Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Power shell script to copy a Distribution Group and create a new security group - E2K10

Posted on 2015-01-08
10
Medium Priority
?
3,051 Views
Last Modified: 2015-01-09
Is it possible to copy a distribution group to a new security group? I have several DG's that have the members i want to be in a new Security Group. Some of the DG's have 50 or 60 people and im trying to avoid having to add them in one by one.
0
Comment
Question by:msidnam
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 4
  • 2
10 Comments
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40537964
You should be able to do this via powershell... See below.

import-module activedirectory
$DistributionGroup = "CN=DisGroupName,OU=GroupOUName,DC=domain,DC=com"
$SecurityGroup = "CN=SecGroupName,OU=GroupOUName,DC=domain,DC=com"

$AddMember = Get-DistributionGroupMember -Identity $DistributionGroup
         foreach ($User in $AddMember) {
                 Add-AdGroupMember -identity $SecurityGroup -Members $User.distinugishedName
           }

Open in new window


Will.
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 40537975
Are not Mail Enabled Security groups  better option IF both groups have the same membership? You dont need both groups at all.
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40538214
I would agree to a certain extent but Mail Enabled Security Groups are not a great practice in regards to Security.

Example.
If you have a cross-departmental project with multiple users from different departments that have different levels of access within the company if you use a Mail Enabled Security Group for Projects updates you will need to add all of these members to one of the departments mail enabled security groups (say Accounting_MailEnabledSecurityGroup). While all of the people on the project will get the email updates everyone that is not in the Accounting Department will now have access to files or share access to anything this Mail Enabled Security Group has access to, Security Hold.

This also applies to a users from say "Marketing" that needs to be informed of monthly meeting updates. If you have Security and Distribution Groups you can just add this person to the Distribution Group rather than a Mail ENabled Security Group which has ACL's tied to it.

I personally like to keep my Distribution Group and Security Groups separate so i know exactly the purpose for adding specific people. Might be a little more work at first creating them but it will be much easier to identify.

Mail Enabled Security Groups have there place and benefits but if you want a more secure proof environment you should keep them separate as much as possible IMO.

Will.
0
Looking for the Wi-Fi vendor that's right for you?

We know how difficult it can be to evaluate Wi-Fi vendors, so we created this helpful Wi-Fi Buyer's Guide to help you find the Wi-Fi vendor that's right for your business! Download the guide and get started on our checklist today!

 
LVL 2

Author Comment

by:msidnam
ID: 40538429
I changed the code to match my environment, but i get he error below:

Add-ADGroupMember : Cannot validate argument on parameter 'Members'. The argument is null or empty. Supply an argument
that is not null or empty and then try the command again.
At C:\scripts\DGtoSG.ps1:7 char:69
+                  Add-AdGroupMember -identity $SecurityGroup -Members <<<<  $User.distinugishedName
    + CategoryInfo          : InvalidData: (:) [Add-ADGroupMember], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.ActiveDirectory.Management.Commands.AddADGrou
   pMember
0
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 2000 total points
ID: 40539295
Ok sorry about that. I was just looking at the script and I forgot to add the Exchange snap-in. This is why you are getting this error message. I have re-did the script and i have tested this in my lab and it works without issues.

import-module activedirectory
Add-PSSnapin microsoft.exchange.management.powershell.admin
$DistributionGroup = "CN=testing1,OU=DomainUsers,DC=a,DC=com"
$SecurityGroup = "CN=AD_Group2,OU=DomainUsers,DC=a,DC=com"

$AddMember = Get-DistributionGroupMember -Identity $DistributionGroup
         foreach ($User in $AddMember) {
                 Add-AdGroupMember -identity $SecurityGroup -Members $User.distinguishedName
           }

Open in new window


Depending on the version of Exchange you have the snap-ins are different commands.

Exchange 2007: add-pssnapin microsoft.exchange.management.powershell.admin
Exchange 2010: add-pssnapin microsoft.exchange.management.powershell.e2010
Exchange 2013: add-pssnapin microsoft.exchange.management.powershell.e2013

Replace the second line with the Exchange version you have in your environment.

Also change the Distribution and Security Group DistinguishedNames.

Will.
0
 
LVL 2

Author Comment

by:msidnam
ID: 40540033
I was doing this from the EMS before. should i be doing this from a normal powershell window?
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 40540058
EMS is fine.
0
 
LVL 2

Author Comment

by:msidnam
ID: 40540133
I am doing it from EMS. While i get the error below, it does work and copies thememebers from the DG to the Sec Group:

Add-PSSnapin : A positional parameter cannot be found that accepts argument 'microsoft.exchange.management.powershell.e
2010'.
At C:\scripts\DGtoSG.ps1:2 char:13
+ Add-PSSnapin <<<<  add-pssnapin microsoft.exchange.management.powershell.e2010
    + CategoryInfo          : InvalidArgument: (:) [Add-PSSnapin], ParameterBindingException
    + FullyQualifiedErrorId : PositionalParameterNotFound,Microsoft.PowerShell.Commands.AddPSSnapinCommand

I commented out: add-pssnapin microsoft.exchange.management.powershell.e2010

and it works perfectly. However, i dont see a difference between the original one you did for me and this one other than, add-pssnapin microsoft.exchange.management.powershell.e2010. Perhaps my formatting was wrong and it didnt like the -Members option? I did this through a program called PowerGUI Script editor that understands powershell language.
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40540228
I rarely use the EMS. I always use powershell with added snap-ins and modules. It is more flexible IMO. When i ran the script from powershell ISE or Console it worked with out and errors and copied the groups successfully.

Also the difference between the 2 scripts is that if you copied my first script exactly there is a typo in $user.DistinguishedName ( $User.distinugishedName)

Which was probably throwing the error message. If you were doing it in the EMS the entire time time then you didn't need to add the pssnapin.

Will.
0
 
LVL 2

Author Comment

by:msidnam
ID: 40540337
I'm getting old. My eyes aren't what they used to be. I was trying to figure out what was the difference and i didn't catch the typo. Everything is working great. Thanks again.
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Here in this article, you will get a step by step guidance on how to restore an Exchange database to a recovery database. Get a brief on Recovery Database and how it can be used to restore Exchange database in this section!
This month, Experts Exchange sat down with resident SQL expert, Jim Horn, for an in-depth look into the makings of a successful career in SQL.
In this video we show how to create a Shared Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >> Sha…
In this video we show how to create an email address policy in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Mail Flow…
Suggested Courses

609 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question