Powershell Script: Add users from an OU to an AD security Group

  • Question

  • Hi

    Can anybody point me to a link, or does anybody have a script, with which I can get a list of users from an OU and then put them into an AD security group?

    Regards

    Tuesday, August 28, 2012 2:52 PM

Answers

  • Get-ADUser -SearchBase 'OU=UserAccounts,DC=contoso,DC=local' -Filter * | % { Add-ADGroupMember 'gp001' -Members $_ -WhatIf }
    


    Grant Ward, a.k.a. Bigteddy

    Tuesday, August 28, 2012 2:58 PM

All replies

  • Hi - thanks for the info. The script didn't run as expected.

    What we are trying to achieve is that we have an OU with several child OUs below and we need to capture all user accounts from all OUs and then either be able to export to a CSV or pipe the output to an AD group.

    Tuesday, August 28, 2012 4:00 PM
  • Hi - thanks for the info. The script didn't run as expected.

    What we are trying to achieve is that we have an OU with several child OUs below and we need to capture all user accounts from all OUs and then either be able to export to a CSV or pipe the output to an AD group.

    The script does exactly what you are describing.  It gets all users from the OU and all child OUs into a single security group.


    ¯\_(ツ)_/¯

    Tuesday, August 28, 2012 4:08 PM
  • Do you get an error? If so, is it because you haven't imported the AD modules? Or do you get an error because one or more users are already members of the group? If the latter, you can use the -ErrorAction parameter (of the Add-ADGroupMember cmdlet) and specify Continue or SilentlyContinue.


    Richard Mueller - MVP Directory Services

    Wednesday, August 29, 2012 1:12 AM
    Moderator
  • Hi

    I have used the AD modules.

    When I run the command it then goes to position 1 and asks for each member individually to be selected - ideally I need all users to be added without being prompted - any ideas?

    Regards

    Wednesday, August 29, 2012 6:04 AM
  • I suspect there is something wrong with your -SearchBase.  Try this command by itself, substituting your own OU path.  Please post both the code you ran, and the output and/or errors.

    Get-ADUser -SearchBase 'OU=UserAccounts,DC=contoso,DC=local' -Filter *


    Grant Ward, a.k.a. Bigteddy


    • Edited by Bigteddy Wednesday, August 29, 2012 6:13 AM
    Wednesday, August 29, 2012 6:12 AM
  • Hi, here are the details.

    To test, we exported to a CSV file and the output is correct - it seems to be the second part, when the output is piped to the AD group, that seems to fail or ask which members need to be added at the 1st positional parameter.

    Get-ADUser -SearchBase 'OU=Citrix PS4 Users,DC=dartgroup,DC=plc' -Filter * | export-csv c:\test.csv
    Wednesday, August 29, 2012 12:28 PM
  • I don't know what could be the problem.  The code I posted is correct, and works for me.

    Grant Ward, a.k.a. Bigteddy

    Wednesday, August 29, 2012 12:37 PM
  • I actually have a need for this code today but every time that script is posted inside the scroll bars I am unable to see the code.  I only see one line with the bar on it and I can only move it right or left, not up and down.

    What can I do for this?  I am running Windows XP SP3 and IE 7.

    Thanks,

    jrussell97

    Thursday, August 30, 2012 1:02 PM
  • Get-ADUser -SearchBase 'OU=UserAccounts,DC=contoso,DC=local' -Filter * | % { Add-ADGroupMember 'gp001' -Members $_ -WhatIf }

    Grant Ward, a.k.a. Bigteddy

    Thursday, August 30, 2012 1:21 PM
  • Thanks Grant.  I found a different way to do this but I will keep the code anyway.
    Thursday, August 30, 2012 8:28 PM
  • Thanks Grant.  I found a different way to do this but I will keep the code anyway.

    How about sharing how you discovered how to do it, to help out others.
    Wednesday, July 24, 2013 5:09 PM
  • Hi - thanks for the info. The script didn't run as expected.

    What we are trying to achieve is that we have an OU with several child OUs below and we need to capture all user accounts from all OUs and then either be able to export to a CSV or pipe the output to an AD group.

    dsquery user "OU=organizationalunit,DC=name,dc=com" -limit 0 >> filename.txt

    with the filename.txt you can do this:

    for /f "tokens=* delims= " %i in (filename.txt) do dsmod group "CN=groupname,OU=organizationalUnit,DC=name,DC=com" -addmbr %i

    or, just pipe the initial results into the dsmod command:

    dsquery user "OU=organizationalunit,DC=name,dc=com" | dsmod group "CN=groupname,OU=organizationalUnit,DC=name,DC=com" -addmbr

    Tuesday, December 17, 2013 3:48 AM
  • Based on Bigteddy's request, I'm using the following PowerShell command:

    Get-ADUser -SearchBase 'OU=organizationnalunit,DC=nam,DC=com' -Filter * | % {Add-ADGroupMember 'grp001' -Members $_.DistinguishedName }

    Simple and direct! :)
    • Proposed as answer by Валера2 Tuesday, March 19, 2019 1:08 PM
    Friday, January 31, 2014 11:13 AM
  • Very simple! Tks a lot! ;) 
    Thursday, July 31, 2014 3:02 PM
  • Unfortunately this script didn't work for me either.

    What did work was

    Get-ADUser -SearchBase 'OU=Terminated,DC=contoso,DC=com' -Filter * | ForEach-Object {Add-ADGroupMember -Identity 'SecurityGroup_name' -Members $_ }

    • Proposed as answer by Thewee Wednesday, July 19, 2017 12:55 PM
    Tuesday, April 19, 2016 6:02 PM
  • Same here the above scripts did not work, but the one that you shared works fine

    Thank you

    Friday, May 20, 2016 8:23 PM
  • Try
        {
        # Load the Active Directory cmdlets
        Import-Module ActiveDirectory -ErrorAction Stop

        $properties = @('Name', 'Enabled', 'HomeDirectory', 'DistinguishedName')
        
        $ou = 'OU=Terminated,DC=contoso,DC=com' # whatever the OU might need to be

        $adGroupName = 'Group001'

        $dc = 'dc01.contoso.local'

        # Look the group up once, before the loop; stop if it does not exist
        $adGroup = Get-ADGroup $adGroupName -ErrorAction Stop

        # Enabled users in the OU and its child OUs
        $adUserIds = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $ou -Properties $properties | Select-Object $properties | Sort-Object Name

        foreach($adUsers in $adUserIds)
            {
            $adGroupMembership = Get-ADPrincipalGroupMembership -Identity $adUsers.DistinguishedName -Server $dc -ErrorAction Stop

            # Compare distinguished names; -like against the group objects themselves never matches the name
            if($adGroupMembership.DistinguishedName -contains $adGroup.DistinguishedName)
                {
                "$($adUsers.Name) is already a member of group $($adGroup.Name)"
                }

             else
                {
                "Adding Active Directory user $($adUsers.Name) to the global security group $($adGroup.Name)"

                # -WhatIf makes this a dry run; remove it to apply the change
                Add-ADPrincipalGroupMembership -Confirm:$false -Identity $adUsers.DistinguishedName -MemberOf $adGroup.DistinguishedName -Server $dc -WhatIf -ErrorAction Stop
                }
            }
        }
                
    Catch
        {
        # Print the message of the first terminating error
        $ErrorMessage = $_.Exception.Message

        $ErrorMessage
        }
    Tuesday, August 2, 2016 12:47 AM
  • I think the issue people are having with the accepted solution is the "-WhatIf" parameter specified at the end of the example.  Those who work in PowerShell regularly recognize this as a parameter that will show the results of the command running but not actually perform this command.  It is assumed that once you evaluate the results and are happy with them, you remove that portion.  The command would look like below, replacing the SearchBase and the Group Name with your own:

    Get-ADUser -SearchBase 'OU=UserAccounts,DC=contoso,DC=local' -Filter * | % { Add-ADGroupMember 'gp001' -Members $_ }

    Wednesday, March 14, 2018 8:51 PM
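
Added example, not code from any poster in this thread: since this one-liner changes who holds the access a security group grants, the function below wraps the same Get-ADUser / Add-ADGroupMember pair so that it supports -WhatIf itself, skips users who are already members, and writes the pending additions to a CSV for review. The function name `Add-OuUsersToGroup`, its parameters and the CSV path are hypothetical; the OU and group values are the placeholders used in the thread.

```powershell
#Requires -Modules ActiveDirectory
# Added example. Function name, parameters and CSV path are hypothetical.
function Add-OuUsersToGroup {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$SearchBase,
        [Parameter(Mandatory = $true)][string]$GroupName,
        [string]$ReviewCsv,
        [switch]$EnabledOnly
    )

    # Resolve the group once and read its current members (DNs); stop if it does not exist.
    $group   = Get-ADGroup -Identity $GroupName -Properties Member -ErrorAction Stop
    $current = @($group.Member)

    # Subtree scope returns users from the OU and from every child OU.
    $filter = if ($EnabledOnly) { 'Enabled -eq $true' } else { '*' }
    $users  = @(Get-ADUser -SearchBase $SearchBase -SearchScope Subtree -Filter $filter -ErrorAction Stop)

    # Keep only users who are not members yet, so a re-run does not raise "already a member" errors.
    $toAdd = @($users | Where-Object { $current -notcontains $_.DistinguishedName })

    if ($ReviewCsv) {
        # Written even under -WhatIf, so the pending change can be reviewed first.
        $toAdd | Select-Object SamAccountName, DistinguishedName |
            Export-Csv -Path $ReviewCsv -NoTypeInformation -WhatIf:$false
    }

    if ($toAdd.Count -eq 0) {
        # Never call Add-ADGroupMember with an empty member list.
        Write-Verbose "No users to add to '$($group.Name)'."
        return
    }

    # One call for the whole batch; with -WhatIf only the message is shown.
    if ($PSCmdlet.ShouldProcess($group.DistinguishedName, "Add $($toAdd.Count) user(s) from $SearchBase")) {
        Add-ADGroupMember -Identity $group -Members $toAdd -Confirm:$false -ErrorAction Stop
    }

    # Return the users that were (or, under -WhatIf, would be) added.
    $toAdd | Select-Object SamAccountName, DistinguishedName
}

# Dry run with the thread's placeholder OU and group; repeat without -WhatIf to apply.
Add-OuUsersToGroup -SearchBase 'OU=UserAccounts,DC=contoso,DC=local' -GroupName 'gp001' -ReviewCsv .\gp001-pending.csv -WhatIf
```
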
  • Why do people keep trying to answer a question that was answered and closed 6 years ago??????


    \_(ツ)_/

    Wednesday, March 14, 2018 9:12 PM