One project that consistently saves me time every day is my custom Active Directory Users and Computers MMC. This MMC contains quick links to commonly visited OUs and embedded scripts for fast access! But this custom MMC only saves me time if I keep it updated to match my current work.
Because of a very large site migration, I found myself needing to duplicate group memberships very quickly. I was pulling a fireman and migrating group memberships manually. What I needed was an extendable but simple way to automate this. Once again, PowerShell came to the rescue! The script below makes duplicating group memberships with PowerShell a breeze!
This PowerShell script makes use of the Quest AD cmdlets. If you don’t have these cmdlets installed, you can download them from here. This script is designed to be completely standalone. Because of that, we start by adding our Quest snap-in and prompting for a source and a destination computer.

Add-PSSnapin Quest.ActiveRoles.ADManagement
$SourceComputer = Read-Host "What is the source computer? (This computer is in the groups already.)"
$DestinationComputer = Read-Host "What is the destination computer? (This computer needs to be added to groups.)"
$DestinationComputer = Get-QADComputer -Identity $DestinationComputer
Your source computer should be the computer that is already in the correct groups. Your destination computer is the machine that needs to be placed in those same groups. The script is flexible enough to accept a DestinationComputer prefix: for example, typing GAMCN for the DestinationComputer will grab every computer whose name begins with that prefix.
We now need to find every group that our SourceComputer is a member of. We can do this by piping our SourceComputer to Get-QADMemberOf. Every computer is automatically a member of Domain Computers. To prevent errors, we overwrite $Groups with a filtered copy that excludes the Domain Computers group. This is done with the Where alias (Where-Object). In that segment, we are saying: keep each group Where its Name does not equal (-ne) "Domain Computers". If you have other groups that should be excluded, copy this line and replace "Domain Computers" with your group.

$Groups = Get-QADComputer $SourceComputer | Get-QADMemberOf
$Groups = $Groups | Where { $_.Name -ne "Domain Computers" }
Finally, we cycle through each group with a Foreach statement. By calling Add-QADGroupMember, we add our new computer to every group it should be a member of. If our DestinationComputer variable contains multiple computers, Add-QADGroupMember automatically cycles through those computer names as well. To keep the console from filling with error text, ErrorAction is set to SilentlyContinue. The pause sits after the loop so the window stays open once every group has been processed.

Foreach ($Group in $Groups) {
    Add-QADGroupMember $Group $DestinationComputer -ErrorAction SilentlyContinue
}
pause
The Complete Duplicating Group Memberships with PowerShell Scripts
Below are two versions of this script. The first is the complete script from the segments above. The second script will optionally move the destination computers to the source computer's OU as well.

# Duplicate Group Memberships but Do Not Move to an OU
Add-PSSnapin Quest.ActiveRoles.ADManagement

# Prompt for the source (already in the groups) and destination (name or prefix)
$SourceComputer = Read-Host "What is the source computer? (This computer is in the groups already.)"
$DestinationComputer = Read-Host "What is the destination computer? (This computer needs to be added to groups.)"
$DestinationComputer = Get-QADComputer -Identity $DestinationComputer

# Collect the source computer's groups, minus the default Domain Computers group
$Groups = Get-QADComputer $SourceComputer | Get-QADMemberOf
$Groups = $Groups | Where { $_.Name -ne "Domain Computers" }

# Add the destination computer(s) to each group
Foreach ($Group in $Groups) {
    Add-QADGroupMember $Group $DestinationComputer -ErrorAction SilentlyContinue
}
pause

# Duplicate Group Memberships and Prompt to Move to an OU
Add-PSSnapin Quest.ActiveRoles.ADManagement

# Prompt for the source (already in the groups) and destination (name or prefix)
$SourceComputer = Read-Host "What is the source computer? (This computer is in the groups already.)"
$DestinationComputer = Read-Host "What is the destination computer? (This computer needs to be added to groups.)"
$DestinationComputer = Get-QADComputer -Identity $DestinationComputer

# Look up the OU the source computer lives in and ask whether to move the destination(s) there
$ParentOU = Get-QADComputer $SourceComputer | select ParentContainer -Unique -ExpandProperty ParentContainer
$MoveComputer = Read-Host "Would you like to move the DestinationComputer(s) to $ParentOU ?"

# Collect the source computer's groups, minus the default Domain Computers group
$Groups = Get-QADComputer $SourceComputer | Get-QADMemberOf
$Groups = $Groups | Where { $_.Name -ne "Domain Computers" }

# Add the destination computer(s) to each group
Foreach ($Group in $Groups) {
    Add-QADGroupMember $Group $DestinationComputer -ErrorAction SilentlyContinue
}

# Optionally move every destination computer into the source computer's OU
if ($MoveComputer -eq "Yes") {
    foreach ($Computer in $DestinationComputer) {
        Move-QADObject -Identity $Computer.Name -NewParentContainer $ParentOU
    }
}
pause
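Cloning group memberships is a quiet way to hand a machine every privilege the source machine holds, so it is worth seeing exactly what will be granted before it happens. The following is an added example, not the original post's script: it uses the same Quest cmdlets and the same Domain Computers exclusion, but lists only the groups each destination computer is not already in, asks for confirmation, records each success or failure instead of silently continuing, and writes the outcome to a CSV (the $LogPath location is an assumption).

```powershell
# Added example (not the original post's script): preview-and-log variant of the
# duplication routine above. Assumes the Quest snap-in is installed and that the
# account running it may read the groups and modify their membership.
Add-PSSnapin Quest.ActiveRoles.ADManagement

$SourceComputer      = Read-Host "What is the source computer? (already in the correct groups)"
$DestinationComputer = Read-Host "What is the destination computer or prefix?"
$LogPath             = "C:\Temp\GroupCopy-$(Get-Date -Format 'yyyyMMdd-HHmmss').csv"  # assumed log location

# Groups the source is in, minus the primary group every computer already holds
$SourceGroups = Get-QADComputer $SourceComputer | Get-QADMemberOf |
    Where-Object { $_.Name -ne "Domain Computers" }

# Build the list of changes: only groups the destination is NOT already a member of
$Planned = @(foreach ($Computer in (Get-QADComputer -Identity $DestinationComputer)) {
    $Existing = @($Computer | Get-QADMemberOf | ForEach-Object { $_.DN })
    foreach ($Group in $SourceGroups) {
        if ($Existing -notcontains $Group.DN) {
            New-Object PSObject -Property @{
                Computer   = $Computer.Name
                ComputerDN = $Computer.DN
                Group      = $Group.Name
                GroupDN    = $Group.DN
                Result     = "Planned"
            }
        }
    }
})

if ($Planned.Count -eq 0) { Write-Host "Nothing to do: destination(s) already match the source."; return }

# Review the exact memberships that will be granted before anything is changed in AD
$Planned | Sort-Object Computer, Group | Format-Table Computer, Group -AutoSize
if ((Read-Host "Apply these $($Planned.Count) membership additions? (Yes/No)") -ne "Yes") { return }

foreach ($Change in $Planned) {
    try {
        Add-QADGroupMember -Identity $Change.GroupDN -Member $Change.ComputerDN -ErrorAction Stop
        $Change.Result = "Added"
    } catch {
        # Keep going, but capture the failure instead of discarding it
        $Change.Result = "Failed: $($_.Exception.Message)"
    }
}

# One row per computer/group pair, with the result, for the change record
$Planned | Select-Object Computer, Group, Result | Export-Csv -Path $LogPath -NoTypeInformation
Write-Host "Results written to $LogPath"
```

The CSV gives you a record of which machine gained which group and when, which is what you want on hand if a migration later needs to be audited or reversed.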
If these scripts help you out (or if you have an improvement), leave a note in the comment section below!