Copy Group Memberships from one user to another

Have you ever found yourself needing to copy one user's group memberships to another user in order to make sure both have the identical permissions needed for their daily job? I've had to do this far more times than I'd like to count. It is easiest to do this when the new user's account is created, because you can simply copy the source user's account through Active Directory Users and Computers. But what if both users already exist?

The scripts below solve this with PowerShell in conjunction with the Quest AD Tools (the Quest ActiveRoles Management Shell snap-in must be installed).

The first way to do this is to run the script within an IDE like PowerGUI Script Editor. Copy and paste the code listed below, modify the source/target users and the domain controller, and the script should run on your machine.


add-pssnapin quest.activeroles.admanagement

# Be sure to change "domaincontroller" to the domain controller which you want to make these changes on. You can use
# the -UseGlobalCatalog switch if you'd like in order to make the changes to your GC

connect-qadservice "domaincontroller" -credential (get-credential)

# Replace the placeholder strings with the sAMAccountName of the source and target users
$sourceuser = "source_samaccountname"
$targetuser = "target_samaccountname"

# This will store all applicable groups (as distinguished names) into a variable called groupmembership

$groupmembership = get-qaduser $sourceuser | select -ExpandProperty memberof

# This will loop through all groups in groupmembership and apply the memberships to the target user

foreach ($group in $groupmembership) { add-qadgroupmember -identity $group -member $targetuser }

The second way to do this is to build a reusable .ps1 file which asks for parameters in order to complete the task. Copy and paste the code below into Notepad, then save it as a .ps1 file.


###########################################################################
#
# NAME: Copy-GroupMemberships.ps1
#
# AUTHOR: Joshua Schofield
#
# COMMENT: Must have Quest Active Roles Installed
#
# EXAMPLE: c:\scripts\copy-groupmemberships.ps1 -domaincontroller MYDC01 -sourceuser JDOE -targetuser JSMITH
#
# VERSION HISTORY: 1
#
# VERSION DATE:    8/21/2012
#
# VERSION COMMENTS: Tested and Validated
#
#
###########################################################################

param (

	[Parameter(Mandatory = $true)]
	$SourceUser,

	[Parameter(Mandatory = $true)]
	$TargetUser,

	[Parameter(Mandatory = $true)]
	$DomainController
)

add-pssnapin quest.activeroles.admanagement -ErrorAction SilentlyContinue | Out-Null

#   You can use the -UseGlobalCatalog switch if you'd like in order to make the changes to your GC
connect-qadservice $DomainController -credential (get-credential)  

#   This will store all applicable groups into a variable called groupmembership
$groupmembership = get-qaduser $sourceuser | select -ExpandProperty memberof    

#    This will loop through all groups in groupmembership and apply the memberships
foreach ($group in $groupmembership) { add-qadgroupmember -identity $group -member $targetuser }     
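As an added example, not the post's own script: a hardened variant of the same Quest-based copy that resolves both accounts before touching anything, skips groups the target is already in, skips an assumed list of privileged groups unless explicitly allowed, supports -WhatIf, and returns one audit row per group. The Quest cmdlet names are those used above; the protected-group list and the sample user/DC names in the usage comment are assumptions.

```powershell
function Copy-GroupMembership {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param (
        [Parameter(Mandatory = $true)][string]$SourceUser,
        [Parameter(Mandatory = $true)][string]$TargetUser,
        [Parameter(Mandatory = $true)][string]$DomainController,
        # Assumed list of privileged groups; skipped unless -IncludeProtectedGroups is given
        [string[]]$ProtectedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'),
        [switch]$IncludeProtectedGroups
    )

    Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue | Out-Null
    Connect-QADService $DomainController -Credential (Get-Credential) | Out-Null

    # Resolve both accounts up front so a mistyped name fails before any group is touched
    $source = Get-QADUser -Identity $SourceUser
    $target = Get-QADUser -Identity $TargetUser
    if (-not $source) { throw "Source user '$SourceUser' not found via $DomainController" }
    if (-not $target) { throw "Target user '$TargetUser' not found via $DomainController" }

    # MemberOf holds group distinguished names. Index the target's groups so the copy is
    # idempotent (re-running never re-adds). The primary group (normally Domain Users) is
    # not listed in MemberOf, so it is not copied by this method.
    $alreadyIn = @{}
    foreach ($dn in @($target.MemberOf)) { $alreadyIn[$dn] = $true }

    foreach ($dn in @($source.MemberOf)) {
        $group  = Get-QADGroup -Identity $dn
        $record = New-Object PSObject -Property @{ Group = $group.Name; DN = $dn; Action = '' }
        if ($alreadyIn.ContainsKey($dn)) {
            $record.Action = 'SkippedAlreadyMember'
        }
        elseif (($ProtectedGroups -contains $group.Name) -and -not $IncludeProtectedGroups) {
            # Copying memberships silently propagates privilege; make that an explicit decision
            $record.Action = 'SkippedProtected'
        }
        elseif ($PSCmdlet.ShouldProcess("$($target.SamAccountName) -> $($group.Name)", 'Add group member')) {
            try {
                Add-QADGroupMember -Identity $dn -Member $target.DN -ErrorAction Stop | Out-Null
                $record.Action = 'Added'
            }
            catch { $record.Action = "Failed: $($_.Exception.Message)" }
        }
        else { $record.Action = 'WhatIf' }
        $record   # one audit row per group; pipe the output to Export-Csv to keep a change record
    }
}
# Preview first, then apply and keep the audit trail (constructed user and DC names):
# Copy-GroupMembership -SourceUser JDOE -TargetUser JSMITH -DomainController MYDC01 -WhatIf
```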

Posted in Active Directory, PowerShell, Windows OS.

13 Comments

  1. Josh
    Is the domain controller portion really needed if you are in a single domain forest? Just curious. Great script. Just added your site to my reader. Keep up the good work.

    • Great point Aaron.

      For the Quest cmdlet connect-qadservice you can either use the FQDN of your domain name or a domain controller. If you leave the field blank it will use your currently logged in domain as the default domain to use.

      I'm betting you have more than 1 domain controller, and maybe more than 1 AD site. If I am correct, then using a specific domain controller will allow you to make the changes directly to an individual's AD site. This will allow them to see the change immediately upon log off/log on.

      Another way to use the connect-qadservice command is to add the switch -useglobalcatalog, and this will connect you to your domain's global catalog server and make the changes there.

      With my environment being so large (14 or so Forests, 20 +/- domains, and domain controllers around the world) it is easiest for my team and I to just simply select a DC and make the changes there and we can test immediately.

      • Hey Josh, I figured that was the reason you were doing this. I just wanted to make sure that it would work either way. Keep up the good work

        aaron

  2. I truly love your blog. Very nice colors & theme.
    Did you create this amazing site yourself? Please reply back as I’m hoping to create my own site and would like to learn where you got this from or exactly what the theme is called. Appreciate it!

    • Hey there. Thanks for the compliments on my page. I just wish I wasn't so busy with work and could upload more of my scripts. I did in fact create this site on my own; however, I did use a theme provided by WordPress. The theme is: INove by mg12.

      • I am seeing this issue and we have two domain controllers set up. I am working through a Lync deployment and I've got everything working but voicemail. Is there any other way I can set up voicemail?

  3. Hey, I am so delighted I found your blog. I really found you by error while I was browsing on Aol for something else. Nonetheless, I
    am here now and would just like to say many thanks for a marvelous post and an all-round
    interesting blog (I also love the theme/design).
    I don't have time to browse it all at the minute, but I have saved it and also added your RSS feeds, so when I have time I will be back to read a great deal more. Please do keep up the fantastic job.

    • I'm glad this was of use to you. I have so many more scripts to share; I just haven't had the time. If you have any requests on how to do something, let me know.
