samiam41
asked on
Add members in one group to another group via script
Hey Experts!! As part of an on-going migration, I need to migrate users from group-x to group-y but this will be an on-going event so I need to be able to change the AD path for group-x.
How could I do this with a batch script where it will prompt me for "group-x" and output who was moved into a log file?
Thanks for your help!
How could I do this with a batch script where it will prompt me for "group-x" and output who was moved into a log file?
Thanks for your help!
What do you mean by change AD path ?
If you want to add users from one domain to another over trust, you do need domain local group \ universal group as target group and then you can copy group members from one domain to domain local \ universal group in another domain.
If you want to add users from one domain to another over trust, you do need domain local group \ universal group as target group and then you can copy group members from one domain to domain local \ universal group in another domain.
$group = Get-ADGroupMember -Identity "CN=Sourcegroup,dc=sourcedomain,dc=com"
Foreach ($member in $group)
{ Add-ADGroupMember -Identity "CN=targetgroup,DC=targetdomain,dc=com" $member}
# Replace source group with one from which you want to copy members
# Target group must be domain local group \ universal in target domain
ASKER
Thanks for the replies. Let me try to explain it a little further.
Groups are in the same domain. The OU's are different, such as:
Department (OU)
>Admin (OU)
>>Groups (OU)
>>>GroupABC
>Finance (OU)
>>Groups (OU)
>>>GroupDEF
>Research (OU)
>>Groups (OU)
>>>GroupGHI
I need to copy the users in GroupABC (the variable that I would like the script to prompt me with) into GroupGHI (the constant in the script). When I run the script again, I would like to have the script prompt me for the name of the group (variable) and then begin copying those users to GroupGHI (the constant hardcoded into the script).
I would prefer to use batch as that is what all of my other scripts are and I don't have time to get into PS at the moment. Thank you!
Groups are in the same domain. The OU's are different, such as:
Department (OU)
>Admin (OU)
>>Groups (OU)
>>>GroupABC
>Finance (OU)
>>Groups (OU)
>>>GroupDEF
>Research (OU)
>>Groups (OU)
>>>GroupGHI
I need to copy the users in GroupABC (the variable that I would like the script to prompt me with) into GroupGHI (the constant in the script). When I run the script again, I would like to have the script prompt me for the name of the group (variable) and then begin copying those users to GroupGHI (the constant hardcoded into the script).
I would prefer to use batch as that is what all of my other scripts are and I don't have time to get into PS at the moment. Thank you!
Then script would work as below
It will ask you simple name of source group and target group you have to enter one time in script as per your requirement
U have to call this script on Windows 2008 R2 and above server with elevated PowerShell
Do not forget to set Executionpolicy to remotesigned OR unrestricted
In order to do that run below commands on 2008 R2 DC in elevated PowerShell
Set-Executionpolicy RemoteSigned
when prompted, type yes
Actually then limjianan code should work, however, $input variable is not acceptable by PowerShell and -add parameter is also not available
Hence I modified those TWO parameters
If you do not want to use PowerShell, Probably some expert might help you in another scripting language.
It will ask you simple name of source group and target group you have to enter one time in script as per your requirement
Import-Module ActiveDirectory
$GroupName = Read-Host -Prompt "Please Enter Source Group Name"
$group = Get-ADGroupMember -Identity $GroupName
Foreach ($member in $group)
{ Add-ADGroupMember -Identity "TargetGroupName" $member}
# Shell will prompt you for source group name from which you want to copy members
# Target group you have to enter one time only in a script)
U have to call this script on Windows 2008 R2 and above server with elevated PowerShell
Do not forget to set Executionpolicy to remotesigned OR unrestricted
In order to do that run below commands on 2008 R2 DC in elevated PowerShell
Set-Executionpolicy RemoteSigned
when prompted, type yes
Actually then limjianan code should work, however, $input variable is not acceptable by PowerShell and -add parameter is also not available
Hence I modified those TWO parameters
If you do not want to use PowerShell, Probably some expert might help you in another scripting language.
Here's a .bat version.
Note: I put an ECHO prefix for testing reasons. Remove the prefix to run it for real:
Note: I put an ECHO prefix for testing reasons. Remove the prefix to run it for real:
@echo off
set Grp=GroupGHI
:GetGroup
SET /P Grp=What group to add to %Grp%?
set FNMembers=Members.txt
net group %Grp% /domain>%FNMembers%
if %errorlevel% neq 0 (echo Invalid group. Try again. & pause & goto :GetGroup)
for /f "tokens=* skip=8" %%a in (%FNMembers%) do (
call :AddToGroup "%%a"
)
goto :eof
:AddToGroup
if %1 equ "The command completed successfully." goto :eof
for %%a in (%~1) do (
echo net group %Grp% %%a /add /domain
)
You don't need to use a foreach construction.
Just pipe Get-ADGroupMember to Add-ADPrincipalGroupMember ship
You will see reference to this latter cmdlet in the help documentation for Add-ADGroupMember
ie based on the above
You can also use the output of the Get-ADGroupMember cmdlet to view the list of users too that you were adding.
