Solved

PowerShell script to copy a Distribution Group and create a new security group - E2K10

Posted on 2015-01-08
Last Modified: 2015-01-09
Is it possible to copy a distribution group to a new security group? I have several DGs that have the members I want to be in a new Security Group. Some of the DGs have 50 or 60 people and I'm trying to avoid having to add them in one by one.
Question by:msidnam
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40537964
You should be able to do this via powershell... See below.

import-module activedirectory
$DistributionGroup = "CN=DisGroupName,OU=GroupOUName,DC=domain,DC=com"
$SecurityGroup = "CN=SecGroupName,OU=GroupOUName,DC=domain,DC=com"

$AddMember = Get-DistributionGroupMember -Identity $DistributionGroup
         foreach ($User in $AddMember) {
                 Add-AdGroupMember -identity $SecurityGroup -Members $User.distinugishedName
           }


Will.
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 40537975
Are not Mail Enabled Security groups a better option IF both groups have the same membership? You don't need both groups at all.
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40538214
I would agree to a certain extent, but Mail Enabled Security Groups are not a great practice in regards to Security.

Example.
If you have a cross-departmental project with multiple users from different departments that have different levels of access within the company, if you use a Mail Enabled Security Group for project updates, you will need to add all of these members to one of the departments' mail enabled security groups (say Accounting_MailEnabledSecurityGroup). While all of the people on the project will get the email updates, everyone that is not in the Accounting Department will now have access to files or share access to anything this Mail Enabled Security Group has access to. Security hole.

This also applies to a user from say "Marketing" that needs to be informed of monthly meeting updates. If you have Security and Distribution Groups, you can just add this person to the Distribution Group rather than a Mail Enabled Security Group which has ACLs tied to it.

I personally like to keep my Distribution Group and Security Groups separate so I know exactly the purpose for adding specific people. Might be a little more work at first creating them but it will be much easier to identify.

Mail Enabled Security Groups have their place and benefits, but if you want a more secure proof environment you should keep them separate as much as possible IMO.

Will.
0
 
LVL 2

Author Comment

by:msidnam
ID: 40538429
I changed the code to match my environment, but I get the error below:

Add-ADGroupMember : Cannot validate argument on parameter 'Members'. The argument is null or empty. Supply an argument
that is not null or empty and then try the command again.
At C:\scripts\DGtoSG.ps1:7 char:69
+                  Add-AdGroupMember -identity $SecurityGroup -Members <<<<  $User.distinugishedName
    + CategoryInfo          : InvalidData: (:) [Add-ADGroupMember], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.ActiveDirectory.Management.Commands.AddADGrou
   pMember
0
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 500 total points
ID: 40539295
Ok, sorry about that. I was just looking at the script and I forgot to add the Exchange snap-in. This is why you are getting this error message. I have redone the script and I have tested this in my lab and it works without issues.

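# Load the AD cmdlets (Add-ADGroupMember) and the Exchange cmdlets (Get-DistributionGroupMember)
Import-Module ActiveDirectory
# Snap-in name depends on the Exchange version; see the list below
Add-PSSnapin microsoft.exchange.management.powershell.admin
$DistributionGroup = "CN=testing1,OU=DomainUsers,DC=a,DC=com"
$SecurityGroup = "CN=AD_Group2,OU=DomainUsers,DC=a,DC=com"

# Read every member of the distribution group and add it to the security group by DN
$AddMember = Get-DistributionGroupMember -Identity $DistributionGroup
foreach ($User in $AddMember) {
    Add-ADGroupMember -Identity $SecurityGroup -Members $User.distinguishedName
}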


Depending on the version of Exchange you have, the snap-ins are different commands.

Exchange 2007: add-pssnapin microsoft.exchange.management.powershell.admin
Exchange 2010: add-pssnapin microsoft.exchange.management.powershell.e2010
Exchange 2013: add-pssnapin microsoft.exchange.management.powershell.e2013

Replace the second line with the Exchange version you have in your environment.

Also change the Distribution and Security Group DistinguishedNames.

Will.
0
 
LVL 2

Author Comment

by:msidnam
ID: 40540033
I was doing this from the EMS before. Should I be doing this from a normal PowerShell window?
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 40540058
EMS is fine.
0
 
LVL 2

Author Comment

by:msidnam
ID: 40540133
I am doing it from EMS. While I get the error below, it does work and copies the members from the DG to the Sec Group:

Add-PSSnapin : A positional parameter cannot be found that accepts argument 'microsoft.exchange.management.powershell.e
2010'.
At C:\scripts\DGtoSG.ps1:2 char:13
+ Add-PSSnapin <<<<  add-pssnapin microsoft.exchange.management.powershell.e2010
    + CategoryInfo          : InvalidArgument: (:) [Add-PSSnapin], ParameterBindingException
    + FullyQualifiedErrorId : PositionalParameterNotFound,Microsoft.PowerShell.Commands.AddPSSnapinCommand

I commented out: add-pssnapin microsoft.exchange.management.powershell.e2010

and it works perfectly. However, I don't see a difference between the original one you did for me and this one other than add-pssnapin microsoft.exchange.management.powershell.e2010. Perhaps my formatting was wrong and it didn't like the -Members option? I did this through a program called PowerGUI Script Editor that understands the PowerShell language.
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40540228
I rarely use the EMS. I always use PowerShell with added snap-ins and modules. It is more flexible IMO. When I ran the script from PowerShell ISE or Console it worked without any errors and copied the groups successfully.

Also, the difference between the 2 scripts is that if you copied my first script exactly, there is a typo in $user.DistinguishedName ($User.distinugishedName),

which was probably throwing the error message. If you were doing it in the EMS the entire time then you didn't need to add the pssnapin.

Will.
0
 
LVL 2

Author Comment

by:msidnam
ID: 40540337
I'm getting old. My eyes aren't what they used to be. I was trying to figure out what was the difference and I didn't catch the typo. Everything is working great. Thanks again.
0
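
Added example (not part of the thread or any participant's code): a preview-first version of the copy that turns the misspelled-property failure seen above into an immediate error and shows who would gain the security group's access before anything is changed. The `-Commit` switch and the `$allowedTypes` filter are assumptions introduced here; the group DNs are the lab values from the accepted answer.

```powershell
# Added example: preview-first copy of DG members into a security group.
# Group DNs are the lab values from the accepted answer; change them.
param(
    [string]$DistributionGroup = "CN=testing1,OU=DomainUsers,DC=a,DC=com",
    [string]$SecurityGroup     = "CN=AD_Group2,OU=DomainUsers,DC=a,DC=com",
    [switch]$Commit   # hypothetical switch: without it nothing is changed
)

# A misspelled property such as .distinugishedName now raises an error
# instead of silently evaluating to $null and failing later in -Members.
Set-StrictMode -Version 2.0
$ErrorActionPreference = "Stop"

Import-Module ActiveDirectory
# Inside the Exchange Management Shell the cmdlet already exists,
# so the snap-in is only loaded when it is missing.
if (-not (Get-Command Get-DistributionGroupMember -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010
}

# Current members of the security group, so reruns skip them.
$existing = @(Get-ADGroupMember -Identity $SecurityGroup |
    ForEach-Object { $_.distinguishedName })

# Assumption: only mailbox users and mail users should receive ACL access;
# contacts and nested groups are reported and skipped.
$allowedTypes = @("UserMailbox", "MailUser")

$members = @(Get-DistributionGroupMember -Identity $DistributionGroup -ResultSize Unlimited)
foreach ($member in $members) {
    $dn = $member.DistinguishedName
    if ($allowedTypes -notcontains $member.RecipientType.ToString()) {
        Write-Warning "Skipping $dn (RecipientType $($member.RecipientType))"
        continue
    }
    if ($existing -contains $dn) { continue }
    # With -WhatIf the cmdlet only prints what it would add.
    Add-ADGroupMember -Identity $SecurityGroup -Members $dn -WhatIf:(-not $Commit)
}
```

Run it once without `-Commit` and review the "What if" lines and warnings, since every listed account will inherit whatever ACLs the security group carries; rerun with `-Commit` to apply.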
