Solved

PowerShell script to copy a Distribution Group and create a new security group - E2K10

Posted on 2015-01-08
Last Modified: 2015-01-09
Is it possible to copy a distribution group to a new security group? I have several DGs that have the members I want to be in a new Security Group. Some of the DGs have 50 or 60 people and I'm trying to avoid having to add them in one by one.
Question by:msidnam
10 Comments
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40537964
You should be able to do this via powershell... See below.

import-module activedirectory
$DistributionGroup = "CN=DisGroupName,OU=GroupOUName,DC=domain,DC=com"
$SecurityGroup = "CN=SecGroupName,OU=GroupOUName,DC=domain,DC=com"

$AddMember = Get-DistributionGroupMember -Identity $DistributionGroup
foreach ($User in $AddMember) {
    Add-AdGroupMember -identity $SecurityGroup -Members $User.distinugishedName
}


Will.
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 40537975
Aren't Mail Enabled Security groups a better option IF both groups have the same membership? You don't need both groups at all.
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40538214
I would agree to a certain extent but Mail Enabled Security Groups are not a great practice in regards to Security.

Example.
If you have a cross-departmental project with multiple users from different departments that have different levels of access within the company, and you use a Mail Enabled Security Group for project updates, you will need to add all of these members to one of the departments' mail enabled security groups (say Accounting_MailEnabledSecurityGroup). While all of the people on the project will get the email updates, everyone that is not in the Accounting Department will now have access to files or share access to anything this Mail Enabled Security Group has access to: a security hole.

This also applies to a user from, say, "Marketing" who needs to be informed of monthly meeting updates. If you have Security and Distribution Groups you can just add this person to the Distribution Group rather than a Mail Enabled Security Group which has ACLs tied to it.

I personally like to keep my Distribution Groups and Security Groups separate so I know exactly the purpose for adding specific people. It might be a little more work at first creating them, but it will be much easier to identify.

Mail Enabled Security Groups have their place and benefits, but if you want a more secure proof environment you should keep them separate as much as possible IMO.

Will.
0
 
LVL 2

Author Comment

by:msidnam
ID: 40538429
I changed the code to match my environment, but I get the error below:

Add-ADGroupMember : Cannot validate argument on parameter 'Members'. The argument is null or empty. Supply an argument
that is not null or empty and then try the command again.
At C:\scripts\DGtoSG.ps1:7 char:69
+                  Add-AdGroupMember -identity $SecurityGroup -Members <<<<  $User.distinugishedName
    + CategoryInfo          : InvalidData: (:) [Add-ADGroupMember], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.ActiveDirectory.Management.Commands.AddADGrou
   pMember
0
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 500 total points
ID: 40539295
OK, sorry about that. I was just looking at the script and I forgot to add the Exchange snap-in. This is why you are getting this error message. I have redone the script and I have tested this in my lab and it works without issues.

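# Load the Active Directory module (Add-ADGroupMember) and the Exchange snap-in (Get-DistributionGroupMember)
import-module activedirectory
Add-PSSnapin microsoft.exchange.management.powershell.admin
# Distinguished names of the source distribution group and the target security group
$DistributionGroup = "CN=testing1,OU=DomainUsers,DC=a,DC=com"
$SecurityGroup = "CN=AD_Group2,OU=DomainUsers,DC=a,DC=com"

# Read the distribution group's members and add each one to the security group
$AddMember = Get-DistributionGroupMember -Identity $DistributionGroup
foreach ($User in $AddMember) {
    Add-AdGroupMember -identity $SecurityGroup -Members $User.distinguishedName
}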


Depending on the version of Exchange you have the snap-ins are different commands.

Exchange 2007: add-pssnapin microsoft.exchange.management.powershell.admin
Exchange 2010: add-pssnapin microsoft.exchange.management.powershell.e2010
Exchange 2013: add-pssnapin microsoft.exchange.management.powershell.e2013

Replace the second line with the Exchange version you have in your environment.

Also change the Distribution and Security Group DistinguishedNames.

Will.
0
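
An added example, not part of the original thread or of Will's script: the same copy with guard rails, since every account added to the security group gains whatever access its ACLs grant. It assumes the Exchange cmdlets are already loaded (EMS, or the snap-in for your version), reuses the thread's placeholder DNs, and introduces $Apply and $allowed as illustrative names.

```powershell
# Added example. Strict mode turns a misspelled property name into a
# terminating error instead of a silent $null passed to -Members.
Set-StrictMode -Version 2.0
Import-Module ActiveDirectory

# Placeholder DNs carried over from the thread; change them for your environment.
$DistributionGroup = "CN=testing1,OU=DomainUsers,DC=a,DC=com"
$SecurityGroup     = "CN=AD_Group2,OU=DomainUsers,DC=a,DC=com"

# Illustrative switch: leave $false to preview with -WhatIf, set $true to apply.
$Apply = $false

# Refuse to run if the target is not actually a security group.
$target = Get-ADGroup -Identity $SecurityGroup
if ("$($target.GroupCategory)" -ne 'Security') {
    throw "$SecurityGroup is not a security group"
}

# DNs already in the target, so a re-run only touches new members.
$existing = @(Get-ADGroupMember -Identity $SecurityGroup |
    ForEach-Object { $_.distinguishedName })

# Recipient types copied automatically (assumption: user accounts only).
$allowed = 'UserMailbox', 'MailUser', 'User'

$members = @(Get-DistributionGroupMember -Identity $DistributionGroup -ResultSize Unlimited)
foreach ($m in $members) {
    $dn = $m.DistinguishedName

    # Contacts and nested groups are reported rather than copied: a nested
    # group would hand the target's access to everyone inside it.
    if ($allowed -notcontains "$($m.RecipientType)") {
        Write-Warning "Skipped $($m.RecipientType): $dn"
        continue
    }
    if ($existing -contains $dn) { continue }

    Add-ADGroupMember -Identity $SecurityGroup -Members $dn -WhatIf:(-not $Apply)
}
```

Review the -WhatIf output and the skipped-recipient warnings before setting $Apply to $true.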
 
LVL 2

Author Comment

by:msidnam
ID: 40540033
I was doing this from the EMS before. Should I be doing this from a normal PowerShell window?
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 40540058
EMS is fine.
0
 
LVL 2

Author Comment

by:msidnam
ID: 40540133
I am doing it from EMS. While I get the error below, it does work and copies the members from the DG to the Sec Group:

Add-PSSnapin : A positional parameter cannot be found that accepts argument 'microsoft.exchange.management.powershell.e
2010'.
At C:\scripts\DGtoSG.ps1:2 char:13
+ Add-PSSnapin <<<<  add-pssnapin microsoft.exchange.management.powershell.e2010
    + CategoryInfo          : InvalidArgument: (:) [Add-PSSnapin], ParameterBindingException
    + FullyQualifiedErrorId : PositionalParameterNotFound,Microsoft.PowerShell.Commands.AddPSSnapinCommand

I commented out: add-pssnapin microsoft.exchange.management.powershell.e2010

and it works perfectly. However, I don't see a difference between the original one you did for me and this one other than add-pssnapin microsoft.exchange.management.powershell.e2010. Perhaps my formatting was wrong and it didn't like the -Members option? I did this through a program called PowerGUI Script Editor that understands the PowerShell language.
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40540228
I rarely use the EMS. I always use PowerShell with added snap-ins and modules. It is more flexible IMO. When I ran the script from PowerShell ISE or Console it worked without any errors and copied the groups successfully.

Also, the difference between the 2 scripts is that if you copied my first script exactly, there is a typo in $user.DistinguishedName ($User.distinugishedName),

which was probably throwing the error message. If you were doing it in the EMS the entire time then you didn't need to add the pssnapin.

Will.
0
 
LVL 2

Author Comment

by:msidnam
ID: 40540337
I'm getting old. My eyes aren't what they used to be. I was trying to figure out what the difference was and I didn't catch the typo. Everything is working great. Thanks again.
0
