Add users to group

  • General discussion

  • I have created the below script to add users from First_Group to Second_Group and get the status in an output file. Please tell me whether this is the best method or whether anything else needs to be added.

    #Requires -Modules ActiveDirectory
    # Members of the source group, identified by sAMAccountName
    $members1 = Get-ADGroupMember -Identity "<First_Group>" | Select-Object -ExpandProperty SAMAccountName
    $group = "<Second_Group>"
    # Current members of the target group, used to skip users already present
    $members = Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty SAMAccountName
    ForEach ($user in $members1) {
        If ($members -contains $user) {
            "$user already exists in $group" | Out-File path\to\output.log -Append
        } Else {
            # -ErrorAction Stop turns a failed add into a terminating error that ends the script
            Add-ADGroupMember -Identity $group -Members $user -ErrorAction Stop
            "$user added to $group" | Out-File path\to\output.log -Append
        }
    }

    Sunday, August 19, 2018 2:16 PM

All replies

  • Hi,

    Looks good. Just a few remarks:

    1. You specify "<First_Group>" within the $members1 variable, but "<Second_Group>" is in its own variable. It looks better if you specify that too in a variable, or maybe even as parameters, so you can feed them without modifying the file :)
    2. Since you are appending to the output, you could choose to use Add-Content instead of Out-File. Nothing special though.
    3. You could wrap the Add-ADGroupMember within a try-catch block, so any errors will be put in the logs and the script continues after catching an error for a single group. E.g.:

    try {
        Add-ADGroupMember -Identity $Group -Members $User -ErrorAction Stop
        "$User added to $Group" | Out-File path\to\output.log -Append
    } catch {
        # The error is logged and the loop continues with the next user
        "$User was not added to $Group because an error occurred: $($_.Exception.Message)" | Out-File path\to\output.log -Append
    }



    Sunday, August 19, 2018 2:31 PM
  • It is good that you check each user to see if they are already a member of the group. You could add all new members in one step. The most common error, other than a user already being a member, would be lack of permissions, so you could create an array of users and add them in one step. You could code similar to:

    $members1 = Get-ADGroupMember -Identity "<First_Group>" | Select -ExpandProperty SAMAccountName
    $group = "<Second_Group>"
    $members = Get-ADGroupMember -Identity $group | Select -ExpandProperty SAMAccountName
    # Collect the users that still need to be added
    $Users = @()
    ForEach ($user in $members1) {
        If ($members -contains $user) {
            "$User Already exists in $Group" | Out-File path\to\output.log -Append
        } Else {
            $Users += $User
            # Note: this log line is written before the batch add below runs
            "$User added to $Group" | Out-File path\to\output.log -Append
        }
    }

    # Check if any users need to be added to the group, then add them in one call.
    If ($Users) {Add-ADGroupMember -Identity $Group -Members $Users -ErrorAction Stop}

    One note, however. If any group members are contacts (or distribution groups), they would not have a sAMAccountName. If that is possible, you can substitute distinguishedName for sAMAccountName. The script will work fine for members that are security groups or computers.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Sunday, August 19, 2018 4:11 PM
    Moderator
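    The following function is an added example, not code posted in this thread. It combines the suggestions from the two replies above: group names and the log path become parameters, logging uses Add-Content, the add is wrapped in try/catch, members are compared and added by distinguishedName so contacts and distribution groups without a sAMAccountName are handled, and all missing members are added in one Add-ADGroupMember call. It assumes the ActiveDirectory module is installed and that the caller already has rights to modify the target group; the function name, parameter names and the default log file name are the example's own choices.

    ```powershell
    #Requires -Modules ActiveDirectory
    # Added example (not from the thread). Copies members of one AD group into another,
    # logging what was skipped, added or failed. Group names are supplied by the caller.
    function Copy-ADGroupMembership {
        [CmdletBinding(SupportsShouldProcess = $true)]
        param(
            [Parameter(Mandatory)] [string] $SourceGroup,
            [Parameter(Mandatory)] [string] $TargetGroup,
            [string] $LogPath = '.\group-copy.log'   # example default, change as needed
        )

        # Compare on distinguishedName so contacts and distribution groups
        # (which have no sAMAccountName) are handled like users and computers.
        $sourceMembers = Get-ADGroupMember -Identity $SourceGroup
        $existing = @(Get-ADGroupMember -Identity $TargetGroup |
                      Select-Object -ExpandProperty DistinguishedName)

        $toAdd = @()
        foreach ($member in $sourceMembers) {
            if ($existing -contains $member.DistinguishedName) {
                Add-Content -Path $LogPath -Value "$($member.Name) already exists in $TargetGroup"
            } else {
                $toAdd += $member.DistinguishedName
            }
        }

        if ($toAdd.Count -eq 0) {
            Add-Content -Path $LogPath -Value "Nothing to add to $TargetGroup"
            return
        }

        # One Add-ADGroupMember call for the whole batch. SupportsShouldProcess gives the
        # operator -WhatIf / -Confirm, so the change can be previewed before the group is touched.
        if ($PSCmdlet.ShouldProcess($TargetGroup, "Add $($toAdd.Count) member(s)")) {
            try {
                Add-ADGroupMember -Identity $TargetGroup -Members $toAdd -ErrorAction Stop
                foreach ($dn in $toAdd) {
                    Add-Content -Path $LogPath -Value "$dn added to $TargetGroup"
                }
            } catch {
                # A failed batch (most often a permissions problem) is logged, then re-thrown
                # so the caller sees that nothing in this batch was added.
                Add-Content -Path $LogPath -Value "Batch add to $TargetGroup failed: $($_.Exception.Message)"
                throw
            }
        }
    }

    # Usage with placeholder group names; drop -WhatIf to apply the change:
    # Copy-ADGroupMembership -SourceGroup '<First_Group>' -TargetGroup '<Second_Group>' -WhatIf
    ```

    Because the batch is one call, a failure means none of the batch was added, which is easier to reason about than a loop that stops halfway. Running with -WhatIf first shows how many members would be added without modifying the group. Note that Get-ADGroupMember enumerates through Active Directory Web Services, which by default refuses to return groups with more than 5000 members; for very large groups the member list has to be read another way (for example from the group's member attribute via Get-ADGroup -Properties member).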
  • Thank you
    Sunday, August 19, 2018 5:48 PM
  • Thank you for showing alternate options. It will be great if you could suggest some website which will explain advanced PowerShell usage for AD to me, so I can add more scripts.
    Sunday, August 19, 2018 5:54 PM