Solved

Powershell script to pull all AD accounts from a specified OU and add them as member into a Security Group

Posted on 2014-11-11
Last Modified: 2014-11-21
Is there a PowerShell script that can pull all the users' AD accounts from an OU and add them to a specific Security Group? I want to automate this and not have to rely on each site helpdesk to add manually as a member of this group when setting up a new user. A lot of the time they forget, so the best way is having this scheduled to run daily.
Question by:CiscoAzn
12 Comments
 
LVL 29

Expert Comment

by:becraig
ID: 40436241
Something like this should work:

Get-ADUser -Filter * -SearchBase "OU=OU, DC=domain, DC=com" | % { add-adgroupmember  - identity <groupname> -member $_.samaccountname }

 

Author Comment

by:CiscoAzn
ID: 40436279
No this did not work.
 
LVL 29

Expert Comment

by:becraig
ID: 40436296
What specifically did not work?

I am hoping you actually put in the right values for the OU and for the groupname?
 
LVL 24

Expert Comment

by:VB ITS
ID: 40437412
Try this:
Get-ADUser -SearchBase 'OU=Users,OU=Company,DC=domain,DC=com' -Filter * | % { Add-ADGroupMember 'Name of Security Group' -Members $_ }

Make sure you modify the bit after the -SearchBase switch to match your environment. Also change the 'Name of Security Group' to match the pre-Windows 2000 name of your group.
 
LVL 24

Expert Comment

by:VB ITS
ID: 40437426
To elaborate, here's a screenshot of the properties of a Security Group where I changed its name but not the pre-Windows 2000 name.

[Screenshot: Security-Group-Names.png]

If you look at the top bar, you'll see that I've named the group Dummy Group. If I then attempt to run the above script and use the group name Dummy Group then PowerShell will spit out an error for each and every user in the OU.

If I change the script to use the group name Security Group then it will work as expected and add all the users within the OU to the group.

Hope this clears things up.
 

Author Comment

by:CiscoAzn
ID: 40438835
VB ITS ... this worked!! Can you tell me if you know how to pull multiple OUs into one single security group?
 
LVL 29

Expert Comment

by:becraig
ID: 40438843
I am not sure what would have worked in the script VBITS provided that would not in mine since they are exactly the same thing?

Are you asking to have the members of multiple OUs added to a single security group?
If so, you can either populate a text file with all the OUs and simply pipe into a foreach loop.
 

Author Comment

by:CiscoAzn
ID: 40438858
becraig,
Your script gave me multiple errors. Can you give me an example of what you're stating to populate all the OUs?
 
LVL 29

Expert Comment

by:becraig
ID: 40438870
You can get all OUs using Get-ADOrganizationalUnit, e.g.:
Get-ADOrganizationalUnit -Filter 'Name -like "*"' | FT Name, DistinguishedName -A

More info:

http://ss64.com/ps/get-adorganizationalunit.html
 

Author Comment

by:CiscoAzn
ID: 40438879
That's not really helping me if there are no real examples that can be scripted and tested.
 
LVL 29

Expert Comment

by:becraig
ID: 40438900
There are 3 examples on the page I provided the link to, but let me post them here:
Examples

Get all the Organizational Units in the domain:

PS C:\> Get-ADOrganizationalUnit -Filter 'Name -like "*"' | FT Name, DistinguishedName -A

Gets the Organizational Unit with DistinguishedName 'OU=Sydney,OU=Demo,DC=SS64,DC=COM':

PS C:\> Get-ADOrganizationalUnit -Identity 'OU=Sydney,OU=Demo,DC=SS64,DC=COM' | FT Name,Country,PostalCode,City,StreetAddress,State -A

Gets OUs underneath the 'Sydney' Organizational Unit using an LDAP filter:

PS C:\> Get-ADOrganizationalUnit -LDAPFilter '(name=*)' -SearchBase 'OU=Sydney,OU=Demo,DC=SS64,DC=COM' -SearchScope OneLevel | FT Name,Country,PostalCode,City,StreetAddress,State
 
LVL 24

Accepted Solution

by:
VB ITS earned 2000 total points
ID: 40439161
You can use this CiscoAzn:
$OUs = 'OU=Users1,OU=Company,DC=domain,DC=com','OU=Users2,OU=Company,DC=domain,DC=com','OU=Users3,OU=Company,DC=domain,DC=com'

$OUs | ForEach { Get-ADUser -Filter * -SearchBase $_ | % { Add-ADGroupMember 'Name of Security Group' -Members $_ }}

Just modify the first line as needed and add/remove the DNs for your OUs separated by a comma.
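
Added example, not posted by anyone in this thread: a variant of the multi-OU approach above shaped for the daily scheduled run the question asks for. It reads the group's membership once, adds only users who are not already members, supports -WhatIf, and logs each addition. The OU and group distinguished names and the log path are placeholders, and restricting the sync to enabled accounts is an assumption of this example.

```powershell
#Requires -Modules ActiveDirectory
# Added example: repeatable OU-to-group sync for a scheduled task.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Placeholder OU DNs; replace with the OUs in your domain.
    [string[]]$SearchBase = @(
        'OU=Users1,OU=Company,DC=domain,DC=com',
        'OU=Users2,OU=Company,DC=domain,DC=com'
    ),
    # Placeholder group DN. A distinguished name stays unambiguous even when
    # the group's name and its pre-Windows 2000 name differ.
    [string]$GroupDN = 'CN=Name of Security Group,OU=Groups,OU=Company,DC=domain,DC=com',
    # Hypothetical log location; the task account needs write access to it.
    [string]$LogPath = 'C:\Logs\ou-group-sync.log'
)

$ErrorActionPreference = 'Stop'

# Read the current members (as DNs) once, not once per user.
$current = @((Get-ADGroup -Identity $GroupDN -Properties Members).Members)

# Collect enabled users from every OU that are not yet in the group.
# -notcontains compares strings case-insensitively, which suits DNs.
$missing = foreach ($ou in $SearchBase) {
    Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $ou |
        Where-Object { $current -notcontains $_.DistinguishedName }
}

# Nested or overlapping search bases can return the same user twice.
$missing = @($missing | Sort-Object -Property DistinguishedName -Unique)

if ($missing.Count -eq 0) {
    Write-Verbose 'Group membership already up to date.'
    return
}

if ($PSCmdlet.ShouldProcess($GroupDN, "Add $($missing.Count) user(s)")) {
    # One call for the whole batch.
    Add-ADGroupMember -Identity $GroupDN -Members $missing

    # One log line per addition so group changes can be reviewed later.
    $missing | ForEach-Object {
        '{0:s} added {1} to {2}' -f (Get-Date), $_.SamAccountName, $GroupDN
    } | Add-Content -Path $LogPath
}
```

Run it once with -WhatIf to see how many accounts would be added before scheduling it, and run the task under an account delegated only the right to modify that one group's membership.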
Question has a verified solution.
