info Mike

  5. Swapnil

    We have three domain controllers in our company, so when we give the user ID to copy from, it shows that the user is not found in the XXX domain, as the user belongs to the YYY domain. So how can we differentiate the domain when entering the user ID?

  6. Matiss

    It helped me, thanks a lot!

  7. Marvin MEjia

    Yes it does work, thanks!
    Question: is there a PowerShell script to copy group membership from a user to a group? I am working on evaluating ways to migrate from one domain to another, and this function would be great.

  8. Tom

    Greetings. I came across your script doing a Google search and it worked as I was expecting. My question is, before I run this script, is there a way that I can run a remove permissions line for the user that is getting the new permissions, with the exception of a couple of groups that they need to be in? For example, I am looking to remove person1 from all groups, except the Domain Users group and the group they need to be in to receive their home directory. Once the remove is done, this script would be run to grant the person the permissions they would be receiving from the model-after user. Any help would be greatly appreciated! The model-after part worked like a charm in our environment. I’m just looking to make things easier when we have a bunch of accounts that are moving departments or being shuffled around. Thanks in advance.

    • Zachary Abbott

      Hi Tom – this will do what you want; obviously change the group names to match those you wish to leave in place. As with any script, test in your own environment before putting into production!

      $user = "TOM"

      # Remove $user from every group except the ones named in the filter
      Get-ADUser $user | Get-ADPrincipalGroupMembership | Where-Object {$_.Name -ne "Domain Users" -and $_.Name -ne "Visitors" -and $_.Name -ne "staff" -and $_.Name -ne "OneDrive for Business Customers"} | Remove-ADGroupMember -Members $user -Confirm:$false

      NOTE: You could also use variables to define the groups, if it makes more sense (for example, if the groups would change often depending on your circumstances).

      $user = "TOM"
      $group1 = "Domain Users"
      $group2 = "Staff"

      # Same removal, with the groups to keep held in variables
      Get-ADUser $user | Get-ADPrincipalGroupMembership | Where-Object {$_.Name -ne $group1 -and $_.Name -ne $group2} | Remove-ADGroupMember -Members $user -Confirm:$false

  9. Kenneth Wernicke

    Thanks, a simple way to “copy” permissions.

  10. Bill G

    This helped a lot, thanks

  11. Dilen

    Very Useful! Thank you!

  12. Achille

    Thank you very much!!!

  13. Zachary Abbott

    A simpler way to do this might be:

    $source = "User1"
    $target = "User2"
    # Add $target to every group $source belongs to and list the group names
    Get-ADPrincipalGroupMembership $source | Add-ADGroupMember -Members $target -PassThru | Select-Object Name

  14. Dan

    Thank you very much for putting this together, very useful

  15. Ex

    Thanks for this… very well written guide and useful code! Saved me a lot of time!

