PowerShell: How to add all users in an OU to a Security Group using Get-ADUser and Add-ADGroupMember

I’m currently setting up a new system for a client and wanted to add all users in a specific Organisational Unit (OU) to a specific Security Group.

I’ve written about Get-ADUser a few times before, so by combining that with another PowerShell cmdlet Add-ADGroupMember to add users to a group we should be in business!

In this example we’ll add users in the OU Head Office to the SSLVPN Users Security Group.


Right, on with a quick tutorial of Get-ADUser. The following screenshots are taken from my Windows Server 2012 R2 demo lab.

Let’s start off with Get-ADUser -Filter *

This will return all the users in the domain. Let’s make it a little more readable so we can see the users we want to add to a group.

Try Get-ADUser -Filter * | ft Name, DistinguishedName -AutoSize

We can see we have a few users in the OU Head Office, but the command is still returning other users as well. So let’s modify it to return only users in the Head Office OU.

We can use -SearchBase to specify an Active Directory path to search under.

Get-ADUser -SearchBase 'OU=Head Office,DC=AD,DC=oxfordsbsguy,DC=com' -Filter * | ft Name, DistinguishedName -AutoSize


Ok, so we can select the specific users in an OU. Now we have to add these to the SSLVPN Users Security Group.

The cmdlet to add users to a group is Add-ADGroupMember. We can find this out by using the Get-Command cmdlet or its abbreviation gcm.

Get-Command *Group*

This will return all cmdlets with Group in their name.

We can then use Get-Help Add-ADGroupMember to view the cmdlet in more detail.

Get-Help Add-ADGroupMember

We can see the two parameters we need to use with the command are Identity, which specifies the group we want to add members to, and Members, which specifies the users we want to add.

So as our Get-ADUser cmdlet gives us the users, let’s try to pipe it into the Add-ADGroupMember cmdlet.

Get-ADUser -SearchBase 'OU=Head Office,DC=AD,DC=oxfordsbsguy,DC=com' -Filter * | Add-ADGroupMember -Identity 'SSLVPN Users'

The Add-ADGroupMember cmdlet is still requesting Members, so it seems it doesn’t accept the list we have output using Get-ADUser: the -Members parameter does not take pipeline input.

We still have options though. We can try the ForEach-Object cmdlet and see if this helps us out.

ForEach-Object performs an action against each item in a collection of objects. In our case we want to use it to add each user in the list of users to a group. If we combine it with the $_ variable, which acts as a placeholder for the current object, we should be on the right track. We can use -WhatIf to see what the command would do, without making any changes, until we get it correct.

Get-ADUser -SearchBase 'OU=Head Office,DC=AD,DC=oxfordsbsguy,DC=com' -Filter * | ForEach-Object {Add-ADGroupMember -Identity 'SSLVPN Users' -Members $_ -WhatIf}

So we can see from above we have six outputs where a set is performed on the SSLVPN Users group. So I think we have cracked it!

Now let’s run the command without -WhatIf.

Get-ADUser -SearchBase 'OU=Head Office,DC=AD,DC=oxfordsbsguy,DC=com' -Filter * | ForEach-Object {Add-ADGroupMember -Identity 'SSLVPN Users' -Members $_ }

No errors are returned, which is a good start! Now let’s check the SSLVPN Users security group in ADUC, first before the command is run.

And then after the command has been run.

So our final PowerShell command to add users in an OU to a Security Group is:

Get-ADUser -SearchBase 'OU=Head Office,DC=AD,DC=oxfordsbsguy,DC=com' -Filter * | ForEach-Object {Add-ADGroupMember -Identity 'SSLVPN Users' -Members $_ }
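
A more defensive version of the final command, added here as an example and not part of the original post: it adds only enabled users, skips accounts that are already members, and passes the whole list to -Members in a single call. The function name Add-OUUsersToGroup and its parameter names are hypothetical; the cmdlets it calls are from the ActiveDirectory module.

```powershell
Import-Module ActiveDirectory

# Hypothetical helper (not from the original post): idempotent, dry-run aware
function Add-OUUsersToGroup {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$SearchBase,   # DN of the OU
        [Parameter(Mandatory = $true)][string]$GroupName,    # target security group
        # OneLevel = users directly in the OU; Subtree also includes child OUs
        [ValidateSet('OneLevel', 'Subtree')][string]$SearchScope = 'OneLevel'
    )

    # Enabled accounts only: disabled or leaver accounts should not gain VPN access
    $users = @(Get-ADUser -SearchBase $SearchBase -SearchScope $SearchScope -Filter 'Enabled -eq $true')

    # DNs of the current direct members, so a second run adds nothing
    $existing = @(Get-ADGroupMember -Identity $GroupName |
        Select-Object -ExpandProperty DistinguishedName)

    $toAdd = @($users | Where-Object { $existing -notcontains $_.DistinguishedName })
    if ($toAdd.Count -eq 0) {
        Write-Verbose "No new members for '$GroupName'."
        return
    }

    # -Members accepts an array, so one call adds every user.
    # -WhatIf / -Confirm passed to this function are honoured via ShouldProcess.
    if ($PSCmdlet.ShouldProcess($GroupName, "Add $($toAdd.Count) user(s)")) {
        Add-ADGroupMember -Identity $GroupName -Members $toAdd
        # One record per added user, suitable for a change log
        $toAdd | Select-Object @{ n = 'Group'; e = { $GroupName } }, SamAccountName, DistinguishedName
    }
}

# Dry run against the OU and group used in this post
Add-OUUsersToGroup -SearchBase 'OU=Head Office,DC=AD,DC=oxfordsbsguy,DC=com' -GroupName 'SSLVPN Users' -WhatIf
```

Dropping -WhatIf applies the change and returns one row per user added, which can be piped to Export-Csv to keep a record of who was granted membership.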

References:

Get-ADUser http://technet.microsoft.com/en-us/library/ee617241.aspx

Add-ADGroupMember https://technet.microsoft.com/en-gb/library/ee617210.aspx

ForEach-Object https://technet.microsoft.com/en-us/library/hh849731.aspx

PowerShell Variables: http://www.computerperformance.co.uk/powershell/powershell_variables.htm

TechNet Magazine: https://technet.microsoft.com/en-us/magazine/ee677578.aspx

If you found this post useful please Share, Like or leave a comment! Thanks, Carl.

    6 thoughts on “PowerShell: How to add all users in an OU to a Security Group using Get-ADUser and Add-ADGroupMember”

    1. Rick Franz

      Thank you for the great information.

      What would the syntax be to add the users to multiple groups?

      Thanks

      1. Peter

        A little late (only a year! Psh!), but it could look like something like this:

        Get-ADUser -SearchBase 'OU=Head Office,DC=AD,DC=oxfordsbsguy,DC=com' -Filter * | ForEach-Object {
        Add-ADGroupMember -Identity 'SSLVPN Users' -Members $_
        Add-ADGroupMember -Identity 'A Second Group' -Members $_
        }

    2. AK

      super helpful – now if I could figure out how to add on prem AD users to a 365 security group in a hybrid setup scenario!
