?
Solved

Power shell script to copy a Distribution Group and create a new security group - E2K10

Posted on 2015-01-08
10
Medium Priority
?
2,849 Views
Last Modified: 2015-01-09
Is it possible to copy a distribution group to a new security group? I have several DG's that have the members i want to be in a new Security Group. Some of the DG's have 50 or 60 people and im trying to avoid having to add them in one by one.
0
Comment
Question by:msidnam
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 4
  • 2
10 Comments
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40537964
You should be able to do this via powershell... See below.

import-module activedirectory
$DistributionGroup = "CN=DisGroupName,OU=GroupOUName,DC=domain,DC=com"
$SecurityGroup = "CN=SecGroupName,OU=GroupOUName,DC=domain,DC=com"

$AddMember = Get-DistributionGroupMember -Identity $DistributionGroup
         foreach ($User in $AddMember) {
                 Add-AdGroupMember -identity $SecurityGroup -Members $User.distinugishedName
           }

Open in new window


Will.
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 40537975
Are not Mail Enabled Security groups  better option IF both groups have the same membership? You dont need both groups at all.
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40538214
I would agree to a certain extent but Mail Enabled Security Groups are not a great practice in regards to Security.

Example.
If you have a cross-departmental project with multiple users from different departments that have different levels of access within the company if you use a Mail Enabled Security Group for Projects updates you will need to add all of these members to one of the departments mail enabled security groups (say Accounting_MailEnabledSecurityGroup). While all of the people on the project will get the email updates everyone that is not in the Accounting Department will now have access to files or share access to anything this Mail Enabled Security Group has access to, Security Hold.

This also applies to a users from say "Marketing" that needs to be informed of monthly meeting updates. If you have Security and Distribution Groups you can just add this person to the Distribution Group rather than a Mail ENabled Security Group which has ACL's tied to it.

I personally like to keep my Distribution Group and Security Groups separate so i know exactly the purpose for adding specific people. Might be a little more work at first creating them but it will be much easier to identify.

Mail Enabled Security Groups have there place and benefits but if you want a more secure proof environment you should keep them separate as much as possible IMO.

Will.
0
Veeam Task Manager for Hyper-V

Task Manager for Hyper-V provides critical information that allows you to monitor Hyper-V performance by displaying real-time views of CPU and memory at the individual VM-level, so you can quickly identify which VMs are using host resources.

 
LVL 2

Author Comment

by:msidnam
ID: 40538429
I changed the code to match my environment, but i get he error below:

Add-ADGroupMember : Cannot validate argument on parameter 'Members'. The argument is null or empty. Supply an argument
that is not null or empty and then try the command again.
At C:\scripts\DGtoSG.ps1:7 char:69
+                  Add-AdGroupMember -identity $SecurityGroup -Members <<<<  $User.distinugishedName
    + CategoryInfo          : InvalidData: (:) [Add-ADGroupMember], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.ActiveDirectory.Management.Commands.AddADGrou
   pMember
0
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 2000 total points
ID: 40539295
Ok sorry about that. I was just looking at the script and I forgot to add the Exchange snap-in. This is why you are getting this error message. I have re-did the script and i have tested this in my lab and it works without issues.

import-module activedirectory
Add-PSSnapin microsoft.exchange.management.powershell.admin
$DistributionGroup = "CN=testing1,OU=DomainUsers,DC=a,DC=com"
$SecurityGroup = "CN=AD_Group2,OU=DomainUsers,DC=a,DC=com"

$AddMember = Get-DistributionGroupMember -Identity $DistributionGroup
         foreach ($User in $AddMember) {
                 Add-AdGroupMember -identity $SecurityGroup -Members $User.distinguishedName
           }

Open in new window


Depending on the version of Exchange you have the snap-ins are different commands.

Exchange 2007: add-pssnapin microsoft.exchange.management.powershell.admin
Exchange 2010: add-pssnapin microsoft.exchange.management.powershell.e2010
Exchange 2013: add-pssnapin microsoft.exchange.management.powershell.e2013

Replace the second line with the Exchange version you have in your environment.

Also change the Distribution and Security Group DistinguishedNames.

Will.
0
 
LVL 2

Author Comment

by:msidnam
ID: 40540033
I was doing this from the EMS before. should i be doing this from a normal powershell window?
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 40540058
EMS is fine.
0
 
LVL 2

Author Comment

by:msidnam
ID: 40540133
I am doing it from EMS. While i get the error below, it does work and copies thememebers from the DG to the Sec Group:

Add-PSSnapin : A positional parameter cannot be found that accepts argument 'microsoft.exchange.management.powershell.e
2010'.
At C:\scripts\DGtoSG.ps1:2 char:13
+ Add-PSSnapin <<<<  add-pssnapin microsoft.exchange.management.powershell.e2010
    + CategoryInfo          : InvalidArgument: (:) [Add-PSSnapin], ParameterBindingException
    + FullyQualifiedErrorId : PositionalParameterNotFound,Microsoft.PowerShell.Commands.AddPSSnapinCommand

I commented out: add-pssnapin microsoft.exchange.management.powershell.e2010

and it works perfectly. However, i dont see a difference between the original one you did for me and this one other than, add-pssnapin microsoft.exchange.management.powershell.e2010. Perhaps my formatting was wrong and it didnt like the -Members option? I did this through a program called PowerGUI Script editor that understands powershell language.
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40540228
I rarely use the EMS. I always use powershell with added snap-ins and modules. It is more flexible IMO. When i ran the script from powershell ISE or Console it worked with out and errors and copied the groups successfully.

Also the difference between the 2 scripts is that if you copied my first script exactly there is a typo in $user.DistinguishedName ( $User.distinugishedName)

Which was probably throwing the error message. If you were doing it in the EMS the entire time time then you didn't need to add the pssnapin.

Will.
0
 
LVL 2

Author Comment

by:msidnam
ID: 40540337
I'm getting old. My eyes aren't what they used to be. I was trying to figure out what was the difference and i didn't catch the typo. Everything is working great. Thanks again.
0

Featured Post

Prepare for your VMware VCP6-DCV exam.

Josh Coen and Jason Langer have prepared the latest edition of VCP study guide. Both authors have been working in the IT field for more than a decade, and both hold VMware certifications. This 163-page guide covers all 10 of the exam blueprint sections.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A project that enables an administrator to perform actions within a user session context not just at the time of login but any time later on day(s) or week(s) later.
Recently we ran in to an issue while running some SQL jobs where we were trying to process the cubes.  We got an error saying failure stating 'NT SERVICE\SQLSERVERAGENT does not have access to Analysis Services. So this is a way to automate that wit…
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…
This video discusses moving either the default database or any database to a new volume.
Suggested Courses
Course of the Month10 days, 1 hour left to enroll

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question