Restructuring AD groups

Creating a subgroup and removing duplicate accounts from the parent group is easy. I have just done this to one of the groups I manage (the dev manager of one of the teams created a group for the team so I could include the group rather than individual members) and thought I would share the one-liner with you:

Compare-Object (Get-QADGroupMember MainGroup) (Get-QADGroupMember SubGroup) -ExcludeDifferent -IncludeEqual | Select -Expand InputObject | Remove-QADGroupMember MainGroup -WhatIf

Obviously, put your group names in there, and remove the -WhatIf if you want this command to actually change group membership.

The one-liner is pretty much self-explanatory:

  1. I first compare group membership of the two groups (using Compare-Object),
  2. Exclude the objects which are different and only retrieve the ones which are the same,
  3. Then I ask PowerShell to give me the actual objects (Select -Expand InputObject) – otherwise Compare-Object gives its wrappers with direction indicators and we do not need them here, and then
  4. Pipe these into the Remove-QADGroupMember command.

Very simple and saved me a few minutes today! Which I then used to write this blog post. 😉
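The same cleanup as an added example (not code from the original post), written against Microsoft's ActiveDirectory module instead of the Quest cmdlets. The function name Remove-DuplicateDirectMember and its parameters are hypothetical; it also refuses to run unless the subgroup is already nested in the parent, so nobody loses access when their direct membership is removed.

```powershell
# Added example. Assumes the ActiveDirectory (RSAT) module is installed.
# Remove-DuplicateDirectMember is a hypothetical helper, not a built-in cmdlet.
Import-Module ActiveDirectory

function Remove-DuplicateDirectMember {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$ParentGroup,
        [Parameter(Mandatory = $true)][string]$ChildGroup
    )

    # @() keeps empty groups as empty arrays instead of $null.
    $parentMembers = @(Get-ADGroupMember -Identity $ParentGroup)
    $childMembers  = @(Get-ADGroupMember -Identity $ChildGroup)
    $child         = Get-ADGroup -Identity $ChildGroup

    # Safety check: the subgroup must already be a direct member of the parent,
    # otherwise removing the direct memberships would cut those accounts off.
    $parentDns = @($parentMembers | ForEach-Object { $_.DistinguishedName })
    if ($parentDns -notcontains $child.DistinguishedName) {
        throw "'$ChildGroup' is not a member of '$ParentGroup'; nest it first."
    }

    # Accounts that are direct members of both groups (the "equal" side
    # of the Compare-Object call in the post), matched on distinguished name.
    $childDns   = @($childMembers | ForEach-Object { $_.DistinguishedName })
    $duplicates = @($parentMembers |
        Where-Object { $childDns -contains $_.DistinguishedName })

    foreach ($member in $duplicates) {
        # Honours -WhatIf / -Confirm passed to this function.
        if ($PSCmdlet.ShouldProcess($member.DistinguishedName,
                "Remove direct membership in '$ParentGroup'")) {
            Remove-ADGroupMember -Identity $ParentGroup -Members $member -Confirm:$false
            $member.DistinguishedName   # emit what was removed, for the change record
        }
    }
}

# Dry run first, using the placeholder group names from the post:
# Remove-DuplicateDirectMember -ParentGroup MainGroup -ChildGroup SubGroup -WhatIf
```

Run it with -WhatIf first and keep the emitted distinguished names so the change can be reviewed or reverted.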



The posts on this blog are provided “as is” with no warranties and confer no rights. The opinions expressed on this site are mine and mine alone, and do not necessarily represent those of my employer - WSO2 or anyone else for that matter. All trademarks acknowledged.

© 2007-2014 Dmitry Sotnikov

December 2009