Use PowerShell to Copy the Group Membership of one Active Directory User to Another Active Directory User Account

You have an Active Directory user account and you want to make a second user a member of the same groups without removing the second user from any groups they may already be a member of.

I prefer using the Quest PowerShell Cmdlets for Active Directory for doing my AD administration work. They have been downloaded and installed on the system this is being run from. The Quest snap-in has been added to make the cmdlets available.

User ‘afuller’ is a member of several groups in this active directory environment and the user ‘lcallahan’ is currently only a member of the domain users group as shown below:

Add-PSSnapin -Name Quest.ActiveRoles.ADManagement
Get-QADUser 'afuller' |
Get-QADMemberOf

Get-QADUser 'lcallahan' |
Get-QADMemberOf

user-copy-adgroups1.png

I want ‘lcallahan’ to be a member of the same groups as ‘afuller’. I attempt a one liner which generates an error because ‘lcallahan’ can’t be added to the domain users group since that user is already a member of it. Strangely enough, already being a member of the domain users group seems to be the only group that causes this error. If the user is a member of any of the other groups already, those other groups don’t cause any errors.

Get-QADUser 'afuller' |
Get-QADMemberOf |
Add-QADGroupMember -Member 'lcallahan'

user-copy-adgroups2.png

I’ll exclude that group by using the Where-Object cmdlet and since PowerShell verison 3 is also installed on the system this is being run from, I’ll use the new simplified syntax for Where-Object.

Get-QADUser 'afuller' |
Get-QADMemberOf |
where name -ne 'domain users' |
Add-QADGroupMember -Member 'lcallahan'

user-copy-adgroups3.png

Now ‘lcallahan’ is a member of the same groups as ‘afuller’. This wouldn’t affect any of the groups that ‘lcallahan’ was already a member of.

Get-QADUser 'lcallahan' |
Get-QADMemberOf

user-copy-adgroups4.png

Update 02/11/14 I’ve written an updated version of this blog article that uses the Microsoft Active Directory PowerShell cmdlets that are part of the Remote Server Administration Tools (RSAT): https://mikefrobbins.com/2014/01/30/add-an-active-directory-user-to-the-same-groups-as-another-user-with-powershell/

µ