Discussing a worst-case scenario where an admin has to add a few users to completely different active directory groups looks to be painful and yes I have done it manually done it many times. It eats a lot of our time and energy but I created a part-time script that has eventually solved my problem once and for all.
Today we are going to discuss the same on how I created a silly script which does our job effecietly.
Script Requirements
Before we proceed further we need to understand some active directory cmdlets so that they don’t hurt us after the script is ready.
1. Get-ADGroupMember, as the name suggests, this cmdlet will provide us the list of the active directory group members of a specific security group.
Syntax:
Get-ADGroupMember
[-AuthType <ADAuthType>]
[-Credential <PSCredential>]
[-Identity] <ADGroup>
[-Partition <String>]
[-Recursive]
[-Server <String>]
[<CommonParameters>]
Example
PS C:\> Get-ADGroupMember -Identity Administrators
distinguishedName : CN=Domain Admins,CN=Users,DC=Fabrikam,DC=com
name : Domain Admins
objectClass : group
objectGUID : 5ccc6037-c2c9-42be-8e92-c8f98afd0011
SamAccountName : Domain Admins
SID : S-1-5-21-41432690-3719764436-1984117282-512
distinguishedName : CN=Enterprise Admins,CN=Users,DC=Fabrikam,DC=com
name : Enterprise Admins
objectClass : group
objectGUID : 0215b0a5-aea1-40da-b598-720efe930ddf
SamAccountName : Enterprise Admins
SID : S-1-5-21-41432690-3719764436-1984117282-519
2. Add-ADGroupMember, as the name suggests, this cmdlet will provide add the given users to the provided AD security group.
Syntax:
Add-ADGroupMember
[-WhatIf]
[-Confirm]
[-AuthType <ADAuthType>]
[-Credential <PSCredential>]
[-Identity] <ADGroup>
[-Members] <ADPrincipal[]>
[-MemberTimeToLive <TimeSpan>]
[-Partition <String>]
[-PassThru]
[-Server <String>]
[-DisablePermissiveModify]
[<CommonParameters>]
Example:
$User = Get-ADUser -Identity "CN=Chew David,OU=UserAccounts,DC=NORTHAMERICA,DC=FABRIKAM,DC=COM" -Server "northamerica.fabrikam.com"
$Group = Get-ADGroup -Identity "CN=AccountLeads,OU=UserAccounts,DC=EUROPE,DC=FABRIKAM,DC=COM" -Server "europe.fabrikam.com"
Add-ADGroupMember -Identity $Group -Members $User -Server "europe.fabrikam.com"
3. In this script we will be using Try and Catch if you are unfamiliar with this rad the article to fresh-up your mind.
PowerShell script to add users to multiple groups
Step #1
Make sure the CSV is in the given format before you run the script so that it fetches the required attributes. Below is the example of the CSV format where the user column is for the users who are required to add and the group column is the required groups where each user needs to be added.
{<######### CSV format ########## >
user,group
test1,”domain admins”
test2,Administrators #>}
Step #2
Make sure you are using $ErrorActionPreference carefully as if it sets to “silentlycontinue” there will be no errors shown.
Import-csv will import our csv file.
In $check1 the script will check the respective group name and will fetch the users under that group. If $check1 contains the same user in the .csv list then it will war us by executing the condition in the if condition.
$ErrorActionPreference = "SilentlyContinue"
Import-CSV c:\users\dbharali\desktop\list.csv | % {
$check1= Get-ADGroupMember -Identity ($_.group) | select -ExpandProperty Name
if ($check1 -contains $_.user){
write-host "$($_.User) is already a member of $($_.Group) !" -ForegroundColor red
}
Step #3
In case it doesn’t match the loop will continue to the else condition where we have our try-catch block.
The Try block tries to add the required users to the required groups mentioned in the .csv file.
else{
Try{
Write-host "Checking $($_.Users) in $($_.Group).......... " -ForegroundColor cyan
Add-ADGroupMember -Identity $_.group -Member $_.User -ErrorAction SilentlyContinue
Step #4
The last and important step is where we will get to know whether we succeeded or not.
$check2 will again check the required groups and save the user name to itself.
If condition checks the user name of the .csv list with the user list it found in $check2 in case it gets that then it will show us the message that we have successfully added the user to the required group.
Catch block capture the exception we have encountered in the script.
$check2 = Get-ADGroupMember -Identity ($_.group) | select -ExpandProperty Name
if ($check2 -contains $_.user){
write-host "$($_.User) is successfully added to $($_.Group) !" -ForegroundColor green
}
}
catch{
Write-Warning "Exception String: $($_.Exception.Message)"
}
}
}
Conclusion
I hope you have liked this post (Add users to multiple groups using PowerShell from CSV) and will implement this whenever it is required to add the users to the required groups. Things you should always remember is to try with one user and one group so that it will be easy for you to make changes. Let me know if you want a blog post on some other script that might amaze you.
We are working continuously to provide you with the better and the best scripts daily. We will publish weekly hence don’t forget to subscribe to our newsletter.
