Hello, PowerShell enthusiast today we will understand how to mirror two AD groups using PowerShell. Sometimes back there was some urgency in my infra to mirror two different AD group users for completely different security groups and there were 1000-2000 users who needed to be checked and added. I was doing this process manually but was mistakenly adding the user who was already part of the security group.
The process took me ages to complete but let me share the script which I have created to mitigate this ridiculously easy activity.
Mirroring two AD groups using PowerShell
How to use Get-Adgroupmember?
As the name suggests Get-Adgroupmember gets the Active directory group members of the given group name.
Syntax:
Get-ADGroupMember
[-AuthType <ADAuthType>]
[-Credential <PSCredential>]
[-Identity] <ADGroup>
[-Partition <String>]
[-Recursive]
[-Server <String>]
[<CommonParameters>]
Example:
We will be using the same type of script as ours.
Get-ADGroupMember -Identity Administrators
distinguishedName : CN=Domain Admins,CN=Users,DC=Fabrikam,DC=com
name : Domain Admins
objectClass : group
objectGUID : 5ccc6037-c2c9-42be-8e92-c8f98afd0011
SamAccountName : Domain Admins
SID : S-1-5-21-41432690-3719764436-1984117282-512
How to use Add-Adgroupmember?
Well, this is used to add single or multiple users to a security group.
Syntax:
Add-ADGroupMember
[-WhatIf]
[-Confirm]
[-AuthType <ADAuthType>]
[-Credential <PSCredential>]
[-Identity] <ADGroup>
[-Members] <ADPrincipal[]>
[-MemberTimeToLive <TimeSpan>]
[-Partition <String>]
[-PassThru]
[-Server <String>]
[-DisablePermissiveModify]
[<CommonParameters>]
Example:
Add-ADGroupMember -Identity SvcAccPSOGroup -Members SQL01,SQL02
Find more related AD PowerShell scripts from here –> AD Scripts
Mirroring AD Groups PowerShell script
#Step 1
We need to provide the name of the groups which need to get mirrored.
$group1 = read-host "Enter group 1"
$group2 = read-host "Enter group 2"
#Step 2
Fetching the members from the specified groups in #Step 1.
$a= get-adgroupmember -identity $group1 |select -expandproperty Name
write-host "$group1 members are $a"
$b= get-adgroupmember -identity $group2 |select -expandproperty Name
write-host "$group2 members are $b"
#Step 3
We will be using a nested Foreach loop so that we can match 2 AD groups and identify what is missing in $group2 when compared to $group1.
Under if condition we will compare the results of $c and $d with -notcontains as the name suggests it identifies what is not there in either of the groups.
Add- groupmember will be used to add the members in $group2 which are not there when compared to $group1.
Get-ADgroupmember provides the members now present in $group2.
Foreach($c in $a)
{
Foreach($d in $b)
{
if ($c -notcontains $d)
{
write-host "adding $c to $group2"
add-adgroupmember -members $c -identity $group2
write-host "$c is added to $group2"
}
else
{write-host "$c is not copied"}
}
}
write-host "$group2 members are"
get-adgroupmember -identity $group2 |select -expandproperty Name
Conclusion
I hope you have liked the post Mirroring two AD groups using PowerShell and will implement this whenever it is required. Things you should always remember is to try with one more member and another group with no members so that it will be easy for you to make changes. Let me know if you want a blog post on some other script that might amaze you.
We are working continuously to provide you with the better and the best scripts daily. We will publish weekly hence don’t forget to subscribe to our newsletter.
