Categories

Adding a user to a group

In this http://msmvps.com/blogs/richardsiddaway/archive/2012/02/19/bulk-create-groups-script.aspx and subsequent posts we saw how to create security groups.

The memberof tab on the user’s properties shows to which groups the user belongs. One of the more common administration tasks in AD is adding or removing users from a group. This is how we do it in PowerShell

## adds users to groups            
$ou = "OU=BlogTests,DC=Manticore,DC=org"            
            
"`nMicrosoft"            
$name = "UserA"            
Get-ADUser -Identity $name -Properties * |            
Add-ADPrincipalGroupMembership -MemberOf GroupGblSecA            
            
"`nAD provider"            
$name = "UserB"            
$grpmem = Get-ItemProperty ad:\"CN=GroupGblSecA,OU=TestGroups,DC=Manticore,DC=org" -Name member            
$members = @($grpmem.member)            
$members = $members += "cn=$name,$ou"            
Set-ItemProperty ad:\"CN=GroupGblSecA,OU=TestGroups,DC=Manticore,DC=org" -Name member -Value $members            
            
"`nQuest"            
$name = "UserC"            
Get-QADUser -Identity $name  |            
Add-QADGroupMember -Identity GroupGblSecA            
            
"`nScript"            
$group = [adsi]"LDAP://CN=GroupGblSecA,OU=TestGroups,DC=Manticore,DC=org"            
$name = "UserD"            
            
$group.Add("LDAP://cn=$name,$ou")             
$group.SetInfo()


 



The Microsoft and Quest cmdlets provide a cmdlet to achieve this task – with the Microsoft cmdlets we have to use Add-ADPrincipalGroupMembership rather than Add-ADGroupMember.



The provider treats the members of the group as as array so we use the standard technique of adding a member – using the users distinguished name



The script gets the group object and uses the Add() method – note that we have to give the whole LDAP string not just the distinguished name of the user

Leave a Reply