AD Group Membership Management « Dmitry’s PowerBlog: PowerShell and beyond

Manipulating AD group membership can definitely be one of the tasks you want to do in bulk and efficiently and PowerShell AD cmdlets are the best way of doing that. Below is my write-up on the main tasks you might need to perform and the PowerShell one-liners to do them.

The main tasks involve:

Populating groups based on user properties,
Copying group membership,
Comparing groups,
Restructuring groups.

Below is basically my PowerShell one-liners performing all of the task.

Let’s start with the simplest thing: create a group and populate it by users based on their attributes:

Get-QADUser -Department Accounting | Add-QADGroupMember DL.Accounting

Now, let’s copy the whole group membership to another group (I love this one-liner! Can you get simpler than that?):

Get-QADGroupMember DL.Accounting | Add-QADGroupMember AcctBackup

Let’s compare the two groups now to see whether the group membership is the same:
Compare-Object ( Get-QADGroupMember DL.Accounting) ( Get-QADGroupMember AcctBackup ) -IncludeEqual

InputObject                                                 SideIndicator
-----------                                                 -------------
CN=Jane Nikolsky,CN=Users,DC=domain1,DC=local               ==
CN=Chris Popolutsky,OU=Demo,DC=domain1,DC=local             ==
CN=Janus Demus,OU=Demo,DC=domain1,DC=local                  ==
CN=Kate Schmick,OU=Demo,DC=domain1,DC=local                 ==
CN=Natalia Karolli,OU=Demo,DC=domain1,DC=local              ==

Now, let’s split the accounting group into a few regional subgroups:

# Copy filtered group membership
Get-QADGroupMember DL.Accounting | where {$_.City -eq “Munich“} | Add-QADGroupMember DL.Munich.Accounting
Get-QADGroupMember DL.Accounting | where {$_.City -eq “Berlin“} | Add-QADGroupMember DL.Berlin.Accounting

# Nest the groups
Add-QADGroupMember -Identity DL.Accounting -Member domain1.local/demo/DL.Berlin.Accounting
Add-QADGroupMember -Identity DL.Accounting -Member domain1.local/demo/DL.Munich.Accounting

# Compare groups again
Compare-Object ( Get-QADGroupMember DL.Accounting) ( Get-QADGroupMember DL.Berlin.Accounting ) -IncludeEqual

InputObject                                                 SideIndicator
-----------                                                 -------------
CN=Janus Demus,OU=Demo,DC=domain1,DC=local                  ==
CN=Natalia Karolli,OU=Demo,DC=domain1,DC=local              ==
CN=Jane Nikolsky,CN=Users,DC=domain1,DC=local               <=
CN=Chris Popolutsky,OU=Demo,DC=domain1,DC=local             <=
CN=Kate Schmick,OU=Demo,DC=domain1,DC=local                 <=
CN=DL.Munich.Accounting,OU=Demo,DC=domain1,DC=local         <=
CN=DL.Berlin.Accounting,OU=Demo,DC=domain1,DC=local         <=

# Remove group member duplicates

Get-QADGroupMember DL.Berlin.Accounting | Remove-QADGroupMember DL.Accounting
Get-QADGroupMember DL.Munich.Accounting | Remove-QADGroupMember DL.Accounting

# Check if it worked
Compare-Object ( Get-QADGroupMember DL.Accounting) ( Get-QADGroupMember DL.Munich.Accounting ) -IncludeEqual

InputObject                                                 SideIndicator
-----------                                                 -------------
CN=Chris Popolutsky,OU=Demo,DC=domain1,DC=local             =>
CN=Kate Schmick,OU=Demo,DC=domain1,DC=local                 =>
CN=Jane Nikolsky,CN=Users,DC=domain1,DC=local               <=
CN=DL.Munich.Accounting,OU=Demo,DC=domain1,DC=local         <=
CN=DL.Berlin.Accounting,OU=Demo,DC=domain1,DC=local         <=

# No “Berlin” or “Munich” members left
Get-QADGroupMember DL.Accounting | ft Name, Type, City

Name                                    Type                                    City
----                                    ----                                    ----
Jane Nikolsky                           user                                    Orlando
DL.Munich.Accounting                    group
DL.Berlin.Accounting                    group

P.S. There are some known issues in AD cmdlets 1.0.5 which I worked around in the commands above. These will be fixed in later drops but I will mention them here just in case:

If you are adding members to a group not via a pipeline but by providing the -Member parameter, use canonical name for the new member.
If you have a group which has the same name as the beginning of another group name (e.g. AB and AB.CD) you might need to supply canonical name instead of name to disambiguate.

3 Responses to “AD Group Membership Management”

Feed for this Entry Trackback Address

1 Philipp November 6, 2007 at 3:36 pm

I think that the powershell method is not the best. Have you heard about active administrator ? I suppose it can do the same things without any coding.
2 dmitrysotnikov November 6, 2007 at 3:56 pm

Philipp, I have seen ScriptLogic’s Active Admin and it is a great tool.

By no means I am saying the PowerShell is the only way to manage groups. It is not and should not be. It is just a command-line which allows you to do tasks you can probably do with other means as well. It is just that sometimes UI is a better way to do some change, and sometimes it is the command-line.

As Jeffrey Snover was saying in Channel 9 it is not OR, it is AND: http://channel9.msdn.com/Showpost.aspx?postid=336098

When you have both UI and scripting/command-line you can pick the tool which is the most appropriate for your particular task. Choice is good.

Dmitry