Copy AD User Group Memberships to another user only copying Domain Users

  • Question

  • Hello,

    I've posted here before about automating account creations. The part of the script that copies all group memberships was working in my test lab at home as well as in the environment of my last job (Server 2012 R2 with Exchange On-Prem).

    I've made amendments to it and have been allowed to use it at my new job, but the script doesn't copy the user's security groups to the new user.

    Below is the full script

    #Import AD and Exchange
    Import-Module ActiveDirectory
    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://exchange.domain.com/PowerShell/ -Authentication Kerberos
    Import-PSSession $Session -AllowClobber

    #Import VB
    Add-Type -AssemblyName Microsoft.VisualBasic
    $vb = [Microsoft.VisualBasic.Interaction]

    #Variables
    $samaccount_to_copy = $vb::inputbox("Enter SAMAccount Name to Copy")
    $manageraccount = $vb::inputbox("Enter Manager SAMAccount Name")
    $new_displayname = $vb::inputbox("Enter Display Name of new user")
    $new_firstname = ($new_displayname.split(" ")[0])
    $new_lastname = ($new_displayname.Substring($new_displayname.IndexOf(" ") +1))
    $new_name = $new_displayname
    $new_samaccountname = "$($new_firstname.substring(0,1))$new_lastname"
    $CopyPath = $(try {(Get-AdUser $samaccount_to_copy).distinguishedName.Split(',',2)[1]} catch {$null})
    $ManagerPath = $(try {(Get-AdUser $manageraccount).distinguishedName.Split(',',2)[1]} catch {$null})
    $enable_user_after_creation = $true
    $password_never_expires = $false
    $cannot_change_password = $false
    $ad_account_to_copy = $(try {Get-ADUser $samaccount_to_copy -Properties Description, Office, OfficePhone, StreetAddress, City, State, PostalCode, Country, Title, Company, Department, Manager, EmployeeID} catch {$null})
    $ad_account_manager = $(try {Get-ADUser $manageraccount -Properties Office, OfficePhone, StreetAddress, City, State, PostalCode, Country, Company, Department} catch {$null})

    ##### Generate Random Password from DinoPass
    $web = New-Object Net.WebClient #Generates powershell web client
    $web.Headers.Add("Cache-Control", "no-cache");
    $PwdString= $web.DownloadString("http://www.dinopass.com/password/simple")
    $PwdString = $PwdString.substring(0,1).toUpper() + $PwdString.substring(1)
    $Password = ConvertTo-SecureString -String $PwdString -AsPlainText -Force

    #####Check accounts exist#####
    $User = $(try {Get-ADUser $samaccount_to_copy -Properties * | Select Name} catch {$null})
    If ($User -eq $Null) {
        Write-Host "User doesn't Exist in AD"
    } Else {
        Write-Host "User found in AD"
    }
    $Manager = $(try {Get-ADUser $manageraccount -Properties * | Select Name} catch{$null})
    If ($Manager -eq $Null) {
        "Manager doesn't Exist in AD"
    } Else {
        "Manager found in AD"
    }

    #####Create account by copying user or user's manager's basic attributes#####
    $copy = if ($copy = $ad_account_to_copy ) {
        # return copy
        $copy
    } elseif($copy = $ad_account_manager ){
        # return copy
        $copy
    }else{
        Write-Host 'No manager or user specified'
        # cannot create user no copy returned
    }
    $path = if($path = $CopyPath ) {
        $path
    }elseif($path = $ManagerPath ){
        $path
    }else{
        Write-Host 'No Path found'
    }
    if($copy){
        New-ADUser -SamAccountName $new_samaccountname -Instance $copy -Name $new_name -DisplayName $new_displayname -GivenName $new_firstname -Surname $new_lastname -PasswordNeverExpires $password_never_expires -CannotChangePassword $cannot_change_password -EmailAddress ($new_firstname + '.' + $new_lastname + '@' + "domain.com") -Enabled $enable_user_after_creation -UserPrincipalName ($new_samaccountname + '@' + "domain.com") -AccountPassword (ConvertTo-SecureString -AsPlainText $Password -Force) -Path $path
        # other changes
    }else{
        Write-Host 'No account was specified.'
    }

    ##### Confirm new account created
    Get-ADUser $new_samaccountname

    ## Mirror all the groups of original account that is a member of or only copy Distribution Lists
    If ($samccount_to_copy) {
        Get-ADUser -Identity $samaccount_to_copy -Properties memberof | Select-Object -ExpandProperty memberof | Add-ADGroupMember -Members $new_samaccountname -PassThru | Select-Object -Property SamAccountName
    } Else {
        ($manageraccount)
        ForEach ($Group in Get-DistributionGroup) {
            ForEach ($Member in Get-DistributionGroupMember -identity $Group.Name | Where { $_.Name -eq $manageraccount }) {
                $Group.name
            }
        }
        Add-DistributionGroupMember -Identity $Group.Name -Member $new_samaccountname -verbose
    }
    Set-ADUser -Identity $new_samaccountname -Add @{ProxyAddresses="SMTP:"+$new_samaccountname+"."+"domain.com.au"}

    I originally used the below:

    If ($samccount_to_copy) 
    {
        Get-ADPrincipalGroupMembership -Identity $samaccount_to_copy| % {Add-ADPrincipalGroupMembership -Identity $new_samaccountname -MemberOf $_}
    }

    Which didn't work here either.

    Is there anything I can do to fix this, or is there anything wrong with what I am using/doing?

    • Moved by Bill_Stewart Friday, January 26, 2018 3:47 PM This is not a "fix/debug/rewrite my script for me" forum
    Friday, December 22, 2017 10:19 AM
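Two things in the password section of the script above deserve attention before the group-copy problem. The initial password is downloaded in clear text over plain HTTP from a third-party web site, so every initial password the script ever sets is visible to the site operator and to anyone on the network path. Then `$Password`, which is already a SecureString, is wrapped in ConvertTo-SecureString a second time inside the New-ADUser call, so the value that reaches -AccountPassword is the string form of that SecureString object rather than the downloaded word. The following is an added example, not code from the original post, that generates the password locally from the operating system's cryptographic random number generator and hands it to New-ADUser once as a SecureString. The character classes, the length, and the account names and OU path in the usage lines are assumptions.

```powershell
# Added example (not part of the posted script): generate the initial password
# locally with the OS CSPRNG instead of fetching it over HTTP, and pass the
# SecureString to New-ADUser exactly once.
Import-Module ActiveDirectory

function New-RandomPassword {
    [CmdletBinding()]
    param([ValidateRange(8, 128)] [int] $Length = 16)

    # Character classes are an assumption; adjust them to the domain's complexity
    # policy. Look-alikes such as O/0 and l/1 are left out because the password is
    # read out to a person once.
    $sets = @(
        [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZ',
        [char[]]'abcdefghijkmnopqrstuvwxyz',
        [char[]]'23456789',
        [char[]]'!#%&*+-=?@'
    )
    $all = @(foreach ($s in $sets) { $s })

    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 4
    try {
        # Uniform pick from an array using the CSPRNG; rejection sampling avoids
        # the modulo bias of "random byte % array length".
        $pick = {
            param($arr)
            $limit = [uint32]::MaxValue - ([uint32]::MaxValue % [uint32]$arr.Count)
            do {
                $rng.GetBytes($buf)
                $n = [BitConverter]::ToUInt32($buf, 0)
            } while ($n -ge $limit)
            $arr[[int]($n % $arr.Count)]
        }

        # One character from every class guarantees the policy is met; the rest
        # are drawn from the union of all classes.
        $chars = New-Object char[] $Length
        for ($i = 0; $i -lt $Length; $i++) {
            $set = if ($i -lt $sets.Count) { $sets[$i] } else { $all }
            $chars[$i] = & $pick $set
        }
        # Fisher-Yates shuffle so the class-guaranteed characters are not always
        # in the first four positions.
        for ($i = $Length - 1; $i -gt 0; $i--) {
            $j = & $pick (0..$i)
            $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
        }
    } finally {
        $rng.Dispose()
    }

    # Return only a SecureString; the plain text stays inside this function
    # unless you deliberately surface it to hand over to the new user.
    ConvertTo-SecureString -String (-join $chars) -AsPlainText -Force
}

$initialPassword = New-RandomPassword -Length 16

# This call replaces the DinoPass download and the double ConvertTo-SecureString
# in the posted script. -WhatIf shows the call without creating anything; the
# names and OU path are placeholders.
New-ADUser -SamAccountName 'jdoe' -Name 'Jane Doe' -GivenName 'Jane' -Surname 'Doe' `
    -UserPrincipalName 'jdoe@domain.com' -Path 'OU=Staff,DC=domain,DC=com' `
    -AccountPassword $initialPassword -Enabled $true -ChangePasswordAtLogon $true -WhatIf
```

Setting -ChangePasswordAtLogon forces the generated value to be replaced on first use, so its lifetime ends with the hand-over rather than staying valid indefinitely.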

All replies

  • You are asking us to debug a script for you.  We can answer questions and give you pointers.  The debugging is up to you.

    You will have to narrow down your issue.

    This forum is for scripting questions rather than script requests.

    Script Gallery.

    Learn PowerShell  

    Script requests


    \_(ツ)_/

    Friday, December 22, 2017 10:52 AM
  • On your AD PowerShell console, just try this command and see if you get any output.

    Get-ADPrincipalGroupMembership -Identity $samaccount_to_copy | ft Name

    If your output is null, then check your PowerShell version by using the Get-Host cmdlet.
    If it's version 2.0, upgrade it to version 5.1 by installing WMF 5.1. Once it's installed and the computer has rebooted, run the same command as above; you should get some output, and your script will then work. I ran into a similar problem at work, where we use Windows 7 as the client computers. The upgrade resolves it.

    Unlike yours, I use the script below to copy the AD group membership.

    Get-ADPrincipalGroupMembership -Identity $samaccount_to_copy | %{Add-ADGroupMember -identity $_.Name -Members $new_samaccountname}
    


    Good Luck!

    Monday, December 25, 2017 6:39 PM
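Both the membership section of the posted script and the one-liner in the reply above do the copy in a single pipeline with nothing checked, which is why a failure shows up only as a user sitting in Domain Users. In the posted script, the test `If ($samccount_to_copy)` (missing an "a") refers to a variable that is never assigned, so the membership branch is skipped and only the distribution-list branch runs; the same misspelling appears in the original Get-ADPrincipalGroupMembership version, so a user created that way keeps only the primary group, Domain Users. The reply's `Add-ADGroupMember -Identity $_.Name` also relies on every group's Name matching its SamAccountName, since -Identity takes a distinguished name, GUID, SID or SamAccountName rather than the CN, and Get-ADPrincipalGroupMembership includes the primary group, which Add-ADGroupMember rejects as already a member. The following is an added example, not code from the question or either reply, serving both passages: it resolves both accounts first so a typo fails loudly, copies by distinguished name from memberOf (which never lists the primary group), skips groups the target is already in, supports -WhatIf, and reports each group rather than stopping at the first error. The account names in the usage lines are placeholders.

```powershell
# Added example (not from the original post or either reply): copy one user's
# AD group memberships to another with explicit checks and per-group reporting.
# Assumes the ActiveDirectory module and rights to modify the groups involved.
Import-Module ActiveDirectory

function Copy-ADUserGroupMembership {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $SourceSamAccountName,
        [Parameter(Mandatory)] [string] $TargetSamAccountName
    )

    # Resolve both accounts up front. A misspelled name (or a misspelled variable
    # holding it) stops here with "Cannot find an object with identity" instead of
    # feeding an empty pipeline that silently copies nothing.
    $source = Get-ADUser -Identity $SourceSamAccountName -Properties memberOf -ErrorAction Stop
    $target = Get-ADUser -Identity $TargetSamAccountName -Properties memberOf -ErrorAction Stop

    # memberOf holds distinguished names, which are unambiguous where a group's
    # Name is not. The primary group (Domain Users by default) is implied by
    # primaryGroupID and never appears in memberOf, so it is not copied and
    # Add-ADGroupMember is never asked to add a member it already has.
    $alreadyIn = @($target.memberOf)
    $toAdd = @(@($source.memberOf) | Where-Object { $alreadyIn -notcontains $_ })

    if ($toAdd.Count -eq 0) {
        Write-Verbose "$SourceSamAccountName has no groups that $TargetSamAccountName is not already in"
        return
    }

    foreach ($groupDn in $toAdd) {
        if (-not $PSCmdlet.ShouldProcess($groupDn, "Add member $TargetSamAccountName")) { continue }
        try {
            Add-ADGroupMember -Identity $groupDn -Members $target -ErrorAction Stop
            [pscustomobject]@{ Group = $groupDn; Result = 'Added' }
        } catch {
            # Typical causes: no write access to the group, a group in another
            # domain, or a group that admins protect. Report and keep going.
            [pscustomobject]@{ Group = $groupDn; Result = "Failed: $($_.Exception.Message)" }
        }
    }
}

# Dry run first (lists every group that would be touched), then the real copy.
Copy-ADUserGroupMembership -SourceSamAccountName 'jsmith' -TargetSamAccountName 'jdoe' -WhatIf
Copy-ADUserGroupMembership -SourceSamAccountName 'jsmith' -TargetSamAccountName 'jdoe' -Verbose |
    Format-Table -AutoSize
```

Because the function emits one object per group, its output can be piped to Export-Csv as an audit record of which access a new account inherited, which is the record a reviewer will ask for when a copied template account turns out to carry more groups than the role needs.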