Just pipe Get-ADGroupMember to Add-ADPrincipalGroupMember
You will see reference to this latter cmdlet in the help documentation for Add-ADGroupMember
ie based on the above
$dstGrp = "Destination Group Name"
$srcGrp = Read-Host -Prompt "Please Enter Source Group Name"
Get-ADGroupMember $srcGrp | Add-ADPrincipalGroupMembership -MemberOf $dstGrp
You can also use the output of the Get-ADGroupMember cmdlet to view the list of users too that you were adding.
wowow, i think there are more experts helping since my initial conversation :)
Plain batch; uses dsquery.exe, dsget.exe, and dsmod.exe from the RSAT AD tools; will create a log file in csv format in the script's folder. Doesn't complain when run several times against the same group.
@echo off
setlocal enabledelayedexpansion
set LogFile=%~dpn0.csv
set CsvDelim=,
set GroupTarget=GroupGHI
set GroupSource=&set /p "GroupSource=Please enter the name of the source group without quotes: "
if "%GroupSource%"=="" goto :eof
set GroupTargetDN=&for /f "delims=" %%a in ('dsquery.exe group -samid "%GroupTarget%"') do (set GroupTargetDN=%%~a)
if "%GroupTargetDN%"=="" (echo ERROR: Target group '%GroupTarget%' not found in AD.&exit /b 1)
set GroupSourceDN=&for /f "delims=" %%a in ('dsquery.exe group -samid "%GroupSource%"') do (set GroupSourceDN=%%~a)
if "%GroupSourceDN%"=="" (echo ERROR: Source group '%GroupSource%' not found in AD.&exit /b 1)
if not exist "%LogFile%" (
>"%LogFile%" echo "Object DN"%CsvDelim%"Source Group"%CsvDelim%"Target Group"%CsvDelim%"Copy Date"%CsvDelim%"Copy Time"%CsvDelim%"Result"
)
for /f "tokens=2 delims=,=" %%a in ("%GroupSourceDN%") do set GroupSource=%%a
echo Source DN: %GroupSourceDN%
echo Target DN: %GroupTargetDN%
echo Log file: %LogFile%
echo Retrieving target group members ...
set /a TargetCount = 0
for /f "delims=" %%a in ('dsget.exe group -members "%GroupTargetDN%"') do (
set /a TargetCount += 1
set Target[!TargetCount!]=%%~a
)
set /a SkippedCount = 0
set /a SuccessCount = 0
set /a ErrorCount = 0
for /f "delims=" %%a in ('dsget.exe group -members "%GroupSourceDN%"') do (call :AddMember "%%~a")
echo Done; added %SuccessCount% accounts, skipped %SkippedCount% accounts, encountered %ErrorCount% errors.
if not %ErrorCount%==0 (exit /b 1)
goto :eof
:AddMember
set ObjectDN=%~1
echo Processing '%ObjectDN%' ...
for /l %%i in (1, 1, %TargetCount%) do (
if /i "!Target[%%i]!"=="%ObjectDN%" (
echo ... already member of the target group.
set /a SkippedCount += 1
goto :eof
)
)
for /f "delims=" %%a in ('dsmod.exe group "%GroupTargetDN%" -addmbr "%ObjectDN%" 2^>^&1') do (set Result=%%a&goto :Next)
:Next
if "%Result:~0,16%"=="dsmod succeeded:" (
set Result=OK
set /a SuccessCount += 1
) else (
set /a ErrorCount += 1
)
echo ... %Result%
>>"%LogFile%" echo "%ObjectDN%"%CsvDelim%"%GroupSource%"%CsvDelim%"%GroupTarget%"%CsvDelim%"%Date%"%CsvDelim%"%Time%"%CsvDelim%"%Result%"
goto :eof
ASKER
Hey everyone. I'm back on this mini-project after working on a HVAC and VMWare issue.
I will update the group when I try out the suggestions you posted. Thanks Experts.
I will update the group when I try out the suggestions you posted. Thanks Experts.
ASKER
@oBdA, that script works amazing! I have two questions about it. The first is that the log file is the name of the script which causes problems. Is it possible to name of the log file to match the name of the source group? And the object DN path in the log file looks like this:
CN=Name\, User,OU=Users,OU=Dept,OU=D epts,OU=X, DC=Domain, DC=Domain1 ,DC=Domain 2,DC=Domai n3
Can the log file contain just CN=Name\, User ?
Thanks for the hard work.
@NewVillageIT, I'm testing your suggestion now.
CN=Name\, User,OU=Users,OU=Dept,OU=D
Can the log file contain just CN=Name\, User ?
Thanks for the hard work.
@NewVillageIT, I'm testing your suggestion now.
ASKER
I haven't tried the powershell options yet. I'm not familiar with PS so it will be awhile, if I get to them but I appreciate your help and posting your suggestions.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Closing this question out today. Thanks everyone for your help (and patience)!
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks experts!!
I didn't have a chance to dive into the powershell portion of the suggestions as the project timeline changed, so my apologies for not being able to give them the time they deserved.
I look forward to working with you all again soon. Thanks everyone!
I didn't have a chance to dive into the powershell portion of the suggestions as the project timeline changed, so my apologies for not being able to give them the time they deserved.
I look forward to working with you all again soon. Thanks everyone!
install the required AD tools on windows 7
then you can run powershell
import-module activedirectory
$input = read-host "what is your group-x?"
$members = Get-ADGroupMember $input | select samaccountname
foreach ($member in $members){
add-adgroupmember -identity "group-y" -add $member
}
(coding are write on fly without really verify)
is this what you are looking for?
(i can write a better coding when i have back to work)