Copy Group Memberships from one user to another

Have you ever found yourself needing to copy 1 user’s group memberships to another user in order to make sure both had identical permissions needed for their daily job? I’ve had to do this far more times than I’d like to count. Typically it’s easiest to do this upon creation of the new user’s account because you can simply copy the source user’s account through Active Directory Users and Computers. But what if both users already exist?

Well, the script below will help alleviate this issue by using PowerShell in conjunction with the Quest AD Tools.

The first way to do this is to simply run the script within an IDE like PowerGUI Script Editor. Simply copy and paste the code listed below and then modify the source/target users and domain controller and the script should run on your machine.



add-pssnapin quest.activeroles.admanagement

#   Be sure to change "domaincontroller" to the domain controller which you want to make these changes on. You can use
#   the -UseGlobalCatalog switch if you'd like in order to make the changes to your GC 

connect-qadservice domaincontroller -credential (get-credential)  



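#   Replace each placeholder with the sAMAccountName of the user; the values must be quoted strings

$sourceuser = "samaccountname"
$targetuser = "samaccountname"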


#   This will store all applicable groups into a variable called groupmembership

$groupmembership = get-qaduser $sourceuser | select -ExpandProperty memberof     

#    This will loop through all groups in groupmembership and apply the memberships

foreach ($group in $groupmembership) { add-qadgroupmember -identity $group -member $targetuser }     


The second way to do this is to simply build a reusable ps1 file which asks for params in order to complete the task. Simply copy and paste the code below into notepad then save as a .ps1 file.


###########################################################################
#
# NAME: Copy-GroupMemberships.ps1
#
# AUTHOR: Joshua Schofield
#
# COMMENT: Must have Quest Active Roles Installed
#
# EXAMPLE: c:\scripts\copy-groupmemberships.ps1 -domaincontroller MYDC01 -sourceuser JDOE -targetuser JSMITH
#
# VERSION HISTORY: 1
#
# VERSION DATE:    8/21/2012
#
# VERSION COMMENTS: Tested and Validated
#
#
###########################################################################


param (

	[Parameter(Mandatory = $true)]
	$SourceUser,
	
	[Parameter(Mandatory = $true)]
	$TargetUser,
	
	[Parameter(Mandatory = $true)]
	$DomainController
)

add-pssnapin quest.activeroles.admanagement -ErrorAction SilentlyContinue | Out-Null

#   You can use the -UseGlobalCatalog switch if you'd like in order to make the changes to your GC
connect-qadservice $DomainController -credential (get-credential)  

#   This will store all applicable groups into a variable called groupmembership
$groupmembership = get-qaduser $sourceuser | select -ExpandProperty memberof    

#    This will loop through all groups in groupmembership and apply the memberships
foreach ($group in $groupmembership) { add-qadgroupmember -identity $group -member $targetuser }     
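
Both scripts copy every group in the source user's memberOf, privileged groups included, so a preview step before the change is worth having. The following is an added example, not part of the original post: it uses Microsoft's ActiveDirectory module (RSAT) rather than the Quest snap-in, and the function name Get-GroupCopyPlan, the default list of sensitive group names, and the sample user and DC names are assumptions to adapt to your environment.

```powershell
#requires -Modules ActiveDirectory
# Added example: preview a membership copy and hold back privileged groups.
# Get-GroupCopyPlan and $SensitiveGroups are illustrative names, not from the post.

function Get-GroupCopyPlan {
    param (
        [Parameter(Mandatory = $true)] [string] $SourceUser,
        [Parameter(Mandatory = $true)] [string] $TargetUser,
        [Parameter(Mandatory = $true)] [string] $DomainController,
        # Assumed deny-list; extend it with your own admin / tier-0 groups.
        [string[]] $SensitiveGroups = @('Domain Admins', 'Enterprise Admins',
            'Schema Admins', 'Administrators', 'Account Operators',
            'Backup Operators', 'Server Operators')
    )

    $source = Get-ADUser $SourceUser -Properties MemberOf -Server $DomainController
    $target = Get-ADUser $TargetUser -Properties MemberOf -Server $DomainController

    # Only groups the source has and the target lacks need to be added.
    $missing = @($source.MemberOf | Where-Object { $target.MemberOf -notcontains $_ })

    foreach ($dn in $missing) {
        $group = Get-ADGroup $dn -Server $DomainController
        [pscustomobject]@{
            Group             = $group.Name
            DistinguishedName = $dn
            Sensitive         = $SensitiveGroups -contains $group.Name
        }
    }
}

# Constructed sample names, matching the example in the script header above.
$plan = Get-GroupCopyPlan -SourceUser 'JDOE' -TargetUser 'JSMITH' -DomainController 'MYDC01'

# Review the plan first; sensitive groups are listed but never copied automatically.
$plan | Sort-Object Sensitive -Descending | Format-Table Group, Sensitive -AutoSize

foreach ($entry in ($plan | Where-Object { -not $_.Sensitive })) {
    # -WhatIf only prints what would change; remove it to apply after review.
    Add-ADGroupMember -Identity $entry.DistinguishedName -Members 'JSMITH' `
        -Server 'MYDC01' -WhatIf
}
```

Groups flagged as sensitive stay in the plan output so they can be granted deliberately, one at a time, instead of being inherited from the source account.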


  1. August 29, 2012 at 1:52 pm

    Nice scripting! Thanks for sharing Josh!

    • August 29, 2012 at 1:54 pm

      Not a problem. Thanks for viewing. Message me if you have questions

  2. Aaron Perrault
    August 30, 2012 at 7:40 pm

    Josh
    Is the domain controller portion really needed if you are in a single domain forest? Just curious. Great script. Just added your site to my reader. Keep up the good work.

    • August 31, 2012 at 12:58 pm

      Great point Aaron.

      For the Quest cmdlet connect-qadservice you can either use the FQDN of your domain name or a domain controller. If you leave the field blank it will use your currently logged in domain as the default domain to use.

      I’m betting you have more than 1 domain controller, and maybe more than 1 AD site, if I am correct then using a specific domain controller will allow you to make the changes directly to an individual’s AD Site. This will allow them to see immediate change upon log off/log on.

      Another way to use the connect-qadservice command is to add the switch -useglobalcatalog and this will connect you to your domain’s global catalog server and make the changes there.

      With my environment being so large (14 or so Forests, 20 +/- domains, and domain controllers around the world) it is easiest for my team and I to just simply select a DC and make the changes there and we can test immediately.

      • Aaron Perrault
        August 31, 2012 at 1:00 pm

        Hey Josh, I figured that was the reason you were doing this. I just wanted to make sure that it would work either way. Keep up the good work

        aaron

  3. August 31, 2012 at 1:06 pm

    Yea that was it. If you have any suggestions or want to see any other tasks performed with PowerShell let me know.

  4. July 12, 2013 at 11:39 am

    I truly love your blog.. Very nice colors & theme.
    Did you create this amazing site yourself? Please reply back as I’m hoping to create my own site and would like to learn where you got this from or exactly what the theme is called. Appreciate it!

    • July 15, 2013 at 11:59 am

      Hey there. Thanks for the compliments on my page. I just wish I wasn’t so busy with work and could upload more of my scripts. I did in fact create this site on my own however I did use a theme provided by WordPress. The theme is: INove By mg12.

  5. July 31, 2013 at 2:34 am

    Hey I am so delighted I found your blog, I really found you by error, while I was browsing on Aol for something else, Nonetheless I am here now and would just like to say many thanks for a marvelous post and an all round interesting blog (I also love the theme/design), I don’t have time to browse it all at the minute but I have saved it and also added your RSS feeds, so when I have time I will be back to read a great deal more, Please do keep up the fantastic job.

  6. August 7, 2013 at 6:29 pm

    Howdy! This post could not be written much better! Looking through this post reminds me of my previous roommate! He always kept preaching about this. I most certainly will forward this post to him. Pretty sure he’ll have a great read. I appreciate you for sharing!

    • August 7, 2013 at 7:52 pm

      I’m glad this was of use to you. I have so many more scripts to share just haven’t had the time. If you have any requests on how to do something let me know.
