
Add members to a group with PowerShell commandlet

Derek Schauland offers this tip on how to use Quest Software's free PowerShell commandlets to streamline tasks by setting up a simple script.

Managing groups in Active Directory can become tedious and even overwhelming. You can add a user to multiple groups with Active Directory Users and Computers (ADUC), and where group changes are rare that may be the way to go, but Quest Software publishes a set of PowerShell cmdlets that make the task easy to automate.

This post looks at some of the cmdlets available from Quest for accomplishing this task. The best part is that they are free to download from: http://www.quest.com/powershell/activeroles-server.aspx.

Note: The ActiveRoles cmdlets do not require an ActiveRoles server in order to work with Active Directory.

Quest also publishes other PowerShell resources on its site.

Adding members to group

Suppose we have the following scenario: a lone administrator needs to add users to a new group in Active Directory. Because other projects need to be completed as soon as possible, adding them one by one in ADUC is not an efficient use of time. Here is how to streamline the task with PowerShell.

The first step is to download and install the ActiveRoles Server cmdlets for PowerShell. Once installed, the interface looks like Figure A. Note: during installation the ActiveRoles installer can set PowerShell's execution policy to allow signed scripts, which makes the tool a bit easier to use given that PowerShell restricts script execution by default.

Figure A: The ActiveRoles interface for PowerShell.

The Active Directory cmdlets are only available from within the ActiveRoles session. To open that session, launch it from the Quest Software folder on the Start Menu.

Adding users (or other groups) to an Active Directory group is a simple task, but when there are a large number of items to add, a script driven by a list of users is a great way to get the job done quickly.

The first thing to do is create a list of the objects you want to add using the following set of commands:

# Prompt for the password as a SecureString so it is never held as plain text
$pw = Read-Host "Enter your password" -AsSecureString
# Bind to the directory with the specified account; the password is the SecureString above
Connect-QADService -ConnectionAccount 'domain\admin username' -ConnectionPassword $pw
# Enumerate the users under the UsersOU container and write their distinguished name and
# description to C:\users.txt. Note that every line of this file is later read back as a
# member DN, so if the file will feed the add loop directly, write the DN alone.
Get-QADUser -SearchRoot 'domain.com/UsersOU' | ForEach-Object { $_.DirectoryEntry.distinguishedName, $_.DirectoryEntry.description } | Out-File C:\users.txt

This section of code connects to Active Directory using the specified account (domain\admin username) and prompts you for that account's password. It then searches the directory container UsersOU and returns the distinguished name and description of every user account in that container. Instead of printing them to the screen, the results are written to C:\users.txt, which can be read in later to add these members to a group. Keep in mind that the loop shown later treats each line of the file as a distinguished name, so if the file exists only to feed that loop, write the distinguished names alone.

Once you have a file containing the distinguished names of the users you need to add, reading the file into PowerShell and adding the members to the group is quick and easy.

The cmdlet that does the work is Add-QADGroupMember.

First, tell it which group to add users to with the -Identity parameter followed by the distinguished name of the target group:

-identity "cn=newgroup,ou=groups,dc=domain,dc=com"

Next, specify the -Member parameter and the distinguished name of the user you need to add:

-member "cn=Derek,ou=users,dc=domain,dc=com"

The entire command looks like this:

Add-QADGroupMember -Identity "cn=newgroup,ou=groups,dc=domain,dc=com" -Member "cn=Derek,ou=users,dc=domain,dc=com"

This also echoes the result to the screen. Here only one record is being added, and for a single user PowerShell may well take longer than the GUI tools that ship with Windows.

Returning to our original scenario, a script that lets the administrator loop through a file of distinguished names and add each user might look like this:

# Distinguished name of the group that will receive the members
$group = "cn=newgroup,ou=groups,dc=domain,dc=com"
# Read the file into an array, one line per entry
$list = Get-Content C:\users.txt
# Add each distinguished name in the list to the group
foreach ($user in $list)
{
    Add-QADGroupMember -Identity $group -Member $user
}

The code above creates a variable, $group, holding the distinguished name of the group that will contain the users. Next, the $list variable is filled with the contents of C:\users.txt, one line per element, so the file can be looped through during the remainder of the script.

The loop is where the work is done: each pass takes one user record from $list, which holds the entire contents of users.txt, and adds that user to the target group named by $group. Each record is passed to Add-QADGroupMember in turn, so the users are added one at a time until the list is exhausted.

When PowerShell is used for this type of maintenance, adding a huge list of users to a group takes very little time at all. There can be a bit of setup, but keeping the script small and useful makes the process very painless indeed.
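The bulk-add script above works, but as written it stops on the first malformed line, re-adds nothing but also reports nothing, and leaves no record of what changed. The following script is an added example, not code from the article or from Quest: it wraps the same Connect-QADService / Get-Content / Add-QADGroupMember flow with a dry-run switch, a check that each line is actually a distinguished name, an idempotent skip of existing members, and a log file. The file paths, group DN, account name and the use of Get-QADGroup and Get-QADGroupMember (with -SizeLimit 0 to lift the default result cap) are assumptions for the example.

```powershell
# Added example (not from the original article): bulk-add members from a file, safely.
# Assumes the Quest ActiveRoles cmdlets are installed; paths and DNs below are placeholders.
param(
    [string]$ListPath = "C:\users.txt",
    [string]$GroupDN  = "cn=newgroup,ou=groups,dc=domain,dc=com",
    [string]$LogPath  = "C:\add-members.log",
    [switch]$DryRun   # report what would change without touching the directory
)

# Load the Quest snap-in if this is not already an ActiveRoles session
if (-not (Get-PSSnapin -Name Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Quest.ActiveRoles.ADManagement
}

# Prompt for credentials; the password stays a SecureString and is never logged
$pw = Read-Host "Enter your password" -AsSecureString
Connect-QADService -ConnectionAccount 'domain\admin username' -ConnectionPassword $pw | Out-Null

# Resolve the target group once, so a typo in the DN fails before any change is made
$group = Get-QADGroup -Identity $GroupDN
if (-not $group) { throw "Group not found: $GroupDN" }

# Current members keyed by lower-cased DN, so re-running the script adds nobody twice
$existing = @{}
Get-QADGroupMember -Identity $GroupDN -SizeLimit 0 | ForEach-Object { $existing[$_.DN.ToLower()] = $true }

$added = 0; $skipped = 0; $failed = 0
foreach ($line in Get-Content $ListPath) {
    $dn = $line.Trim()
    # users.txt may carry blank lines or description lines; only DNs are usable here
    if ($dn -eq '' -or $dn -notmatch '^(?i)cn=') {
        "$(Get-Date -Format s) SKIP not a DN: '$dn'" | Out-File $LogPath -Append
        $skipped++; continue
    }
    if ($existing.ContainsKey($dn.ToLower())) {
        "$(Get-Date -Format s) SKIP already a member: $dn" | Out-File $LogPath -Append
        $skipped++; continue
    }
    if ($DryRun) {
        "$(Get-Date -Format s) WOULD ADD $dn to $GroupDN" | Out-File $LogPath -Append
        $added++; continue
    }
    try {
        Add-QADGroupMember -Identity $GroupDN -Member $dn -ErrorAction Stop | Out-Null
        "$(Get-Date -Format s) ADDED $dn to $GroupDN" | Out-File $LogPath -Append
        $added++
    } catch {
        # One bad entry must not abort the rest of the run
        "$(Get-Date -Format s) FAILED $dn : $($_.Exception.Message)" | Out-File $LogPath -Append
        $failed++
    }
}
Write-Host "Added: $added  Skipped: $skipped  Failed: $failed  (log: $LogPath)"
```

Run it first with -DryRun and read the log; the "WOULD ADD" lines are the complete list of changes the live run will make, which is the review step a change ticket for group membership normally asks for.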

About

Derek Schauland has been tinkering with Windows systems since 1997. He has supported Windows NT 4, worked phone support for an ISP, and is currently the IT Manager for a manufacturing company in Wisconsin.

3 comments
ajft

Can you fix the example, your "ADSecureString" should be "AsSecureString" $pw = read-host "Enter your password" -ADSecureString

Craig_B

Yesterday I had one person who was a member of some groups and a few other users that needed to be in the same groups. Instead of writing a full script, I just threw together the following and ran it from the command line. I used the actual account names instead of the variables $UserA/B since it was such a simple task, but here's the generic example:

$UserAGroups = (get-qaduser $UserA).memberof
foreach ($group in $UserAGroups){add-qadgroupmember -Identity $group -member $UserB}

To make this into more of a script:

Write-Host "Copy UserA's groups to UserB (make UserB a member of UserA's groups)"
$UserA = Read-Host "Enter Source Account Name (UserA)"
$UserB = Read-Host "Enter Destination Account Name (UserB)"
$UserAGroups = (get-qaduser $UserA).memberof
foreach ($group in $UserAGroups){add-qadgroupmember -Identity $group -member $UserB}

You could tweak this to add a list of users, so UserA is one source and UserB is actually a list of users.

r3tic3nc3

If you know the SamAccountName of the user whose groups you want to mirror you can add another user to all of his/her groups with the following one-liner: Get-QADUser UserA | Get-QADMemberOf | Add-QADGroupMember -Member UserB
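Copying one account's memberships to another, as the two comments above describe, is the quickest way to accidentally hand out Domain Admins. The script below is an added example, not part of either comment or of Quest's code: it performs the same Get-QADMemberOf / Add-QADGroupMember mirroring but refuses groups on a deny-list, skips groups the target already belongs to, and supports a dry run. The account names, the deny-list contents and the -Identity parameter on Get-QADMemberOf are assumptions for the example.

```powershell
# Added example (not from the comments above): mirror UserA's groups onto UserB with guard rails.
# Assumes the Quest ActiveRoles cmdlets are loaded; account names and deny-list are placeholders.
param(
    [Parameter(Mandatory=$true)][string]$SourceUser,   # e.g. a SamAccountName
    [Parameter(Mandatory=$true)][string]$TargetUser,
    [switch]$DryRun
)

# Groups that must be granted through a change request, never cloned from another account
$denyList = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators')

# Resolve the target once and record its current groups so nothing is added twice
$target = Get-QADUser -Identity $TargetUser
if (-not $target) { throw "Target user not found: $TargetUser" }
$targetGroups = @{}
Get-QADMemberOf -Identity $target.DN | ForEach-Object { $targetGroups[$_.DN.ToLower()] = $true }

foreach ($group in (Get-QADUser -Identity $SourceUser | Get-QADMemberOf)) {
    if ($denyList -contains $group.Name) {
        Write-Warning "Refusing to copy privileged group '$($group.Name)'; request it separately"
        continue
    }
    if ($targetGroups.ContainsKey($group.DN.ToLower())) {
        Write-Host "Already a member: $($group.Name)"
        continue
    }
    if ($DryRun) {
        Write-Host "Would add $TargetUser to $($group.Name)"
        continue
    }
    Add-QADGroupMember -Identity $group.DN -Member $target.DN | Out-Null
    Write-Host "Added $TargetUser to $($group.Name)"
}
```

Keep the deny-list in a shared location rather than in the script, so every helper that clones access reads the same list of groups that require their own approval.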
