Solved

Power shell script to copy a Distribution Group and create a new security group - E2K10

Posted on 2015-01-08
Last Modified: 2015-01-09
Is it possible to copy a distribution group to a new security group? I have several DGs that have the members I want to be in a new Security Group. Some of the DGs have 50 or 60 people and I'm trying to avoid having to add them in one by one.
Question by:msidnam
10 Comments
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40537964
You should be able to do this via powershell... See below.

import-module activedirectory
$DistributionGroup = "CN=DisGroupName,OU=GroupOUName,DC=domain,DC=com"
$SecurityGroup = "CN=SecGroupName,OU=GroupOUName,DC=domain,DC=com"

$AddMember = Get-DistributionGroupMember -Identity $DistributionGroup
         foreach ($User in $AddMember) {
                 Add-AdGroupMember -identity $SecurityGroup -Members $User.distinugishedName
           }



Will.
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 40537975
Are Mail Enabled Security groups not a better option IF both groups have the same membership? You don't need both groups at all.
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40538214
I would agree to a certain extent but Mail Enabled Security Groups are not a great practice in regards to Security.

Example.
If you have a cross-departmental project with multiple users from different departments that have different levels of access within the company, and you use a Mail Enabled Security Group for project updates, you will need to add all of these members to one of the departments' mail enabled security groups (say Accounting_MailEnabledSecurityGroup). While all of the people on the project will get the email updates, everyone that is not in the Accounting Department will now have access to files or share access to anything this Mail Enabled Security Group has access to: a security hole.

This also applies to a user from, say, "Marketing" who needs to be informed of monthly meeting updates. If you have Security and Distribution Groups you can just add this person to the Distribution Group rather than a Mail Enabled Security Group which has ACLs tied to it.

I personally like to keep my Distribution Groups and Security Groups separate so I know exactly the purpose for adding specific people. It might be a little more work at first creating them but it will be much easier to identify.

Mail Enabled Security Groups have their place and benefits, but if you want a more secure proof environment you should keep them separate as much as possible IMO.

Will.
0
 
LVL 2

Author Comment

by:msidnam
ID: 40538429
I changed the code to match my environment, but I get the error below:

Add-ADGroupMember : Cannot validate argument on parameter 'Members'. The argument is null or empty. Supply an argument
that is not null or empty and then try the command again.
At C:\scripts\DGtoSG.ps1:7 char:69
+                  Add-AdGroupMember -identity $SecurityGroup -Members <<<<  $User.distinugishedName
    + CategoryInfo          : InvalidData: (:) [Add-ADGroupMember], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.ActiveDirectory.Management.Commands.AddADGrou
   pMember
0
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 500 total points
ID: 40539295
OK, sorry about that. I was just looking at the script and I forgot to add the Exchange snap-in. This is why you are getting this error message. I have redone the script and I have tested this in my lab and it works without issues.

import-module activedirectory
Add-PSSnapin microsoft.exchange.management.powershell.admin
$DistributionGroup = "CN=testing1,OU=DomainUsers,DC=a,DC=com"
$SecurityGroup = "CN=AD_Group2,OU=DomainUsers,DC=a,DC=com"

$AddMember = Get-DistributionGroupMember -Identity $DistributionGroup
         foreach ($User in $AddMember) {
                 Add-AdGroupMember -identity $SecurityGroup -Members $User.distinguishedName
           }



Depending on the version of Exchange you have the snap-ins are different commands.

Exchange 2007: add-pssnapin microsoft.exchange.management.powershell.admin
Exchange 2010: add-pssnapin microsoft.exchange.management.powershell.e2010
Exchange 2013: add-pssnapin microsoft.exchange.management.powershell.e2013

Replace the second line with the Exchange version you have in your environment.

Also change the Distribution and Security Group DistinguishedNames.

Will.
0
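
An added example (not code from any poster in this thread): a dry-run variant of the accepted script that checks the target really is a security group, skips members with no DistinguishedName (the condition behind the "argument is null or empty" error above) and non-mailbox recipients such as contacts or nested groups, and only changes membership when `$Apply` is set. `$Apply`, `$allowedTypes` and the mailbox-users-only policy are assumptions made for illustration; the group DNs are the lab values from the accepted answer.

```powershell
# Added example; not from the thread. Written to run on PowerShell 2.0 (Exchange 2010 era).
Import-Module ActiveDirectory
# Inside the Exchange Management Shell the cmdlet already exists, so the snap-in is skipped.
if (-not (Get-Command Get-DistributionGroupMember -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010
}

$DistributionGroup = "CN=testing1,OU=DomainUsers,DC=a,DC=com"   # lab DN from the accepted answer
$SecurityGroup     = "CN=AD_Group2,OU=DomainUsers,DC=a,DC=com"  # lab DN from the accepted answer
$Apply        = $false            # hypothetical switch: $false = dry run (-WhatIf)
$allowedTypes = @('UserMailbox')  # assumed policy: copy mailbox users only

# Stop unless the target really is a security group.
$target = Get-ADGroup -Identity $SecurityGroup -Properties member
if ($target.GroupCategory.ToString() -ne 'Security') {
    throw "$SecurityGroup is not a security group"
}

# @() keeps an empty group from being iterated as a single $null on PowerShell 2.0.
$members = @(Get-DistributionGroupMember -Identity $DistributionGroup -ResultSize Unlimited)
$toAdd = @(); $skipped = @()
foreach ($m in $members) {
    $dn   = $m.DistinguishedName
    $type = "$($m.RecipientType)"
    if (-not $dn) {
        $skipped += "$($m.Name) (no DistinguishedName)"   # would hit the null -Members error
    } elseif ($allowedTypes -notcontains $type) {
        $skipped += "$($m.Name) ($type)"                  # contact, nested group, etc.
    } elseif ($target.member -notcontains $dn) {
        $toAdd += $dn                                     # not yet in the security group
    }
}

# Report what was left out, then add (or only preview) the rest.
$skipped | ForEach-Object { Write-Warning "Not copied: $_" }
foreach ($dn in $toAdd) {
    Add-ADGroupMember -Identity $SecurityGroup -Members $dn -WhatIf:(-not $Apply)
}
"{0} member(s) to add, {1} skipped" -f $toAdd.Count, $skipped.Count
```

Review the "What if" output and the skipped list before setting `$Apply = $true`, since every account added inherits whatever ACLs the security group holds.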
 
LVL 2

Author Comment

by:msidnam
ID: 40540033
I was doing this from the EMS before. Should I be doing this from a normal PowerShell window?
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 40540058
EMS is fine.
0
 
LVL 2

Author Comment

by:msidnam
ID: 40540133
I am doing it from EMS. While I get the error below, it does work and copies the members from the DG to the Sec Group:

Add-PSSnapin : A positional parameter cannot be found that accepts argument 'microsoft.exchange.management.powershell.e
2010'.
At C:\scripts\DGtoSG.ps1:2 char:13
+ Add-PSSnapin <<<<  add-pssnapin microsoft.exchange.management.powershell.e2010
    + CategoryInfo          : InvalidArgument: (:) [Add-PSSnapin], ParameterBindingException
    + FullyQualifiedErrorId : PositionalParameterNotFound,Microsoft.PowerShell.Commands.AddPSSnapinCommand

I commented out: add-pssnapin microsoft.exchange.management.powershell.e2010

and it works perfectly. However, I don't see a difference between the original one you did for me and this one other than add-pssnapin microsoft.exchange.management.powershell.e2010. Perhaps my formatting was wrong and it didn't like the -Members option? I did this through a program called PowerGUI Script Editor that understands the PowerShell language.
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40540228
I rarely use the EMS. I always use PowerShell with added snap-ins and modules. It is more flexible IMO. When I ran the script from PowerShell ISE or Console it worked without any errors and copied the groups successfully.

Also the difference between the 2 scripts is that if you copied my first script exactly there is a typo in $user.DistinguishedName ( $User.distinugishedName)

Which was probably throwing the error message. If you were doing it in the EMS the entire time then you didn't need to add the pssnapin.

Will.
0
 
LVL 2

Author Comment

by:msidnam
ID: 40540337
I'm getting old. My eyes aren't what they used to be. I was trying to figure out what the difference was and I didn't catch the typo. Everything is working great. Thanks again.
0


Question has a verified solution.
