Adding members of various groups to another group - duplicate entries

  • Question

  • I need to add members of various groups to a new group. Adding just the groups themselves as members isn't an option as the new group is a distribution list that we'll be using essentially as a listserv, and as such users will need to be removed piecemeal from the new group as needed (but not removed from their original group).

    I'm using the following PowerShell script to do this:

    Add-ADGroupMember -Identity "NewGroup" -Members (Get-ADGroupMember -Identity "OldGroup1")

    This worked fine for adding members of the first group to the new group. However, when trying to add members of a second group (we'll call it OldGroup2) to the new group, it fails with the error "Add-ADGroupMember : The specified account name is already a member of the group".

    There is a bit of overlap between users of OldGroup1 and OldGroup2, and it appears that since it sees one match that already exists it doesn't add any of the users from OldGroup2.

    So I have two questions:

    1. Is there a way to format the above PowerShell command so that it ignores users who are already members of NewGroup and continues adding users?

    2. If not, is there a command I can run to compare the members of the two groups to see who's a member of both groups (so I can temporarily remove them and run the above script, then add them back)?

    Monday, August 26, 2019 2:22 PM

Answers

  • Thanks, I'll take a look at the first link you provided. Using email address to filter won't do the trick in this case as not all email users are going to be in the new group; I have to use only OldGroup1 and OldGroup2 as a filter for who gets added to the new group.

    I suppose an inelegant way to implement your elegant solution would be to create garbage email addresses for members of the two old groups; then I could use that solution. I'll keep that in mind.

    Hi,

    I don't think you got me right. You don't need to filter based on e-mail address. The second option would look like this in your case:

    #Import the AD module
    Import-Module ActiveDirectory

    #Define the new group
    $NewADGroup = "CN=NewGroup,OU=Groups,DC=corp,DC=company,DC=com"
    #Get the distinguished names of all users already in the new group
    #(comparing DN strings is more reliable than -contains on AD objects)
    $UsersNewGroup = Get-ADGroupMember -Identity $NewADGroup -Recursive | Select-Object -ExpandProperty DistinguishedName
    #Get all the users in the old group
    $UsersOldGroup = Get-ADGroupMember -Identity "OldGroup1"

    foreach ($user in $UsersOldGroup) {
        #Check if the user is already in the new group and if not, add it
        if (-not ($UsersNewGroup -contains $user.DistinguishedName)) {
            Add-ADGroupMember -Identity $NewADGroup -Members $user
        }
    }

    Does this make sense?

    Regards,


    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer" where applicable. This helps the community, keeps the forums tidy, and recognizes useful contributions. Thanks!) Blog: https://blog.pohn.ch/ Twitter: @StoyanChalakov

    Monday, August 26, 2019 3:09 PM
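As an added example that is not code from the thread, the same idea extended to several source groups at once: it indexes the target group's members by distinguished name, adds only the missing users in a single call, and also lists the users that appear in more than one source group (the second question). The group names are placeholders, and -WhatIf is included so the run only previews the change.

```powershell
# Added example (not code from the thread): merge the direct user members of
# several source groups into one target group, add only the ones that are not
# already members, and report who overlaps between the source groups.
# Group names and the -WhatIf preview are assumptions; drop -WhatIf to apply.
Import-Module ActiveDirectory

$TargetGroup  = "NewGroup"
$SourceGroups = @("OldGroup1", "OldGroup2")

# Index existing membership by DistinguishedName. -contains on AD objects relies
# on object equality, whereas the DN is a stable, unique string key.
$existing = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
foreach ($m in @(Get-ADGroupMember -Identity $TargetGroup)) {
    [void]$existing.Add($m.DistinguishedName)
}

$seen  = @{}   # DN -> source groups that contain it (for the overlap report)
$toAdd = @()   # DNs that still have to be added to the target group

foreach ($g in $SourceGroups) {
    $members = @(Get-ADGroupMember -Identity $g | Where-Object { $_.objectClass -eq 'user' })
    foreach ($m in $members) {
        $dn = $m.DistinguishedName
        if (-not $seen.ContainsKey($dn)) { $seen[$dn] = @() }
        $seen[$dn] += $g
        # HashSet.Add returns $false when the DN is already present, so a user
        # who is in the target group or in an earlier source group is skipped.
        if ($existing.Add($dn)) { $toAdd += $dn }
    }
}

# Question 2 from the thread: members of more than one source group.
$seen.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 } | ForEach-Object {
    "{0} is in: {1}" -f $_.Key, ($_.Value -join ', ')
}

# One bulk add of only the missing principals; Add-ADGroupMember accepts DNs.
if ($toAdd.Count -gt 0) {
    Add-ADGroupMember -Identity $TargetGroup -Members $toAdd -WhatIf
} else {
    "Nothing to add: every source member is already in $TargetGroup"
}
```

Because the script never re-adds a member that is already present, it can be re-run safely, which also makes it easy to review the overlap output before removing -WhatIf.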

All replies

  • Hi,

    You can dump the users of OldGroup1 to a CSV file and then compare each user against that CSV file before adding it to NewGroup. Please use the code from the following thread:

    Add-ADGroupMember fails if a member is already in the group

    You can use both answers from the thread.

    There is also one other option, which I like better because it is more elegant:

    How to skip if user existing in ADgroup? (Active Directory Power Shell)

    This is also a ready-to-use solution, which you can leverage. What I particularly like about it is this part:

    # Get AD users with the specified email addresses which are not members of the specified group
    $ADUsers = Get-ADUser -filter "($($EmailDomains_Filter)) -and (-not (MemberOf -eq '$($ADGroup)'))" -Properties emailaddress

    You can remove part of the filter and use only this:

    # Get AD users which are not members of the specified group
    $ADUsers = Get-ADUser -filter "-not (MemberOf -eq '$($ADGroup)')" -Properties emailaddress

    Just get the group before running this:

    #Group Membership to check for.
    $ADGroup = "CN=Test_Group,OU=Groups,DC=corp,DC=company,DC=com" 

    This should do the job. I cannot test it right now, but you can do this easily.

    Regards,


    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer" where applicable. This helps the community, keeps the forums tidy, and recognizes useful contributions. Thanks!) Blog: https://blog.pohn.ch/ Twitter: @StoyanChalakov

    Monday, August 26, 2019 2:48 PM
  • Thanks, I'll take a look at the first link you provided. Using email address to filter won't do the trick in this case as not all email users are going to be in the new group; I have to use only OldGroup1 and OldGroup2 as a filter for who gets added to the new group.

    I suppose an inelegant way to implement your elegant solution would be to create garbage email addresses for members of the two old groups; then I could use that solution. I'll keep that in mind.

    Monday, August 26, 2019 2:53 PM
  • This did the trick thank you!
    Tuesday, August 27, 2019 2:13 PM