Add an Active Directory User to the Same Groups as Another User with PowerShell

A request has been received to grant additional permissions to an existing user in your organizations Active Directory environment. The username of this existing user is “frank0”. In additional to his current responsibilities, Frank will be taking on the responsibilities of Alan who goes by the username of “alan0”.

Note: The examples shown in this blog article are being performed on a Windows 8.1 machine that has the remote server administration tools installed. The Active Directory module is not explicitly imported in these examples since Windows 8.1 runs PowerShell version 4 and the module auto-loading feature which was first introduced in PowerShell version 3 takes care of importing the module.

First, take a look at what Active Directory groups “alan0” is a member of. These are the groups that “frank0” needs to be made a member of:


The dotted notation style of accessing the MemberOf property could also be used:


Frank is currently a member of the “Information Technology” group:


A simple one-liner can be used to add Frank as a member of each of Alan’s groups:

Nothing is returned by default if the command completes successfully:


Use the -PassThru parameter with the previous command to receive feedback about what groups Frank is being added as a member of:


In addition to the “Information Technology” group, Frank is now a member of all the groups that Alan is a member of:


Want to add multiple users to the same groups that Alan is a member of? No problem:




  1. Phil

    Awesome! Great tutorial, thank you

  2. Bruno

    thanks for this oneliners.. great help

  3. Joshua Thomas

    I have users in another domain and their linked account in the main domain, example, domainA is a dummy account for linked mailboxes on exchange, but the main account is on domainB. not all accounts in DomainA are dummy accounts. so I want to take UserA from DomainA and take DomainB\UserB from domainB and add him to the groups DomainA\UserA are in.

  4. hectormarcia

    extremely simple yet extremely powerful.

    Thank you so much for this info Mike

  5. Swapnil

    We have three domain controllers in our Company so when we give user ID from copy it shows that user not found in XXX domain, as user belongs to YYY domain, So how can we give differentiate domain when entering user ID.

  6. Matiss

    IT helped me, thanks a lot!

  7. Marvin MEjia

    Yes it does work, thanks!
    Questio, is there a POwershell script to copy group membership from an user to a Group? I am working on evaluating ways to migrate from one domain to another, and this function would be great.

  8. Tom

    Greetings. I came across your script doing a google search and it worked as I was expecting. My question is, before I run this script, is there a way that I can run a remove permissions line for the user that is getting the new permissions, with the exception of a couple of groups that they need to be in. For example, I am looking to remove person1 from all groups, except the domain users group and the group they need to be in to receive their home directory. Once the remove is done, this script would be ran to grant the person the permissions they would be receiving from the model after user. Any help would be greatly appreciated! The model after part worked like a charm in our environment. I’m just looking to make things easier when we have a bunch of accounts that are moving departments or being shuffled around. Thanks in advance

    • Zachary Abbott

      Hi Tom – this will do what you want; obviously change the group names to match those you wish to leave in place. As with any script, test in your own environment before putting into production!

      $user = “TOM”

      get-aduser $user | Get-ADPrincipalGroupMembership | where {$ -ne “Domain Users” -and $ -ne “Visitors” -and $ -ne “staff” -and $ -ne “OneDrive for Business Customers”} | Remove-ADGroupMember -Members $user -confirm:$False

      NOTE: You could also use variables to define the groups, if it makes more sense (for example, if the groups would change often depending on your circumstances)

      $user = “TOM”
      $group1 = “Domain Users”
      $group2 = “Staff”

      get-aduser $user | Get-ADPrincipalGroupMembership | where {$ -ne $group1 -and $ -ne $group2} | Remove-ADGroupMember -Members $user -confirm:$False

  9. Kenneth Wernicke

    thnx, a simple way to “copy” permissions.

  10. Bill G

    This helped a lot, thanks

  11. Dilen

    Very Useful! Thank you!

  12. Achille

    Thank you very much!!!

  13. Zachary Abbott

    A simpler way to do this might be:

    $source= “User1”
    $target= “User2”
    get-adprincipalgroupmembership $source | add-adgroupmember -members $target -PassThru | select Name

  14. Dan

    Thank you very much for putting this together, very useful

  15. Ex

    Thanks for this… very well written guide and useful code! Saved me a lot of time!

  16. Madhu

    thanks for this !! its very simple and understandable !

  17. Danielle

    Very Awesome, Thanks!

    I am trying to run a similar script, but using computers. Is there a way you could help? I have to replace many computers, and I would like a script that would ask for the existing computer name and the replacement computer name. It would then push the AD Security groups to the replacement computer from the existing computer.
    Any insight would be useful.
    Thanks again!

  18. Danielle Bieber

    Thank You! Do you know the command if the user is on a different domain in the forest?

    • Danielle Bieber

      I used your command and added -Server (domain controller name) after GetADUser and Add-ADGroupMember for users on our other domain. The other domain controller has Powershell 2009 and I don’t like the commands for it.

  19. Mahmoud A. Atallah

    Really big thanks it’s very helpful command

    Get-ADUser -Identity -Properties memberof | Select-Object -ExpandProperty memberof |
    Add-ADGroupMember -Members

  20. Octavio Ricci

    Thanks for this tip. But i have a doubt.
    Why “add-adgroupmember” accepts a type of “string” if in it´s property -identity it accepts a Adgroup ByValue?

    Thanks in advance.

    • David Colley

      Great information. This works great on AD, is there anyway this can be done exactly the same on the email distribution groups in Office 365?

      Thank you.

  21. David

    This is amazing, is there a way for the script to ask you ” Who do you want to copy memberships from?” and “Who do you want to add the memberships to?”


    • angrykreyon

      it’s maybe not the best way, but works like a charm.

      $user1=read-host ‘Enter user name to read groups from’
      $user2=read-host ‘Enter user name to add to the groups’
      Get-ADUser -Identity $user1 -Properties memberof |
      Select-Object -ExpandProperty memberof |
      Add-ADGroupMember -Members $user2

  22. Saurabh Joshi

    Hello Mike,
    This script really helped me a lot.

    How to add users with adding them to groups like above script;


Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: